Significant Amendments to the Data Protection Act

Authors: Maria Aholainen, Axel Hård af Segerstad

Administrative Fines to Be Extended to Public Authorities

The Government proposes that an administrative fine may also be imposed on public authorities and public administrative bodies for breaches of data protection legislation in order to make the system of sanctions more consistent across the public and private sectors. Fixed maximum amounts are proposed for public authorities: depending on the infringement, up to EUR 500,000 or EUR 1,000,000. In determining the amount of the fine, account would be taken of the authority’s size and financial standing, as well as the seriousness of the infringement. However, administrative fines could not be imposed on courts of law or on the offices of Parliament. Situations involving the disclosure of personal data in order to reconcile public access to official documents with data protection would also remain outside the scope of application.

Clear Grounds for Restricting Personal Data Breach Notifications

A data subject must be informed of a personal data breach if the breach is likely to result in a high risk to the data subject’s rights and freedoms. A new provision is proposed for the Data Protection Act that would make it possible, in certain situations, to restrict, delay, or omit such notification. The grounds for restriction would relate, among other things, to national security, the prevention and investigation of criminal offences, and the protection of the rights of the data subject or other individuals. However, these restrictions would not affect the controller’s obligation to notify the Data Protection Ombudsman of personal data breaches.

Clarifications to Legal Bases for Processing in the February 2026 Proposal

In a separate Government proposal submitted in February 2026, it is proposed that the legal bases for processing under the Data Protection Act be clarified so that public authorities could process personal data not only for the performance of a task carried out in the public interest but also for the exercise of official authority. A corresponding legal basis would also be extended to private entities where they perform a public administrative task assigned to them by or pursuant to law. In addition, the right of insurance institutions to process health data would be specified so that such processing is more clearly limited to what is necessary for assessing or determining liability.

Entry into Force

The amendments concerning administrative fines and personal data breach notifications are intended to enter into force on 1 January 2027. The amendments concerning legal bases for processing will enter into force earlier, on 1 September 2026.