Personal Data

Art. 4 (1) of the GDPR states that personal data reveal information about an identified or identifiable natural person. Personal data include an individual’s name, a picture, a phone number, even a professional phone number, a code, a bank account number, an e-mail address, a fingerprint, etc.

Please visit:


Special Category of personal data

‘Special category of personal data’ means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and data concerning health, sex life or judicial information.

Art. 9 of the GDPR contains rules about Processing of special categories of personal data. Sensitive data is personal data which reveals individual’s racial and ethnic origin, political beliefs, religion, philosophical and moral convictions, trade union affiliation or membership, health, and sexual orientation, and also refers to genetic and biometric data.

Article 9(2) sets out the circumstances in which the processing of special category of personal data which is otherwise prohibited, may take place. These include, among others:

  • Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law
  • Necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement
  • Necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent.

Please visit:


The Finnish Data Protection Act allows the processing of special category of personal data:

  • For scientific or historical research purposes or statistical purposes (provided that certain procedures are satisfied, and a data protection impact assessment is conducted);
  • For solely academic, artistic and literary expression purposes and for a few other specified activities such as provision of health care services and social welfare services;
  • By an insurance company where the data processed relates to health, sickness or disability of treatment received by a data subject, and such data is received in the course of insurance activities.

Consent or special legislation is required for the processing of biometric data (Ombudsman guidance).



The GDPR definition of ‘consent’, written in Art. 4 (11), is: “‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.


Children’s age

In Finland, the age at which a child can provide a valid consent in relation to information society services is 13 years. The age limit applies only for consent given in relation to information society services offered directly to a child.

In the case of processing of data for other purposes (e.g. direct marketing or use of photographs) the general rules of the Finnish Act on Child Custody and Right of Access (361/1983) apply according to which the person who has custody of the child has to give consent. However, a child can represent themselves (e.g. give consent) after their age and level of development are considered appropriate for the specific case. Hence, in “ordinary matters”, 15-year old children may represent themselves.