Skip to content
GDPR by Law

European Union · updated 2026-06-15

Finland

Conditional

Finland enforces through a collegial sanctions board and focuses on employee monitoring — its Working Life Privacy Act is the strictest workplace data law in the EU. HR tech and employer tools face Finland-specific rules.

Law:
GDPR + Data Protection Act (1050/2018) + Act on Electronic Communications Services
Regulator:
Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)

Cookie consent

Opt-in required

Breach deadline

72 hours

DPA with vendors

Required

Max fine

€20,000,000 or 4% of global annual revenue, whichever is higher — imposed by a three-member sanctions board

What Finland requires

Compliance items with their statutory basis. Stamps mark whether each applies to every business or only above certain thresholds.

  1. Privacy policy (tietosuojaseloste)

    Art. 13–14 GDPR

    Privacy notice in Finnish (and Swedish for national services), naming the Ombudsman as complaint authority.

    How to implement English is accepted for developer tools; consumer services need Finnish. Finland's bilingual obligations apply mainly to public bodies.

    Required
  2. Cookie consent banner

    s.205 ECSA

    Opt-in consent for analytics and marketing cookies with prior blocking, per Traficom guidance.

    How to implement Standard EU CMP configuration with a Finnish-language banner. Traficom handles cookie supervision; the Ombudsman covers the personal-data side.

    Required
  3. Records of processing (ROPA)

    Art. 30 GDPR

    Standard register of processing activities.

    How to implement Keep current; the Ombudsman's investigations typically open with a ROPA and legal-basis questionnaire.

    Required
  4. Employee data compliance

    Working Life Privacy Act (759/2004)

    Finland's speciality: employers may only process employee data directly necessary for the employment relationship — a stricter test than GDPR — and monitoring requires cooperation procedures.

    How to implement If you sell HR or monitoring software into Finland, build for necessity-based collection and works-council-style consultation. Email monitoring rules are uniquely strict.

    Conditional
  5. Breach notification process

    Art. 33–34 GDPR

    72-hour Ombudsman notification plus individual notification for high-risk breaches.

    How to implement Post-Vastaamo, Finnish users and media react strongly to breaches — pair the legal notification with clear user communication.

    Required

The details

Cookie consent
Section 205 of the Electronic Communications Services Act requires consent for non-essential cookies. Traficom's 2021 guidance aligned Finland with EDPB standards: prior blocking, genuine reject option, no consent from browser settings alone.
Data Protection Officer
GDPR baseline thresholds; notify the Ombudsman of appointments. The public-heavy Finnish market means many B2B vendors appoint one to satisfy procurement.
Processing agreements
Art. 28 GDPR agreements required with all processors; Finnish public-sector customers additionally expect documented safeguards for any non-EEA subprocessors.
Breach notification
Notify the Data Protection Ombudsman within 72 hours via its online form; high-risk breaches also require notifying individuals without undue delay.
Enforcement in practice
The sanctions board fined Posti €2.3M over transparency failures and psychotherapy provider Vastaamo's catastrophic breach led to criminal convictions — Finland's defining privacy case.

Data subject rights

What users can demand from you in Finland, and the engineering that satisfies each right.

Right to access

Art. 15 GDPR

Copy of personal data and processing details within one month.

Respond within 30 days; the Ombudsman orders compliance and the sanctions board fines repeat failures.

Right to erasure

Art. 17 GDPR

Deletion when data is no longer necessary or consent withdrawn.

Finnish accounting law requires 6-year retention of accounting materials — document the exemption.

Right to data portability

Art. 20 GDPR

Machine-readable export of user-provided data.

JSON/CSV export for consent- and contract-based data.

Right to rectification

Art. 16 GDPR

Correction of inaccurate personal data.

Self-service edits plus a support channel.

Right to restrict processing & to object

Art. 18, 21 GDPR

Freeze during disputes; absolute objection to direct marketing.

Finland's Robinson lists (ASML) cover telemarketing and postal marketing opt-outs.

Automated decision-making

Art. 22 GDPR

Protection against solely automated significant decisions.

Finland amended its administrative law to permit automated public-sector decisions under safeguards — private-sector rules follow the GDPR baseline with disclosure and human review.

Tools that cover Finland

Services we'd shortlist for this jurisdiction. Links may be affiliate links.

  • cookie consent

    Cookiebot

    Nordic CMP with Finnish and Swedish banners matching Traficom guidance.

    Visit Cookiebot →
  • privacy policy

    iubenda

    Finnish-language tietosuojaseloste generation kept in sync with the Data Protection Act.

    Visit iubenda →
  • dpa template

    Termly

    DPA templates with subprocessor annexes for Finnish public-sector procurement.

    Visit Termly →

Frequently asked questions

What was the Vastaamo case and why does it matter?

Psychotherapy provider Vastaamo was breached and 33,000 patients' therapy notes were used for individual extortion — leading to criminal convictions, Finland's first major breach prosecution, and a national trauma around data security. Finnish counterparties now scrutinise vendor security far more than before.

What makes Finnish employee-data law special?

The Working Life Privacy Act permits processing only data 'directly necessary' for employment — consent cannot expand this — plus strict rules on background checks, drug testing, camera surveillance, and reading employee email. HR SaaS entering Finland usually needs feature-level adjustments.

Who enforces cookies vs data protection in Finland?

Traficom (the transport and communications agency) supervises cookie consent under the ECSA, while the Data Protection Ombudsman handles GDPR. In practice one compliant EU-grade banner satisfies both.

How are GDPR fines decided in Finland?

Not by a single commissioner — a three-member sanctions board within the Ombudsman's office must decide administrative fines collegially. Enforcement is methodical rather than headline-seeking, with orders and reprimands far more common than fines.

Similar jurisdictions

Free download

Get GDPR updates for Finland

A one-page privacy audit checklist covering the requirements that regulators actually fine for — cookie consent, breach runbooks, DPAs, and data subject request handling. We email occasional updates when the law changes; unsubscribe anytime.

No spam. Unsubscribe anytime — we practice what we document.