
The Personal Data Act

Original Language Title: Henkilötietolaki


Personal data law


In accordance with the decision of the Parliament:

Chapter 1

General provisions

ARTICLE 1
Purpose of the law

The purpose of this law is to ensure the protection of privacy and of the other fundamental rights that safeguard privacy in the processing of personal data, and to promote the development and application of good data processing.

ARTICLE 2
Scope

Personal data shall be processed in accordance with the provisions of this Act, unless otherwise provided for by law.

This law shall apply to automatic processing of personal data. This law shall also apply to other processing of personal data where personal data are or are intended to form a personal register or part thereof.

This law shall not apply to the processing of personal data by a natural person exclusively for his or her personal or comparable private purposes.

Paragraph 4 has been repealed by L 3.12.2010/1049.

Articles 1 to 4 and 32, Article 39 (3), Article 40 (1) and (3), Article 42, Article 44 (2), Articles 45 to 47, 48 (2), 50 and 51 shall apply mutatis mutandis to the processing of personal data for the purposes of artistic or literary expression, subject to Article 17.

ARTICLE 3
Definitions

For the purposes of this law:

(1) personal data means any form of labelling of a natural person or of his/her characteristics or living conditions which may be identified for contact with him or his family or with him in the common household;

(2) processing of personal data means the collection, storage, organisation, use, transfer, transfer, storage, storage, alteration, consolidation, protection, destruction, destruction and other measures on personal data;

(3) personal register means a set of data containing personal data, which is processed partly or wholly by means of automated data processing, or arranged as a card index, catalogue or in any other comparable way so that information on a given person can be found easily and without undue expense;

(4) controller means one or more persons, entities, institutes or foundations for which a register of persons is to be established and which has the right to determine the use of a register of persons or to whom the registration has been laid down by law;

(5) data subject means the person concerned by the personal data;

(6) bystander (third party) means any other person, entity, body or foundation other than the data subject, the controller, the personal data handlers or those processing personal data on behalf of the latter;

(7) consent means the expression of all forms of voluntary, individualised and informed consent to the processing of their personal data. (11.5.2007)

Paragraphs 8 to 9 have been repealed by L 11.5.2007.

§ 4
Application of Finnish law

This law shall apply to the processing of personal data in which the controller is located in the territory of Finland or otherwise within the Finnish jurisdiction.

This law shall also apply where the controller does not have a seat in the territory of the Member States of the European Union, but the controller uses equipment for the processing of personal data in Finland for purposes other than only data transmission through this area. In this case, the controller shall designate a representative in Finland.

Chapter 2

General principles for the processing of personal data

§ 5
A duty of care

The controller must deal with the personal data legally, exercise due diligence and good data processing, as well as any change in such a way that the privacy of the data subject and other fundamental rights to protect privacy are not restricted without a legal basis. The same shall be the responsibility of any self-employed or operator acting on behalf of the controller.

ARTICLE 6
Processing of personal data

The processing of personal data shall be objectively justified for the activities of the controller. The purpose of the processing of personal data, as well as the regular supply of personal data and the regular supply of personal data, shall be defined prior to the collection or compilation of personal data. The purpose of the processing of personal data shall be determined in such a way as to indicate the type of data to be processed in order to carry out the tasks of the controller.

§ 7
Functionality

Personal data may only be used or processed in a manner which is not incompatible with the purposes of the treatment referred to in Article 6. Any subsequent processing of personal data for historical or scientific or statistical purposes shall not be considered incompatible with the purposes of the original processing.

§ 8
General conditions of treatment

Personal data shall only be processed:

(1) with the consent of the data subject;

(2) on behalf of the data subject, or at the request of the data subject in order to implement the pre-contractual measures;

(3) where the treatment in an individual case is necessary for the protection of the vital interest of the data subject;

(4) if the treatment is provided for by law, or if the treatment is caused by a function or obligation imposed by law or under the law;

(5) where the data subject is linked to the activities of the controller, due to a client or employment, membership or any other comparable relationship (contact requirement);

(6) in the case of information on the clients or employees of the group or any other economic association, and this information is processed within that consortium;

(7) where the processing is necessary for the payment service, data processing or other comparable tasks carried out on behalf of the controller;

(8) in the case of publicly available information on the status, functions and treatment of a person in a public body or business, and that information shall be handled by the controller or the person in receipt of the information Protection; or

(9) if the Data Protection Board has authorised the authorisation referred to in Article 43 (1).

