When we process personal data as a data controller, you as a data subject have rights to your personal information. On this page you can find information about the rights of the data subject and how you can exercise them.
The data subject refers to the person to whom the original social and health information relate.
What are your rights related to the processing of personal data?
In addition, you have the following rights when we process your personal data:
- Right of access to your personal data
- Right to rectify your data
- Right to restrict the processing of your data
- Right to object to the processing of your data
Read more by clicking on the sub-headings.
Right of access to your personal data (Article 15 of the GDPR)
You have as the data subject the right to obtain a copy of your personal data processed by Findata.
In addition, you have the right to be informed of:
- where your personal data was obtained
- why your personal data is needed
- for how long your personal data is needed
- whether your personal data have been disclosed and, if so, where.
- whether your personal data has been transferred outside the EU and what safeguards have been applied to it under the GDPR
- whether the processing is carried out using automation and
- how you can exercise your rights in relation to your personal data.
Right to rectify your data (Article 16 of the GDPR)
You have as a data subject the right to correct inaccurate data processed by Findata.
Right to restrict the processing of your data (Article 18 of the GDPR)
Data subjects have the right to restrict the processing of their data in certain circumstances. Processing may also be restricted as a result of other requests without the data subject’s explicit request.
You may request Findata to restrict the processing of your personal data in the following situations:
- if your data is incorrect
- if your data are processed unlawfully but you do not want them to be deleted
- if Findata no longer needs the data for the original purpose, but you need them for the establishment, exercise or defence of legal claims
- if you have objected to the processing of your data but the final decision is still under consideration
If we restrict the processing of your data, we will, where possible, inform all those to whom the data have previously been disclosed of the restriction.
Right to object to the processing of your data (Article 21 of the GDPR)
The data subject has the right to object to the processing of personal data by us at any time on grounds relating to their particular situation. In this case, we shall no longer process the data relating to this person, unless there are substantial and legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
Exercising your rights
If you wish to exercise these rights, you can find the necessary instructions on this page under section How can I exercise my rights?
As a rule, Findata can only execute the data subject’s requests regarding the data in its possession. The right to access personal data, the right to rectify personal data and the right to restrict the processing of personal data concern the data held by Findata at the time of filing the request.
On the other hand, a request concerning the right to object may be made for an indefinite period. We maintain a separate list of data subjects who have submitted a request to object. We record all requests we receive in a diary.
We retain personal data only for the time necessary to compile the data and to verify the accuracy of the data. If the data subject requires their personal data in order to prepare, present or defend a legal claim, the request concerning the matter should be submitted directly to the original controller of the data, for example, a healthcare provider.
For example, the Digital and Population Data Services Agency has the data concerning a person’s family relations, marital status and address, hospitals have data on the person’s treatment, and the Social Insurance Institution of Finland (Kela) has data on the prescriptions issued to the person. Information about controllers and the data contents of registers is available on the Data page.
Minors and data subject rights
Minors have the same rights as adults when processing personal data under the Secondary Use Act. The basic principle is that a minor who is able to form their own views is free to express their views on the use and processing of their personal data.
Can a child decide themselves whether to make requests?
In the case of minors, it is not possible to issue specific recommendations on the age at which a minor can independently decide on the use and processing of their data.
If taking into account their age and level of development the child is able to understand the matter and its significance, then they can decide on the exercise of their rights. Of course, this is not possible for very young children, but the older the child or young person is, the more decision-making power they have.
The guardian may make a request on behalf of the child – attach a certificate of custody or other legal representation of the child
The guardian of an underage child may make, on the behalf of the child, a request that relates to the child’s rights as a data subject. In cases of joint custody, the request should be made and signed by both guardians. A certificate of custody obtained from the Population Information System must be attached to the request. The request should be in accordance with the assumed desires of the child and should represent their best interests.
It is recommended that the guardians discuss the request with the child and hear the child’s opinion on the matter before making the request, even if the child is not yet able to make a decision on the matter. Requests for underage children must be made as separate messages through the Suomi.fi service so that they can be entered in the register as separate entities.
Inform the child
The guardians should inform the underage child of the request made on their behalf at the latest when the child is at an age and level of development where they can understand the matter. This is particularly important in situations where guardians have objected to the processing of personal data on behalf of a minor. Data processing objection requests are valid until further notice and thus continue to be valid even after the minor becomes an adult.
When is the exercise of rights not possible?
The exercise of rights is not possible always in all situations.
With regard to scientific research and the compilation of statistics, it is possible to restrict the rights of a data subject on a case-by-case basis. In that case, a separate impact assessment must have been prepared concerning the research project, and it must have been submitted to the Office of the Data Protection Ombudsman prior to initiating the project. In such cases, we consider whether the data can be disclosed despite the data subject’s objection.
Permit applicants have the possibility to limit the right of data subjects to object to the processing of personal data for educational purposes, if the processing of personal data is necessary due to the rarity of the case.
When a data subject objects to the processing of their personal data by Findata, we erase the data concerning the data subject from its systems. If the data has been disclosed before the data subject has objected to the processing, the data cannot, as a rule, be erased.
As a general rule, data subjects’ rights are not restricted and data subjects’ requests are complied with. We will limit the processing of personal data for the period during which this consideration is being made.
How can I exercise my rights?
To exercise your rights, please complete the form below. Complete the form which concerns the right you wish to exercise. If you want to exercise several rights, fill in all the necessary forms.
- Form: Right of access (open PDF-file, 212 kb)
- Form: Right to rectification (open PDF-file, 259 kb)
- Form: Right to object (open PDF-file, 150 kb)
In order to exercise the rights, we must verify the identity of the data subject. This is important so that we can be sure to perform the measures to the data of the correct person.
Submit the completed form(s) primarily via the messaging function of the Suomi.fi service (suomi.fi).
- Log in to the Suomi.fi service with your personal online banking codes, a certificate card or a mobile certificate.
- Go to ”Compose a message”
- Select ”National Institute for Health and Welfare” as the recipient of the message.
- Select ”Registry” as the recipient’s service or issue.
- Enter ”Findata: rights of a data subject” as the subject.
- List the rights you wish to exercise (you may use the names of the forms) in the message field.
- Attach the completed form(s) by clicking ”Add the attachments here”.
- Finally, click the ”Send the message” button.
The message is directed to the registry of the Finnish Institute for Health and Welfare, from where it is forwarded to Findata. As a rule, we process requests within one month of receiving them. If the processing of the request is particularly complex for some reason, we may extend the processing time to a maximum of three months.
We will send a reply on the implementation of the request or resolving the matter to the data subject as a Suomi.fi message.
If you are unable to use the Suomi.fi service, you can personally visit the reception of the National Institute for Health and Welfare in Helsinki or Kuopio. You can find the addresses of the THL offices on the THL website (thl.fi).
Note that Findata is not the original controller of health and social data. Thus, for example, a request submitted to Findata to object to the use of personal data does not prevent the disclosure of the data for secondary use by one of the controllers referred to in the Secondary Use Act Section 6.
If you have additional questions about exercising your rights, please contact us by email at email@example.com.
How can I cancel the exercise of my rights?
If desired, a request objecting to the processing of data may be cancelled. This applies to any person who has submitted a data processing objection request.
A minor on whose behalf the guardians have submitted such a request may also cancel the request themselves if they are assessed as understanding the importance of the matter given their current age and level of development.
If you wish to cancel your request, send a message concerning the request to Findata via the Suomi.fi service or visit personally the reception of the National Institute for Health and Welfare in Helsinki or Kuopio.