Data protection and the processing of personal data

We are renewing our website. The new content on this page is not yet translated for the requested language.

This page contains information on:

How does Findata take care of data protection?

One of Findata’s most important objectives is to improve data protection for individuals and data security for social welfare and health care data. We always disclose data in such a way that the data protection of the individuals is maximised and only disclose as much data as is absolutely necessary.

Once we have issued a data permit, we compile the data stored with different controllers on a permit-specific basis, combine this data in a data secure user environment and then provide it to the permit holder into a data secure user environment. After the processing is complete, the data is erased. Thus, Findata only stores or copies the data for security reasons for as long as required by the permit issued by it.

The data is retained in a separate and closed system for which fixed-term licences are issued. For example, when a permit holder wishes to extract research results from a remote access environment, we ensure that no individual person can be identified from the results or the data to be extracted.

In the data secure user environment

  • the access rights for the data are set in line with the issued permits.
  • access to the devices, systems and office premises are monitored
  • unauthorised use of the offices, data and systems is prevented
  • all data-processing events are recorded in the log data
  • data communications are monitored and restricted

The systems are carefully protected from external threats such as acts or events that would endanger data protection, including viruses and other attacks.

Social welfare and health care data cannot be used for marketing or for specifying individual commercial services.

Back to top

How does the Secondary Data Act improve data protection?

The Act on the Secondary Use of Health and Social Data (552/2019) has been drawn up based on the national-level freedom of action provided for by the EU’s General Data Protection Regulation (GDPR). The Constitutional Law Committee and the Social and Health Committee have taken care to ensure that the Act does not contravene the GDPR. Representatives of the Office of the Data Protection Ombudsman have participated in the drafting workgroup for the Act, and the Data Protection Ombudsman has also been given a hearing by the Parliament.

The Secondary Data Act sets the conditions for a data secure environment in which permit holders may process data.

Primarily, the permit holder is given access to the data via a remote access connection, such that the data remains within the Findata data secure user environment.

In some cases, it is necessary to hand the data over to the permit holder. In such cases, the permit holder must demonstrate that the data will be processed in a controlled environment which fulfils the legal data protection requirements.

The Secondary Data Act requires that the Information Systems record log data, which means the processing and event history of the data. The log shows, for example, who processed the data, how the data was processed, and when the data was processed.

Back to top

How is the implementation of data protection monitored?

Findata’s operations and the operations of controllers that issue data permits are supervised by the Parliamentary Ombudsman and the Data Protection Ombudsman, among others.

Those issuing data permits must give an annual report to the Data Protection Ombudsman regarding the processing of health and social data and the related log data.

The National Supervisory Authority for Welfare and Health Valvira monitors data secure user environments.

Back to top

What can personal data be used for?

Secondary use of health and social data means that client and register data of social welfare and health care activities is used for purposes other than the primary purpose for which it was originally stored. Primary purposes relate to, for example, treatment provided to a patient or the processing of benefits.

The Act on the Secondary Use of Health and Social Data (so-called Secondary Data Act) lays down the purposes of use for which a permit may be issued. According to section 2 of the Act, data may be disclosed for the compilation of statistics, scientific research, development and innovation activities, education, knowledge management, steering and supervision of social and health care by authorities and the planning and reporting duty of an authority.

Thus, the purposes for which a permit may be issued are limited. The permit is based on an administrative decision made by Findata. The decision is legally binding and contains clear permit conditions. In addition, Findata has the right to request a statement from the Finnish Data Protection Ombudsman before issuing the permit.

It should be noted that the utilisation of health and social data for secondary purposes is not new. Prior to the establishment of Findata, similar data have been disclosed to scientific research and for the compilation of statistics. Finland has, for a long time, collected unique register and research data that can be used to promote the health and welfare of citizens.

Personal data processing statements provide further information on how Findata uses the data.

Back to top

What are the sources of the personal data?

Findata does not hold personal data, but it collects data from social and health care sector operators and authorities regulated under the Secondary Data Act. In addition, the Secondary Data Act contains provisions on the data that Findata may obtain from said operators.