The release of personal data may take place pursuant to paragraph 1 (5) only if the transfer of personal data is a normal part of the exercise of the activity in question, provided that the purpose for which the information is disclosed is not incompatible with the purpose of the processing of personal data and that the data subject may be expected to know of such disclosure of personal data.

The processing of sensitive personal data and identification numbers is laid down in Chapter 3. The processing of personal data for specific purposes is laid down in Chapter 4.

The right to information and any other transfer of personal data from the authority's personal register shall be valid for the public authorities' documents.

§ 9
Principles of data quality

Processed personal data shall be necessary for the purpose of the processing of personal data (the requirement of necessity).

The controller shall ensure that personal data which are inaccurate, incomplete or out of date are not processed (correctness requirement). When assessing the obligation of the controller, account shall be taken of the purpose of the processing of personal data and the importance of processing to the privacy of the data subject.

ARTICLE 10
Licence report

The controller shall draw up a registration document from the personal register, indicating:

(1) the name and contact details of the controller and, where applicable, his representative;

(2) the purpose of the processing of personal data;

(3) a description of the group or groups registered and the data or groups of data relating thereto;

(4) where information is regularly disclosed and transferred outside the European Union or the European Economic Area; and

(5) a description of the principles of the protection of the register.

The controller shall keep the record sheet available to each person. This obligation may be waived if it is necessary for reasons of public security, defence or public order and public security, for the prevention or detection of criminal offences, or because of the supervisory function relating to taxation or public finances.

Chapter 3

Sensitive data and identification number

ARTICLE 11
Prohibition of processing sensitive information

Processing of sensitive personal data is prohibited. Personal data shall be regarded as sensitive information describing or intended to describe:

(1) racial or ethnic origin;

(2) a person's social, political or religious affiliation or membership of a trade union;

(3) criminal acts, penalties or other criminal penalties;

(4) the health, sickness or disability of the person or treatment measures or comparable measures against him;

(5) the sexual orientation or behaviour of a person; or

(6) the need for social care of a person or the provision of social care services, support measures and other social welfare benefits.

ARTICLE 12
Derogations from the ban on processing sensitive information

Article 11 shall not preclude:

(1) the processing of data with the express consent of the data subject;

(2) the processing of information relating to the social, political or religious beliefs of a person or a trade union belonging to a trade union which has been made public by its registered office;

(3) the processing of data necessary for the protection of the vital interest of the data subject or another person if the data subject is prevented from giving its consent;

(4) the processing of data necessary for the establishment, presentation, defence or resolution of the legal claim;

(5) the processing of data which is provided for by law or is directly attributable to the controller as provided for by law;

(6) processing of data for historical or scientific purposes or for statistical purposes;

(7) the processing of information on religious, political or social convictions in the activities of associations and other entities representing such convictions, where such information relates to members of such associations or entities or to persons who have regular contacts with them, and the information is not disclosed without the consent of the data subject;

(8) the processing of information on the membership of the trade union in the activities of the trade unions and their union, where the information relates to the members of such organisations or to persons who have regular connections with the organisations for the purposes of the organisations, and the data are not disclosed to bystanders without the consent of the data subject;

(9) the processing of information on the membership of the trade union which is necessary to comply with the specific rights and obligations of the controller in the field of labour law;

(10) health care unit or healthcare professional from processing the information received by them in this activity on the state of health, illness or disability, or on the treatment or otherwise of him; Information necessary for the treatment of the data subject;

(11) information received from the insurance institution concerning the state of health, illness or disability of the applicant and the applicant, or of the measures or measures to be taken against him or any of them, or Information on the criminal act, penalties or other criminal penalties of the insured person, the claimant or the injured party, which are necessary in order to ascertain the liability of the insurance institution;

(12) any authority, institution or private social service provider granting social assistance or other social assistance benefits from processing information obtained by that authority, institution or service provider in its activities; The need for a registered social service or any other information necessary for the provision of social services, support measures or other benefits to him or any other data subject granted to the data subject; or

(13) the processing of data by the Data Protection Board in accordance with Article 43 (2).

Sensitive information shall be deleted from the register immediately following the absence of the criterion mentioned in paragraph 1. The justification and the need for treatment shall be evaluated at least every five years, subject to the law of the Data Protection Board referred to in paragraph 1 (13).

ARTICLE 13
Personal identification code

The personal identification code may be processed with the explicit consent of the data subject or if the processing is provided for by law. In addition, a personal identification code may be processed if the unambiguous identification of the data subject is important:

(1) for the purpose of carrying out the statutory task;

(2) the rights and obligations of the data subject or of the controller; or

(3) for historical or scientific research or for statistical purposes.

The identification code may be processed in the context of lending or recovery, insurance, credit institutions, payment services, rental and lending activities, credit information, health care, social services and other social security schemes, or in matters relating to employment, employment and other service and related benefits. (30.4.2010/294)

In addition to what is provided for in paragraphs 1 and 2, the identification number shall be disclosed for the purposes of updating the address data or for the processing of multiple-mail items, if the identification number is already available to the transferee.

The controller shall ensure that the identification code is not unnecessarily marked on documents printed or drawn up on the basis of the register of persons.

Chapter 4

Processing of personal data for specific purposes

ARTICLE 14
Research

For historical or scientific research, personal data may be processed on grounds other than those provided for in Article 8 (1), if:

(1) research cannot be carried out without information on the identification of a person, and where the consent of the data subjects is not possible due to the high number of data, the age of the data or any other reason;

(2) the use of the register of persons is based on an appropriate research plan and is carried out by a responsible director or a responsible group;

(3) the personal data register is used and disclosed for personal data only for historical or scientific purposes, as well as changes in such a way that information on a given person is not disclosed to third parties; and

(4) the register of persons is disposed of or transferred to archives or changed to such a form that the object of the information is not identifiable when the personal data is no longer necessary for the purpose of carrying out the study or its results; In order to ensure an appropriate level.

Paragraph 1 (3) shall not apply where, in view of the age and quality of the data recorded in the personal register, the procedure referred to therein is manifestly unnecessary.

Paragraph 1 shall apply mutatis mutandis where the processing of personal data is based on Article 8 (1).

§ 15
Statistics

For statistical purposes, personal data may be processed on grounds other than those provided for in Article 8 (1), if:

(1) the statistics cannot be produced or the need for information to be carried out without the processing of personal data;

(2) the production of the statistics falls within the competence of the controller; and

(3) the statistical register shall be used for statistical purposes only and shall not be disclosed in such a way that a particular person is identifiable if the information is not disclosed for the purposes of the public record.

ARTICLE 16
Planning and winding up of the authority

For the purposes of planning and clearing, the Authority may collect and deposit personal data in the personal register of the Authority in accordance with Article 8 (1), in accordance with Article 14, where applicable.

§ 17
Human-matricle

On the basis of the criteria laid down in Article 8 (1), the personal data register shall be collected and stored in the register of persons other than those provided for in Article 8 (1), as well as for the spouse and the registered children and parents for the purpose of the register The necessary identification data, the identity of the identity of the registrant on the basis of the identity of the person, and the relevant information and contact details for contact, unless the data subject has not prohibited the collection of data relating to him/her; and Deposit.

"Personal data" means a publication in which the registrant has a particular profession or training, membership of employment or other Community membership, or position or achievements in the field of culture, sport, economic or other social life; or Any other such circumstance.

For the purpose of the register of persons referred to in paragraph 1, the identity register shall be obtained from the register of persons, which, under paragraph 1, shall have the right to collect and deposit in such a register, unless the data subject has not prohibited the Extradition.

ARTICLE 18
Genealogical research

On the basis of the criteria laid down in Article 8 (1), the identity of the person belonging to the family shall be collected and stored on the basis of the identity of the person in brackets other than those laid down in Article 8 (1), and the identification details necessary for the purpose of the register As well as other personal data relevant to the family study and contact details for contact, unless the data subject has not prohibited the collection and storage of data relating to him.

For the purposes of the register of relatives referred to in paragraph 1, the identity register shall be obtained from the register of persons who, under paragraph 1, shall have the right to collect and deposit in such a register, unless the data subject has not prohibited the Extradition.

§ 19
Direct marketing and other addresses

On the basis of the criteria laid down in Article 8 (1), direct advertising, distance selling or other direct marketing, public opinion or market research, or any other person's register of such addresses may, other than those provided for in Article 8 (1), Collect and deposit personal data, unless the data subject has prohibited such collection and storage of personal data if:

(1) the personal register shall be used in advance for the purposes of identification and duration of a short-term marketing operation or for any other operation referred to in this paragraph and, in the light of its information content, does not endanger the privacy of the data subject;

(2) the identity register only contains information on the name, value or profession of the data subject, age, gender and mother tongue, one person to be connected to him, and contact details for contact; or

(3) the register shall contain information on the functions and status of the data subject in the course of the business or public function and shall be used for the transmission of information related to his/her duties.

For the purposes referred to in paragraph 1, the person from the register of persons shall be able to supply or dispose of the information referred to in Article 1 (2), unless the data subject has not prohibited the transmission of the data and, if it is obvious that: The data subject is aware of such disclosure.

ARTICLES 20 TO 21

Articles 20 to 21 have been repealed by L 11.5.2007.

Chapter 5

Transfer of personal data outside the European Union

§ 22
General conditions

Personal data may be transferred outside the territory of the Member States of the European Union or of the European Economic Area only if that country guarantees an adequate level of data protection.

The adequacy of data protection shall be assessed taking into account the nature of the data, the purpose and duration of the planned treatment, the country of origin and the final destination, the general and sectoral legal rules in force in the country concerned and the Code of Conduct and the security measures to be followed.

§ 22a (24.11.2000)
Commission decisions

Personal data may be transferred outside the territory of the Member States of the European Union or of the European Economic Area in so far as the Commission of the European Communities has concluded, in accordance with Article 3 and Article 25 (6) of Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, hereinafter referred to as 'the IT Directive', that a sufficient level of data protection is ensured in that country.

Personal data may not be transferred outside the territory of the Member States of the European Union or of the European Economic Area, in so far as the Commission has concluded, in accordance with Article 3 and Article 25 (4) of the Personal Data Protection Directive, that Adequacy of data protection.

ARTICLE 23
Derogation criteria

However, where the transfer is not possible pursuant to Article 22 or 22a, personal data may be transferred if: (24.11.2000)

(1) the data subject has given its unambiguous consent to the transfer;

(2) the transfer is necessary for the purpose of the data subject or for the execution of an agreement between the data subject and the controller or the application of the pre-contractual measures at the request of the data subject;

(3) the transfer is necessary for the conclusion or implementation of an agreement in the interest of the data controller and the bystander;

(4) the transfer is necessary to protect the vital interest of the data subject;

(5) the transfer is necessary or required by law in order to safeguard the overriding public interest or to establish, present, defend or resolve the legal claim;

(6) the transfer shall be made from a register which is expressly provided for by general or specific criteria; (24.11.2000)

(7) the controller, in accordance with Article 3 and Article 26 (3) of the Personal Data Protection Directive, provides sufficient guarantees concerning the protection of the privacy and rights of persons; or, in accordance with Article 26 (3) of the Personal Data Directive; or (24.11.2000)

(8) the transfer takes place using the model contract clauses approved by the Commission as referred to in Article 26 (4) of the Personal Data Directive. (24.11.2000)

Chapter 6

Registered rights

§ 24
Inform information processing

When collecting personal data, the controller shall ensure that the data subject is able to obtain information on the controller and, where appropriate, his representative, the purpose of the processing of personal data, and where the information is normally provided, as well as the information necessary for the exercise of the rights of the data subject in the relevant processing of personal data. The information shall be provided in the collection and storage of personal data or, where the information is sourced from a data source other than the data subject itself and the data are to be disclosed, at the latest when the data are released.

The reporting obligations laid down in paragraph 1 may be waived:

(1) where the data subject has already received this information;

(2) where it is necessary for reasons of State security, defence or public order and security, for the prevention or detection of criminal offences or for reasons of fiscal or fiscal control; or

(3) when collecting data from a non-registered person, where the provision of information to the data subject is impossible or requires excessive effort, or causes material injury or inconvenience to the data subject or data processing; and The data to be deposited shall be used for the purposes of the decision to register, or where the collection, storage or disposal of the data is explicitly provided for.

ARTICLE 25
Inform handling of data in certain cases

Paragraphs 1 to 2 have been repealed by L 11.5.2007.

For the purpose of advertising, distance selling and other direct marketing, as well as a market and opinion poll, and any other similar address, for which the name and contact details of the person were obtained from the personal register, shall indicate the name, the controller and the contact details of the personal data register used for the acquisition. Information corresponding to telephone sales shall be provided upon request.

§ 26
Right of access

Without prejudice to the provisions of confidentiality, each person shall have the right to seek information, after having informed him of the information relating to him in the register of persons, or that there is no information on him in the register. At the same time, the controller shall inform the data subject of the proper data sources of the register and the registry's data to be used and regularly disclosed. In the case of automated decision-making within the meaning of Article 31, the data subject shall also be entitled to information on the operating principles of automatic processing.

Paragraph 2 has been repealed by L 11.5.2007.

The controller may charge compensation for the provision of information only if less than one year has elapsed since the person concerned last had access to the register. The compensation to be recovered shall be reasonable and shall not exceed the direct cost of providing information.

§ 27
Restrictions on the right of access

The right of scrutiny referred to in Article 26 shall not exist if:

(1) the provision of information could harm State security, defence or public order and security, or harm the prevention or detection of criminal offences;

(2) the provision of information could constitute a serious risk to the health or treatment of the data subject or to any other rights;

(3) personal data in the register shall be used exclusively for historical or scientific research or for statistical purposes; or

(4) the personal data contained in the register shall be used for the purposes of supervision and control and failure to provide information is necessary to safeguard the important economic or financial interests of Finland or the European Union.

If only a part of the data relating to the registration is excluded from the right of scrutiny under paragraph 1, the data subject shall be entitled to know the other information about him.

ARTICLE 28
Implementation of the right of inspection

Anyone who wishes to inspect self-information as referred to in Article 26 shall submit such a request to the controller in a duly signed or equivalent document, signed or equivalent to the controller. With the controller.

Without undue delay, the controller shall provide the data subject with the information referred to in Article 26 or provide information in writing on request. The information shall be provided in a comprehensible form. If the controller refuses to provide information, he shall issue a written certificate. The certificate shall also specify the reasons for the refusal of the right to inspect. The refusal to grant a right of access shall be regarded as taxable in the absence of a written reply from the controller within three months of the date of the request. The data subject may refer the matter to the Data Protection Supervisor.

Anyone who wants to know what information about him has been deposited with the health authority or the institution, medical or dental practitioner, or any other health care professional, personal data on the state of health or disease Shall make a request for the exercise of its right of inspection to a doctor or another healthcare professional who provides for the acquisition of information with the consent of the data subject and to provide this information in the register Labelling. The procedure for implementing or refusing the right to check shall be in force, as provided for in paragraph 2.

§ 29
Correction of information

Without undue delay, the controller shall, on his own initiative or at the request of the data subject, rectify, delete or supplement the data in the register which is incorrect, incorrect, incomplete or out of date Personal data. The controller shall also prevent the dissemination of such information if the information may jeopardise the privacy of the data subject or his rights.

If the controller does not accept the data subject's request for the correction of the data, he shall issue a written certificate. The certificate shall also state the reasons for which the claim has not been accepted. The data subject may refer the matter to the Data Protection Supervisor.

The controller shall report any correction of the information to the person to whom the controller has given up or from whom the controller has received an incorrect personal information. However, there is no obligation to notify if it is impossible to disclose or require a disproportionate effort.

ARTICLE 30
Right to ban

The registrant shall have the right to prohibit the controller from processing information relating to him himself on direct advertising, distance selling and other direct marketing, as well as market and opinion polls, as well as for personal matricular and genealogical research.

ARTICLE 31
Automated decision

The adoption of a decision for the assessment of certain characteristics of the data subject, which takes place only on the basis of automated data processing, and which results in legal effects for the data subject or otherwise affects the data subject in a significant way, shall be permitted only if:

(1) is provided for by law; or

(2) a decision shall be taken in the context of the conclusion or implementation of the Agreement, provided that the protection of the rights of the data subject is ensured, or that the decision fulfils a request for the conclusion or implementation of the registered agreement.

Chapter 7

Security and storage of data

ARTICLE 32
Data protection

The controller shall take the necessary technical and organisational measures to protect personal data from unauthorised access to information and accidental or unlawful destruction, alteration, disclosure or any other illegal treatment. The implementation of measures shall take into account the available technical possibilities, the cost of the measures, the quality, quantity and age of the data processed and the importance of processing in terms of privacy.

Any self-employed trader acting on behalf of the controller or for whom the controller gives the information by means of a technical service shall, prior to the processing of the data, provide the controller with appropriate explanations and commitments and otherwise adequate safeguards for the protection of personal data within the meaning of paragraph 1. (11.5.2007)

§ 33
Professional secrecy

Any person who, in the course of carrying out the processing of personal data, has been informed of any other person's characteristics, personal circumstances or financial position, shall not, in breach of this law, be able to express his/her Information.

§ 34
Disposal of personal data

A personal register which is no longer necessary for the activities of the controller shall be destroyed unless the information stored therein is specifically provided for or ordered to be retained or if the register is not transferred to the archives within the meaning of Article 35.

ARTICLE 35
Transfer of personal data to archives

The use and protection of personal registries transferred to the repository or to the repository comparable to it, as well as the transmission of the information contained therein, shall be subject to the separate provision. However, in the event of the transfer of personal data from private registers, the archives or archives comparable to it shall take into account the provisions of this Act concerning the processing and transmission of personal data, unless it is entered in the register of personal data In view of the age and quality of the data recorded, the protection of privacy is obviously unnecessary.

A personal register which is relevant for scientific research or for any other reason may be transferred to the archives of a university or of an institution or authority carrying out the work as a statutory task if the National Archives has issued that authorisation. The National Archives may authorise the Community, the Foundation and the institution to transfer to their archives personal registers which have been established in their own activities and which comply with the above requirements. In its decision, the National Archives shall determine how the protection of the registers shall be organised and how the use of personal data must be monitored.

Before issuing an authorisation as referred to in paragraph 2, the National Archives shall have the opportunity to make an opinion.

Chapter 8

Notification to the Data Protection Supervisor

ARTICLE 36
Notification obligation

The controller shall inform the Data Protection Supervisor of the automatic processing of personal data by sending him a copy of the data.

In addition, the controller shall inform the Data Protection Supervisor:

(1) the transfer of personal data outside the territory of the Member States of the European Union or of the European Economic Area, where the information is transferred under Article 22 or on the grounds referred to in Article 23 (6) or (7) and is not provided for by the law; and

2) the introduction of a system of automated decision-making within the meaning of Article 31.

Any activity in the form of an economic activity or of a market or opinion, or of carrying out tasks relating to the selection and suitability of the staff for the selection and assessment of the suitability of the personnel or the processing of data, and in this activity, uses or processes the personal registries and the information contained therein shall be obliged to notify their activities to the Data Protection Supervisor. Obligation to make a declaration relating to the conduct of credit operations is laid down in the credit data law (19/2007). (11.5.2007)

The notification requirement referred to in paragraph 1 shall not be required if the processing of personal data is based on Article 8 (1) (1) to (3), paragraph 4, where the processing is governed by law, the customer or service relationship or membership referred to in paragraph 5, or paragraphs 6 or 9 or Article 12 (1) to (4), paragraph 5, if the processing is governed by law, or paragraphs 7 to 10, 12 or 13, or Articles 13 to 18 or 20. The notification requirement may also be waived, as provided for by the Regulation, where it is obvious that the processing of personal data is not an infringement of the privacy of the data subject or of his rights or freedoms.

§ 20 has been repealed by L 528/2007. See L data protection committee and the Data Protection Supervisor 389/1994 Article 5 and Credit Information L 527/2007 Article 38.

ARTICLE 37
Notification of notification

The notification referred to in Article 36 (2) (1) shall show, in addition to the information contained in the register, which types of data are transferred and how the transfer takes place.

The notification referred to in Article 36 (2) (2) shall indicate, in addition to the information contained in the register, the logic used in the system.

The notification referred to in Article 36 (3) shall indicate the trader's name, business, domicile and contact details, the identity registers and the types of information contained therein, the possible disclosure of information from the register and the storage period for the data deposited, how the protection of personal registers is organised and how their use is controlled.

Such notification shall be made in a timely manner, but not later than 30 days before the collection and recording of personal data intended for deposit on the identity register or any other measure liable to be notified.

Chapter 9

Control and control of personal data processing

ARTICLE 38
Data protection authorities

The Data Protection Supervisor shall provide guidance and advice on the processing of personal data, and shall supervise the processing of personal data in order to achieve the objectives of this Act and shall exercise the power of decision as provided for in this Act.

The Data Protection Board shall deal with issues of principle relevant to the scope of the law relating to the processing of personal data and exercise decision-making powers in the field of data protection as provided for in this Act.

Data protection authorities may exercise the powers referred to in this Chapter even when the processing of personal data is not subject to this law in accordance with Article 4. The Data Protection Authorities shall cooperate with the data protection authorities of the other Member States of the European Union and shall provide assistance where appropriate.

ARTICLE 39
Access to information and inspection by data protection authorities

The Data Protection Supervisor shall have the right, notwithstanding the confidentiality rules, to obtain information on the personal data to be processed and any information necessary to verify the lawfulness of the processing of personal data. The Data Protection Board shall have a similar right to deal with it.

The Data Protection Supervisor shall have the right to inspect personal registers and to use experts in the inspection. For the purposes of carrying out an inspection, the Data Protection Supervisor and the expert shall be entitled to access to the records held by the controller and his/her office in which personal data are processed or personal data held by the controller, and shall have access to the information and equipment necessary for carrying out the inspection. In the case of domestic disturbance, the inspection may only be carried out if, in the present case, there are identified grounds for suspecting that the provisions on the processing of personal data have been infringed or broken. The verification shall be carried out in such a way that it does not cause unnecessary inconvenience and costs to the controller.

With regard to the treatment referred to in Article 2 (5), the Data Protection Supervisor shall monitor compliance with the obligation to protect the information provided for in Article 32. The Data Protection Supervisor is entitled, for this purpose, to receive the necessary information on the protection of the registers.

ARTICLE 40
Measures of the Data Protection Supervisor

The Data Protection Officer shall promote good information processing and, through guidance and advice, seek to ensure that unlawful conduct is not continued or renewed. If necessary, the Data Protection Supervisor shall refer the matter to the Data Protection Board, or report it for the purposes of prosecution.

The Data Protection Supervisor shall decide on a matter which has been brought before him pursuant to Articles 28 and 29. The Data Protection Supervisor may issue to the controller the execution of the data subject or the correction of the data subject.

The Data Protection Supervisor may provide further guidance on how personal data should be protected against the unlawful processing of personal data.

ARTICLE 41
Consultation of the Data Protection Supervisor

The authority concerned shall provide the Data Protection Supervisor with the opportunity to be heard in the preparation of legislative or administrative reforms concerning the protection of the rights and freedoms of persons with regard to the processing of personal data.

Before bringing proceedings against this law, the prosecution shall consult the Data Protection Supervisor. When dealing with such a case, the court or tribunal shall provide the Data Protection Supervisor with an opportunity to be heard. (13/05/457)

ARTICLE 42
Sectoral Code of Conduct

The controllers or these representative bodies may draw up a sectoral code of conduct for the purposes of this law and promote good data processing and shall submit their proposals to the Data Protection Supervisor. The Data Protection Supervisor may check that the Code of Conduct complies with this law and with other provisions affecting the processing of personal data.

ARTICLE 43
Competence of the Data Protection Board

The Data Protection Board may authorise the processing of personal data, as referred to in Article 8 (1) (9), where such processing is necessary in order to protect the legitimate interest of the data subject in a non-specific case or a task of general interest, or for the exercise of the public authority which belongs to the controller or to the person to whom the information is disclosed. Authorisation may also be granted for the exercise of the legitimate interest of the controller or of the beneficiary of the information, provided that such processing does not endanger the privacy and rights of the individual.

The Data Protection Board may authorise the processing of sensitive personal data referred to in Article 12 (13) for a reason of public interest.

The authorisation may be issued for a specified period or time and shall be accompanied by the provisions necessary for the protection of the data subject. The provisions may be amended or supplemented by the Data Protection Supervisor or the licensee if it is necessary due to changed circumstances.

ARTICLE 44
Provisions of the Data Protection Board

The Data Protection Committee may, upon application by the Supervisor:

(1) prohibit the processing of personal data contrary to this law or by any provisions adopted pursuant to it;

(2) impose, within the period referred to in Article 40 (2), an obligation to rectify the wrongdoing or omissions of the person concerned;

(3) order the termination of a register where unlawful acts or omissions seriously undermine the protection of privacy or interests or rights of the data subject, unless the register is provided for by law; and

(4) withdraw the authorisation referred to in Article 43 when the conditions for granting the authorisation no longer exist, or where the controller is acting in breach of the authorisation or the provisions annexed thereto.

ARTICLE 45 (7 AUGUST 2015)
Appeal

The decision of the Data Protection Officer and of the Data Protection Board may be appealed to the Administrative Court as the administrative law (18/06/1996) provides. The Data Protection Supervisor may appeal against the decision of the Data Protection Board pursuant to Article 43.

An appeal to the decision of the administrative court shall be lodged only if the Supreme Administrative Court grants an appeal.

The decision of the Data Protection Board may stipulate that the decision must be complied with, in spite of the appeal, unless the Board of Appeal decides otherwise.

L to 19/2015 Article 45 shall enter into force on 1 January 2016. The previous wording reads:

ARTICLE 45
Appeal

Against a decision of the Data Protection Supervisor pursuant to Article 40 (2) and of the Data Protection Board pursuant to Articles 43 and 44, an appeal is brought in accordance with the rules of administrative law (18/06/1996). The Data Protection Officer may appeal against the decision of the Data Protection Board pursuant to Article 43.

The decision of the Data Protection Board may stipulate that the decision must be complied with, in spite of the appeal, unless the Board of Appeal decides otherwise.

ARTICLE 46
Periodic penalty payment

The Data Protection Officer may make a decision pursuant to Article 39 (1) and (3) and its decision pursuant to Article 40 (2) and the Data Protection Board pursuant to Article 39 (1) and Article 44 The decision to impose periodic penalty payments in the form of a periodic penalty payment (1113/1990) Provides.

Chapter 10

Outstanding provisions

ARTICLE 47
Obligation to pay damages

The controller shall be obliged to compensate the data subject or other person for the economic and other damage resulting from the processing of personal data contrary to this law.

Compensation for damages is otherwise in force, (412/1974) Articles 2 and 3, Articles 4 and 6 and Articles 4, 6 and 7 of Chapter 3.

ARTICLE 48
Penalty provisions

Penalty report is punishable by criminal law (39/1889) chapter 9 of Chapter 38 And the data breach on the personal register Article 8 of Chapter 38 of the Penal Code . Punishment for breach of the obligation of professional secrecy laid down in Article 33 Chapter 38 of the Criminal Code 1 or 2, if the act is not punishable Article 5 of Chapter 40 of the Penal Code Or otherwise, the law provides for a heavier penalty.

Every deliberate or gross negligence, contrary to this law,

(1) fails to comply with the definition of the purposes of the processing of personal data, the preparation of the register, the processing of data, the processing of data, the repair of the data in the personal register, the registration of the data subject or the notification to the Data Protection Supervisor,

(2) provide the data protection authority with false or misleading information concerning the processing of personal data;

(3) breaches the provisions on the protection of personal data and the destruction of personal data, or

(4) infringes the law of the Data Protection Board pursuant to Article 43 (3);

and thereby jeopardises the protection of the privacy of the data subject or the rights of the data subject, must be condemned, unless the act is subject to a heavier penalty elsewhere in the law, to a fine for the violation of personal registration.

ARTICLE 49
More detailed provisions

More detailed provisions on the implementation of this law shall be adopted by the Regulation.

Chapter 11

Entry and transitional provisions

ARTICLE 50
Entry into force

This Act shall enter into force on 1 June 1999.

This law repeals the Personal Data Act of 30 April 1987 (1999) with its subsequent modifications. However, the provisions of the repealed Law on the definitions of mass and sensitive sampling continue to apply, in so far as other legislation refers to them, until 24 October 2001.

Before the entry into force of this Act, measures may be taken to implement it.

ARTICLE 51
Transitional provisions

The processing of personal data undertaken before the entry into force of this Act shall be brought into line with the requirements of this law by 24 October 2001.

Where other legislation refers to the identity of the identity document or its provisions, the reference shall be construed as referring to this law or its equivalent provisions.

THEY 96/1998 , 26/1998, EV 278/1998

Entry into force and application of amending acts:

24.11.2000/98:

This Act shall enter into force on 1 December 2000.

THEY 137/2000 , HaVM 16/2000, EV 144/2000, European Parliament and Council Directive 95/46/EC (31995L0046); OJ L 281, 23.11.1995, p. 31

11.5.2007/528

This Act shall enter into force on 1 November 2007.

2. Has been repealed by L 18.7.2008/512 .

THEY 241/2006 , LaVM 32/2006, EV 315/2006

18.7.2008/512:

This Act shall enter into force on 1 September 2008.

THEY 19/2008 , EV 63/2008,

30.4.2010/29:

This Act shall enter into force on 1 May 2010.

THEY 169/2009 , TaVM 4/2010, EV 38/2010, Directive 2007/64/EC of the European Parliament and of the Council (32007L0064) OJ L 319, 5.12.2007, p. 1

3.12.2010/11

This Act shall enter into force on 1 January 2011.

THEY 202/2010 , HaVM 20/2010, EV 196/2010

13/05/2015:

This Act shall enter into force on 17 May 2011.

THEY 286/2010 , LaVM 34/2010, EV 311/2010

7.8.20151:

This Act shall enter into force on 1 January 2016.

In the case of appeals before the entry into force of this Act, the provisions in force at the time of entry into force of this Act shall apply.

THEY 230/2014 , LaVM 26/2014, EV 319/2014