Act on the Protection of Privacy and Data Security in Telecommunications 565/1999. Issued in Helsinki on 22 April 1999
According to a decision of Parliament the following is enacted:
Chapter 1. General provisions
Section 1. Purpose of the Act
The purpose of this Act is to promote the data security of public telecommunications and the protection of the privacy and the legitimate interests of sub-scribers and users in telecommunications.
Section 2. Scope of application
The provisions of this Act shall be applied to public telecommunications and to telecommunications operated by means of public telecommunications services as well as to the provision of subscriber directories. The processing of personal data in telecommunications shall be governed by specific provisions on the processing of personal data unless otherwise provided for in this Act.
The ministry shall decide in more detail, taking into account the technical possibilities and the reasonableness of costs caused to telecommunications operators, on the application of this Act to telecommunications carried out in public analogous mobile networks.
This Act shall be applied to telecommunications from or to a telecommunications network other than a public telecommunications network through the latter network if the telecommunications network other than a public telecommunications network has been connected as part of a public telecommunications network or to a subscription of a public telecommunications network. Section 4 of this Act shall, however, be applied to all telecommunications.
This Act shall not be applied to television and radio broadcasting.
Section 3. Definitions
In this Act:
1) telecommunications, public telecommunications, a telecommunications network, a telecommunications service and a subscription shall have the meanings provided for them in the Telecommunications Markets Act (1997/396);
2) personal data shall mean all entries describing a person or his characteristics or personal circumstances relating to an identifiable natural person or his family or to those living in his household;
3) a telecommunications operator small mean a natural or legal person that offers for public use services referred to in the Telecommunications Markets Act and belonging to telecommunications and provided by itself;
4) the data security of telecommunications small mean the confidentiality, integrity and usability of information transmitted with telecommunications ensured by the telecommunications operator though administrative and technical measures;
5) a subscriber small mean a natural or legal person that is party to a contract with a telecommunications operator for the supply of telecommunications services or to whom or which the rights of a subscriber have been transferred under the terms of a contract on telecommunications services; the provisions of this Act on a subscriber shall, however, be applied to the natural or legal person that is liable to pay all or part of the telecommunications bill for telecommunications services used from a subscription in his possession;
6) a user shall mean a natural person using telecommunications services;
7) identification information shall mean the number of the subscription of a subscriber or user or other identification or information created or stored in the course of making a call;
8) the processing of identification information shall mean the collections, storage, Organisation, use, submission, maintenance, alteration, combination, protection, erasure and destruction of identification information as well as other measures generally directed at information;
9) a telecommunications bill shall mean a bill containing fees charged by a telecommunications operator for services belonging to telecommunications;
10) presentation of calling line identification shall mean a technical function which will allow the user to identify the calling subscription or service;
11) the identification of a switched connection shall mean a technical function allowing the user to identify the subscription or service to which the call is routed;
12) a directory of subscribers shall mean a generally available directory of subscribers and another printed or electronic directory or list of addresses containing personal data on the subscribers or other data on subscribers or users collected and maintained by the operator of directory services; as well as
13) the ministry shall mean the Ministry of Transport and Communications unless otherwise provided for by Decree.
Chapter 2. Data security of telecommunications
Section 4. Confidentiality of telecommunications
Telecommunications shall be confidential unless it is meant to be received by the public. No one who has received or otherwise learned of a confidential telecommunications message not meant for him may, without justification, disclose the contents of the telecommunications message or make use of his knowledge of the contents or existence of the telecommunications message.
Section 5. Coding of telecommunications
The user and the subscriber shall have the right to code their telecommunications message in the way they wish utilising the technical possibilities available thereto.
Decoding systems of a protective code shall be governed by the provisions of sections 25, 39 and 45 of the Telecommunications Markets Act.
Section 6. Duties of a telecommunications operator
A telecommunications operator shall safeguard the data security of telecommunications operated by it. Telecommunications operators shall, where necessary, in conjunction with other telecommunications operators, ensure a level of security that is sufficient with regard to technical development and reasonable as to its costs.
A telecommunications operator shall inform its subscribers of any special risks relating to the security of its telecommunications services as well as of any possibilities for their elimination and of the costs of the measures involved.
The ministry shall, where necessary, decide on factors to be taken into account in the evaluation of the reasonableness of the costs and the adequacy of the level of security.
Section 7. Secrecy obligation
No one who is or has been employed by a telecommunications operator may unlawfully disclose information regarding the content of a telecommunications message or the identification information of parties to telecommunications that has come to his knowledge in connection with his task unless otherwise provided for in chapter 3.
