Skip to content

EU Data Protection Regulation brings new personal data rights for citizens

Ministry of Justice
Publication date 16.5.2018 10.01
Press release

The application of the EU General Data Protection Regulation will begin on 25 May 2018. The basic principles governing the processing of personal data and data subjects’ rights will mainly remain unchanged. Data subjects will also in future have the right to access the personal data concerning themselves and to request rectification of inaccurate data and erasure of unnecessary data.

The reform will also bring new rights for data subjects. Data subjects will in future have the right to obtain their personal data from the controller by electronic means and the right to data portability, which means an easier transfer of data from one system to another.

The data protection reform concerns all EU Member States. This means that the same rights apply even when making purchases in an online store operating in some other EU country, for example.

Time limit for rectification of data is introduced

A company, entity or authority processing personal data must rectify inaccurate personal data and erase personal data that has become unnecessary or outdated, for example. Rectifications must be made without undue delay, normally within a month from the receipt of the request for rectification or erasure.

In the case of a personal data breach, the controller must, no later than 72 hours after having become aware of it, notify the breach to the Data Protection Ombudsman, if the breach is likely to result in a risk to the rights and freedoms of natural persons. In certain cases, the personal data breach must also be notified to the data subject.

In accordance with the so-called one-stop shop principle, companies carrying out cross-border activities will only have to deal with one data protection authority in the future, even if they operate in several Member States. The same applies to citizens wishing to lodge a complaint on the activities of a company operating in another EU country, for example.

Data Protection Act complementing the Regulation under consideration in Parliament

A government proposal for a Data Protection Act is currently being considered by Parliament. The Act would complement and specify the provisions of the EU General Data Protection Regulation. According to the proposal, information society services could be provided directly to a child only if he or she has reached the age of 13. In respect of children younger than this, the controller would have to verify that a child has received consent from his or her parents to the use of social media services, for example.

The Data Protection Act would also lay down provisions on derogations from the Data Protection Regulation in certain questions and on the centralisation of official duties related to data protection to the Data Protection Ombudsman.

The Data Protection Act will enter into force as soon as possible after the bill has been passed in Parliament and has been approved.

Inquiries: Anu Talus, Senior Ministerial Adviser, Ministry of Justice, tel. +358 2951 50586, email: firstname.lastname(at)
Tanja Jaatinen, Senior Ministerial Adviser, Ministry of Justice, tel. +358 2951 50056, email: firstname.lastname(at)
Reijo Aarnio, Data Protection Ombudsman, tel. +358 2951 66730, email: firstname.lastname(at)

Press release of the Ministry of Justice of 1 March 2018: Data Protection Act would complement EU Data Protection Regulation (in Finnish and Swedish)
Information on the EU data protection reform (website of the Data Protection Ombudsman)

Back to top