On this page you will find information on how we process personal data, how you can exercise your rights under the EU General Data Protection Regulation (2016/679, GDPR), what personal data we collect, and the legal basis for processing personal data.
Findata becomes the controller of personal data when we receive data from the original data controllers. We process personal data as a data controller when we process applications, provide services that are part of our duties, and carry out our communications. We process the contact information of applicants or applicant entities and service users to send customer notices related to the services and their use.
We do not disclose personal data on the rights, interests or obligations of an individual for decision-making purposes. We do not disclose information, for example, with insurance companies for the purpose of preparing individual insurance decisions or to the Social Insurance Institution of Finland (Kela) for benefit decisions. In addition, we do not disclose data for marketing or for providing commercial services.
Compliance with data protection legislation in Finland is monitored by the Office of the Data Protection Ombudsman.
Office of the Data Protection Ombudsman
Visiting address: Lintulahdenkuja 4, 00530 Helsinki
Postal address: P.O. Box 800, 00531 Helsinki, Finland
Switchboard: +358 (0)29 566 6700
Registry: +358 (0)29 566 6768
E-mail: tietosuoja(at)om.fi
tietosuoja.fi
What are the laws on which Findata bases the processing of personal data?
Findata’s legal bases for processing personal data are:
- Article 6(1)(e) of the EU’s General Data Protection Regulation: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Article 4(1)(2) of the Data Protection Act: processing of data that is provided for by the law or that is directly attributable to the controller for the task prescribed by the law
We also process data belonging to special categories of personal data, formerly known as sensitive data. Such data includes, for example, a person’s health data.
The grounds for processing this kind of personal data are:
- Article 9(2)(g) of the EU General Data Protection Regulation: processing is necessary for the performance of a task carried out in the public interest or the exercise of public authority
- Section 6(1)(2) of the Data Protection Act: processing is necessary and proportionate for the performance of a task carried out in the public interest by a public authority
Rights of the data subject
Right of access to your personal data (Article 15 of the GDPR)
As the data subject, you have the right to obtain a copy of your personal data processed by Findata.
In addition, you have the right to be informed of:
- where your personal data was obtained
- why your personal data is needed
- for how long your personal data is needed
- whether your personal data have been disclosed and, if so, where
- whether your personal data has been transferred outside the EU and what safeguards have been applied to it under the GDPR
- whether the processing is carried out using automation and
- how you can exercise your rights in relation to your personal data.
Right to rectify your data (Article 16 of the GDPR)
As a data subject, you have the right to correct inaccurate data processed by Findata.
Right to restrict the processing of your data (Article 18 of the GDPR)
Data subjects have the right to restrict the processing of their data in certain circumstances. Processing may also be restricted as a result of other requests without the data subject’s explicit request.
You may request Findata to restrict the processing of your personal data in the following situations:
- if your data is incorrect
- if your data are processed unlawfully but you do not want them to be deleted
- if Findata no longer needs the data for the original purpose, but you need them for the establishment, exercise or defence of legal claims
- if you have objected to the processing of your data but the final decision is still under consideration
If we restrict the processing of your data, we will, where possible, inform all those to whom the data have previously been disclosed of the restriction.
Right to object to the processing of your data (Article 21 of the GDPR)
The data subject has the right to object to the processing of personal data by us at any time on grounds relating to their particular situation. In this case, we shall no longer process the data relating to this person, unless there are substantial and legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or unless the processing is necessary for the establishment, exercise or defence of legal claims.
Right to lodge a complaint with a supervisory authority (Article 77 of the GDPR)
Under the GDPR, every data subject has the right to lodge a complaint with a supervisory authority if he or she considers that the processing of personal data concerning him or her infringes the GDPR. Complaints are addressed to the Office of the Data Protection Ombudsman.
Read more on the webpage of the Office of the Data Protection Ombudsman (tietosuoja.fi).
See also: Rights of the data subject and how to exercise them
Contact
Controller
Findata – Social and Health Data Permit Authority
P.O. BOX 30, FI-00301 Helsinki, Finland
info@findata.fi
Data Protection Officer
tietosuojavastaava@findata.fi
Privacy notices
The list of privacy notices might not be fully comprehensive. We will complete the listing as necessary.
