Navigation path

Action 11 in Finland flag Finland

In accordance with Data Protection Directive 95/46/EC, Member States will enable citizens to have electronic access to those personal data that are held on them when available electronically and will inform them electronically whenever such data are being processed by automatic means, in a simple and unambiguous manner.

Indicator Status Evidence
Under the existing Directive (95/46/EC), does your legislation give your citizens right to have electronic access to their personal data that are held by the third parties in the electronic form? Yes Partly. Some data is available, but next step is to build one stop shop to check personal information.
Under the existing Directive (95/46/EC), does your legislation give your citizens right to be informed electronically whenever their personal data are processed by automatic means? No Some explanation for this. The question suggest that a citizen should be informed by automatic means whenever (=everytime)their personal data is processed in some register. No, we do not have a such system. (There probably would be huge amout of notifications if they would be automatic). Yet, a citizen may ask and has legal right to be informed various aspects of his/her personal data processing. But it is not automatic. Th Finnish Personal Data Act (523/1999) http://www.finlex.fi/fi/laki/kaannokset/1999/en19990523.pdf says following (Note: "controller" in following text refers to any organization/entity which is owner and manager of a register that contains personal data): Section 24 — Information on the processing of data When collecting personal data, the controller shall see to that the data subject can have information on the controller and, where necessary, the representative of the controller, on the purpose of the processing of the personal data, on the regular destinations of disclosed data, as well as on how to proceed in order to make use of the rights of the data subject in respect to the processing operation in question. This information shall be provided at the time of collection and recording of the data or, if the data are obtained from elsewhere than the data subject and intended for disclosure, at the latest at the time of first disclosure of the data. The duty of providing information, referred to above in paragraph (1), may be derogated from: (1) if the data subject already has the relevant information; (2) if this is necessary for the protection of national security, defence or public order or security, for the prevention or investigation of crime or for carrying out the monitoring function pertaining to taxation or the public finances; or (3) where the data are collected from elsewhere than the data subject, if the provision of the information to the data subject is impossible or unreasonably difficult, or if it significantly damages or inconveniences the data subject or the purpose of the processing of the data and the data are not used when making decisions relating to the data subject, or if there are specific provisions in an Act on the collection, recording or disclosure of the data.” In paragraph 1 of section 26 it is stated that “Regardless of secrecy provisions, everyone shall have the right of access, after having supplied sufficient search criteria, to the data on him/her in a personal data file, or to a notice that the file contains no such data. The controller shall at the same time provide the data subject with information of the regular sources of data in the file, on the uses for the data in the file and the regular destinations of disclosed data. Where an automated decision referred to in section 31 is involved, the data subject shall also have the right of access to information on the operating principles of the pertinent automatic processing of data.” In practice this means that citizens have to be provided information regarding the processing of their personal data (weather processed manually or by automatic means). This information (described in sections 10, 24) and 26) is usually given on the website of the controller of personal data but there is no separate electronic notice every time the data is processed. As a main rule data subject has a right of access to his personal data that has been registered as stated in section 26.