Advanced Search

Law (2007:258) Concerning The Processing Of Personal Data In The Armed Forces ' Defence Intelligence And Military Security Service

Original Language Title: Lag (2007:258) om behandling av personuppgifter i Försvarsmaktens försvarsunderrättelseverksamhet och militära säkerhetstjänst

Subscribe to a Global-Regulation Premium Membership Today!

Key Benefits:

Subscribe Now for only USD$40 per month.
Chapter 1. General provisions



The law's scope of application, etc.



section 1 of this Act apply to the processing of personal data in

The armed forces ' defence intelligence operations and military

Security Service, if the processing is wholly or partly

automated or if the information included in or intended for

be part of a structured set of personal data which are

available for searching or compilation according to specific

criteria.



Personal data Act (1998:204) does not apply to such processing

of personal data referred to in the first subparagraph.



2 § the purpose of the Act is to protect people against their

personal privacy is violated by the action of

personal data in the armed forces

defence intelligence and security service.



Relationship to the principle of



paragraph 3, the provisions of this law shall not apply in the

extent it would restrict military duty

According to Chapter 2. freedom of the Press Act to disclose

personal data.



Definitions



section 4 of this Act, the following definitions shall apply the following

importance.



Indication Significance



Treatment

(personal data) Any operation or set of operations

taken in respect of personal data,

whether by automated means

or not, eg. the collection,

registration, organization, storage,

adaptation or alteration, retrieval,

consultation, use, disclosure

by transmission, dissemination or

otherwise making available,

alignment or combination,

blocking, erasure or destruction.



Blocking

(personal data) An action taken to

personal data shall be

associated with information about the

is blocked and the reason for

latch and to the personal data

shall not be disclosed to third parties

other than pursuant to Chapter 2.

freedom of the Press Act.



The recipients to whom the personal data is provided

out. When personal information is disclosed from

Armed forces to another

authority to carry out such

supervision, control and audit

It is obliged to take care, however,

not that authority as receiver.



Personal data is All kinds of information that directly or

indirectly attributable to a natural

person in life.



Processor The processing personal data for

on behalf of the controller.



Data protection officer the natural person who, after

the appointment of the

controller, independently

shall ensure that personal data

processed fairly and lawfully

way.



It registered it as a personal data relates.



Third parties other than the data subject, the

controller,

the data protection officer,

processor and such

persons who, under the

controller or

direct responsibility of the processor

has the power to treat

personal data.



Data collection a collection of information using

of automated processing is used

in common.



Privacy responsibility



section 5 of the Finnish defence forces are responsible for the treatment

of personal data by the Agency.



Basic requirements for the processing of personal data



section 6 of the defence forces shall ensure that



1. personal data may be processed only if it is legal,



2. personal data is always processed in a proper manner and in

accordance with good practice,



3. personal data may be collected only for specified, explicit and

specified and legitimate purposes,



4. personal data processed for any purpose that is

incompatible with that for which the data were collected,



5. the personal data processed is adequate and relevant in

relation to the purposes of the processing,



6. no more personal data than necessary with

the light of the purposes of the processing,



7. the personal data that is processed is correct and, if it is

necessary, current, and



8. all reasonable measures are taken to correct, block or

wipe out such personal information that is incorrect or

incomplete with respect to the purposes of the processing.



Data collections



section 7 of the military defence intelligence activities and

military security service may, under the conditions

specified in this law, personal data are processed in

data collections.



Government Announces rules or decisions in individual cases

If the data collections that may exist and what information

which may be treated in the relevant collection.



When the processing of personal data is lawful



Defence intelligence activity



paragraph 8 of the personal data may be processed in the armed forces

defence intelligence operations if necessary to

carry out the activities specified in the Act (2000:130) about

Defense intelligence operations.



Data on a person may only be processed if the person has

affiliation with a specific focus of

defence intelligence function and processing is necessary

to pursue this approach.



The military security service



section 9 personal data may be processed in the armed forces ' military

security services to detect, prevent and ward off

security-threatening activities directed against the armed forces and

its security interests, if necessary to



1. clarify the activities involving the threat to national security,

or



2. take measures that prevent or hinder security-threatening

activity.



section 10 of the data on a person shall be treated for the purposes of

specified in section 9 only if



1. the data give reasonable cause to believe that the person has

exercised or could exercise activities involving

crimes that threaten national security or terrorist offences under

section 2 of the Act (2003:148) if the penalties for terrorist offences or

the corresponding crime under previous legislation,



2. the data give reasonable cause to believe that the person has

exercised or could exercise intelligence activities directed

against the armed forces and its security interests;



3. the data gives justified reason to assume that the person

exercise other security-threatening activities referred to in paragraph 1 and

that includes crimes or breach of duties

employment with the armed forces, and there are specific reasons

that task must be processed,



4. the interested party has provided information about the security-threatening activities

and personal information is necessary to assess the person's

credibility, or



5. the information refers to information that has come to light in the context

that a person has been subjected to the register control or special

personal investigation under Security Act (1996:627).