The secrecy obligation referred to in paragraph 1 shall also apply to an authorised telecommunications contractor referred to in section 12 of the Telecommunications Markets Act as well as to a person who is or has been employed by a telecommunications contractor.
Section 8. Preparation for exceptional circumstances
A telecommunications operator shall ensure the data security of its telecommunications operations also in exceptional circumstances by participating in readiness planning for emergency situations and by advance planning of operations to be carded out in exceptional circumstances and through other measures.
If the tasks resulting from paragraph 1 require measures that clearly differ from telecommunications services to be considered ordinary and which entail considerable additional costs, such additional costs may be reimbursed from State funds unless the costs incurred thereby are paid to the telecommunications operator by the party ordering the measure in question.
The ministry shall decide in more detail on the application of paragraph 1.
Chapter 3. Processing of identification information
Section 9. Erasure and alteration of identification information
Upon the termination of a call, a telecommunications operator shall erase or alter the identification information that has been created when establishing the call and stored by the telecommunications operator so that the parties to the telecommunications may not be identified unless otherwise provided for in this chapter.
Section 10. Processing of identification information for billing
For the purpose of determining telecommunications bills and interconnection payments, a telecommunications operator may process subscriber identification information relating to:
1) the number, identification or type of terminal telecommunications equipment;
2) the number or other identification of the called subscription;
3) the starting time or date of the call; as well as
4) the form and duration of the call as well as the data volume transferred during it as well as other identification information necessary to determine the fee.
A telecommunications operator may process identification information relating to the determination of the telecommunications bill for a maximum period of three years after the telecommunications bill has been paid in full, however, not longer than the payment of the telecommunications bill may be collected unless otherwise provided for elsewhere. The obligation of a telecommunications operator to store identification information relating to the determination of a telecommunications bill shall be provided for by Decree.
Section 11. Processing of identification information in the marketing of telecommunications services
Upon the consent of the subscriber, a telecommunications operator may, during the period referred to in section 10, paragraph 2, process the identification information for the purpose of marketing its telecommunications services or its other services directly relating thereto in connection with the production of which the identification information has been created.
Section 12. Processing of identification information by a telecommunications operator
During the period referred to in section 10, paragraph 2, a telecommunications operator may itself process and submit to another telecommunications operator identification information for the purpose of duties relating to billing, the maintenance and development of the telecommunications network and services as well as the prevention and investigation of fraud.
The identification information may only be processed by persons employed by a telecommunications operator or authorised for this task by telecommunications operators who handle tasks relating to billing or the maintenance and development of the telecommunications network or telecommunications services, the prevention or investigation of fraud, customer service and marketing referred to in section 11, and only to the extent necessary for the performance of these duties.
The persons referred to in paragraph 2 and authorised by telecommunications operators shall be governed by the provisions on the processing of identification information.
Further provisions on the processing of identification information in the supply of backup services shall be issued by Decree.
Section 13. Itemisation of calls
A telecommunications operator may not submit an itemisation of the numbers or other identification information on calls established from a subscription unless otherwise provided for below in this section.If a subscriber requests an itemisation of the calls covered by a telecommunications bill, the telecommunications operator shall submit the itemisation without disclosing the last three digits of the identification information of the calls unless otherwise provided for in paragraph 3.
Upon the request of the subscriber, the telecommunications operator shall submit a complete written itemisation of the numbers of calls if:
1) the calls have been established to another subscription which results in fees charged in connection with a telecommunications bills but which are not telecommunications fees; or
2) the telecommunications bill is more than double compared to the previous corresponding billing period.
The telecommunications operator may give the subscriber an itemisation only for the period that the subscription has been in the possession of the subscriber.
If the identification information does not consist of digits only, further provisions on the itemisation of the identification information of calls shall be issued by Decree.
Section 14. Calling line identification
A telecommunications operator offering calling line identification in a fixed or mobile telephone network shall ensure that the calling user has the possibility free of charge to eliminate the calling-line identification in voice telephony services on a per-call basis. The subscriber shall also have the possibility to eliminate the calling-line identification from calls made from his subscription also on a per-line basis.
A telecommunications operator offering a fixed telephone network or mobile telephone network subscription shall ensure that a subscriber receiving a call to a subscription offered by the telecommunications operator has the possibility, in the voice telephony services of his subscription:
1) to eliminate calling-line identification free of charge; as well as
2) to reject incoming calls where the calling-line identification has been eliminated.
