In Finland, the GDPR is supplemented with a new Data Protection Act that entered into force on 1 January 2019. The Finnish Data Protection Ombudsman officially became a supervisory authority with the adoption of this new Act. Due to the Act’s late entry into force, the Finnish supervisory authority has, however, had rather limited scope to exercise its powers under the GDPR.
The number of new cases brought increased significantly after the GDPR became applicable in May 2018. The Data Protection Ombudsman received almost three times more complaints and notifications last year than in previous years. One third are data breach notifications. Due to the delay in implementing the new Act and a lack of resources, only some of these cases have led to further action by the supervisory authority.
The new Act enables the supervisory authority, together with other members of the new collegial body introduced by the Act, to impose fines. This collegial body consists of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen. These Deputies were appointed by the Finnish government as late as 1 May this year, which explains why no fines have yet been imposed in Finland. Furthermore, the Data Protection Ombudsman has emphasised in his public appearances that corrective measures other than fines can often be a more effective response to failures to comply with data protection legislation. In addition, the Data Protection Ombudsman has underlined the importance of harmonisation when interpreting and applying the GDPR in the EU, meaning that the future practice of the European Data Protection Board is expected to have a significant impact on the Data Protection Ombudsman’s actions.
Finnish legislation has been revised in the light of the GDPR. In addition to the new Data Protection Act, the GDPR is supplemented with the Act on the Protection of Privacy in Working Life, which has recently been amended. The amendments to this Act were minor and mainly technical: the strict protection of employee privacy and more detailed national rules remain central in Finland even in the GDPR era. The Act maintains national requirements and restrictions in matters such as background checks on job applicants, drug testing, employee monitoring, accessing employee emails, retention of employee health data, and the cooperation procedures necessary when implementing new data protection practices. Furthermore, the employer is, in principle, entitled to collect an employee’s personal data only from that employee himself or herself. Collection of data from other sources requires an explicit legal basis or the employee’s consent. In practice, this recently enforced interpretation has made implementation of whistleblowing systems in Finland more complicated than in other jurisdictions.