The Finnish Data Protection Authority (the Office of the Data Protection Ombudsman) has the power to investigate complaints and cases (including requesting documents and making on-the-spot investigations); issue non-binding advice; submit matters to the Data Protection Board for prohibition; submit criminal cases to the public prosecutor, and to order the suspension of processing and/or transfer of data, as well as the destruction of data and other similar actions; these orders can be appealed to the courts.
Individuals can file complaints with the authority, and can seek a judicial remedy for violations of the law.
Serious breaches are classified as “personal data file crimes”, and are punishable by up to 1 year imprisonment. Less serious breaches are classified as “personal data violations” and are punishable only by fines.
Directors, officers or employees may be liable to compensate their employer for damages that the employer incurs and may also be subject to criminal charges.
Selected Enforcement Actions / General Comments
There is limited case law in Finland related to breach of the data privacy regulation. In its case 1998:85, the Supreme Court regarded a disclosure (sale) of a personal data file to another company for a different purpose of use as an infringement of the privacy of data subjects and found the representatives of the company guilty of infringing the law (criminal liability). According to the Supreme Court, infringing the privacy of a data subject in itself constitutes damage or injury. As the Finnish Data Protection Authority has no authority to impose fines, the Finnish enforcement is mainly based on correcting violations by giving guidance and advice to the data controller.