Data on a person shall be provided with a statement of the

the first paragraph of the grounds specified in the task is processed.

If the processing of personal data caused by something other than

assuming that the person has engaged, or will exercise

criminal activities shall in particular set out that the person does not

is suspected of criminal activity, unless otherwise

way such suspicion clearly does not exist. Data on

a person who cannot be presumed to have engaged in or may be

exercise other security-threatening activities shall be provided with a

specific information on this, if it is not otherwise clear

It is evident that such a presumption does not exist.



Data on a person referred to in the first subparagraph 1, 2 and 3 shall

provided with a disclosure of the respondent's credibility and

the accuracy of the thing.



section 11 Notwithstanding section 10, personal data which are included in the

or have been raised in connection with the use of FOI

telecommunication and information system is processed to

prevent unauthorized visibility into and influence of these systems. The

also applies to data referred to in paragraphs 12 and 13.

Treatment that specifically aims to identify a person

may, however, be carried out only if the provisions of section 10, first subparagraph

1, 2 or 3, as applicable.



The armed forces shall maintain a list of the treatments

specifically designed to identify a person and the

data that served as the reason for reading.



The processing of sensitive personal data



section 12 of the personal data may not be processed solely because of what

is known about the person's race or ethnic origin, political

opinions, religious or philosophical convictions, membership in the

Trade Union, health or sex life.



If a person is treated on other grounds, the

be supplemented with such tasks as referred to in the first subparagraph

When it is strictly necessary for the purpose of treatment.

Data that describes a person's appearance will always


designed in an objective manner with respect for human dignity.



When searching, personal data revealing racial or ethnic

origin, political opinions, religious or philosophical

beliefs, trade-union membership, or concerning health

or sex life can be used as a search term only if it is

absolutely necessary for the purpose of treatment.



Processing of personal number



section 13 information concerning personal identification number or co-ordination number may

be treated only when it is clearly justified by the



1. the purpose of the processing,



2. the importance of a secure identification, or



3. any other noteworthy reasons.



Disclosure of personal data on the medium of automated

treatment



section 14 of the only single person data may be released to the media

automated processing, unless the Government has announced

regulations or in an individual case decided that data

may be disclosed in such a medium, even in other cases.



Direct access



section 15 of the Government Announces rules on which authorities

may have direct access to the data collections.



Government, or the Government authority determines,

Announces additional regulations or decisions in individual cases

If the extent of direct access.



Access to personal data



section 16 of the access to personal data must always be limited

to what each one needs to be able to fulfil their

work tasks.



Transfer of personal data to other countries



section 17 of the personal data processed pursuant to this Act may

be transferred to other countries or people-to-people

organizations only if privacy is not preventing it, and it is

necessary for the armed forces to fulfil their

data in the framework of the international

defence intelligence and security cooperation, if not

the Government has announced regulations or in an individual case

decided that the transfer may take place also in other cases where it is

necessary for the activities of the armed forces.



Chapter 2. Information to the individual, the rectification and indemnity



Information to the individual



Information to be provided voluntarily



§ 1 If information about an individual is collected in the military

security services from the person himself, the armed forces of

connection therewith voluntarily provide the data subject with information about

the processing of the data. The information shall include



1. the task of the armed forces who is

the data controller for the processing,



2. a statement of the purposes of the processing, and



3. all other information needed for the registered

to be able to take advantage of their rights in connection with

treatment, such as information about the recipients of the data,

duty to disclose information and the right to apply for

information and obtain redress.



Information in accordance with the first paragraph need not be given if such

as he already has.



Information to be submitted upon application



section 2 of the armed forces owe to each applicant

If it once per calendar year free leave whether

personal data concerning the applicant is treated or not.

Processed such data shall be submitted in writing

also if



1. what information about the applicant that is processed,



2. where this information is retrieved,



3. the purposes of the processing, and



4. the recipients or categories of recipients who are

the data are disclosed.



An application referred to in the first subparagraph shall be made in writing in

The armed forces and be signed by the applicant himself.

Information referred to in the first subparagraph shall be provided within one month

from the time the application was made. If there are special reasons for

However, the information is submitted no later than four months after the

that application was made.



paragraph 3 of Information under section 2 need not be given if

personal data in running text that did not receive their final

the design when the application was made or that constitutes the memory note

or similar. However, this does not apply if the data are

disclosed to third parties or, in the case of continuous text

that did not receive their final form, if the information has

treated for longer than a year.



Exemption from the duty to provide information on privacy



section 4 of the provisions of paragraphs 1 and 2 shall not apply to the extent

Privacy prevents the transfer of information to the

registered.



Corrigendum to:



section 5 of the Finnish defence forces are required to at the request of the

registered as soon as correct, block or delete such

personal data that has not been treated in accordance with this

law or regulations issued under the law.

The defence forces shall also notify third parties to whom

the data have been disclosed of the operation, if the data subject

request it or if substantial harm or inconvenience to the

registered could be avoided by an intelligence.

