2. Legislation and obligations

Introduction of the step

This step describes the most important obligations of Finnish and EU legislation related to data sharing and information management. However, the opening of data may also be subject to legislation other than the acts listed below, and therefore an organisation considering data sharing should familiarise itself with the legislation in more detail.

When planning data sharing, it is important to identify the various restrictions and obligations resulting from regulation as early as possible, because they affect the implementation of data sharing and the choice of technical solutions. It is advisable to involve the legal experts and data protection officer of your own organisation to map out the restrictions and obligations.

Key Finnish legislation

This section provides a concise description of key legislation related to the sharing of public administration data in Finland.

The Constitution of Finland and the Act on the Openness of Government Activities

Under section 12 of the Constitution of Finland (731/1999), “Documents and recordings in the possession of the authorities are public, unless their publication has for compelling reasons been specifically restricted by an Act. Everyone has the right of access to public documents and recordings.”

The Act on the Openness of Government Activities (621/1999) implements the principle regarding the openness of documents and information held by the authorities laid down in section 12 of the Constitution. The Act on the Openness of Government Activities also contains provisions on the grounds on which documents may be secret. However, specific legislation applicable to a certain sector may also contain provisions on secrecy and publicity.

The authorities to which the Act on the Openness of Government Activities applies are defined in section 4 of this Act, under which authorities are defined as

  • State administrative authorities and other State agencies and institutions as well as State enterprises
  • Parliamentary agencies and institutions
  • courts of law and other bodies for the administration of law
  • municipal authorities and the authorities of well-being services counties and joint authorities for health and well-being
  • independent institutions subject to public law, including the Social Insurance Institution (Kela) and Bank of Finland
  • boards, consultative bodies, committees etc. appointed for the independent performance of a certain task on the basis of an Act, a Decree or the decision of an authority.

This list is not exhaustive, as the Act on the Openness of Government Activities may also be applicable by virtue of special legislation. Under section 30, subsection 2 of the Universities Act (559/2009), for example, activities pursued by the university and the student union are governed by the provisions of the Act on the Openness of Government Activities.

The Act on the Openness of Government Activities also applies to corporations, institutions, foundations and private individuals appointed for the performance of a public task on the basis of an Act, a Decree or a provision or order issued by virtue of an Act or a Decree.

The Act on the Openness of Government Activities applies to documents prepared or delivered to an authority. Under section 5 of the Act, a document refers to not only conventional documents on paper but also to information, datasets and messages in electronic format.

When a document is requested from an authority, the authority must, as a rule, without delay and as soon as possible either disclose the document or decide that it will not be disclosed. The decision should be made within two weeks of receiving the request, except in special cases where the matter must be resolved within one month. If the authority decides not to disclose the document, it must issue a written decision that can be appealed.

If only part of the document is secret, disclosing it may be possible, for example by deleting or covering the secret information.

The Act on the Openness of Government Activities also contains provisions on the requirements and obligations applicable to the provision of information by the authorities and the manner in which access to documents is provided. An authority is obliged to assist those requesting access in finding the information, for example by specifying the document to which access is required. The authorities must also promote the openness of their activities and, where necessary, produce guides, statistics and other publications, together with information materials on their services and practices and on the social conditions and developments in their field of competence.

Act on Information Management in Public Administration

The Act on Information Management in Public Administration (906/2019, Public Information Management Act) and the acts associated with it entered into force on 1 January 2020. The Act promotes the harmonisation of information management, information security, and digitalisation in the authorities’ activities.

In the Public Information Management Act, the purpose of organising information management is

  • to ensure harmonised and high-quality management and data secure processing of datasets of authorities to implement the principle of openness;
  • to enable secure and efficient exploitation of the datasets of authorities so that an authority may attend to its tasks and provide its services to public administration clients successfully and in a qualitative manner in compliance with good governance;
  • to promote the interoperability of information systems and information resources. 

