Updated 15.03.2024

Our Privacy Policy

On this page you will find information about how we process personal data, how you can exercise your data protection rights, what personal data we collect and what the processing of personal data is based on.

Findata becomes a controller of personal data when we receive data from the original data controllers. We process personal data as a data controller when we process applications, provide services that are part of our duties, and carry out our communications. We process contact information of applicants or applicant entities and Kapseli users to send customer notices related to the services and their use.

We do not disclose personal data on the rights, interests or obligations of an individual for decision-making purposes. We do not disclose information, for example, insurance companies for the purpose of preparing individual insurance decisions or to the Social Insurance Institution of Finland (Kela) for benefit decisions. In addition, we do not disclose data for marketing or to provide commercial services.

Compliance with data protection legislation in Finland is monitored by the Office of the Data Protection Ombudsman (tietosuoja.fi).

What are the laws on which Findata bases the processing of personal data?

Findata’s legal basis for processing personal data are:

  • Article 6, (1)(e) of the EU’s General Data Protection Regulation: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Article 4(1)(2) of the Data Protection Act: processing of data that is provided for by the law or that is directly attributable to the controller for the task prescribed by the law

We also process data belonging to special categories of personal data, formerly known as sensitive data. Such data includes, for example, a person’s health data.

The grounds for processing this kind of personal data are:

  • Article 9(2)(g) of the EU General Data Protection Regulation: processing is necessary for the performance of a task carried out in the public interest or the exercise of public authority
  • Section 6(1)(2) of the Data Protection Act: processing is necessary and proportionate for the performance of a task carried out in the public interest by a public authority

More detailed criteria for processing activity-specific personal data can be found in the privacy notices on this page.

See also: Rights of the data subject and how to exercise them

Contact

Controller
Findata – Social and Health Data Permit Authority
P.O. BOX 30, FI-00301 Helsinki, Finland
info@findata.fi

Data Protection Officer
Annika Rahkonen
tietosuojavastaava@findata.fi

Privacy notices

The list of privacy notices is not comprehensive. We will complete the listing in early 2024.

Pre-processing of data under data permit

Purpose of use

We issue permits for the secondary use of social and health data when the application applies to

Data permits can be issued for the purposes of

  • scientific research
  • statistics
  • education
  • planning and reporting duties of an authority

Once the data permit has been issued, we combine and pre-process the data and transfer the pre-processed data to the data recipient for the purpose described in the permit.

Pre-processing refers to the actions that are taken on data disclosed to Findata by different controllers before we hand it over to the data recipient. In pre-processing, we aggregate, combine, pseudonymise, and anonymise data.

In principle, we pseudonymise the data before handing it over. Pseudonymisation refers to the processing of data so that it cannot be directly linked to individuals. We disclose information in an identifiable form only for a particularly justified and necessary reason.

We store the identifiers of pseudonymised data securely. We store the identifiers in a way that the data can be made identifiable and the same data can be produced again with the help of identifiers.

The purpose of the pre-processing of personal data is to create data sets in accordance with the issued permit from the data controllers referred to in the Secondary Use Act.

We do not use automated decision-making or profiling in the processing of data.

Data processed and data sources

Each data permit specifies which data can be processed based on it.

In the pre-processing of data permit, we process the social and health data from controllers within the scope of the data permit to the extent that they have been estimated to be necessary for each project. We store identifiers that allow us to identify the individuals whose data has been processed in the projects.

We do not issue permits for all materials of all data controllers that are subject to the Secondary Use Act. For more detailed restrictions on data, see the Secondary Use Act (in Finnish, finlex.fi).

Data controllers within the scope of the Secondary Use Act:

  • Data saved in Kanta services
  • Digital and Population Data Services Agency (DVV)
  • Finnish Centre for Pensions (ETK)
  • Finnish Institute for Health and Welfare (THL)
  • Finnish Institute of Occupational Health (TTL)
  • Finnish Medicines Agency Fimea
  • National Supervisory Authority for Welfare and Health Valvira
  • Public and private service providers of social welfare and health care
  • Social Insurance Institution of Finland Kela
  • Statistics Finland
  • Regional state administrative agencies (AVI)

The data is transferred to Findata and on to the data recipient via a secure transfer service.

