2
State of the European Union, but it uses equipment located in Finland in the processing of personal
data, except where the equipment is used solely for the transfer of data through the territory. In this
case the controller shall designate a representative established in Finland.
Chapter 2 — General rules on the processing of personal data
Section 5 — Duty of care
The controller shall process personal data lawfully and carefully, in compliance with
good processing practice, and also otherwise so that the protection of the data subject’s private life
and the other basic rights which safeguard his/her right to privacy are not restricted without a basis
provided by an Act. Anyone operating on the behalf of the controller, in the form of an independent
trade or business, is subject to the same duty of care.
Section 6 — Defined purpose of processing
It must be appropriate and justified to process personal data in the operations of the
controller. The purpose of the processing of personal data, the regular sources of personal data and
the regular recipients of recorded personal data shall be defined before the collection of the personal
data intended to be recorded in the file or their organisation into a personal data file. The purpose of
the processing shall be defined so that those operations of the controller in which the personal data
are being processed are made clear.
Section 7 — Exclusivity of purpose
Personal data must not be used or otherwise processed in a manner incompatible with
the purposes referred to in section 6. Later processing for purposes of historical, scientific or
statistical research is not deemed incompatible with the original purposes.
Section 8 — General prerequisites for processing
(1)
Personal data shall be processed only if:
(1) the data subject has unambiguously consented to the same;
(2) the data subject has given an assignment for the same, or this is necessary in
order to perform a contract to which the data subject is a party or in order to take steps at the
request of the data subject before entering into a contract;
(3) processing is necessary, in an individual case, in order to protect the vital interests
of the data subject;
(4) processing is based on the provisions of an Act or it is necessary for compliance
with a task or obligation to which the controller is bound by virtue of an Act or an order issued
on the basis of an Act;
(5) there is a relevant connection between the data subject and the operations of the
controller, based on the data subject being a client or member of, or in the service of, the
controller or on a comparable relationship between the two (connection requirement);
(6) the data relate to the clients or employees of a group of companies or another
comparable economic grouping, and they are processed within the said grouping,
(7) processing is necessary for purposes of payment traffic, computing or other
comparable tasks undertaken on the assignment of the controller;
(8) the matter concerns generally available data on the status, duties or performance
of a person in a public corporation or business, and the data is processed in order to safeguard
the rights and interests of the controller or a third party receiving the data; or
(9) the Data Protection Board has issued a permission for the same, as provided in
section 43(1).
Personal data may be disclosed on the basis of paragraph (1)(5) only if such disclosure is a regular
feature of the operations concerned and if the purpose for which the data is disclosed is not
incompatible with the purposes of the processing and if it can be assumed that the data subject is
aware of such disclosure.
Chapter 3 contains provisions on the processing of sensitive personal data and personal identity
numbers. Chapter 4 contains provisions on the processing of personal data for special
purposes.