Legislation and supervision
There are provisions on the protection of personal data in the European Union’s General Data Protection Regulation (EU) 2016/679 (GDPR), and in the Finnish data protection act. The legislation on the protection of personal data applies whenever personal data is processed.
The Data Protection Ombudsman is the competent authority in the supervision of the GDPR in Finland.
Personal data
Definition of personal data
- Under Article 4(1) of the GDPR, personal data means any data relating to an identified or identifiable natural person. An identifiable person is a natural person who can be identified, directly or indirectly, in particular by reference to an identification data such as a name, personal identity code, location data, online login data or to one or more factors specific to his/her physical, physiological, genetic, mental, economic, cultural or social identity.
- The definition of personal data is a very broad one. Offering travel chain services to passengers usually leads to a situation in which personal data is processed. Such data includes the passenger’s contact details and credit card data processed when an order is placed. Personal data can also include the information required to authenticate a travel authorisation.
Pseudonymisation and anonymisation
Even if data is pseudonymised, it is still regarded as personal data. Even if a party to the travel chain cannot determine the identity of a passenger, it is regarded as sufficient if a party can identify a person by combining different pieces of information. Thus, a travel identifier that does not include a passenger’s name or any other distinctive personal data, but that a party can connect to a single passenger, is regarded as personal data.
Data is anonymous if personal data is irrevocably converted into a format from which the data subject cannot be identified by any party, either directly or indirectly.
Positions of the controller and processor
Different roles are involved in the processing of personal data
- The controller defines the purposes and methods of the processing of personal data, independently or together with others.
- The processor processes personal data in the name of the controller. In that case, processing is commissioned or subject to subcontracting or a partnership.
There can also be parallel controllers, in which case each controller has an independent right to process personal data.
The controller defines the purposes of data processing independently and uses data for its own purposes in accordance with its own data processing procedures. The processor does not process data for its own purposes. Instead, it processes it in accordance with the instructions issued by the controller and an agreement concluded with the controller, and only in the name of the controller. Furthermore, the processor does not have any independent right to use the data.
The controller must notify data subjects of any processing of personal data. This information must be provided in a clear and understandable format. The GDPR defines the content of the information in more detail. The information includes the controller’s contact details, information about the purpose and principles of the data processing, and information about the rights of the data subjects. However, the parties can also agree on their mutual responsibilities so that a contracting party is obliged to give information to data subjects.
When data is transferred from one controller to another, the transferring party is responsible for ensuring that the data is transferred in compliance with the legislation.