Finland Data Protection Act (Tietosuojalaki, 1050/2018)
The Finland Data Protection Act (Tietosuojalaki, 1050/2018) is the Finnish national supplement to the EU General Data Protection Regulation (Regulation (EU) 2016/679). The Act entered into force on 1 January 2019 + repealed the prior Personal Data Act (523/1999). The Act covers the national-level derogations + supplements permitted by GDPR including: (a) lawful basis under public-interest task + official authority for public authorities and statutorily-tasked private entities (Section 4); (b) processing of PERSONAL IDENTITY CODES (Henkilotunnus) - the Finnish national identifier - with strict purpose limitation + need for identification (Section 29); (c) SPECIAL CATEGORIES of personal data with derogations for employment + social security + professional secrecy + research + statistics + archiving + health + occupational safety (Section 6); (d) PROCESSING OF CRIMINAL OFFENCES DATA per Section 7 + the Criminal Records Act; (e) DATA PROTECTION OMBUDSMAN (Tietosuojavaltuutettu) as the supervisory authority with Sanctions Collegium (Seuraamuskollegio) for administrative fines (Sections 8-13); (f) DEROGATIONS from the right of access + rights of data subjects for scientific or historical research purposes + statistical purposes + archiving purposes in the public interest (Section 31); (g) JOURNALISTIC + ACADEMIC + ARTISTIC + LITERARY EXEMPTIONS (Section 27 + Constitution Section 12 freedom of expression); (h) BILINGUAL TRANSPARENCY (Finnish + Swedish per Constitution Section 17 + Language Act 423/2003) for data subject information notices. SECTORAL COORDINATION: the Tietosuojalaki coordinates with the ACT ON PRIVACY IN WORKING LIFE (Laki yksityisyyden suojasta tyoelamassa, 759/2004) for employee data + workplace monitoring + email inspection; the INFORMATION SOCIETY CODE (Sahkoisen viestinnan palveluista annettu laki, SVTSL 917/2014) for cookies + ePrivacy + electronic-marketing (consent + technical-necessity exemption); the ACT ON ELECTRONIC COMMUNICATIONS SERVICES; the Public Information Disclosure Act; and the new Cybersecurity Act 2024 implementing EU NIS2. ENFORCEMENT: Data Protection Ombudsman + 3-member SANCTIONS COLLEGIUM may impose administrative fines up to 4% of global annual turnover or EUR 20 million (whichever higher) - PUBLIC authorities are exempt from administrative fines under Section 24. APPEALS: to the Administrative Court within 30 days. 2024-2025 PRIORITIES: AI Act interplay + cross-border enforcement under GDPR one-stop-shop + Nordic data-protection coordination (Nordic-Baltic Working Group on Data Protection).
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (7)
Finland DPA: Bilingual Transparency, Data Subject Rights Coordination with GDPR + Children
| Code | Title |
|---|---|
| FiDPA-Bilingual-Rights-Children | Bilingual Transparency, Data Subject Rights Coordination with GDPR + Children |
Finland DPA: Data Protection Ombudsman (Tietosuojavaltuutettu) and Supervisory Authority
| Code | Title |
|---|---|
| FiDPA-Tietosuojavaltuutettu | Data Protection Ombudsman (Tietosuojavaltuutettu) - Supervisory Authority |
Finland DPA: Lawful Basis, Personal Identity Code (Henkilotunnus) and Special Categories
| Code | Title |
|---|---|
| FiDPA-LawfulBasis-IdCode | Lawful Basis Under Public Interest + Personal Identity Code (Henkilotunnus) (Section 4-5, 29) |
| FiDPA-SpecialCategories-CriminalData | Special Categories of Personal Data + Criminal Offences Data (Sections 6-7) |
Finland DPA: Sanctions Collegium, Administrative Fines and Enforcement
| Code | Title |
|---|---|
| FiDPA-SanctionsCollegium | Sanctions Collegium (Seuraamuskollegio) and Administrative Fines |
Finland DPA: Scope, Application, Definitions and Sectoral Coordination
| Code | Title |
|---|---|
| FiDPA-Ch1-Scope-Defs | Chapter 1 - Scope, Application and Definitions (Tietosuojalaki Sections 1-3) |
Finland DPA: Sectoral Acts (Working Life 759/2004, SVTSL 917/2014, Cybersecurity Act 2024)
| Code | Title |
|---|---|
| FiDPA-Coord-GDPR-NIS2-DSA | Coordination with GDPR, NIS2, DSA, DGA, eIDAS and EU Framework |
| FiDPA-Sectoral-SVTSL-Cyber2024 | Sectoral Acts - SVTSL (917/2014), Cybersecurity Act 2024, Information Society Code |
| FiDPA-Status-AIAct-Nordic | Implementation Status, EU AI Act Interplay, Nordic-Baltic Coordination |
Finland DPA: Specific Processing Situations (Journalism, Research, Working Life, Public Sector)
| Code | Title |
|---|---|
| FiDPA-SpecificProcessing | Specific Processing Situations - Journalism, Research, Statistics, Public Sector (Sections 27, 31, 32, 33) |
| FiDPA-WorkingLifeAct | Act on Privacy in Working Life (759/2004) - Workplace Monitoring + Email Inspection |
Frequently Asked Questions
What is Finland Data Protection Act (Tietosuojalaki, 1050/2018)?
