Yle turned to Data Protection Ombudsman Reijo Aarnio to tackle six of the frequently asked questions Finnish residents have been asking about the impact of the EU’s General Data Protection Regulation, GDPR, on everyday life since it came into force. The following are the most commonly-held assumptions addressed by the ombudsman and other legal experts.
Name boards will no longer appear in the corridors of apartment blocks
In February, deputy lead counsel for the Finnish Real Estate Federation Kristel Pynnönen thought that housing companies in Finland might have to give up the practice of installing name boards in properties because of the regulation. She told the press that once the rules came into effect, housing firms would have to think about whether the boards are a form of personal data register and as a result might have to go.
However, Data Protection Ombudsman Reijo Aarnio later brushed aside this interpretation of the regulation. He said that the boards, which act as a kind of building directory, are not inherently a data register. He said that so far, there isn’t enough information about what kind of national legislation would result from the EU regulation. He pointed out that in most cases, the practice of putting up a name board is based on municipal building rules and as such are obligatory for housing companies.
Anu Talus, a legal affairs counsellor with the Justice Ministry, also said in February that housing companies would not have to remove the name boards. She said at the time that the regulation would not mean having to give up the practice.
No more sauna schedules posted publicly
By the same logic, some members of the public have wondered if a sauna timetable showing residents’ names and posted near on or the door of the facility should be removed as a result of the new privacy rules.
Ombudsman Aarnio said that the practice is a “typical issue of interpretation”. He added that it would be necessary to determine what a list of names is all about. However he said that it is best to avoid the general idea that a sauna schedule can never be visible.
Finland will no longer publish personal tax data
In an Iltalehti article published in 2016, attorney Jaakko Lindgren of the Dottir law firm said that the regulation could make it illegal for Finnish authorities to publish personal tax data due to tighter controls on personal data.
However in the same article, the Justice Ministry’s Talus said that applying the GDPR will not directly make it illegal to publish personal tax information. She said that the principles of the regulation are for the most part quite similar to existing personal data directives.
Tax administration chief inspector Taito von Konow also said at the time that Finland would hardly give up the custom of publishing personal tax data. However he speculated that there might be some changes to how they are released. He said that the information might continue to be public, but how it is handled and how tax officials made it available might change.
No more address lists for kids’ birthday parties
Anu Talus of the Justice Ministry told Yle that the ministry had been contacted by people wanting to know how the new regulation would affect address lists used for sending out invitations to children’s birthday parties.
Talus stressed that the data privacy rules do not affect private households. They will not be applied if a private individual processes personal data for private purposes, in their own household and as long as use of the data is not intended for professional or commercial activities.
Under-16 year-olds will be banned from using WhatsApp
The EU regulation will increase the minimum age for using the popular messaging service WhatsApp from 13 to 16 years. Some people may have taken this to mean that everyone under the age of 16 will be categorically banned from using the app.
Immediate fines for non-compliance
The most egregious violations of the rules could hit businesses where it hurts most -- on the bottom line. However, contrary to what some firms may believe, a fine is not the first or only consequence of non-compliance. A fine will usually be preceded by a warning, a request for rectification or even a ban on processing personal data.