Implementing the Act is a task that belongs to all authorities and that is guided and supported in a systematic manner. The Public Information Management Act is only partly applicable to some actors; see section 3, Scope of application of the Act and restrictions to it. Parties within the scope of application of the Public Information Management Act:

  • authorities and comparable state administrative authorities
  • courts of law and committees established to handle appeals (in parts)
  • state enterprises
  • municipalities and joint municipal authorities (mainly)
  • parliamentary organs (mainly)
  • Office of the President of the Republic of Finland (mainly)
  • independent institutions subject to public law (mainly)
  • universities (mainly)
  • universities of applied sciences (mainly)
  • parties performing public administrative tasks (in parts)

The Act on Information Management in Public Administration lays down provisions on following the principle of openness and meeting the requirements of good governance in data management by the authorities. The Act contains provisions that apply to Finnish public administration as a whole in the following areas: 

  • the organisation and description of information management,
  • the interoperability of information resources,
  • the implementation of the interoperability of information systems,
  • the implementation of technical APIs and viewing access, and
  • the implementation of information security.

For more information about organising information management, see step 3 of the operating model.

More detail has been added to the provisions of the Act in decrees on documents subject to security classification (Government Decree on the Security Classification of Documents in Central Government 1101/2019), the activities of the Information Management Board (Government Decree on the Public Administration Information Management Board 1338/2019), and the procedure for issuing statements on changes in information management applicable to central government authorities (Government Decree on Statement Procedure for Information Management Changes 1301/2019).

An Information Management Board of Public Administration was established pursuant to this Act. The task of this Board operating in conjunction with the Ministry of Finance is to assess and steer information management by State agencies and municipalities.

Source: Ministry of Finance, Public Information Management Act

The General Data Protection Regulation and the Data Protection Act

The most important factor restricting data sharing is the protection of personal data. The cornerstone of the legislation on processing personal data and data protection is the General Data Protection Regulation of the European Union, or Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. Please note that the General Data Protection Regulation is an extensive and significant piece of legislation that cannot be discussed exhaustively in this context. 

The GDPR has been supplemented with the national Data Protection Act (1050/2018), which defines the tasks and competence of the Data Protection Ombudsman and lays down more detailed provisions on certain special situations, including the processing of personal data for journalistic, artistic or scientific purposes, and the processing of personal identity codes.

The General Data Protection Regulation (GDPR) imposes strict requirements for the collection, storage and control of personal data on companies and organisations. These requirements apply both to European organisations that process personal data concerning persons in the EU and to non-EU organisations that process data concerning persons residing in the EU.

Personal data are information concerning an identified or identifiable natural person which may include their name, personal identity code, address, internet protocol address, passport number or income information. However, it may be possible to anonymise data and datasets, for example by technical measures, ensuring that they no longer contain any personal data.

Under the GDPR, personal data must be processed lawfully, fairly, and transparently. Personal data must be accurate and, where necessary, kept up to date. The GDPR also lays down provisions on the data subject's right to demand rectification of incorrect personal data concerning them.

Under the GDPR, the processing of personal data always requires a legal basis for the processing. Personal data may only be collected for a specific, explicit, and legal purpose. The processing of personal data may be possible not only for a specified purpose but also for a purpose that is considered compatible with the original purpose. The processing must also be lawful from the perspective of other data protection provisions; a compatible purpose does not entitle the controller to deviate from other data protection provisions. You can read more about the purpose-related limitation of the processing of personal data on the website of the Office of the Data Protection Ombudsman.

The data processor must ensure that their data processing meets one of the criteria set out in the GDPR, which are:

  • the consent of the data subject,
  • a contract to which the data subject is party, or if the personal data processing measures preceding said contract were carried out at the request of the data subject,
  • the fulfilment of a legal obligation,
  • the protection of the data subject's vital interests,
  • the exercise of official authority or performing a task carried out in the public interest, or
  • the legitimate interest of the controller.

The processing of personal data is regulated under a national act, which defines how and for what purpose each type of data can be processed. Guidance on this matter is also provided by the practice of the parliamentary Constitutional Law Committee. Please note that the regulation that provides the legal basis for the processing of personal data may also be included in some other act, rather than being laid down in its own piece of legislation. The entry into force of the General Data Protection Regulation has consequently led to the passing of a great deal of special national legislation.

Personal data must be processed in a manner that is sufficiently secure and protected. Various measures should be taken to prevent unauthorised or unlawful access to the data and to avoid accidental destruction or loss of the data. For more information about these measures, see the GDPR. The measures detailed in regulation concerning data protection and information security have become increasingly similar.