Furthermore, Findata does not collect data from individuals themselves. Instead, all the data it collects is already stored by one of the aforementioned operators regulated under the Secondary Data Act.

Back to top

Findata as a controller

Findata becomes a controller of personal data when it receives data from the aforementioned operators. The processing of personal data requires that the controller has a legal basis for the processing.

The legal basis for the processing by Findata is Article 6, Section 1 (e) of the EU’s General Data Protection Regulation (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority). When processing data concerning specific categories of personal data (previously referred to as sensitive data), including personal health data, the processing is carried out on the basis of Article 9, Section 2 (g) (processing is necessary for reasons of substantial public interest) in addition to the aforementioned Article 6.

Findata does not disclose data on the rights, interests or obligations of an individual for decision-making purposes. Thus, the data is not disclosed to, for example, insurance companies for the purpose of preparing individual insurance decisions or to the Social Insurance Institution of Finland (Kela) for benefit decisions. In addition, the data is not disclosed for marketing or the definition of individual commercial services.

Back to top

Everyone has the right to their personal data. A data subject has the right to receive information on the use of their personal data. This information is available on the Findata website and in Findata’s personal data processing statements at the end of this page. In addition to receiving information, the data subject has the following rights to their data as regards the data held by Findata:

  • Right of access to one’s personal data
  • Right to rectify one’s data
  • Right to restrict the processing of one’s data
  • Right to object to the processing of one’s data.

If you wish to exercise these rights, you can find the necessary instructions on this page under section How can I exercise my rights?

Please note that as a rule, Findata can only execute the data subject’s requests regarding the data in its possession. The right to of access to personal data, the right to rectify personal data and the right to restrict the processing of personal data concern the data held by Findata at the time of filing the request. On the other hand, a request concerning the right to object may be made for an indefinite period. Findata records all requests made by a data subject in its register. Findata also maintains a separate list of data subjects who have submitted an objection request to it.

Findata has drawn up separate forms for the implementation of rights. However, the right to restrict the processing of personal data (Article 18) is only applicable in certain situations and may already be implemented directly as a result of other requests.  For example, in practice, Findata restricts the processing of personal data for the period of processing a request for the rectification of personal data (Article 16). The right to restrict the processing of data is also valid in situations where the data subject requires their personal data in order to prepare, present or defend a legal claim and where Findata no longer needs such data.

Findata retains personal data only for the period required for the purpose of the permit issued by it (for example, scientific research or the planning and reporting duty of an authority). If the data subject requires their personal data in order to prepare, present or defend a legal claim, the request concerning the matter should be submitted directly to the controller that, based on the primary purpose, holds the personal data in question.

For example, the Digital and Population Data Services Agency has the data concerning a person’s family relations, marital status and address, hospitals have data on the person’s treatment, and the Social Insurance Institution of Finland (Kela) has data on the prescriptions issued to the person. Information about controllers and the data contents of registers is available on the ‘Data’ page.

Back to top

Minors and data subject rights

The Act on Secondary Use of Data does not provide for the exercise of data subject rights by minors. Minors, nevertheless have the same rights as adults. The EU General Data Protection Regulation stresses the need for the protection of children’s personal data.

The basic principle is that a minor who is able to form their own views is free to express their views on the use and processing of their personal data.

Can a child decide themselves whether to make requests?

In the case of minors, it is not possible to issue specific recommendations on the age at which a minor can independently decide on the use and processing of their data.

It is important to assess the child’s age and level of development in relation to the matter in question. If, taking into account their age and level of development, the child is able to understand the matter and its significance, then they can decide on the exercise of their rights. Of course, this is not possible for very young children, but the older the child or young person is, the more decision-making power they have. This applies especially to children aged 12 to 17.

The guardian of an underage child may make, on their behalf, a request that relates to their rights as a data subject. In cases of joint custody, the request should be made and signed by both guardians. A certificate of custody obtained from the Population Information System must be attached to the request. The request should be in accordance with the assumed desires of the child and should represent their best interests.