Processing of data
This privacy notice explains how Findata processes social and health care client and registry data when granting permits for the secondary use of social and health data. In this privacy notice, “data subject” refers to an individual whose original health and social data is concerned.
“Personal data” means any information relating to a data subject that can be identified directly or indirectly, as defined in the EU General Data Protection Regulation (2016/679, GDPR).
Findata complies with the GDPR, the Act on the Secondary Use of Health and Social Data, as well as other applicable data protection legislation and good data processing practices when handling personal data.
Controller
Findata – Social and Health Data Permit Authority
P.O. BOX 30, FI-00301 Helsinki, Finland
info@findata.fi
Data Protection Officer
tietosuojavastaava@findata.fi
Purpose of processing of personal data and legal basis for processing
Data permits
We issue permits for the secondary use of social and health data when the application applies to
- data from numerous public social and health sector controllers
- data maintained by a single public controller that has transferred the right to issue permits to Findata
- register data from one or numerous private social welfare and health care service organisers, or
- customer data saved in the Kanta Services.
Data permits can be issued for the purposes of
- scientific research
- statistics
- education
- planning and reporting duties of an authority
Once the data permit has been issued, we combine and pre-process the data and transfer the pre-processed data to the data recipient for the purpose described in the permit.
Pre-processing refers to the actions that are taken on data disclosed to Findata by different controllers before we hand it over to the data recipient. In pre-processing, we aggregate, combine, pseudonymise, and anonymise data. In principle, we pseudonymise the data before handing it over. Pseudonymisation refers to the processing of data so that it cannot be directly linked to individuals. We disclose information in an identifiable form only for a particularly justified and necessary reason.
We process the materials in the authority’s processing environment. For managing identifiers, we use an identifier management application. When handling unstructured text data, we use an AI model operating within the authority’s processing environment to reduce the risk of direct identifiers in the text data being disclosed to unauthorised parties. The processing of personal data may also occur in the result inspection tool.
The purpose of the pre-processing of personal data is to create data sets in accordance with the issued permit from the data controllers referred to in the Secondary Use Act.
We do not use automated decision-making or profiling in the processing of data.
The processing of personal data in the pre-processing of data under a data permit is based on the following laws:
- Act on the Secondary Use of Social and Health Data (552/2019), Sections 6 a, 14, 51, and 51 a,
- General Data Protection Regulation, Articles 6(1)(c) and 6(1)(e),
- Data Protection Act (1050/2018), Section 4(2), and
- in the case of special categories of personal data, Data Protection Act, Section 6(1)(2), and General Data Protection Regulation, Article 9(2)(g).
Data requests
You can obtain statistical data from data controllers covered by the Secondary Use Act with a data request. Once we have made a positive data request decision, we combine and pre-process the data needed for the project and hand over the statistical-level data to the data recipient.
Data requests can be issued for the purposes of
- scientific research
- statistics
- planning and reporting duties of an authority and/or guidance and supervision of a social and healthcare authority
- education
- development and innovation operations
- knowledge management (comparative data)
The purpose of the processing of personal data is to form statistical data from the social and health data received from one or more controllers under the scope of the Secondary Use Act. We provide only anonymous statistical data on the basis of a data request.
In statistical-level data, individual personal data have been combined and summarised. The statistics describe groups of persons rather than an individual person. The data of the groups of persons is formed in such a way that individuals cannot be identified or traced.
We do not use automated decision-making or profiling in the processing of data.
The processing of personal data in the pre-processing of the data under a data request is based on the following laws:
- Act on Secondary Use of Social and Health Data, Sections 14, 45, 51 and 51 a,
- General Data Protection Regulation, Articles 6(1)(c) and 6(1)(e),
- Data Protection Act, Section 4(2), and
- in the case of special categories of personal data, Data Protection Act, Section 6(1)(2) and General Data Protection Regulation, Article 9(2)(g).
Personal data processed and sources of data
Each data permit specifies which data can be processed based on it. Each data request decision specifies the basis on which the statistics are to be compiled.