Finland Data Protection Act (Tietosuojalaki, 1050/2018) is a compliance framework from Finland with 7 domains and 11 controls. The Finland Data Protection Act (Tietosuojalaki, 1050/2018) is the Finnish national supplement to the EU General Data Protection Regulation (Regulation (EU) 2016/679). The Act entered into force on 1 January 2019 + repealed the prior Personal Data Act (523/1999). The Act covers the national-level derogations + supplements permitted by GDPR including: (a) lawful basis under public-interest task + official authority for public authorities and statutorily-tasked private entities (Section 4); (b) processing of PERSONAL IDENTITY CODES (Henkilotunnus) - the Finnish national identifier - with strict purpose limitation + need for identification (Section 29); (c) SPECIAL CATEGORIES of personal data with derogations for employment + social security + professional secrecy + research + statistics + archiving + health + occupational safety (Section 6); (d) PROCESSING OF CRIMINAL OFFENCES DATA per Section 7 + the Criminal Records Act; (e) DATA PROTECTION OMBUDSMAN (Tietosuojavaltuutettu) as the supervisory authority with Sanctions Collegium (Seuraamuskollegio) for administrative fines (Sections 8-13); (f) DEROGATIONS from the right of access + rights of data subjects for scientific or historical research purposes + statistical purposes + archiving purposes in the public interest (Section 31); (g) JOURNALISTIC + ACADEMIC + ARTISTIC + LITERARY EXEMPTIONS (Section 27 + Constitution Section 12 freedom of expression); (h) BILINGUAL TRANSPARENCY (Finnish + Swedish per Constitution Section 17 + Language Act 423/2003) for data subject information notices. SECTORAL COORDINATION: the Tietosuojalaki coordinates with the ACT ON PRIVACY IN WORKING LIFE (Laki yksityisyyden suojasta tyoelamassa, 759/2004) for employee data + workplace monitoring + email inspection; the INFORMATION SOCIETY CODE (Sahkoisen viestinnan palveluista annettu laki, SVTSL 917/2014) for cookies + ePrivacy + electronic-marketing (consent + technical-necessity exemption); the ACT ON ELECTRONIC COMMUNICATIONS SERVICES; the Public Information Disclosure Act; and the new Cybersecurity Act 2024 implementing EU NIS2. ENFORCEMENT: Data Protection Ombudsman + 3-member SANCTIONS COLLEGIUM may impose administrative fines up to 4% of global annual turnover or EUR 20 million (whichever higher) - PUBLIC authorities are exempt from administrative fines under Section 24. APPEALS: to the Administrative Court within 30 days. 2024-2025 PRIORITIES: AI Act interplay + cross-border enforcement under GDPR one-stop-shop + Nordic data-protection coordination (Nordic-Baltic Working Group on Data Protection). It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does Finland Data Protection Act (Tietosuojalaki, 1050/2018) have?
Finland Data Protection Act (Tietosuojalaki, 1050/2018) has 11 controls organised across 7 domains. The largest domains are Finland DPA: Sectoral Acts (Working Life 759/2004, SVTSL 917/2014, Cybersecurity Act 2024) (3 controls), Finland DPA: Lawful Basis, Personal Identity Code (Henkilotunnus) and Special Categories (2 controls), Finland DPA: Specific Processing Situations (Journalism, Research, Working Life, Public Sector) (2 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does Finland Data Protection Act (Tietosuojalaki, 1050/2018) map to?
Finland Data Protection Act (Tietosuojalaki, 1050/2018) does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.
How do I get started with Finland Data Protection Act (Tietosuojalaki, 1050/2018) compliance?
Start your Finland Data Protection Act (Tietosuojalaki, 1050/2018) compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Finland Data Protection Act (Tietosuojalaki, 1050/2018) requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 11 controls and track your progress.
Start Your Compliance Journey
Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 723 frameworks.
Get Started Free →Free forever — no credit card required