Any such notice need not be given, if this is

impossible or would involve a disproportionate

work effort.



Damages



section 6 of the State shall replace the registered for damage and

violation of privacy as a treatment for

personal information in contravention of this Act or regulations

has been issued under the law has caused.



Liability, to the extent that it is reasonable

be adjusted, if the military proves that the failure was not due to

authority.



Chapter 3. Security of processing



section 1 of the processor and the person or persons

working under counsel's or the armed forces ' leadership,

process personal data only in accordance with instructions

from the armed forces.



There should be a written agreement if the

the processor for the processing of personal data

On behalf of the defence forces. In the agreement, in particular the

to the processor shall process the personal data

only in accordance with the instructions of the armed forces, and to

the processor is required to take the measures

referred to in paragraph 2 of the first paragraph.



In terms of privacy and confidentiality in the public

activities should apply the provisions of the public access to information and

secrecy (2009:400) instead of the first paragraph.

Law (2009:520).



section 2 of the defence forces shall take appropriate technical and

organisational measures to protect personal data

treated. Measures shall ensure a level of security

appropriate having regard to the



1. the technical possibilities available,



2. what it would cost to implement the measures,



3. the specific risks associated with the treatment of

the personal data, and



4. how that sensitive personal data is processed.



When the armed forces employ a processor,

The defence forces shall satisfy itself that the processor can

implementing the security measures that must be taken and ensure that

the processor really take those measures.



Chapter 4. Data protection officer



section 1 the defence forces shall designate one or more

data protection officer and report them to the supervisory authority

referred to in Chapter 5. A dismissal of a

the personal data shall be notified to the supervisory authority.



section 2 of the data protection officer shall be responsible for

independently ensure that the armed forces treat

personal information in a lawful and correct manner and in accordance

with good manners and point out any shortcomings of the authority.



The data protection officer has reason to suspect that

Armed forces violates the provisions applicable to

the processing of personal data and taken no rectification so

soon it may be after the remark, the data protection officer

report the fact to the supervisory authority.



The data protection officer shall otherwise consult

the supervisory authority if in doubt about how the rules

applies to the processing of personal data shall apply.



section 3 of the data protection officer shall over the treatments

The armed forces are carrying out and which are wholly or partly

automated keep a list relating to

defence intelligence function and a list relating to

the military security service.



Government, or the Government authority determines,

announces the rules about what the list should contain.



section 4 of the data protection officer shall assist the data subject to receive

rectification when there is reason to suspect that treated

personal data is incorrect or incomplete.



Chapter 5. The supervisory authority



§ 1 the authority the Government shall exercise supervision

over the armed forces ' treatment of personal data under this

team.



section 2 of the regulatory authority has the right to order their supervision upon request

get



1. access to the personal data processed,



2. information and documentation of the treatment of

personal data and the security of this, and



3. access to such premises which are related to

the processing of personal data.



§ 3 If the regulator finds that personal information

processed or may be processed in an unlawful manner,

the authority by observations or similar procedures

seeking rectification.



section 4 of the regulatory authority may with the administrative court within whose

territorial jurisdiction of the supervisory authority is situated may apply to such

personal data that have been processed unlawfully,

wiped out.



Decision on deleting shall be granted if it is unfair.

Law (2009:850).



Chapter 6. Other provisions



Thinning



section 1 of the personal data processed automated, screening

as soon as these data is no longer needed for the purpose for

which they are treated, if not the Government or the authority


the Government has announced regulations or in individual

cases decided that screening must take place no later than the specified time

or that the information may be kept for historical, statistical

or scientific purposes.



Penalty



2 § to fine or imprisonment not exceeding six months, or, if

the crime is gross, imprisonment for at most two years condemned it as

intentionally or recklessly



1. provide false information in such information to data subjects

provided for in Chapter 2, the notification to the supervisory authority

According to Chapter 4. section 1 or to the supervisory authority when

authority requests information according to Chapter 5. paragraph 2, or



2. processing personal data in contravention of Chapter 1. section 12.



In minor cases are judged not to liability.



Appeal



section 3 of the armed forces ' decision on information to be provided

According to Chapter 2. 1 and 2 sections and for rectification and notification to the

third parties under Chapter 2. section 5 may be appealed to the General

Administrative Court. Other decision under this Act shall not

subject to appeal.



Leave to appeal is required for an appeal to the administrative court.



Transitional provisions



2007:258



1. this law shall enter into force on 1 July 2007.



2. the provisions of Chapter 1. section 6 of basic requirements on

the processing of personal data and in Chapter 1. section 12 concerning the processing

of sensitive personal data shall not be applicable until

on October 1, 2007 in the matter of such manual processing of

personal data commenced before or on 24 October 1998

manual processing for a particular purpose if

manual processing for this purpose commenced before the October 24

1998.



3. the provisions of Chapter 2. section 6 damages shall apply

only if the claim relates to have

occurred after the law has come into force with respect to the

current treatment. In other cases older

provisions.