Information security - The rights and obligations of corporate and association subscribers

Companies, educational institutions and other organisations may provide, for example, e-mail and telecoms services for their staff and students. Such organisations are called corporate or association subscribers and the users of their services include company employees, residents of housing companies and the like. Corporate and association subscribers process the users' confidential messages, identification data and location data in their communications networks. These subscribers have to ensure the information security of the network and communications services they provide.

A corporate or association subscriber must maintain the information security of its network and communications services by ensuring:

  • operating security
  • communications security
  • hardware and software security
  • data security.

A corporate or association subscriber may have outsourced its network and communications services, for example, to an IT service company. Even then, the corporate or association subscriber is responsible for ensuring that information security is maintained and that the services comply with the law.

Corporate or association subscribers are not required to take unreasonable measures for ensuring information security as long as the measures are commensurate with:

  • the seriousness of threats
  • the level of technical development
  • the costs.

FICORA may issue further regulations regarding the information security of services or of data retention.

Corporate and association subscribers' rights in ensuring information security

In order to prevent information security violations and to ensure information security, a corporate or association subscriber has the right to:

  • prevent the conveyance and reception of messages
  • remove from messages malware that poses a threat to information security
  • take any other comparable technical measures in its communications network.

A corporate or association subscriber may undertake these measures only if they are necessary for safeguarding the network or communications services or the communications ability of a message recipient. The measures taken to ensure information security may not limit freedom of speech or the protection of privacy any more than is necessary.

The Information Society Code (Chapter 29, Section 247)

If possible, the filtering of messages must be done without interfering with the contents of the communications. Message contents may be examined and filtered by technical means if there is reason to suspect that a message contains malware or is used for interfering with communications.

The Criminal Code of Finland (Chapter 34, section 9 a(1))
The Criminal Code of Finland (Chapter 38, section 5)


Key words: Information security, Data protection