The GDPR obliges organisations that process personal data on a large scale to appoint a data protection officer (mandatory in public administration), whose task is to provide advice on different data protection issues and supervise the processing of personal data. For more information on the designation and tasks of a data protection officer, see the website of the Office of the Data Protection Ombudsman.

Data Governance Act (DGA)

The aims of the EU’s Data Governance Act 2022/868 include increasing the availability, interoperability, and reusability of data held by authorities, as well as creating a common framework for the mobility of official data within the EU.

The Data Governance Act applies to public sector bodies that are in possession of data covered by the Act. However, the Act does not apply to the exchange of information between authorities, i.e. situations where data that is in the possession of an authority is made available to another authority.

With regard to the Data Governance Act, public sector organisations must take care of the following factors:

1. Identify whether your organisation falls within the scope of the Data Governance Act.

The Data Governance Act covers public sector bodies that are State, regional or local authorities, bodies governed by public law or associations formed by one or more such authorities, or one or more such bodies governed by public law (see Article 2(17) of the Data Governance Act). 

Public companies are not public sector bodies as referred to in the Act.

2. Identify the types of data that the Data Governance Act applies to.

The Data Governance Act applies to data categories protected on the following grounds:

  • commercial confidentiality, including business, professional and company secrets;
  • statistical confidentiality;
  • the protection of intellectual property rights of third parties; or
  • the protection of personal data, insofar as such data fall outside the scope of Directive (EU) 2019/1024

Please note that the following data categories are not covered by the Data Governance Act:

  • data held by public undertakings;
  • data held by public service broadcasters and their subsidiaries, and by other bodies or their subsidiaries for the fulfilment of a public service broadcasting remit;
  • data held by cultural establishments and educational establishments;
  • data held by public sector bodies which are protected for reasons of public security, defence or national security; or
  • data the supply of which is an activity falling outside the scope of the public task of the public sector bodies concerned as defined by law or by other binding rules in the Member State concerned, or, in the absence of such rules, as defined in accordance with common administrative practice in that Member State, provided that the scope of the public tasks is transparent and subject to review.

3. In the Suojattudata service, describe the datasets of your organisation that are covered by the Data Governance Act.

  • Information describing the dataset, including the format and size of the data
  • The dataset’s location data
  • Terms and conditions of reuse, including information on any charges and their justification
  • Where and how to apply for a reuse permit

In other words, the Data Governance Act obliges public sector bodies to provide information in a national central data point (Suomi.fi Suojattudata) on how and under what conditions the data held by the organisation and covered by this Act can be accessed.

The Suomi.fi Suojattudata service is a national central data point that describes the datasets of different public administration organisations. It can be used to search for datasets and view a summary of all datasets covered by the Data Governance Act. The service contains descriptions of all available official data, including the format and size of the data and the conditions for its reuse. The Digital and Population Data Services Agency is responsible for developing the service.

Statistics Finland is responsible for supporting the reuse of protected data in Finland. You can read more about Statistics Finland’s role on its website (available in Finnish).

The Data Governance Act is binding in itself and must be applied in all respects throughout the EU. The regulation entered into force on 24 September 2023.

Act on the Secondary Use of Health and Social Data (Secondary Use Act)

A separate Act on the Secondary Use of Social and Health Data (also known as the Secondary Use Act, 552/2019) has been passed in Finland. The objective of the Secondary Use Act is to enable the efficient and secure processing of personal data stored for the purposes of steering, control, research and compilation of statistics in the social welfare and health sector. The aims of the Act also include safeguarding individuals’ legitimate expectations as well as rights and freedoms related to the processing of personal data. The secondary use of health and social data means that the client and register data created in the course of health care and social welfare activities are used for purposes other than the primary reason for which they were originally stored.

The Finnish Social and Health Data Permit Authority Findata was established on the basis of the Secondary Use Act. The Data Permit Authority issues data permits when data held by several different controllers, data stored in Kanta services or the register data of a private social welfare and health care service provider are needed. Findata offers controllers who possess the datasets an advisory service, support for preparing metadata descriptions, an anonymisation service and a permit processing service on behalf of controllers. Source and additional information on the website of the Ministry of Social Affairs and Health.