If the services referred to in this section are not offered in other than fixed or mobile telephone networks, the ministry shall, where necessary, decide further on the referred to in this section that shall have to be offered in the other networks referred to through the cooperation of telecommunications operators.
Section 15. Connected line identification
A telecommunications operator offering connected line identification shall ensure that the called subscriber has the possibility, free of charge, to eliminate the presentation of the connected line number or identification to the calling user.
Section 16. Automatic call forwarding
A telecommunications operator shall offer the user the possibility, free of charge, to eliminate automatic call forwarding to the subscription of the user by a third party.
Section 17. Use of identification services
The functions referred to in sections 14 – 16 shall be implemented so that they can be taken into use by simple means as further provided for by Decree.
The telecommunications operators shall inform the users and subscribers of the offering and use of identification services.
Section 18. Submission of identification information to an authority
Without prejudice to the secrecy obligation provided for in section 7, the police shall be entitled to obtain:
1) upon the consent of the injured party and the party in possession of the subscription, identification information about calls made to a subscription necessary for the investigation of a crime referred to in chapter 16, section 9a, chapter 17, section 13, subparagraph 2 or chapter 24, section 3 a of the Penal Code (1889/39); as well as
2) upon the consent of the subscriber, identification information relating to messages sent from a mobile telephone to the extent that this is necessary to investigate a crime through which the mobile phone or the subscription used therein is, without justification, in the possession of another.
Without prejudice to the provisions of section 7 or the contents of a contract concluded by the subscriber with the telecommunications operator on the confidentiality of identification information, the telecommunications operator may give the police that has received an emergency call, a rescue authority and to other authorities receiving emergency messages identification information on the subscription regarding the user of which an emergency call has been made. In addition to the number and other identification information of the subscription, the identification information given may also include information on the installation address, subscriber and user of the subscription as well as information on the location of the support station through which an emergency call made from a mobile telephone has been routed to the public telecommunications network.
The right of an authority to obtain identification information for the pre-trial investigation of comes shall be governed by the Coercive Criminal Investigation Means Act (1987/450).
Chapter 4. Directories of subscribers and telecommunications in direct marketing
Section 19. Submission of directory information and the provision of subscriber directories
Without prejudice to provisions on the submission of subscriber directory information elsewhere, telecommunications operators may submit information notified by the subscriber for publication in a subscriber directory for its publication in another subscriber directory. The provider of a subscriber directory shall have the right to maintain and provide subscriber directories.
The transfer of personal data to outside the territory of the Member States of the European Union and the European Economic Area shall be governed by specific provisions thereon.
Section 20. Subscriber directories
Only information necessary to identify a subscriber or a user may be published in a subscriber directory unless the particular party has given his unambiguous consent to the publication of additional information.
The subscriber and the user shall, free of charge, be entitled to:
1) demand that his personal data in a subscriber directory be omitted or corrected;
2) forbid the use of his personal data in a subscriber directory for direct marketing; as well as to
3) demand that his street or postal address be omitted in part or that the personal data published do not indicate his or her sex.
The telecommunications operator shall ensure that the demands and alterations of the subscriber or user relating to information referred to in paragraphs 1 and 2 are further conveyed to the parties to whom it has submitted this information for its publication in a subscriber directory. The telecommunications operator and the party to whom the telecommunications operator has submitted the information referred to above shall agree on the submission of the demands of the subscriber or user concerning this information.
Section 21. Telecommunications in direct marketing
Telecommunications may not be used for direct marketing without the prior consent of the subscriber if the calls to the called subscriber are made by means of automated calling systems or facsimile machines unless otherwise decided by the ministry under paragraph 4.
Without prejudice to the provisions of paragraph 1, telecommunications may be used for direct marketing by means of automatic systems if a subscriber who is not a natural person has not forbidden it unless otherwise decided by the ministry under paragraph 4. However, a telefax may be used for direct marketing to a subscriber who is not a natural person.
Telecommunications used for the purposes of direct marketing to a natural person by other means than those referred to in paragraph 1 shall be allowed unless expressly forbidden by him. The subscriber must have a way of forbidding the direct marketing referred to in this subparagraph free of charge.
The ministry shall, where necessary, taking into account the functionality and security of the telecommunications network and telecommunications services as well as the reasonableness of obligations ensuing on the providers of direct marketing, decide in more detail on the means of telecommunications which:
1) would be allowed in telecommunications referred to in paragraph 1 without the consent of the subscriber provided, however, that the subscriber is able to forbid or prevent the telecommunications referred to in this subparagraph; as well as which
2) in telecommunications referred to in paragraph 2 require the prior consent of the subscriber.
