Breadcrumb

Tietosuoja ja henkilötietojen käsittely poliisissa -hero -en

Data protection and processing of personal data

Police work often involves processing personal data. The police has a statutory duty to ensure the security of personal data and the privacy of people’s information. The police only processes personal data in so far as is permitted by data protection laws. 

These pages explain the rights of data subjects in more detail. We also tell you how you can exercise your data protection rights in respect of the police. The site also contains information about the steps that the police has taken to ensure data protection and information security. 

Etsi hakusanalla

Fingerprints on a computer screen.

Tietosuojalainsäädännön yleisesittely -en

Overview of data protection laws

The European Union’s data protection laws were reformed in the spring of 2016. The EU’s new General Data Protection Regulation (GDPR) and what is known as the EU’s Data Protection Directive for Police and Criminal Justice Authorities were published in May 2016.
The objective of the reform of the EU’s data protection laws was to

  • harmonise the protection of personal data across the EU,
  • bring data protection regulations in line with the latest technological developments and challenges brought by globalisation for the protection of personal data,
  • reinforce the rights and freedoms of natural persons, and
  • strengthen the enforcement of data protection regulations.

In respect of criminal matters, the reform aimed, in particular, to ensure a high standard of personal data protection and consistency in the processing of personal data in criminal contexts. The reform also sought to facilitate the exchange of information between the law enforcement and judicial authorities of the member states.

The publication of the aforementioned data protection regulations coincided with the ratification of a new directive on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. The EU Passenger Name Record (PNR) Directive was transposed into Finnish law by the Act on the Use of Airline Passenger Name Record Data for the Prevention of Terrorist Offences and Serious Crime.

Data Protection Act 

The Finnish Data Protection Act applies alongside the EU’s General Data Protection Regulation.
The Data Protection Act contains provisions on, among other things,

  • the supervisory authority for data protection,
  • legal protection,
  • the processing of special categories of personal data, 
  • certain specific data processing situations, such as reconciling the right to freedom of expression or scientific research with the right to the protection of personal data, and
  • the age limit for offering information society services to a child.

Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security

The Finnish Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security implements the EU’s Data Protection Directive for Police and Criminal Justice Authorities.

The Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security applies to the processing of personal data by the police, prosecutors, ordinary courts, the Criminal Sanctions Agency, Customs, the Border Guard and other competent authorities in the context of

  • preventing, detecting and investigating criminal offences or charging offenders,
  • the prosecutor’s actions in connection with criminal offences,
  • court proceedings in criminal matters,
  • enforcing criminal sanctions, or
  • protecting the public or preventing threats to the public.

The Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security is the general law that applies in all of the aforementioned circumstances unless otherwise provided for in special laws. The Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security contains provisions on

  • purpose limitation and other general principles of personal data processing,
  • the responsibilities of controllers and processors,
  • the right of access and other rights of data subjects,
  • information security requirements,
  • the designation and duties of data protection officers,
  • the general principles for the transfer of personal data to third countries,
  • the enforcement of the law, and
  • remedies and penalties.

Act on the Processing of Personal Data by the Police

The Act on the Processing of Personal Data by the Police is a special law that complements the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security as well as the EU’s General Data Protection Regulation and the Finnish Data Protection Act.

The latest rules on the processing of personal data by the police were drafted by the Ministry of the Interior. The law now satisfies European requirements and the personal data processing and protection needs that changes in the external environment and the laws governing the police have created.

One of the most notable changes was a shift from system-specific personal data processing to purpose-specific processing. The Act on the Processing of Personal Data by the Police entered into force on 1 June 2019.

Application of EU and national data protection laws by the police

The police applies the rules of the GDPR and the Finnish Data Protection Act to, for example, the processing of permit applications, claims for asylum and contractual documents.
The Act on the Processing of Personal Data in Criminal Matters and in Connection with

Maintaining National Security is observed in the context of criminal matters.
The Act on the Processing of Personal Data by the Police is a special law that takes precedence over other laws when it comes to the police’s statutory duties. Other laws are applied complementarily to the Act on the Processing of Personal Data by the Police.
 

An analyst looking at computer screens filled with code.