Last reviewed: 2026-05-05 · Reviewer: M.K., CIPP/E
Finland · Suomen tasavalta

WEB ANALYTICS · COOKIE COMPLIANCE · NORTHERN EUROPE · FI

Finland — analytics & cookie compliance reference

What you can run on a Finland-targeted website without a fine — GA4, cookies, vendor stack, and the rules behind them. Tietosuojavaltuutettu (Office of the Data Protection Ombudsman) is pragmatic; Finnish-language privacy notices recommended.

GDPR · ePrivacy · Free reference · sources cited
// SCOPE

Web analytics, cookies, tag managers, CMPs, ad pixels, and session-replay tools as deployed on websites and apps targeting Finland. Sectoral rules (healthcare KanTa, banking, employment Yksityisyyden suoja työelämässä) are touched only where they intersect with the analytics layer.

Applicable laws

The legal framework that governs personal data processing here.

National add-ons

Country-specific statutes layered on the EU baseline.

Tietosuojalaki
Tietosuojalaki (1050/2018)
National implementation of GDPR opening clauses — establishes Tietosuojavaltuutettu and the separate Seuraamuslautakunta (sanctions board), sets child-consent age at 13 (lowered from GDPR default 16), criminal liability for intentional misuse, special-category permissions, and employer/employee carve-outs.
  • § 5 Child consent age — lowered to 13 (GDPR Art 8 opening clause used)
  • § 8–9 Special-category data — research, statistics, archiving carve-outs
  • § 8–10 Tietosuojavaltuutettu (Ombudsman) + Seuraamuslautakunta (sanctions board) — institutional split
  • § 24 Tietosuojarikkomus — criminal liability for intentional violation (fine or up to 1 year imprisonment)
Finnish Data Protection Act, in force since 1 January 2019, latest amendment 458/2023
SVPL §§ 200–205
Laki sähköisen viestinnän palveluista (917/2014)
Cookies + terminal-equipment access + electronic-communications privacy + direct-marketing opt-in. Traficom (Finnish Transport and Communications Agency) co-supervises with Tietosuojavaltuutettu on the cookie/comms layer.
  • § 200 Direct marketing — opt-in baseline for natural persons (email/SMS); soft opt-in for existing-customer + similar products
  • § 201 Storage / read access on terminal equipment — informed consent required (ePrivacy Art 5(3) transposition)
  • § 202 Strictly-necessary exception — narrowly construed, analytics/marketing never qualify
  • § 205 Confidentiality of electronic communications — supervised by Traficom
Act on Electronic Communications Services (SVPL / 'tietoyhteiskuntakaari'), §§ 200–205 transpose ePrivacy
Yksityisyyden suoja työelämässä · Stricter
Laki yksityisyyden suojasta työelämässä (759/2004)
Employee monitoring + necessity test ('välttämättömyysvaatimus') stricter than GDPR proportionality + co-operation procedure (yhteistoimintamenettely) before deploying analytics or surveillance tools that touch staff. Applies on top of GDPR and Tietosuojalaki.
  • § 3 Necessity requirement — employer may process only data directly necessary for the employment relationship
  • § 4 Collection from third parties — employee consent required for most non-direct sources
  • § 21 Co-operation procedure — mandatory consultation before deploying technical monitoring of staff
Act on the Protection of Privacy in Working Life
Yhdenvertaisuuslaki + Kielilaki
Yhdenvertaisuuslaki (1325/2014) + Kielilaki (423/2003)
Public-sector services and Finland-targeted private services should provide privacy information in Finnish (and Swedish where applicable). Tietosuojavaltuutettu has informally signalled that Finnish-only sites must offer Finnish-language privacy notices; English-only fails the Art 12(1) GDPR transparency test for Finland-targeted businesses.
  • Kielilaki § 2 Bilingual provision — Finnish + Swedish for public bodies and bilingual municipalities
  • Yhdenvertaisuuslaki § 8 Discrimination by language — relevant where critical service information is withheld in user's language
Non-Discrimination Act + Language Act — interaction with privacy notices for Finland-targeted services

Regulators

Supervisory authorities that interpret and enforce privacy law here.

FEDERAL
Tietosuojavaltuutettu · Tietosuojavaltuutetun toimisto (Office of the Data Protection Ombudsman)
Single national DPA for Finland — supervises GDPR + Tietosuojalaki across public and private sectors. Investigations are conducted by the Ombudsman; administrative fines under GDPR Art 83 are imposed by a separate Seuraamuslautakunta (sanctions board) of three members per Tietosuojalaki §§ 8–10.

Coordination body

Seuraamuslautakunta · Tietosuojavaltuutetun toimiston seuraamuslautakunta
Three-member sanctions board (chair + 2 members) inside the Ombudsman's office that imposes GDPR Art 83 administrative fines. Institutionally separate from the investigating Ombudsman to satisfy the EU Charter Art 47 right to fair trial — a Finnish constitutional-law specificity that delayed Finland's first Art 83 fines until 2020.
  • 2020-05-19 · First Art 83 fines — Seuraamuslautakunta issues Finland's first GDPR fines — Posti €100K + transport company €72K + online retailer €16K. Unblocked the post-constitutional-review pipeline.
  • 2021-05-26 · Cookie guidance — Tietosuojavaltuutettu + Traficom joint guidance — opt-in baseline reaffirmed under SVPL §201; analytics never strictly-necessary.
  • 2024-09 · Verohallinto fine — Seuraamuslautakunta imposes €750K on Tax Administration for unlawful processing of taxpayer data — among Finland's largest administrative fines.

Notable enforcement

Finland's GDPR enforcement pipeline was delayed by a 2018–2019 constitutional-law debate over whether the Tietosuojavaltuutettu could simultaneously investigate and fine — resolved by creating the separate Seuraamuslautakunta inside the Ombudsman's office. Since 2020, fines have been steady but moderate by EU standards, with the Verohallinto €750K (2024) marking the high-water mark. The Ombudsman is widely seen as pragmatic and dialogue-oriented relative to LfDI BW or the French CNIL.

  1. 2024-09 · €750k · Verohallinto (Tax Administration) · Seuraamuslautakunta · Art 5, 6 · stood
     Unlawful processing of taxpayer data — among Finland's largest administrative fines and the first significant fine against a public authority.

  2. 2021-12 · €608k · Vastaamo psychotherapy clinic (in liquidation) · Seuraamuslautakunta · Art 5, 32 · stood
     Catastrophic patient-data breach affecting 33,000+ therapy clients. Largest sectoral-impact case in Finnish data-protection history; fine assessed against the bankrupt entity.

  3. 2024-12 · €230k · Online retailer (anonymised) · Seuraamuslautakunta · Art 5, 6, 32 · stood
     Improper retention of customer purchase history beyond stated purpose + insufficient access controls.

  4. 2025-03 · €150k · Healthcare provider (anonymised) · Seuraamuslautakunta · Art 32, 33 · stood
     Late breach notification + insufficient pseudonymisation of patient identifiers in research datasets.

  5. 2020-05 · €100k · Posti Group · Seuraamuslautakunta · Art 12, 13, 14 · stood
     Finland's first GDPR fine — failure to provide transparent information about address-change processing and to honour data-subject rights.

GA4 status

GA4 is usable in Finland with prior, informed consent under SVPL § 201. Tietosuojavaltuutettu is pragmatic post-DPF — transfers to Google's US servers are accepted in principle while Google LLC remains DPF-certified. There is no Finnish equivalent of the Austrian/French 2022 Schrems-II GA4 ban; the Ombudsman has not issued a categorical adverse decision against GA4.

DPA · Stance
  • Tietosuojavaltuutettu · Permissive post-DPF — opt-in via SVPL §201 + DPF certification suffice. Documented TIA recommended for defensive purposes.
  • Traficom · Co-supervisor on the cookie layer — joint 2021 guidance with Tietosuojavaltuutettu reaffirms opt-in baseline.
  • Seuraamuslautakunta · No GA4-specific Art 83 fine to date; all enforcement has targeted controllers' broader cookie-banner / transparency failures.

Cross-border transfers + Schrems II

Tietosuojavaltuutettu accepts adequacy for DPF-certified US importers post-DPF (10 Jul 2023). Finnish position is pragmatic — controllers are expected to verify DPF certification status at onboarding and at material processor changes, and to keep a documented Transfer Impact Assessment for non-DPF US recipients. No public Finnish equivalent of the LfDI BW maximalist TIA stance.

EU 2021/914 SCCs are the standard fallback when DPF certification is absent or revoked. Tietosuojavaltuutettu has not issued bespoke template clauses; controllers use the EU SCCs with Module-2 onward-transfer scrutiny.

Employee data

Key thresholds

  • Child consent age · 13 years
  • Article 27 representative · Required
  • Marketing consent · Double opt-in

Vendor signals

Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.

Analytics tools · 4 · 0 green · 3 yellow · 1 red
Vendor · Status · Rationale
  • YELLOW · Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation.
  • YELLOW · EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain.
  • YELLOW · EU cloud helps but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green.
  • RED · Auto-capture grabs every click and form value — broad PII risk under GDPR Art 5(1)(c) data minimization.

Consent management platforms · 5 · 5 green · 0 yellow · 0 red
Vendor · Status · Rationale
  • GREEN · Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent — verify your manual scripts also gate.
  • GREEN · Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan.
  • GREEN · Open-source, self-hosted. No managed updates — site owner maintains vendor list.
  • GREEN · GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch — verify per-region defaults.
  • GREEN · German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites.

Ad pixels · 3 · 0 green · 0 yellow · 3 red
Vendor · Status · Rationale
  • RED · Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set.
  • RED · Schrems II concerns persist; advanced matching hashes PII but does not fix EU→US transfer problem.
  • RED · PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required.

Server-side · 3 · 2 green · 1 yellow · 0 red
Vendor · Status · Rationale
  • GREEN · EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic.
  • GREEN · EU server containers handle the routing — but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings.
  • YELLOW · "EU server" ≠ EU data — clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party-routing.
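The vendor notes above keep returning to one check: a tag placed by hand must not execute before the consent category it needs has been granted, and a CMP that auto-blocks third-party scripts does not cover scripts it was never told about. The block below is an added example written for this page, not code from any vendor, CMP or regulator named here. It assumes three consent categories (necessary, analytics, marketing), an injectable loader so the gate can be exercised outside a browser, and a mapping from those categories onto Google Consent Mode v2's real parameter names; the tag ids, script URLs and the G-PLACEHOLDER measurement id are constructed sample values.

```javascript
// Consent categories used by this example (an assumption of the example, not a
// Finnish legal taxonomy). Only "necessary" may run before any consent is given,
// mirroring the narrow strictly-necessary exception in SVPL § 202.
const CATEGORIES = Object.freeze(["necessary", "analytics", "marketing"]);

// Google Consent Mode v2 parameter names are real; mapping our categories onto
// them is this example's choice.
function consentModeFromCategories(granted) {
  const analytics = granted.has("analytics") ? "granted" : "denied";
  const marketing = granted.has("marketing") ? "granted" : "denied";
  return {
    analytics_storage: analytics,
    ad_storage: marketing,
    ad_user_data: marketing,
    ad_personalization: marketing,
  };
}

// Turn a CMP callback record into the set of granted categories.
// Only an explicit `true` counts as opt-in; anything else stays denied.
function validateConsent(record) {
  if (!record || typeof record !== "object") {
    throw new TypeError("consent record required");
  }
  const granted = new Set(["necessary"]);
  for (const cat of CATEGORIES) {
    if (cat !== "necessary" && record[cat] === true) granted.add(cat);
  }
  return granted;
}

// The gate holds every registered tag until its category is granted, then
// hands it to `loader` together with the current consent-mode snapshot.
function createConsentGate(loader) {
  let granted = new Set(["necessary"]);
  const pending = [];
  const loaded = [];

  function flush() {
    for (const tag of pending.slice()) {
      if (granted.has(tag.category)) {
        pending.splice(pending.indexOf(tag), 1);
        loaded.push(tag.id);
        loader(tag, consentModeFromCategories(granted));
      }
    }
  }

  return {
    register(tag) {
      if (!CATEGORIES.includes(tag.category)) {
        throw new RangeError(`unknown category: ${tag.category}`);
      }
      pending.push(tag);
      flush(); // necessary tags load at once; everything else waits
    },
    applyConsent(record) {
      granted = validateConsent(record);
      flush();
    },
    withdraw() {
      // Injected scripts cannot be unloaded; after withdrawal nothing further
      // is injected and the consent-mode snapshot reverts to all-denied.
      granted = new Set(["necessary"]);
    },
    consentMode() { return consentModeFromCategories(granted); },
    pendingIds() { return pending.map((t) => t.id); },
    loadedIds() { return loaded.slice(); },
  };
}

// Browser loader: appends a <script> element. Not exercised in the demo.
function domLoader(tag) {
  const s = document.createElement("script");
  s.src = tag.src;
  s.async = true;
  document.head.appendChild(s);
}

// Demo with a recording loader so the logic runs under Node as well.
function demo() {
  const injected = [];
  const gate = createConsentGate((tag, mode) => injected.push({ id: tag.id, mode }));
  gate.register({ id: "cmp", category: "necessary", src: "/cmp.js" });
  gate.register({ id: "ga4", category: "analytics",
    src: "https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER" });
  gate.register({ id: "ad-pixel", category: "marketing", src: "https://example.invalid/pixel.js" });
  const before = gate.loadedIds();                 // ["cmp"]
  gate.applyConsent({ analytics: true, marketing: false });
  return { before, after: gate.loadedIds(), mode: gate.consentMode(), injected };
}
```

In a real deployment the loader is domLoader, the CMP's consent callback calls applyConsent, and loadedIds() is the audit trail to set against the network requests visible in devtools before any banner interaction: a request from a tag outside the necessary set is a gating failure regardless of which CMP is installed.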

Common questions

Is Google Analytics legal in Finland in 2026?
Yes, conditionally. GA4 is usable in Finland with prior, informed consent under SVPL § 201. After EU-US DPF (10 Jul 2023), transfers to Google's US servers are lawful in principle while Google LLC remains DPF-certified. Tietosuojavaltuutettu has not issued a categorical adverse decision against GA4 — Finland's posture is more pragmatic than Austria's or France's 2022 GA-ban era.
Who is Finland's data protection authority?
Tietosuojavaltuutettu (Office of the Data Protection Ombudsman) is the single national DPA for Finland. It supervises GDPR and Tietosuojalaki across public and private sectors. Investigations are conducted by the Ombudsman; administrative fines under GDPR Art 83 are imposed by a separate Seuraamuslautakunta (sanctions board) inside the same office.
Why does Finland have two bodies — Tietosuojavaltuutettu and Seuraamuslautakunta?
Constitutional-law reasons. A 2018–2019 Finnish constitutional review found that the same official cannot both investigate a case and impose a fine under EU Charter Art 47 (right to fair trial). Tietosuojalaki §§ 8–10 therefore created Seuraamuslautakunta — a three-member sanctions board (chair + 2 members) inside the Ombudsman's office that imposes Art 83 fines after the Ombudsman's investigation. This split is a Finnish specificity and delayed Finland's first GDPR fine until May 2020.
What is the child-consent age in Finland?
13 years. Finland used GDPR Art 8 opening clause to lower the digital-services consent age from the GDPR default of 16 to 13 (Tietosuojalaki § 5). This aligns Finland with Sweden, Denmark, and the UK and is at the low end of the EU range.
Do I need a Finnish DPO?
No special Finnish threshold beyond GDPR Art 37. Finland did not use the Tietosuojalaki opening clause to set a stricter DPO trigger (unlike Germany's BDSG § 38 at ≥20 employees). DPO is mandatory only when GDPR Art 37(1)(a)–(c) is met — public authorities, large-scale systematic monitoring, or large-scale special-category data.
What language must my privacy notice be in?
Finnish, and Swedish where applicable. Tietosuojavaltuutettu's informal position is that Finland-targeted services must provide privacy notices in Finnish — English-only fails the GDPR Art 12(1) transparency test. Public bodies and bilingual municipalities must also provide Swedish under Kielilaki (423/2003). The targeting test mirrors GDPR Art 3(2) — Finnish-language website, .fi domain, EUR pricing, Finnish-language marketing all signal targeting.
Is 'legitimate interest' a valid basis for analytics in Finland?
No, for non-essential analytics that store or read on terminal equipment. SVPL § 201 is independent of GDPR Art 6 — it requires opt-in consent for any non-strictly-necessary cookie or device-storage technology, regardless of GDPR lawful basis. § 201 governs the cookie/tracking layer; GDPR governs subsequent processing. Tietosuojavaltuutettu and Traficom confirmed this jointly in May 2021.
What about employee monitoring and analytics?
Yksityisyyden suoja työelämässä (759/2004) imposes a stricter 'välttämättömyysvaatimus' (necessity requirement) than GDPR's proportionality test — employer may process only data 'directly necessary' for the employment relationship. § 21 requires a yhteistoimintamenettely (co-operation procedure) with employee representatives before deploying any technical monitoring of staff. This applies to most analytics, productivity, HR, and IT-monitoring tools and is independent of GDPR consent.
Do I need a Finnish Article 27 representative?
Yes if you are a non-EU controller offering goods/services to or monitoring behavior of people in Finland (or any EEA state), unless the small-business exception in Art 27(2) applies. Tietosuojavaltuutettu accepts the GDPR EEA-wide representative — a single representative based in any EEA state covers Finland.
Can a public authority be fined in Finland under GDPR?
No, in most cases. Tietosuojalaki § 24(4) uses the GDPR Art 83(7) opening clause to exempt Finnish public authorities from administrative fines — they receive reprimands and corrective orders only (e.g. Kela 2022, Yle 2023). The Verohallinto €750K fine (2024) was possible because the Tax Administration's commercial-style data uses fell outside the public-authority carve-out for that specific processing.

// EDITORIAL · NOT LEGAL ADVICE This page summarises Finland's privacy framework as of 2026-05-05. Rules vary by sector, establishment, and DPA position. For binding interpretation, consult counsel admitted here.