In the pre-processing of data permits and data requests, we process the social and health data received from controllers under the scope of the Secondary Use Act to the extent that they have been estimated to be necessary for each project.
We do not compile statistics on all materials of all data controllers within the scope of the Secondary Use Act. For more detailed restrictions on data, see the Secondary Use Act, Section 6 (finlex.fi).
Data controllers within the scope of the Secondary Use Act:
- Data saved in Kanta services
- Digital and Population Data Services Agency (DVV)
- Finnish Centre for Pensions (ETK)
- Finnish Institute for Health and Welfare (THL)
- Finnish Institute of Occupational Health (TTL)
- Finnish Medicines Agency Fimea
- Finnish Supervisory Agency (LVV)
- Ministry of Social Affairs and Health
- Public and private service providers of social welfare and health care
- Social Insurance Institution of Finland Kela
- Statistics Finland
The data is transferred to Findata and, in the case of data permits, further to the data recipient via a secure transfer service.
See the list of the issued data permits
Regular disclosures of personal data and categories of recipients
We disclose the material formed on the basis of the data permit to the data recipient. The recipient then becomes the controller of the transferred data. In the vast majority of data permits we grant, the recipients use the data for scientific research.
According to the Secondary Use Act, the data authorised by a data permit may be disclosed for processing in a secure processing environment as specified in Section 20 of the Secondary Use Act or, for other specific reasons, to another secure processing environment under Section 51 c of the Act. Furthermore, under Section 51 d of the Act, Findata may, for special reasons, grant a data permit to receive data in anonymised form outside the secure processing environment referred to in Section 20.
Read more about secure processing environments.
We disclose only statistical level data based on data requests. We do not disclose personal data.
We use Tieteen Tietotekniikkakeskus Oy (CSC) to carry out the technical maintenance and development of the information systems we use to transfer the data and compile the statistics. CSC acts as a processor of personal data on behalf of Findata.
Retention period for personal data
Data permits
We will retain the data obtained from data controllers and the material formed in the pre-processing for four months after we have disclosed the data to the data recipient. During the retention period, we use the data to correct any possible errors made in the pre-processing of the material.
In the case of a rolling data permit, i.e. a data permit that entitles the data recipient to receive updates to the data, the data from each delivery are retained for four months from the date the data was provided to the recipient. If the creation of new data is based on all previously delivered data, we retain all data for four months from the date of the last delivery to the recipient.
It should be noted that the data recipient retains the data longer than Findata.
We retain the identifiers of pseudonymised materials for as long as it is necessary to carry out the research and to ensure the validity of its results, in principle for 12 years.
Data requests
We retain data from controllers for a period of six months after we have disclosed the statistics we have compiled to the data recipient. During the retention period, we use the data to correct any possible errors in the compilation of statistics.
In the case of a rolling data request, i.e. when statistics are compiled and delivered at regular intervals on the basis of updated data, we will retain the data for six months from the delivery of each statistical dataset to the requester.
Transfer and disclosure of personal data to non-EU or EEA countries or to international organisations
As a rule, we do not disclose personal data outside the EU or EEA or to international organisations. According to the Secondary Use Act, the data must be transferred to a secure processing environment that cannot be located outside the EU and EEA. According to Section 51 c of the Secondary Use Act, the data permit authority may, for a specific reason, grant a data permit that allows the data to be disclosed to another secure processing environment. If, in a specified individual case, we transfer personal data outside the EU and EEA or to an international organisation on the basis of another law, we will use the transfer basis chosen in accordance with the GDPR, depending on the country and organisation of destination.
If the data recipient as the controller wishes to enable the processing of their data from outside the EU and EEA, they must apply to Findata for permission to allow the processing. If we grant permission, the controller must ensure that the material is transferred in accordance with Chapter V of the GDPR, when applicable.
The statistics compiled on the basis of the data request do not contain personal data, so they can also be disclosed outside the EU member states.
Rights of the data subject
In this privacy notice, “data subject” refers to the person to whom the original social and health data relate. For more information about the rights of data subjects, see the section “Rights of the data subject” above on this page.
