Data protection in the National Prosecution Authority

Ensuring data protection forms part of our operations when performing our statutory duties as the enforcer of criminal liability. The data protection regulations specify in which situations we process personal data and how we aim to ensure that the rights of the data subjects are fulfilled.

Information security is part of data protection. The information security practices of the National Prosecution Authority are one key aspect in ensuring that data protection is observed in the processing of personal data.

The data protection regulations do not specify the publicity of official documents. The Act on the Openness of Government Activities (621/1999) is applied to the publicity of documents. Official documents are usually public.

The Data Protection Ombudsman supervises compliance with the data protection legislation.

What is our processing of personal data based on?

In the National Prosecution Authority, the processing of personal data is mainly connected to prosecutorial activities and is therefore based on the law. We also process personal data that are necessary in the management of employment relationships, stakeholder co-operation and administrative matters.

We process personal data only for justified purposes, i.e., for prosecutorial activities, and only to the extent and for as long as necessary. We aim to ensure the correctness of the processed data and will update the data when necessary. Once the data is no longer needed, they are erased and archived in the manner required by the law.

Provisions on the processing of personal data during prosecution are laid down in the law.

Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security (1054/2018).

In other processing of personal data, the National Prosecution Authority applies

  • the EU General Data Protection Regulation (EU 679/2016)
  • the Data Protection Act (1050/2018)
  • the Act on the Protection of Privacy in Working Life (759/2004).

Disclosure of data

There are no regular disclosures of data.

We disclose personal data only on the grounds specified in the law and only to the specified recipients.

Data can be transferred out of the country in which the controller is located if the legislation applying to the data file in question allows the transfer. In such cases, we will comply with the regulations concerning the transfer laid down in the law.


In the National Prosecution Authority, the responsibility for organising data protection is borne by the Prosecutor General and the head of the Operative Support Unit of the Office of the Prosecutor General. The National Prosecution Authority's staff processes personal data during their work under a liability of acts in office.

The National Prosecution Authority has a Data Protection Officer, whose duties are to safeguard the rights of the data subjects and to develop the practices of processing personal data.


The National Prosecution Authority is the controller with respect to personal data.

Contact information

Office contact person
Joanna Autiovuori
Administrative Director

Data Protection Officer

Tommi Hietanen
Ministerial Adviser

For more detailed information on the processing of personal data by the National Prosecution Authority, see the privacy notices at the end of this page.

Rights of the data subject

With some restrictions, data subjects have the right to receive confirmation on whether the controller processes their personal data or not. The request to access one's personal data must be submitted to the controller on a document signed by one's own hand or in an equivalent certified manner, or in person at the controller's office.

Ensuring data protection

We induct our staff in data protection matters. Every employee of the National Prosecution Authority is obligated to familiarise themselves with the available training. If we suspect or detect that data protection has been endangered, we will immediately investigate the issue. We will also immediately notify the data subject of the issue if the information security violation causes a significant risk for the data subject's rights unless otherwise required by the law.

Actions in violation of personal data processing legislation are considered to be an information security violation. If the violation meets the definitional elements of a punishable act, we will delegate the matter to other authorities for investigation. If the actions do not meet the definitional elements of an offence but endanger data protection, there may be other sanctions under civil service law.

Description of document publicity 

Description of document publicity 

Delivery of confidential and sensitive documents to the National Prosecution Authority

See the instructions for sending secure e-mail messages and documents on the website.

Sending confidential documents by email

If you want to send confidential documents to the National Prosecutor Authority, it is advised to do it using secure email system. The service is easy and safe to use and free of charge.

See the guide