See the list of the issued data permits

Regular disclosure of data

We disclose the material formed on the basis of the data permit to the data recipient. The recipient then becomes the controller of the transferred data.

According to the Secondary Use Act, the data can only be disclosed for processing in a secure operating environment.

Read more about secure operating environments

Recipients of personal data

We will disclose the pre-processed data to the data recipient. In the vast majority of data permits we grant, the recipients use the data for scientific research.

We use Tieteen Tietotekniikkakeskus Oy (CSC) to carry out the technical maintenance and development of the information system (Viranomaisen tietoturvallinen käyttöympäristö) we use in pre-processing. CSC acts as a processor of personal data on behalf of Findata.

Data retention period

We will retain the data obtained from data controllers and the material formed in the pre-processing for four months after we have disclosed the data to the data recipient. During the retention period, we use the data to correct any possible errors made in the pre-processing of the material.

In the case of a rolling data permit, i.e. a data permit that entitles the data recipient to receive updates to the data, the latest data is retained until the new is formed. If the formation of new data set is based on all previously submitted material, we will retain all material for the duration of the permit.

It should be noted that the data recipient retains the data longer than Findata. The permit specifies its period of validity. The controller of the processing is defined in the data permit.

We retain the identifiers of pseudonymised materials for as long as it is necessary to carry out the research and to ensure the validity of its results, in principle for 12 years.

Transfer and disclosure of personal data to non-EU or EEA countries

As a rule, we do not disclose personal data outside the EU or EEA or to international organisations. According to the Secondary Use act, the data must be transferred to a secure operating environment that cannot be located outside the EU and EEA. If we in a specified individual case transfer personal data outside the EU and EEA or to an international organisation on the basis of another law, we will use the transfer basis chosen in accordance with the General Data Protection Regulation (GDPR), depending on the country and organisation of destination.

If the data recipient as the controller wishes to enable the processing of their data from outside the EU and EEA, they must apply to Findata for permission to allow the processing. If we grant permission, the controller must ensure that the material is transferred in accordance with Chapter V of the GDPR, when applicable.

Rights of the data subject

The data subject refers to the person to whom the original social and health information relate. When we process personal data as a data controller, the data subject has the following rights:

  • Right to information about the processing of personal data (Article 14 of the GDPR)
  • Right of access to one’s personal data (Article 15 of the GDPR)
  • Right to rectify one’s data (Article 16 of the GDPR)
  • Right to restrict the processing of one’s data (Article 18 of the GDPR)
  • Right to object to the processing of one’s data (Article 21 of the GDPR)

The data subject has the right to object to the processing of personal data by us at any time on grounds relating to their particular situation. In this case, we shall no longer process the data relating to this person, unless there are substantial and legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

Read more about your rights as a data subject

Legal basis of processing personal data

The processing of personal data in the pre-processing of data under a data permit is based on the following laws:

  • Act on the Secondary Use of Social and Health Data, Sections 14, 44, and 51,
  • Data Protection Act, Section 4(2), and
  • in the case of special categories of personal data, Data Protection Act, Section 6(1)(2), and General Data Protection Regulation, Article 9(2)(g).
Pre-processing of data under data request

Purpose of use

You can obtain statistical data from data controllers covered by the Secondary Use Act with a data request. Once we have made a positive data request decision, we combine and pre-process the data needed for the project and hand over the statistical-level data to the data recipient.

Data requests can be issued for the purposes of

  • scientific research
  • statistics
  • planning and reporting duties of an authority and/or guidance and supervision of a social and healthcare authority
  • education
  • development and innovation operations
  • knowledge management (comparative data)

The purpose of the processing of personal data is to form statistical data of the social and health data received from one or more controllers under the scope of the Secondary Use Act. We provide only anonymous statistical data on the basis of a data request.

In statistical-level data, individual personal data have been combined and summarized. The statistics describe groups of persons rather than an individual persons. The data of the groups of persons is formed in such a way that individuals cannot be identified or traced.

We do not use automated decision-making or profiling in the processing of data.

Data processed and data sources

Each data request decision specifies the basis on which the statistics are to be compiled.

In the pre-processing of data under data requests, we process the social and health data received from one or more controllers under the scope of the Secondary Use Act to the extent that it has been assessed to be necessary for each project.

We do not compile statistics on all materials of all data controllers within the scope of the Secondary Use Act. For more detailed restrictions on data, see the Secondary Use Act (finlex.fi).