Findata’s services
The purpose of this privacy notice is to provide a comprehensive overview of the personal data that Findata collects when Findata’s services are ordered and used, the purposes for which the data is used, and the parties to whom the data may be disclosed.
Findata’s services include
- the e-service,
- case management system,
- the secure processing environment Kapseli, and
- secure data transfer services Tunneli and Supertunneli.
This privacy notice also covers
- AI assistant Vinkkeli on Findata’s website,
- feedback form,
- newsletter subscription,
- booking of personal consultations,
- contact requests, and
- registration for training sessions organised by Findata.
The privacy notice also explains the obligations and legal frameworks that Findata complies with when processing personal data.
The controller for the processing of material in Kapseli is defined in the data permit. In this case, Findata acts as a data processor on behalf of that controller.
“Personal data” means any information relating to a data subject that can be identified directly or indirectly, as defined in the EU General Data Protection Regulation (2016/679, GDPR).
Findata complies with the GDPR, the Act on the Secondary Use of Health and Social Data, as well as other applicable data protection legislation and good data processing practices when handling personal data.
Controller
Findata – Social and Health Data Permit Authority
P.O. BOX 30, FI-00301 Helsinki, Finland
info@findata.fi
Data Protection Officer
tietosuojavastaava@findata.fi
Purpose of processing of personal data and legal basis for processing
We process the personal data of users of Findata’s services as a data controller for the following purposes:
- to provide the requested service,
- to ensure information security and the lawfulness of the processing of personal data,
- to communicate about the service and its use, and
- to carry out any necessary billing.
Chatbot Vinkkeli is an AI-assisted tool that answers users’ questions on Findata’s website. When using Vinkkeli, the conversation takes place with a machine, not a human. The user is asked not to insert any personal data into the conversation. Vinkkeli uses OpenAI’s API to process user inputs and provide responses. User inputs are sent to OpenAI’s servers for processing and generating replies.
We may use your information to:
- Deliver and improve Vinkkeli’s functionality,
- analyse interactions to enhance our services and
- address technical issues or investigate abuse.
We also use the number of Kapseli users to develop and administer the service.
We do not use automated decision making or profiling in our data processing.
The processing of personal data of service users is based on the following laws:
- General Data Protection Regulation Articles 6(1)(c) and 6(1)(e),
- Data Protection Act (1050/2018) Section 4(2), and
- Act on the Secondary Use of Health and Social Data (552/2019) Sections 16, 17, 20, and 46.
The processing of personal data may also be based on the performance of a contract to which the data subject or the entity represented by the data subject is a party, or on taking steps prior to entering into such a contract.
In Findata’s e-service, in addition to applying for a data permit and submitting a data request, it is also possible to make requests concerning the rights of a data subject in accordance with the GDPR. The legal basis for processing requests made by individuals exercising their data subject rights is GDPR Article 6(1)(c) and Articles 12-21.
Personal data processed and sources of data
We collect the following information about the service users:
- Name,
- telephone number,
- email address, and
- organisation information.
The information is obtained either from the data subject themselves or on their behalf from the person who placed the order or, for services requiring a contract, from the service user at the time of concluding the contract.
When using Vinkkeli, the user is asked not to insert any personal data into the conversation. Findata does not process personal data in this context unless the user themselves enters personal data into the conversation. When using Vinkkeli, we may collect:
- Messages and inputs: The text or other information you provide during your interaction with Vinkkeli.
- Technical data: Non-personally identifiable information, such as session metadata.
We collect the following information about the persons who have made requests to exercise their rights as a data subject in Findata’s e-service:
- Name,
- social security number, and
- contact information.
In addition, we collect data depending on which right the data subject wishes to exercise.
For individuals who exercise their right to restrict or object to the processing of their data (Articles 18 and 21 of the GDPR), we will record, in addition to the information above, the reasons for restricting or objecting to the use of the data.
We implement the right to restrict and object on the basis of social security numbers. We remove the data of individuals who have exercised the right to object or restrict from the data we receive by comparing the data with the social security number and removing the detailed information contained in the data relating to those individuals.
