Unlike the Personal Data Act (523/1999), the General Data Protection Regulation (GDPR) of the EU does not regulate the preparation or publication of a file description or privacy statement. However, the GDPR does prescribe the duty of the controller to inform the data subjects (EU 2016/679, Articles 13 and 14).
Under the Personal Data Act, the controller has been able to fulfil its obligation to provide information by preparing a privacy statement. The privacy statement combines the information required based on the duty of providing information, set out in Section 24 of the Personal Data Act, and the information required by the description of file, described in Section 10 of the same Act.
The privacy statement is an extended description of file that also provides information on the data subject's rights. A privacy statement is prepared for all personal data files. It identifies the controller that is responsible for processing personal data. It also lists the personal data stored in the file, the uses of the data, the destinations of regular hand-over, and the data protection principles.
All data that is used for the same purpose is considered to be included in the same personal data file. The same personal data file may include digital data and data provided on a paper form, if the controller uses both for performing the same task.
The National Archive is currently updating its privacy statements to meet the requirements of the informing practices set out in the GDPR.