Data controllers within the scope of the Secondary Use Act:

  • Data saved in Kanta services
  • Digital and Population Data Services Agency (DVV)
  • Finnish Centre for Pensions (ETK)
  • Finnish Institute for Health and Welfare (THL)
  • Finnish Institute of Occupational Health (TTL)
  • Finnish Medicines Agency Fimea
  • National Supervisory Authority for Welfare and Health Valvira
  • Public and private service providers of social welfare and health care
  • Social Insurance Institution of Finland Kela
  • Statistics Finland
  • Regional state administrative agencies (AVI)

The data is transferred to Findata via a secure transfer service.

Regular disclosure of data and recipients of personal data

We disclose only statistical level data based on data requests. We do not disclose personal data.

We use Tieteen Tietotekniikkakeskus Oy (CSC) to carry out the technical maintenance and development of the information systems we use to transfer the data and compile the statistics. CSC acts as a processor of personal data on behalf of Findata.

There are no other categories of recipients of personal data because we do not disclose personal data based on data requests.

Data retention period

We retain data from controllers for a period of six months after we have disclosed the statistics we have compiled to the data recipient. During the retention period, we use the data to correct any possible errors in the compilation of statistics.

In the case of a rolling data request, i.e. statistics are compiled and delivered at regular intervals on the basis of updated data, we will retain the data for six months from the last delivery.

Transfer and disclosure of personal data to non-EU or EEA countries

We do not disclose personal data outside the EU or EEA.

The statistics compiled on the basis of the data request do not contain personal data, so they can also be disclosed outside the EU member states.

Rights of the data subject

The data subject refers to the person to whom the original social and health information relate. When we process personal data as a data controller, the data subject has the following rights:

  • Right to information about the processing of personal data (Article 14 of the GDPR)
  • Right of access to one’s personal data (Article 15 of the GDPR)
  • Right to rectify one’s data (Article 16 of the GDPR)
  • Right to restrict the processing of one’s data (Article 18 of the GDPR)
  • Right to object to the processing of one’s data (Article 21 of the GDPR)

The data subject has the right to object to the processing of personal data by us at any time on grounds relating to their particular situation. In this case, we shall no longer process the data relating to this person, unless there are substantial and legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

Read more about your rights as a data subject

Legal basis of processing personal data

The processing of personal data in the pre-processing of the data under a data request is based on the following laws:

  • Act on Secondary Use of Social and Health Data (552/2019) Sections 14 and 45,
  • General Data Protection Regulation Article 6(1)(e),
  • Data Protection Act Section 4(2) and,
  • in the case of special categories of personal data, the Data Protection Act Section 6(1)(2) and the General Data Protection Regulation Article 9(2)(g).
Processing of data permit applications and data requests

Purpose of use

Findata’s statutory duties include processing data permit applications and data requests and issuing administrative decisions on them. We accept data permit applications and data requests through Findata’s data request management system.

We process personal data relating to applicants or representatives of applicant organisations for the purposes of processing applications, decision-making and invoicing. We process contact information of applicants or applicant entities to send customer notices related to the services and their use.

In principle, the applicants must identify themselves using the Suomi.fi service when applying for a data permit or a data request.

Data permit applications, data requests and the decisions on them are stored in the case management system in accordance with the authority’s data management regulation. The case management system used by Findata is maintained by the National Institute for Health and Welfare (THL).

Draft applications are stored in the case management system so that the applicant can, if necessary, pause the drafting of the application and return to it at a later date.

We do not use automated decision-making or profiling in our data processing.

Data processed and data sources

We collect the information about those applying for data permits and data requests that they provide in the application or request.This information includes the name, position or title of the applicant or their contact person, contact details and the name and affiliation of the persons entitled to process personal data. We also process data for billing purposes. If the data recipient is a private individual, the billing information also includes personal data. In addition, the application may include the name and contact information of the person delivering the target group to Findata.

In addition, we maintain a log system that allows us to track and store personal data from the various stages of processing data permit applications and data requests.

When an application for a data permit or data request is submitted, we store the personal data required for strong electronic identification of the applicant that is transmitted by the Suomi.fi service. The personal data stored by the Suomi.fi service is described in the service’s privacy policy (suomi.fi).