In addition to the above, we collect the following data from a person exercising their right to rectification (Article 16 of the GDPR):
- which data is to be corrected, and
- to which format the data is to be corrected.
Regular disclosures of personal data and categories of recipients
We do not disclose personal data about service users or contact persons on a regular basis.
Input data of Vinkkeli may be shared with:
- OpenAI: Inputs provided to Vinkkeli are processed by OpenAI’s API, subject to OpenAI’s Usage Policies and Privacy Policy.
- Service providers: Third parties assisting us with hosting or other technical needs.
We do not sell input data to third parties.
We use Tieteen Tietotekniikkakeskus Oy (CSC) to carry out technical maintenance and development. CSC acts as a processor of personal data on behalf of Findata. A valid Data Processing Agreement (DPA) is in place with CSC.
Retention period for personal data
Findata retains personal data for as long as necessary to fulfil the purposes defined in this privacy notice, unless legislation requires a longer retention period or unless Findata needs the data to establish, exercise, or defend a legal claim.
Conversation logs of Vinkkeli are automatically deleted from the plugin/server after 30 days. OpenAI may retain data processed through its API for a limited period to monitor for abuse or misuse, per its privacy practices.
Transfer and disclosure of personal data to non-EU or EEA countries or to international organisations
We do not disclose personal data outside the EU or EEA or to international organisations.
Inputs provided to Vinkkeli are processed by OpenAI’s API, subject to OpenAI’s Usage Policies and Privacy Policy. OpenAI does not use data submitted via API interfaces for model development. More information can be found on OpenAI’s website (openai.com).
Rights of the data subject
In this privacy notice, “data subject” refers to the users of Findata’s services. For more information about the rights of data subjects, see the section “Rights of the data subject” above on this page.
Processing of data permit applications and data requests
This privacy notice explains how Findata processes the personal data of data permit applicants and data requesters.
“Personal data” means any information relating to a data subject that can be identified directly or indirectly, as defined in the EU General Data Protection Regulation (2016/679, GDPR).
Findata complies with the GDPR, the Act on the Secondary Use of Health and Social Data, as well as other applicable data protection legislation and good data processing practices when handling personal data.
Controller
Findata – Social and Health Data Permit Authority
P.O. BOX 30, FI-00301 Helsinki, Finland
info@findata.fi
Data Protection Officer
tietosuojavastaava@findata.fi
Purpose of processing of personal data and legal basis for processing
Findata’s statutory duties include processing data permit applications and data requests and issuing administrative decisions on them.
We process personal data relating to applicants or representatives of applicant organisations for the purposes of processing applications, decision-making and invoicing. We process contact information of applicants or applicant entities to send customer notices related to the services and their use.
We do not use automated decision-making or profiling in our data processing.
The processing of personal data for processing data permit and data request applications is based on the following laws:
- Act on the Secondary Use of Social and Health Data (552/2019) Sections 6 a, 6 b, and 45,
- General Data Protection Regulation Articles 6(1)(a) and 6(1)(e), and
- Data Protection Act (1050/2018) Section 4(2).
Personal data processed and sources of data
We collect the information that applicants of data permits and data requests provide in the application or request. This information includes the name, position or title of the applicant or their contact person, contact details and the name and affiliation of the persons entitled to process personal data. We also process data for billing purposes. If the data recipient is a private individual, the billing information also includes personal data. In addition, the application may include the name and contact information of the person delivering the target group to Findata.
In addition, we maintain a log system that allows us to track and store personal data from the various stages of processing data permit applications and data requests.
When an application for a data permit or data request is submitted, we store the personal data required for strong electronic identification of the applicant that is transmitted by the Suomi.fi service.
The personal data stored by the Suomi.fi service is described in the service’s privacy policy (suomi.fi).
Regular disclosures of personal data and categories of recipients
We do not disclose the personal data provided in data permit applications or data requests on a regular basis. We publish information on data permits and data requests that we have issued. If the data recipient is a private individual, we do not publish their name.
We disclose information to those requesting it in accordance with the Act on the Openness of Government Activities (621/1999) and the GDPR. As a rule, the information on the application for a permit and the person who made the data request is public, as there is no explicit provision requiring it to be kept secret.
