Key legislation on the processing of personal data
The processing of personal data is always based on law. This section explains what that means from a researcher’s perspective.
When you apply to Findata for a data permit to use social and health data in research, the processing of personal data is governed by the EU General Data Protection Regulation (GDPR), the Finnish Data Protection Act, and the Finnish Act on the Secondary Use of Health and Social Data.
In the coming years, the European Health Data Space regulation (EHDS) will also apply.
EU General Data Protection Regulation (GDPR)
The GDPR regulates the processing of personal data within the EU and EEA. It applies whenever personal data are processed.
The GDPR defines, for example, the responsibilities of the data controller, the rights of data subjects, and the key principles of personal data processing.
Key data protection principles under the GDPR
▸ Lawfulness, fairness, and transparency
Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
▸ Purpose limitation
Data must be collected for specified, explicit, and legitimate purposes and must not be processed in a way incompatible with those purposes. Exceptions include processing for research, statistical, and archiving purposes in the public interest.
▸ Data minimisation
Only data that are necessary for the purpose of processing shall be collected.
▸ Accuracy
Data must be accurate and kept up to date. Inaccurate data must be corrected or erased without delay.
▸ Storage limitation
Data shall be kept in a form which permits identification of data subjects for no longer than is necessary. In research and archiving, data may be stored for longer where appropriate safeguards are in place.
▸ Integrity and confidentiality
Data must be processed securely and protected against unauthorised access, loss, and damage.
▸ Accountability
The data controller must be able to demonstrate compliance with these principles in practice.
Data Protection Act
The Finnish Data Protection Act supplements the GDPR at national level. It specifies when special categories of personal data, such as health data, may be processed in Finland.
Typical situations where such data may be processed include:
▸ Scientific or historical research
For example, a university may process health data in a research project where appropriate safeguards are in place.
▸ Statistics and archiving in the public interest
For example, Statistics Finland may process large datasets of personal data to produce official statistics.
Act on the Secondary Use of Health and Social Data (Secondary Use Act)
The Finnish Secondary Use Act governs the secondary use of health and social data in Finland. Findata’s operations are based on this Act.
It defines, for example, who may grant data permits, for what purposes data may be used, and where they may be processed.
European Health Data Space (EHDS)
The EHDS Regulation establishes a common EU framework for the use and exchange of health data.
The EHDS shares many features with the Secondary Use Act, but it also introduces new operational models and changes to, for example, permissible purposes and the processing of data permit applications.
Timeline
The EHDS Regulation entered into force in March 2025. Implementation will be phased, and the provisions relating to secondary use will begin to apply in March 2029.