Finnish Supreme Administrative Court Clarifies GDPR Administrative Fines and Enforcement Standards
- Dilia

- Jun 12

The Finnish Supreme Administrative Court ("SAC") has issued a series of significant decisions concerning administrative fines under the General Data Protection Regulation ("GDPR"). These judgments provide important guidance on GDPR compliance requirements, the assessment of administrative fines, and the evidentiary standards applicable in enforcement proceedings in Finland.
Transparency and information obligations (KHO:2023:81)
In decision KHO:2023:81, the SAC reviewed one of the first administrative fines imposed by the Finnish Data Protection Ombudsman under the GDPR. The case concerned compliance with the GDPR's transparency and information obligations and involved an administrative fine of EUR 100,000.
The SAC ultimately upheld the administrative fine originally imposed by the Data Protection Ombudsman after it had been annulled by the Administrative Court. The SAC emphasised that information provided to data subjects pursuant to Article 12 GDPR must be presented in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The Court highlighted that the transparency principle must be reflected in the practical implementation of information obligations.
According to the SAC, data subjects cannot generally be expected to understand that information required under the GDPR may be embedded within product terms and conditions or other documents that are not clearly presented as privacy-related information. The required information must be made available in an appropriate and logical context that enables data subjects to effectively exercise their rights. The Court also considered that unnecessarily complex navigation paths and unclear or uninformative wording may undermine compliance with the GDPR's transparency requirements.
With regard to administrative fines, the SAC held that the supervisory authority is not required to first use other corrective powers, such as warnings, reprimands or orders, before imposing an administrative fine.
Evidentiary standards in GDPR enforcement (KHO:2023:82)
Decision KHO:2023:82 arose from allegations concerning the unnecessary collection of personal data from job applicants. The case focused primarily on the evidentiary standards applicable to GDPR enforcement and the imposition of administrative sanctions.
The SAC emphasised that administrative sanctions under the GDPR must respect the presumption of innocence. Enforcement measures cannot be based on a reversed burden of proof or on strict liability principles. In the circumstances of the case, the Court concluded that the Data Protection Ombudsman had not produced sufficient evidence to establish that the company had processed personal data in breach of applicable data protection legislation. As a result, the conditions for imposing an administrative sanction were not met.
Factors impacting levels of administrative fines (KHO:2026:104)
In its most recent GDPR-related decision, KHO:2026:1604, issued on 12 June 2026, the SAC considered a retailer operating both physical stores and an online shop. Customers wishing to place orders through the online store were required to create customer accounts. Personal data collected in connection with those accounts was retained indefinitely unless the customer specifically requested deletion.
The SAC found that this practice was incompatible with the GDPR. The Court considered it particularly serious that the company, acting as controller, had failed to determine and implement appropriate retention periods and had instead left responsibility for initiating deletion to the data subjects themselves. The infringement had continued for several years, affected a significant number of individuals, and formed part of a repeated and systematic practice.
The Court further noted that the infringement was neither isolated nor attributable to a single error. Rather, it reflected a long-standing failure to comply with GDPR requirements and could be regarded as intentional or negligent. The company had also failed to take adequate measures to mitigate the effects of the infringement, including after earlier interventions by the data protection authorities.
When assessing the appropriate sanction, the Court took into account mitigating factors, including that the case did not involve special categories of personal data and that there were no known previous GDPR infringements by the company. Nevertheless, considering the scope, duration and seriousness of the violations as a whole, the Court concluded that an administrative fine constituted an effective, proportionate and dissuasive enforcement measure.
Key Takeaways
The SAC's emerging GDPR case law provides important guidance for organisations operating in Finland. The decisions underline the need for practical and user-friendly privacy notices, confirm that administrative fines may be imposed without prior use of other corrective measures, and highlight the importance of compliance with GDPR obligations. The administrative fines imposed as a result of breaches are significant. Together, these judgments offer valuable insight into how Finnish courts assess GDPR compliance and administrative sanctions.