We use Tieteen Tietotekniikkakeskus Oy (CSC) to carry out the technical maintenance and development work of the data request management system. CSC acts as a processor of personal data on behalf of Findata.
Retention period for personal data
We retain data permit applications permanently, and data requests for a period of ten years from their initiation. We retain the data permit decisions permanently and the data request decisions for a period of ten years from the date of their issuance.
We retain draft applications and data requests that have not been submitted to Findata for 180 days from the last edit. Applications that have not been modified for 180 days will be automatically removed from the system.
Transfer and disclosure of personal data to non-EU or EEA countries or to international organisations
We do not disclose personal data outside the EU or EEA or to international organisations.
Rights of the data subject
In this privacy notice, “data subject” refers to individuals submitting data permit applications and data requests. For more information about data subject rights, see the section “Rights of the data subject” above on this page.
Ready-made datasets
The purpose of this privacy notice is to give a comprehensive overview of the personal data that Findata collects when compiling and preprocessing ready-made datasets, the purposes for which this data is used, and to whom the data may be disclosed. This privacy notice also describes the obligations and legal frameworks that Findata adheres to when processing personal data. Findata offers thematic ready-made datasets that are pre-compiled and preprocessed data packages available more quickly, without cost estimates or extraction requests from original data controllers. These datasets are provided via Findata under a data permit.
“Personal data” means any information relating to a data subject that can be identified directly or indirectly, as defined in the EU General Data Protection Regulation (2016/679, GDPR).
Findata complies with the GDPR, the Act on the Secondary Use of Health and Social Data, as well as other applicable data protection legislation and good data processing practices when handling personal data.
Controller
Findata – Social and Health Data Permit Authority
P.O. BOX 30, FI-00301 Helsinki, Finland
info@findata.fi
Data Protection Officer
tietosuojavastaava@findata.fi
Purpose of processing of personal data and legal basis for processing
Pre-processing refers to the actions that are taken on data disclosed to Findata by different controllers before we deliver it to the data recipient. Pre-processing includes aggregating, combining, pseudonymising, and anonymising data. Findata selects the subject matter of the ready-made data sets and the data on which they are based. The purpose of the processing of personal data is to compile datasets in accordance with the chosen theme and, as a general rule, to disclose pseudonymised personal data or statistics compiled from ready-made datasets to the data recipient. Ready-made datasets may also be used to develop an AI model operating within the authority’s operating environment for processing unstructured text data, in order to enhance the data protection of text materials.
We do not use automated decision-making or profiling in the processing of data.
The processing of personal data in the formation of ready-made datasets is based on the following laws:
- Act on Secondary Use of Social and Health Data (552/2019) Section 14,
- General Data Protection Regulation Article 6(1)(e),
- Data Protection Act (1050/2018) Section 4(2), and
- in the case of special categories of personal data, the Data Protection Act Section 6(1)(2) and the General Data Protection Regulation Article 9(2)(g).
Personal data processed and sources of data
In compiling the ready-made datasets, we process the social and health data received from one or more controllers under the scope of the Secondary Use Act to the extent deemed necessary for each project.
We cannot form ready-made material on the basis of all materials of all controllers within the scope of the law. For more detailed restrictions on data, see the Secondary Use Act, Section 6 (finlex.fi).
Data controllers within the scope of the Secondary Use Act:
- Data saved in Kanta services
- Digital and Population Data Services Agency (DVV)
- Finnish Centre for Pensions (ETK)
- Finnish Institute for Health and Welfare (THL)
- Finnish Institute of Occupational Health (TTL)
- Finnish Medicines Agency Fimea
- Finnish Supervisory Agency (LVV)
- Ministry of Social Affairs and Health
- Public and private service providers of social welfare and health care
- Social Insurance Institution of Finland Kela
- Statistics Finland
The data is transferred to Findata and, in the case of data permits, further to the data recipient via a secure transfer service.
Read more detailed descriptions of the data used in the ready-made datasets.
Regular disclosures of personal data and categories of recipients
We disclose the ready-made dataset to the data recipient. The data recipient then becomes the controller of the transferred data. In the vast majority of data permits we grant, the data recipients use the data for scientific research.