We record applications for data permits and data requests in the case management system Helmi maintained by THL. See THL’s website (thl.fi) for more information.

Regular disclosure of data and recipients of personal data

We do not disclose the personal data provided in data permit applications or data requests on a regular basis. We publish information on data permits and data requests that we have issued. If the data recipient is a private individual, we do not publish their name.

We disclose information to those requesting it in accordance with the Act on the Openness of Government Activities. As a rule, the information on the application for a permit and the person who made the data request is public, as it is not explicitly provided for to be kept secret.

We use Tieteen Tietotekniikkakeskus Oy (CSC) to carry out the technical maintenance and development work of the data request management system. CSC acts as a processor of personal data on behalf of Findata.

We record data permit applications and data requests in the case management system maintained by THL. Persons working at THL whose duties include processing Findata’s documents have access to the data. Findata is an independent unit operating in connection with THL.

Data retention period

We retain data permit applications permanently, and data requests for a period of ten years from their initiation. We retain the data permit decisions permanently and the data request decisions for a period of ten years from the date of their issuance.

We retain draft applications and data requests that have not been submitted to Findata for 180 days from the last edit. Applications that have not been modified for 180 days will be automatically removed from the system.

Transfer and disclosure of personal data to non-EU or EEA countries

We do not disclose personal data outside the EU or EEA.

Rights of the data subject

The data subject refers to the person to whom the original social and health information relate. When we process personal data contained in an application for data permit or a data request, the data subject has the following rights:

  • Right to information about the processing of personal data (Article 14 of the GDPR)
  • Right of access to one’s personal data (Article 15 of the GDPR)
  • Right to rectify one’s data (Article 16 of the GDPR)
  • Right to restrict the processing of one’s data (Article 18 of the GDPR)
  • Right to object to the processing of one’s data (Article 21 of the GDPR)

The data subject has the right to object to the processing of personal data by us at any time on grounds relating to their particular situation. In this case, we shall no longer process the data relating to this person, unless there are substantial and legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

Read more about your rights as a data subject

Legal basis of processing personal data

The processing of personal data for processing data permit and data request applications is based on the following laws:

  • Act on the Secondary Use of Social and Health Data (552/2019) Sections 44 and 45,
  • General Data Protection Regulation Article 6(1)(e) and
  • Data Protection Act Section 4(2).
Ready-made datasets

Purpose of use

We offer thematic datasets which are pre-compiled and processed data entities. The ready-made datasets are available through Findata more quickly on the basis of a data permit, without having to request cost estimates or extracts from the controllers.

Pre-processing refers to the actions that are taken on data disclosed to Findata by different controllers before we deliver it to the data recipient. Pre-processing includes aggregating, combining, pseudonymising, and anonymising data.

Pseudonymisation refers to the conversion of personal data into a encrypted form. In this case, names and personal identification numbers may be removed and replaced with another unique identifier, i.e. a code. Often, a code key is retained in order to return direct personal information to the data. Pseudonymised data is still personal data. In principle, we pseudonymise the data before handing it over. We will only disclose information in identifiable form for a particularly justified and necessary reason.

Anonymising means changing personal data to make it irreversibly impossible to identify an individual. This can mean, for example, removing direct identifiers and the coarsening the data to a general level so that personal data cannot be changed back to be identifiable in any way.

Findata selects the subject matter of the ready-made data sets and the data on which they are based. The purpose of the processing of personal data is to compile datasets in accordance with the chosen theme and, as a general rule, to disclose pseudonymised personal data or statistics compiled from ready-made datasets to the data recipient.

We do not use automated decision-making or profiling in the processing of data.

Data processed and data sources

In compiling the ready-made datasets, we process the social and health data received from one or more controllers under the scope of the Secondary Use Act to the extent deemed necessary for each project.

We cannot form ready-made material on the basis of all materials of all controllers within the scope of the law.  For more detailed restrictions on data, see the Secondary Use Act (in Finnish, finlex.fi).

Data controllers within the scope of the Secondary Use Act:

  • Data saved in Kanta services
  • Digital and Population Data Services Agency (DVV)
  • Finnish Centre for Pensions (ETK)
  • Finnish Institute for Health and Welfare (THL)
  • Finnish Institute of Occupational Health (TTL)
  • Finnish Medicines Agency Fimea
  • National Supervisory Authority for Welfare and Health Valvira
  • Public and private service providers of social welfare and health care
  • Social Insurance Institution of Finland Kela
  • Statistics Finland
  • Regional state administrative agencies (AVI)

The data is transferred to Findata and on to the data recipient via a secure transfer service.