Direct marketing directed at a consumer shall further be governed by the provisions of the Consumer Protection Act (1978/38).
Section 22. Availability of refusals to accept regarding direct marketing
The ministry shall, where necessary, decide in more detail on ways in which the refusals referred to in section 20, paragraph 2, subparagraph 2 and section 21 shall be held available to those providing direct marketing.
Chapter 5. Supervision, coercive measures and consequences
Section 23. Guidance and supervision
The general guidance and supervision of telecommunications shall belong to the ministry. It shall, in cooperation with the Telecommunications Administration Centre, the data protection authorities, telecommunications operators, the industry manufacturing telecommunications equipment and organisations representing the users promote the protection of privacy in telecommunications and the security of telecommunications.
It shall be the function of the Telecommunications Administration Centre to
1) supervise compliance with this Act and with provisions and orders issued thereunder unless otherwise provided for in paragraph 3; as well as to
2) where necessary, issue technical orders on the operations of telecommunications operators as well as on equipping telecommunications terminal equipment, telecommunications networks and telecommunications services in the manner required by this Act.
It shall be the function of the Data Ombudsman to supervise compliance with the night of the subscriber to forbid the activities referred to in sections 20 and 21 as well as compliance with the requirement of the prior consent of the subscriber referred to in the said sections.
If a matter being handled by the Telecommunications Administration Centre relates to a procedure which may violate the provisions of the Personal Data Act, the Telecommunications Administration Centre may, for that part, refer the matter to be handled in accordance with the Personal Data Act.
Section 24. Right to information
Without prejudice to the provisions on secrecy elsewhere, the ministry, the Telecommunications Administration Centre and the Data Ombudsman shall, for the purpose of attending to the functions provided for in section 23, have the right to receive from telecommunications operators and their consortia, the owners and holders of telecommunications networks, telecommunications contractors, publishers of subscriber directories and providers of direct marketing referred to in this Act, the necessary information on their operations referred to in this Act.
Section 25. Coercive measures
Anyone who violates this Act or provisions or orders issued thereunder may be ordered by the Telecommunications Administration Centre to rectify his error or omission. The decision may be enforced by a conditional fine or by a threat that all or part of the operations be suspended or that the omission be ordered rectified at the cost of the party in question.
The costs for a measure ordered done shall be paid from State funds and collected from the neglecting party using the procedure provided for in the Act on the Collection of Taxes and Charges through Execution (1961/367).
Section 26. Breach of confidentiality
Punishment for breach of the confidentiality provided for in section 7 shall be sentenced in accordance with chapter 38, section 1 or 2 of the Penal Code unless the act is punishable in accordance with chapter 40, section 5 of the Penal Code or subject to a more severe punishment elsewhere in the law.
Punishment for breach of the confidentiality provided for in section 4, paragraph 2 shall be sentenced in accordance with chapter 38, section 2, paragraph 2 of the Penal Code unless the act is punishable in accordance with chapter 40, section 5 of the Penal Code or subject to a more severe punishment elsewhere than in chapter 38, section 1 of the Penal Code.
Section 27. Violation of the provisions on the protection of privacy in telecommunications and the security of telecommunications
Anyone who wilfully
1) neglects to attend to the security of telecommunications referred to in section 6, paragraph 1,
2) processes identification information in violation of the provisions of sections 9 through 13 or
3) uses telecommunications for direct marketing in violation of section 21 shall, unless the act is subject to a more severe punishment provided for elsewhere, be sentenced for a violation of the provisions on the protection of privacy in telecommunications and the security of telecommunications to a fine.
A punishment shall not be ordered if the breach is minor.
Chapter 6. Miscellaneous provisions
Section 28. Appeal
A decision of the Telecommunications Administration Centre issued under this Act may be appealed in accordance with the provisions of the Act on the Application of Administrative Law (1996/586). In its decision, the Telecommunications Administration Centre may order that the decision shall be complied with before it has become final. However, the appeal authority may forbid its enforcement until the appeal has been decided.
Section 29. Further provisions
Further provisions on the implementation of this Act shall be issued by Decree.
Chapter 7. Provisions on entry into force and transitory provisions
Section 30. Entry into force
This Act shall enter into force on 1 July 1999.
Measures necessary for the implementation of this Act may be taken prior to its entry into force.
Section 31. Transitory provision
If the processing of identification information referred to in section 11 has been started prior to the entry into force of this Act, it may be continued notwithstanding this Act. In this case, the subscribers shall be notified of the processing of the identification information and, unless they inform otherwise within one month, they shall be deemed to have consented to the processing of the information.