According to the Secondary Use Act, the data authorised by a data permit may be disclosed for processing in a secure operating environment as specified in Section 20 of the Secondary Use Act or, for other specific reasons, to another secure operating environment under Section 51 c of the Act. Furthermore, under Section 51 d of the Act, Findata may, for special reasons, grant a data permit to receive data in anonymised form outside the secure operating environment referred to in Section 20.
Read more about secure operating environments.
When statistical data is requested from the ready-made datasets, the data to be disclosed does not contain personal data.
We use Tieteen Tietotekniikkakeskus Oy (CSC) to carry out technical maintenance and development. CSC acts as a processor of personal data on behalf of Findata.
Retention period for personal data
We retain the ready-made datasets permanently.
In addition, the data recipient who has obtained the ready-made dataset on the basis of the data permit retains the data for a specified period of time.
Transfer and disclosure of personal data to non-EU or EEA countries or to international organisations
As a rule, we do not disclose ready-made datasets outside the EU or EEA or to international organisations. According to the Secondary Use Act, the data must be transferred to a secure operating environment that cannot be located outside the EU and EEA. According to Section 51 c of the Secondary Use Act, the data permit authority may, for a specific reason, grant a data permit that allows the data to be disclosed to another secure operating environment.
If the data recipient as the controller wishes to enable the processing of their data from outside the EU and EEA, they must apply to Findata for permission to allow the processing. If we grant permission, the controller must ensure that the material is transferred in accordance with Chapter V of the GDPR, when applicable.
Rights of the data subject
In this privacy notice, “data subject” refers to the person to whom the original social and health data relate. For more information about the rights of data subjects, see the section “Rights of the data subject” above on this page.
Suppliers and subcontractors
This privacy notice explains how Findata processes the personal data of employees and representatives of suppliers and subcontractors.
“Personal data” means any information relating to a data subject who can be identified directly or indirectly, as defined in the EU General Data Protection Regulation (2016/679, GDPR).
Findata complies with the GDPR, the Act on the Secondary Use of Health and Social Data, as well as other applicable data protection legislation and good data processing practices when handling personal data.
Controller
Findata – Social and Health Data Permit Authority
P.O. BOX 30, FI-00301 Helsinki, Finland
info@findata.fi
Data Protection Officer
tietosuojavastaava@findata.fi
Purpose of processing of personal data and legal basis for processing
We process the personal data of the employee/representative of the supplier or subcontractor as a data controller for the following purposes:
- To deliver the service or product in accordance with the contract,
- to ensure information security and the lawfulness of the processing of personal data,
- to communicate about the service and its use, and
- to carry out any necessary billing.
We do not use automated decision-making or profiling in our data processing.
The processing of personal data in connection with supplier or subcontractor relationships is typically based on the performance of a contract between Findata and the supplier or subcontractor (Article 6(1)(b) of the GDPR).
Personal data processed and sources of data
We collect the following information about the employee/representative of the supplier or subcontractor:
- Name,
- telephone number,
- email address, and
- title and employer information.
The information is obtained either from the data subject themselves or from the supplier or subcontractor represented by the data subject.
Regular disclosures of personal data and categories of recipients
We do not disclose personal data about representatives of suppliers or subcontractors on a regular basis.
Retention period for personal data
Findata retains personal data for as long as necessary to fulfill the purposes defined in this privacy notice, unless legislation requires a longer retention period or unless Findata needs the data to establish, exercise, or defend a legal claim.
Transfer and disclosure of personal data to non-EU or EEA countries or to international organisations
We do not disclose personal data outside the EU or EEA or to international organisations.
Rights of the data subject
In this privacy notice, “data subject” refers to the employees and representatives of suppliers and subcontractors. For more information about the rights of data subjects, see the section “Rights of the data subject” above on this page.
Job applicants
Findata is administratively a unit of the National Institute for Health and Welfare (THL), and therefore, for job applicants and employees, the human resources privacy notice of THL applies.
The privacy notice can be found here in Finnish: Tietosuojailmoitus henkilöstöhallinto (thl.fi)