Archives Act

The Archives Act (831/1994) lays down provisions on archiving and its organisation as well as the obligations of records creators. Archiving activities form part of the data life cycle management process, and archiving needs must be taken into account in data management whenever necessary. The Archives Act also contains further provisions on the preparation, preservation and use of documents.

The Archives Act applies quite extensively to different public administration actors, who are referred to as records creators in the Act. The records creator must determine how the responsibility for and the planning and practical management of its archive activities are arranged. The requirements of the archive services must be addressed in the records creator’s information and document management. 

The records creator must define the storage periods and methods for the documents accumulated as a result of the performance of their tasks and maintain a filing system for them. The National Archives of Finland determines which documents and information related to them must be preserved permanently.

Data sharing obligations

This section provides a concise description of key obligations related to sharing public administration data in Finland.

General legislation

General legislation contains general provisions on certain activities, such as data sharing, to which detail is added in special legislation.

Directive on open data and the re-use of public sector information

The aim of the EU's Directive on open data (EU) 2019/1024 is to promote the reuse of public sector data for commercial and non-commercial purposes. The directive concerns the practices and procedures of data reuse, such as document charges and reuse licences. The directive is based on national regulations on access to documents, which it does not affect. Thus, the directive does not create exceptions or changes to what is nationally regulated regarding the public disclosure or confidentiality of official documents.

The directive was implemented nationally in July 2021 (see HE 74/2021 vp). Regarding public authorities, amendments were made to the Public Information Management Act (710/2021) and the Act on the Openness of Government Activities (711/2021). The most important regulation regarding the directive is contained in section 19, subsection 2, and sections 24 a and 24 b of the Public Information Management Act, and section 34 of the Act on the Openness of Government Activities.

Based on the directive, the European Commission defined so-called high-value datasets in the implementing regulation issued in December 2022. High-value datasets are documents that are within the scope of the directive and have particular value. High-value datasets must be made available free of charge and in machine-readable form through APIs by 9 June 2024. You can read more about high-value datasets in step 4 of the operating model.

Interoperable Europe Act

On 18 November 2022, the Commission issued a proposal for a regulation of the European Parliament and of the Council on measures to achieve a high level of public sector interoperability in the Union (Interoperable Europe Act, COM/2022/720 final). The Commission's proposal aims to establish an interoperability governance structure and create an ecosystem of interoperability solutions for the EU’s public sector. Better interoperability enables a more efficient and secure data exchange to provide seamless cross-border public services. In this way, the EU's internal market is developed and the realisation of the rights included in the basic treaties is strengthened.

Special legislation

Special legislation supplements and adds detail to general legislation. The following section describes special legislation relevant to data sharing concerning spatial, forest and transport data.

Legislation on spatial data and INSPIRE Directive

The EU’s INSPIRE Directive (2007/2/EC), which aims to improve the use of spatial data, increase cooperation between authorities and create diverse services for the public, was adopted in 2007. In Finland, provisions implementing the INSPIRE Directive are laid down in the Spatial Data Infrastructure Act (421/2009) and the Spatial Data Infrastructure Decree (725/2009).

Legislation on forest data

In 2018, an amendment to the Forest Information Act stemming from a change in EU environmental directives was passed. This meant providing open access to most of the data collected by the Finnish Forest Centre in electronic format.

Act on the Forest Information System of the Finnish Forest Centre (in Finnish)

Legislation on transport data and ITS Directive

The ITS Directive (2010/40/EU), which contains rules on the deployment of intelligent transport systems in road transport and interfaces with other modes of transport, was adopted in 2010. The delegated acts have entered into force gradually from 2013 onwards. A specific report has been prepared on the national implementation of the ITS Directive (pdf, in Finnish).

The Act on Transport Services (320/2017), which contains provisions on the interoperability of data and information systems as well as the deployment of intelligent transport systems related to the ITS Directive, was passed in 2017.

Support materials on the topic

This section contains support material related to the topics discussed in this step.

Training courses on the data.europa.eu website:

Training courses on the eOppiva website in Finnish: