Chapter 1. General provisions
The law's scope of application, etc.
section 1 of this Act apply to the processing of personal data in
The armed forces ' defence intelligence operations and military
Security Service, if the processing is wholly or partly
automated or if the information included in or intended for
be part of a structured set of personal data which are
available for searching or compilation according to specific
criteria.
Personal data Act (1998:204) does not apply to such processing
of personal data referred to in the first subparagraph.
2 § the purpose of the Act is to protect people against their
personal privacy is violated by the action of
personal data in the armed forces
defence intelligence and security service.
Relationship to the principle of
paragraph 3, the provisions of this law shall not apply in the
extent it would restrict military duty
According to Chapter 2. freedom of the Press Act to disclose
personal data.
Definitions
section 4 of this Act, the following definitions shall apply the following
importance.
Indication Significance
Treatment
(personal data) Any operation or set of operations
taken in respect of personal data,
whether by automated means
or not, eg. the collection,
registration, organization, storage,
adaptation or alteration, retrieval,
consultation, use, disclosure
by transmission, dissemination or
otherwise making available,
alignment or combination,
blocking, erasure or destruction.
Blocking
(personal data) An action taken to
personal data shall be
associated with information about the
is blocked and the reason for
latch and to the personal data
shall not be disclosed to third parties
other than pursuant to Chapter 2.
freedom of the Press Act.
The recipients to whom the personal data is provided
out. When personal information is disclosed from
Armed forces to another
authority to carry out such
supervision, control and audit
It is obliged to take care, however,
not that authority as receiver.
Personal data is All kinds of information that directly or
indirectly attributable to a natural
person in life.
Processor The processing personal data for
on behalf of the controller.
Data protection officer the natural person who, after
the appointment of the
controller, independently
shall ensure that personal data
processed fairly and lawfully
way.
It registered it as a personal data relates.
Third parties other than the data subject, the
controller,
the data protection officer,
processor and such
persons who, under the
controller or
direct responsibility of the processor
has the power to treat
personal data.
Data collection a collection of information using
of automated processing is used
in common.
Privacy responsibility
section 5 of the Finnish defence forces are responsible for the treatment
of personal data by the Agency.
Basic requirements for the processing of personal data
section 6 of the defence forces shall ensure that
1. personal data may be processed only if it is legal,
2. personal data is always processed in a proper manner and in
accordance with good practice,
3. personal data may be collected only for specified, explicit and
specified and legitimate purposes,
4. personal data processed for any purpose that is
incompatible with that for which the data were collected,
5. the personal data processed is adequate and relevant in
relation to the purposes of the processing,
6. no more personal data than necessary with
the light of the purposes of the processing,
7. the personal data that is processed is correct and, if it is
necessary, current, and
8. all reasonable measures are taken to correct, block or
wipe out such personal information that is incorrect or
incomplete with respect to the purposes of the processing.
Data collections
section 7 of the military defence intelligence activities and
military security service may, under the conditions
specified in this law, personal data are processed in
data collections.
Government Announces rules or decisions in individual cases
If the data collections that may exist and what information
which may be treated in the relevant collection.
When the processing of personal data is lawful
Defence intelligence activity
paragraph 8 of the personal data may be processed in the armed forces
defence intelligence operations if necessary to
carry out the activities specified in the Act (2000:130) about
Defense intelligence operations.
Data on a person may only be processed if the person has
affiliation with a specific focus of
defence intelligence function and processing is necessary
to pursue this approach.
The military security service
section 9 personal data may be processed in the armed forces ' military
security services to detect, prevent and ward off
security-threatening activities directed against the armed forces and
its security interests, if necessary to
1. clarify the activities involving the threat to national security,
or
2. take measures that prevent or hinder security-threatening
activity.
section 10 of the data on a person shall be treated for the purposes of
specified in section 9 only if
1. the data give reasonable cause to believe that the person has
exercised or could exercise activities involving
crimes that threaten national security or terrorist offences under
section 2 of the Act (2003:148) if the penalties for terrorist offences or
the corresponding crime under previous legislation,
2. the data give reasonable cause to believe that the person has
exercised or could exercise intelligence activities directed
against the armed forces and its security interests;
3. the data gives justified reason to assume that the person
exercise other security-threatening activities referred to in paragraph 1 and
that includes crimes or breach of duties
employment with the armed forces, and there are specific reasons
that task must be processed,
4. the interested party has provided information about the security-threatening activities
and personal information is necessary to assess the person's
credibility, or
5. the information refers to information that has come to light in the context
that a person has been subjected to the register control or special
personal investigation under Security Act (1996:627).
Data on a person shall be provided with a statement of the
the first paragraph of the grounds specified in the task is processed.
If the processing of personal data caused by something other than
assuming that the person has engaged, or will exercise
criminal activities shall in particular set out that the person does not
is suspected of criminal activity, unless otherwise
way such suspicion clearly does not exist. Data on
a person who cannot be presumed to have engaged in or may be
exercise other security-threatening activities shall be provided with a
specific information on this, if it is not otherwise clear
It is evident that such a presumption does not exist.
Data on a person referred to in the first subparagraph 1, 2 and 3 shall
provided with a disclosure of the respondent's credibility and
the accuracy of the thing.
section 11 Notwithstanding section 10, personal data which are included in the
or have been raised in connection with the use of FOI
telecommunication and information system is processed to
prevent unauthorized visibility into and influence of these systems. The
also applies to data referred to in paragraphs 12 and 13.
Treatment that specifically aims to identify a person
may, however, be carried out only if the provisions of section 10, first subparagraph
1, 2 or 3, as applicable.
The armed forces shall maintain a list of the treatments
specifically designed to identify a person and the
data that served as the reason for reading.
The processing of sensitive personal data
section 12 of the personal data may not be processed solely because of what
is known about the person's race or ethnic origin, political
opinions, religious or philosophical convictions, membership in the
Trade Union, health or sex life.
If a person is treated on other grounds, the
be supplemented with such tasks as referred to in the first subparagraph
When it is strictly necessary for the purpose of treatment.
Data that describes a person's appearance will always
designed in an objective manner with respect for human dignity.
When searching, personal data revealing racial or ethnic
origin, political opinions, religious or philosophical
beliefs, trade-union membership, or concerning health
or sex life can be used as a search term only if it is
absolutely necessary for the purpose of treatment.
Processing of personal number
section 13 information concerning personal identification number or co-ordination number may
be treated only when it is clearly justified by the
1. the purpose of the processing,
2. the importance of a secure identification, or
3. any other noteworthy reasons.
Disclosure of personal data on the medium of automated
treatment
section 14 of the only single person data may be released to the media
automated processing, unless the Government has announced
regulations or in an individual case decided that data
may be disclosed in such a medium, even in other cases.
Direct access
section 15 of the Government Announces rules on which authorities
may have direct access to the data collections.
Government, or the Government authority determines,
Announces additional regulations or decisions in individual cases
If the extent of direct access.
Access to personal data
section 16 of the access to personal data must always be limited
to what each one needs to be able to fulfil their
work tasks.
Transfer of personal data to other countries
section 17 of the personal data processed pursuant to this Act may
be transferred to other countries or people-to-people
organizations only if privacy is not preventing it, and it is
necessary for the armed forces to fulfil their
data in the framework of the international
defence intelligence and security cooperation, if not
the Government has announced regulations or in an individual case
decided that the transfer may take place also in other cases where it is
necessary for the activities of the armed forces.
Chapter 2. Information to the individual, the rectification and indemnity
Information to the individual
Information to be provided voluntarily
§ 1 If information about an individual is collected in the military
security services from the person himself, the armed forces of
connection therewith voluntarily provide the data subject with information about
the processing of the data. The information shall include
1. the task of the armed forces who is
the data controller for the processing,
2. a statement of the purposes of the processing, and
3. all other information needed for the registered
to be able to take advantage of their rights in connection with
treatment, such as information about the recipients of the data,
duty to disclose information and the right to apply for
information and obtain redress.
Information in accordance with the first paragraph need not be given if such
as he already has.
Information to be submitted upon application
section 2 of the armed forces owe to each applicant
If it once per calendar year free leave whether
personal data concerning the applicant is treated or not.
Processed such data shall be submitted in writing
also if
1. what information about the applicant that is processed,
2. where this information is retrieved,
3. the purposes of the processing, and
4. the recipients or categories of recipients who are
the data are disclosed.
An application referred to in the first subparagraph shall be made in writing in
The armed forces and be signed by the applicant himself.
Information referred to in the first subparagraph shall be provided within one month
from the time the application was made. If there are special reasons for
However, the information is submitted no later than four months after the
that application was made.
paragraph 3 of Information under section 2 need not be given if
personal data in running text that did not receive their final
the design when the application was made or that constitutes the memory note
or similar. However, this does not apply if the data are
disclosed to third parties or, in the case of continuous text
that did not receive their final form, if the information has
treated for longer than a year.
Exemption from the duty to provide information on privacy
section 4 of the provisions of paragraphs 1 and 2 shall not apply to the extent
Privacy prevents the transfer of information to the
registered.
Corrigendum to:
section 5 of the Finnish defence forces are required to at the request of the
registered as soon as correct, block or delete such
personal data that has not been treated in accordance with this
law or regulations issued under the law.
The defence forces shall also notify third parties to whom
the data have been disclosed of the operation, if the data subject
request it or if substantial harm or inconvenience to the
registered could be avoided by an intelligence.
Any such notice need not be given, if this is
impossible or would involve a disproportionate
work effort.
Damages
section 6 of the State shall replace the registered for damage and
violation of privacy as a treatment for
personal information in contravention of this Act or regulations
has been issued under the law has caused.
Liability, to the extent that it is reasonable
be adjusted, if the military proves that the failure was not due to
authority.
Chapter 3. Security of processing
section 1 of the processor and the person or persons
working under counsel's or the armed forces ' leadership,
process personal data only in accordance with instructions
from the armed forces.
There should be a written agreement if the
the processor for the processing of personal data
On behalf of the defence forces. In the agreement, in particular the
to the processor shall process the personal data
only in accordance with the instructions of the armed forces, and to
the processor is required to take the measures
referred to in paragraph 2 of the first paragraph.
In terms of privacy and confidentiality in the public
activities should apply the provisions of the public access to information and
secrecy (2009:400) instead of the first paragraph.
Law (2009:520).
section 2 of the defence forces shall take appropriate technical and
organisational measures to protect personal data
treated. Measures shall ensure a level of security
appropriate having regard to the
1. the technical possibilities available,
2. what it would cost to implement the measures,
3. the specific risks associated with the treatment of
the personal data, and
4. how that sensitive personal data is processed.
When the armed forces employ a processor,
The defence forces shall satisfy itself that the processor can
implementing the security measures that must be taken and ensure that
the processor really take those measures.
Chapter 4. Data protection officer
section 1 the defence forces shall designate one or more
data protection officer and report them to the supervisory authority
referred to in Chapter 5. A dismissal of a
the personal data shall be notified to the supervisory authority.
section 2 of the data protection officer shall be responsible for
independently ensure that the armed forces treat
personal information in a lawful and correct manner and in accordance
with good manners and point out any shortcomings of the authority.
The data protection officer has reason to suspect that
Armed forces violates the provisions applicable to
the processing of personal data and taken no rectification so
soon it may be after the remark, the data protection officer
report the fact to the supervisory authority.
The data protection officer shall otherwise consult
the supervisory authority if in doubt about how the rules
applies to the processing of personal data shall apply.
section 3 of the data protection officer shall over the treatments
The armed forces are carrying out and which are wholly or partly
automated keep a list relating to
defence intelligence function and a list relating to
the military security service.
Government, or the Government authority determines,
announces the rules about what the list should contain.
section 4 of the data protection officer shall assist the data subject to receive
rectification when there is reason to suspect that treated
personal data is incorrect or incomplete.
Chapter 5. The supervisory authority
§ 1 the authority the Government shall exercise supervision
over the armed forces ' treatment of personal data under this
team.
section 2 of the regulatory authority has the right to order their supervision upon request
get
1. access to the personal data processed,
2. information and documentation of the treatment of
personal data and the security of this, and
3. access to such premises which are related to
the processing of personal data.
§ 3 If the regulator finds that personal information
processed or may be processed in an unlawful manner,
the authority by observations or similar procedures
seeking rectification.
section 4 of the regulatory authority may with the administrative court within whose
territorial jurisdiction of the supervisory authority is situated may apply to such
personal data that have been processed unlawfully,
wiped out.
Decision on deleting shall be granted if it is unfair.
Law (2009:850).
Chapter 6. Other provisions
Thinning
section 1 of the personal data processed automated, screening
as soon as these data is no longer needed for the purpose for
which they are treated, if not the Government or the authority
the Government has announced regulations or in individual
cases decided that screening must take place no later than the specified time
or that the information may be kept for historical, statistical
or scientific purposes.
Penalty
2 § to fine or imprisonment not exceeding six months, or, if
the crime is gross, imprisonment for at most two years condemned it as
intentionally or recklessly
1. provide false information in such information to data subjects
provided for in Chapter 2, the notification to the supervisory authority
According to Chapter 4. section 1 or to the supervisory authority when
authority requests information according to Chapter 5. paragraph 2, or
2. processing personal data in contravention of Chapter 1. section 12.
In minor cases are judged not to liability.
Appeal
section 3 of the armed forces ' decision on information to be provided
According to Chapter 2. 1 and 2 sections and for rectification and notification to the
third parties under Chapter 2. section 5 may be appealed to the General
Administrative Court. Other decision under this Act shall not
subject to appeal.
Leave to appeal is required for an appeal to the administrative court.
Transitional provisions
2007:258
1. this law shall enter into force on 1 July 2007.
2. the provisions of Chapter 1. section 6 of basic requirements on
the processing of personal data and in Chapter 1. section 12 concerning the processing
of sensitive personal data shall not be applicable until
on October 1, 2007 in the matter of such manual processing of
personal data commenced before or on 24 October 1998
manual processing for a particular purpose if
manual processing for this purpose commenced before the October 24
1998.
3. the provisions of Chapter 2. section 6 damages shall apply
only if the claim relates to have
occurred after the law has come into force with respect to the
current treatment. In other cases older
provisions.