FINLAND
The Office of the Data Protection Ombudsman
Website: http://www.tietosuoja.fi/1560.htm
The Personal Data Act 1999 (as amended): http://www.tietosuoja.fi/uploads/hopxtvf.HTM
What needs to be done prior to collection?
CONTACT THE DATA SUBJECT
Section 24
(1) When collecting personal data, the controller shall see to that
the data subject can have information on the controller and, where
necessary, the representative of the controller, on the purpose of
the processing of the personal data, on the regular destinations of
disclosed data, as well as on how to proceed in order to make use of
the rights of the data subject in respect to the processing
operation in question. This information shall be provided at the
time of collection and recording of the data or, if the data is
obtained from elsewhere than the data subject and intended for
disclosure, at the latest at the time of first disclosure of the
data.
(2) The duty of providing information, referred to above in paragraph
(1), may be derogated from:
1) if the data subject already has the relevant information;
2) if this is necessary for the protection of national security,
defence or public order or security, for the prevention or
investigation of crime or for carrying out the monitoring function
pertaining to taxation or the public finances; or
(3) where the data is collected from elsewhere than the data subject,
if the provision of the information to the data subject is
impossible or unreasonably difficult, or if it significantly damages
or inconveniences the data subject or the purpose of the processing
of the data and the data is not used when making decisions relating
to the data subject, or if there are specific provisions in an Act
on the collection, recording or disclosure of the data.
NOTIFY THE DATA PROTECTION OMBUDSMAN
Section 36
(1) The controller shall notify the Data Protection Ombudsman of
automated data processing by sending a description of the file to
that authority.
(2) In addition, the controller shall notify the Data Protection
Ombudsman of:
1. The transfer of personal data to outside the European Union or
the European Economic Area, if the data is transferred on the
grounds provided in section 22 or 23(6) or (7) and there is no
statutory provision on the same;
2. On the launching of an automated decision-making system referred
to in section 31.
(3) Anyone who is engaged in credit data activity or carrying out
debt collection or market or opinion research as a business, or
operating in recruitment, personnel assessment or computing on the
behalf of another, and who uses or processes files or personal data
in this activity, shall notify the same to the Data Protection
Ombudsman.
(4) The duty of notification referred to above in paragraph (1) does
not apply, if the processing of personal data is based on section
8(1)(1)—(3), on section 8(1)(4) if so provided by law, on a client
or service relationship or membership referred to in section
8(1)(5), on section 8(1)(6) or (9), on section 12(1)—(4), on section
12(5) if so provided by law, on section 12(7)—(10), (12) or (13), or
on sections 13—18 or 20. The duty of notification may also be
derogated from as provided by Decree, if it is evident that the
processing of personal data does not compromise the protection of
the privacy of the data subject, or his/her rights or freedoms.
Section 37
(1) The notification referred to above in section 36(2) (1) shall
indicate the information contained in the description of the file
and also the types of data being transferred and how the transfer is
carried out.
(2) The notification referred to above in section 36(2) (2) shall
indicate the information contained in the description of the file
and also the logical construction of the system.
(3) The notification referred to above in section 36(3) shall
indicate the name, field of business, domicile and address of the
trader or business, the personal data files used in the activity and
the type of data contained therein, the disclosure of data from the
file, the duration of storage of recorded data, the technical
measures for securing the data and the measures for monitoring the
use of the personal data files.
(4) The notification shall be made well in advance of the collection
or recording of the data to be recorded into the file or of the
carrying out of another measure giving rise to the duty of
notification; in any event, it shall at the latest be made 30 days
before the same.
What needs to be done prior to shipping?
Section 22
(1) Personal data may be transferred to outside the European Union or
the European Economic Area only if the country in question
guarantees an adequate level of data protection.
(2) The adequacy of the level of data protection shall be evaluated
in the light of the nature of the data, the purpose and duration of
the intended processing, the country of origin and the country of
final destination, as well as the general and sectoral legal
provisions, codes of conduct and security measures applied in that
country.
Section 23
However, section 22 does not prevent the transfer of data if:
(1) The data subject has unambiguously consented to the transfer;
(2) The data subject has given an assignment for the transfer, or
this is necessary in order to perform a contract to which the data
subject is a party or in order to take steps at the request of the
data subject before entering into a contract;
(3) The transfer is necessary in order to make or perform an
agreement between the controller and a third party and in the
interest of the data subject;
(4) The transfer is necessary in order to protect the vital interests
of the data subject;
(5) The transfer is necessary or called for by law for securing an
important public interest or for purposes of drafting or filing a
lawsuit or for responding to or deciding such a lawsuit;
(6) The transfer is made from a file, the disclosure of data from
which, either generally or for special reasons, has been
specifically provided in an Act; or
(7) The controller, by means of contractual terms or otherwise, gives
adequate guarantees of the protection of the privacy and the rights
of individuals.
What are the sanctions for non-compliance?
Section 47
(1) The controller is liable to compensate for the economic and other loss
suffered by the data subject or another person because of processing
of personal data in violation of the provisions of this Act.
(2) Otherwise the provisions in Chapter 2, sections 2 and 3, Chapter 3,
Sections 4 and 6 and Chapter 4, 6 and 7 of the Damages Act
(412/1974) apply to the liability in damages.
Section 48
(1) The penalty for a personal data offence is provided for in Chapter 38,
Section 9 of the Penal Code (39/1889) and for breaking into a
personal data file in Chapter 38, Section 8 of the Penal Code.
(2) A person who intentionally or grossly negligently and contrary to the
provisions in this Act:
- fails to comply with the provisions on the definition of the purpose
of the processing of the personal data, the drawing up of the
description of the file, the information on data processing, the
rectification of the file, the right of the data subject to prohibit
the processing of data or the notification of the Data Protection
Ombudsman;
thus compromising the protection of the privacy of the data subject or
his/her rights, shall be sentenced for a personal data violation
to a fine, provided that a more severe penalty is not provided
in another Act.
Please refer to the Office of the Data Protection Ombudsman Website for further details on the Statute.