The most important factor restricting data sharing is the protection of personal data. The cornerstone of the legislation on processing personal data and data protection is the General Data Protection Regulation of the European Union, or Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. Please note that the General Data Protection Regulation is an extensive and significant piece of legislation that cannot be discussed exhaustively in this context.
The GDPR has been supplemented with the national Data Protection Act (1050/2018), which defines the tasks and competence of the Data Protection Ombudsman and lays down more detailed provisions on certain special situations, including the processing of personal data for journalistic, artistic or scientific purposes, and the processing of personal identity codes.
The General Data Protection Regulation (GDPR) imposes strict requirements for the collection, storage and control of personal data on companies and organisations. These requirements apply both to European organisations that process personal data concerning persons in the EU and to non-EU organisations that process data concerning persons residing in the EU.
Personal data are information concerning an identified or identifiable natural person which may include their name, personal identity code, address, internet protocol address, passport number or income information. However, it may be possible to anonymise data and datasets, for example by technical measures, ensuring that they no longer contain any personal data.
Under the GDPR, personal data must be processed lawfully, fairly, and transparently. Personal data must be accurate and, where necessary, kept up to date. The GDPR also lays down provisions on the data subject's right to demand rectification of incorrect personal data concerning them.
Under the GDPR, the processing of personal data always requires a legal basis for the processing. Personal data may only be collected for a specific, explicit, and legal purpose. The processing of personal data may be possible not only for a specified purpose but also for a purpose that is considered compatible with the original purpose. The processing must also be lawful from the perspective of other data protection provisions; a compatible purpose does not entitle the controller to deviate from other data protection provisions. You can read more about the purpose-related limitation of the processing of personal data on the website of the Office of the Data Protection Ombudsman.
The data processor must ensure that their data processing meets one of the criteria set out in the GDPR, which are:
- the consent of the data subject,
- a contract to which the data subject is party, or pre-contractual measures carried out at the request of the data subject,
- the fulfilment of a legal obligation,
- the protection of the data subject's vital interests,
- the exercise of official authority or performing a task carried out in the public interest, or
- the legitimate interest of the controller.
The processing of personal data is regulated under a national act, which defines how and for what purpose each type of data can be processed. Guidance on this matter is also provided by the practice of the parliamentary Constitutional Law Committee. Please note that the regulation that provides the legal basis for the processing of personal data may also be included in some other act, rather than being laid down in its own piece of legislation. The entry into force of the General Data Protection Regulation has consequently led to the passing of a great deal of special national legislation.
Personal data must be processed in a manner that is sufficiently secure and protected. Various measures should be taken to prevent unauthorised or unlawful access to the data and to avoid accidental destruction or loss of the data. For more information about these measures, see the GDPR. The measures required by data protection regulation and by information security regulation have become increasingly similar.
The GDPR obliges organisations that process personal data on a large scale to appoint a data protection officer (mandatory in public administration), whose task is to provide advice on different data protection issues and supervise the processing of personal data. For more information on the designation and tasks of a data protection officer, see the website of the Office of the Data Protection Ombudsman.