It is recommended that the guardians discuss the request with the child and hear the child’s opinion on the matter before making the request, even if the child is not yet able to make a decision on the matter. Requests for underage children must be made as separate messages through the service so that they can be entered in the register as separate entities.

Inform the child

The guardians should inform the underage child of the request made on their behalf at the latest when the child is at an age and level of development where they can understand the matter. This is particularly important in situations where guardians have objected to the processing of personal data on behalf of a minor. Data processing objection requests are valid until further notice and thus continue to be valid even after the minor becomes an adult.

Back to top

How to cancel the exercise of rights?

If desired, a request objecting to the processing of data may be cancelled. This applies to any person who has submitted a data processing objection request. A minor on whose behalf the parents have submitted such a request may also cancel the request themselves if they are assessed as understanding the importance of the matter given their current age and level of development.

Back to top

When is the exercise of rights not possible?

The exercise of rights is not possible always and in all situations. With regard to scientific research and the compilation of statistics, it is possible to restrict the rights of a data subject on a case-by-case basis.

Findata does not restrict data subjects’ rights on its own initiative. Restrictions may only be applied if a decision has been made to restrict the rights of a data subject in connection with the research project for which the data permit is applied from Findata. In that case, a separate impact assessment must have been prepared concerning the research project, and it must have been submitted to the Office of the Data Protection Ombudsman prior to initiating the project. Such a restriction of rights may apply to all of the aforementioned rights. In addition, the Act on the Secondary Use specifies that a data subject does not have the right, pursuant to Article 21 of the Data Protection Regulation, to object to the processing of his or her personal data for educational purposes, if the processing of personal data is necessary due to the rarity of the case.

In a situation where a data subject objects to the processing of their personal data by Findata, Findata erases the data concerning the data subject from its systems. At times, however, it is possible that the rights of the data subject, such as the right to object, have been restricted as part of a research project, for example. In that case, Findata must consider how the research project-specific restriction applies to data subjects who have objected to the use of their personal data. In general, the right to object can be exercised without harming the research project. Findata restricts the processing of personal data for the duration of this consideration.

Back to top

How can I exercise my rights?

To exercise your rights, please complete the form below. There is a separate form for each right of the data subject. Complete the form which concerns the right you wish to exercise.

In order to exercise the rights, Findata must verify the identity of the data subject. This is important so that we can be sure to perform the measures to the data of the correct person.

Please submit the completed form(s) primarily via the messaging function of the service ( Instructions for activating messages are available at:

Do this:

  • Log in to the service with your personal online banking codes, a certificate card or a mobile certificate.
  • Go to ”Compose a message”
  • Select ”National Institute for Health and Welfare” as the recipient of the message.
  • Select ”Registry” as the recipient’s service or issue.
  • Enter ”Findata: rights of a data subject” as the subject.
  • List the rights you wish to exercise (you may use the names of the forms) in the message field.
  • Attach the completed form(s) by clicking ”Add the attachments here”.
  • Finally, click the ”Send the message” button.

The message is directed to the registry of the Finnish Institute for Health and Welfare (THL), from where it is forwarded to Findata for processing. As a rule, we process requests within one month of receipt. If the processing of the request is particularly complex for some reason, we may extend the processing time to a maximum of three months.

We will send a reply on the implementation of the request/resolving the matter to the data subject as a message.

If you wish to cancel your request, send a message concerning the request to Findata via the service.

It is possible to exercise your rights even if you are unable to use the service for some reason. In that case, you must personally visit the reception of the National Institute for Health and Welfare in Helsinki or Kuopio.

It should be noted that Findata is not the original controller of health and social data. Thus, for example, a request submitted to Findata to object to the use of personal data does not prevent the disclosure of the data for secondary use by one of the controllers referred to in the Act on the Secondary Use of Health and Social Data, Section 6.

If you have additional questions about exercising your rights, please contact us by email at

Personal data processing statements

The personal data processing statement concerning data permits will be added to the website soon.

Contact details

Lisää henkilöitä