Read more detailed descriptions of the data used in the ready-made datasets.

Regular disclosure of data

We disclose the ready-made dataset to the data recipient. The data recipient then becomes the controller of the transferred data.

Under the Secondary Use Act, the data can only be disclosed for processing in a secure operating environment. Read more about secure operating environments

When statistical data is requested from the ready-made datasets, the data to be disclosed does not contain personal data.

Recipients of personal data

We will disclose the data to the data recipient. In the vast majority of data permits we grant, the data recipients use the data for scientific research.

We use Tieteen Tietotekniikkakeskus Oy (CSC) to carry out technical maintenance and development. CSC acts as a processor of personal data on behalf of Findata.

Data retention period

We define the retention period for each ready-made dataset separately.

In addition, the data recipient who has obtained the ready-made dataset on the basis of the data permit retains the data for a specified period of time. The controller of this processing is the data recipient.

Transfer and disclosure of personal data to non-EU or EEA countries

As a rule, we do not disclose ready-made datasets outside the EU or EEA or to international organisations. According to the Secondary Use act, personal data must be transferred to a secure operating environment that cannot be located outside the EU and EEA.

If the data recipient as the controller wishes to enable the processing of their data from outside the EU and EEA, they must apply to Findata for permission to allow the processing. If we grant permission, the controller must ensure that the material is transferred in accordance with Chapter V of the GDPR, when applicable.

Rights of the data subject

The data subject refers to the person to whom the original social and health information relate. When we process personal data to form ready-made materials, the data subject has the following rights:

  • Right to information about the processing of personal data (Article 14 of the GDPR)
  • Right of access to one’s personal data (Article 15 of the GDPR)
  • Right to rectify one’s data (Article 16 of the GDPR)
  • Right to restrict the processing of one’s data (Article 18 of the GDPR)
  • Right to object to the processing of one’s data (Article 21 of the GDPR)

The data subject has the right to object to the processing of personal data by us at any time on grounds relating to their particular situation. In this case, we shall no longer process the data relating to this person, unless there are substantial and legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

Read more about your rights as a data subject

Legal basis of processing personal data

The processing of personal data in the formation of ready-made datasets is based on the following laws:

  • Act on Secondary Use of Social and Health Data (552/2019) Sections 14 and 51,
  • General Data Protection Regulation Article 6(1)(e),
  • Data Protection Act Section 4(2) and,
  • in the case of special categories of personal data, the Data Protection Act Section 6(1)(2) and the General Data Protection Regulation Article 9(2)(g).
Ordering and using Kapseli

Purpose of use

Kapseli is a secure operating environment provided by Findata, where you can process individual level data obtained under a data permit issued by Findata or another authority.  Kapseli is used via a remote connection by logging in via a browser.

The controller for the processing of material in Kapseli is defined in the data permit. In this case, Findata acts as a data processor on behalf of that controller.

We process the personal data of Kapseli users as a data controller in order to

  • provide the functions of Kapseli,
  • ensure information security and the lawfulness of the processing of personal data and
  • carry out billing.

We process contact information of Kapseli users to send user notices related to Kapseli and its use.

We also use the number of Kapseli users to develop and administer the service.

We do not use automated decision making or profiling in our data processing.

Data processed and data sources

When ordering Kapseli, we collect the following information about the person ordering Kapseli:

  • name
  • telephone number
  • email address
  • organisation information

The person ordering Kapseli also enters the information of any other persons who need access rights to the environment. The names and email addresses of these individuals are collected.

The information is obtained either from the data subject themselves or on their behalf from the person who placed the order.

Logging into Kapseli is primarily done through two-step authentication via the Suomi.fi service. The personal data collected by the Suomi.fi service is described in the service’s privacy policy (suomi.fi).

Regular disclosure of data and recipients of data

We do not disclose data about Kapseli users on a regular basis.

We use Tieteen Tietotekniikkakeskus Oy (CSC) to carry out technical maintenance and development. CSC acts as a processor of personal data on behalf of Findata.

Data retention period

We retain the data for the duration of the Kapseli subscription and for as long as necessary for billing purposes.

Transfer and disclosure of personal data to non-EU or EEA countries

We do not disclose data outside the EU or EEA or to international organisations.

Rights of the data subject

The data subject refers to the person to whom the original social and health information relate.  When processing personal data of Kapseli users, the data subject has the following rights:

  • Right to be informed about the processing of personal data (Article 13 of the GDPR)
  • Right of access to one’s personal data (Article 15 of the GDPR)
  • Right to rectify one’s data (Article 16 of the GDPR)
  • Right to restrict the processing of one’s data (Article 18 of the GDPR)
  • Right to object to the processing of one’s data (Article 21 of the GDPR)

The data subject has the right to object to the processing of personal data by us at any time on grounds relating to their particular situation. In this case, we shall no longer process the data relating to this person, unless there are substantial and legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

Read more about your rights as a data subject

Legal basis of processing personal data

The processing of personal data of Kapseli users is based on the following laws:

  • General Data Protection Regulation, Art. 6(1)(e) and
  • Data Protection Act, Section 4(2).
Exercising your rights as a data subject

Purpose of use

Everyone has the possibility to exercise their rights as a data subject in Findata’s operations. The data subject refers to the person to whom the original social and health information relate.

When we process personal data as a controller, the data subject has the following rights:

  • Right to information about the processing of personal data (Article 14 of the GDPR)
  • Right of access to one’s personal data (Article 15 of the GDPR)
  • Right to rectify one’s data (Article 16 of the GDPR)
  • Right to restrict the processing of one’s data (Article 18 of the GDPR)
  • Right to object to the processing of one’s data (Article 21 of the GDPR)

The data subject has the right to object to the processing of personal data by us at any time on grounds relating to their particular situation. In that case, we will no longer process the data relating to that person, unless there are substantial and legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

In order to be able to carry out a request for the data subject’s right, we need to process the personal data provided in connection with the request.

See more information on the rights of the data subject.

Data processed and data sources

We collect the following information about the persons who have made requests to exercise the rights of the data subject:

  • name
  • social security number
  • contact information

In addition, we collect data depending on which right the data subject wishes to exercise.

For individuals who exercise their right to restrict or object to the processing of their data (Articles 18 and 21 of the GDPR), we will record, in addition to the information above, the reasons for restricting or objecting to the use of the data.

We implement the right to restrict and object on the basis of social security numbers. We remove the data of individuals who have exercised the right to object or restrict from the data we receive by comparing the data with the social security number and removing the detailed information contained in the data relating to those individuals.

In addition to the above, the following data from the data subject are collected from a person exercising their right to rectification (Article 16 of the GDPR):

  • which data is to be corrected
  • to which format the data is to be corrected

Regular disclosure of data and recipients of data

Requests concerning the rights of the data subject are recorded in the case management system maintained by the National Institute for Health and Welfare (THL). Persons working at THL’s registry, whose duties include registering and handling matters initiated at Findata, have access to the information contained in the initiation documents. Findata is an independent unit operating in connection with THL.

We disclose information to those requesting it in accordance with the Act on the Openness of Government Activities (oikeusministerio.fi). The contents of requests for the rights of the data subject may contain confidential information that will not be disclosed without the separately provided right of access or the consent of the data subject.

The contents of requests for the rights of the data subject are not regularly disclosed.

When anonymous statistical information is requested from Findata, which is formed on the basis of data held by THL, THL forms the statistics requested. In this case, we ask THL to exclude from the compilation of the statistics the information relating to the social security numbers of the individuals who have exercised their right to restrict and object to the processing of their data. For this purpose, we transfer to THL the social security numbers of these individuals via a secure transfer service.

The purpose of this policy is to minimize the number of times the social security numbers are transferred between Findata and THL, and to ensure that the data of persons who have exercised the right to object and restrict is excluded from the formation of the data as early as possible.

Legal basis of processing personal data

The processing of personal data when processing requests for data subjects’ rights is based on the following laws:

  • Article 6(1)(e) and Articles 12 to 21 of the General Data Protection Regulation,
  • Article 4(2) of the Data Protection Act and,
  • in the case of special categories of personal data, Article 6(1)(2) of the Data Protection Act.