Updated 01.08.2024

Data permits

A data permit is a fixed-term permit issued by an authority to an individual, allowing the processing of confidential materials that contain personal data.

Before applying for a data permit, please read the Permits page.

General information on data permit applications

Read up on the general principles that apply to applications, such as what is confidential and what is public. Read more General information on data permit applications

Logging into the e-service

How to log in and select an application form. Read more Logging into the e-service

Instructions for completing a data permit application

See the section specific instructions on completing an application, that also acts as the criteria for an application that can be processed. Read more Instructions for completing a data permit application

Data processing

Read the additional information on processing after a data permit has been issued. Read more Data processing

Information on costs

See an up-to-date price list for data permit decisions. Read more Information on costs

Application assistant

Ensure the correct address for the data permit application. Read more Application assistant

What to remember before sending an application

Select the correct application type

There are different types of applications for different information needs

  • Data permit application, when you need data on individuals
  • Data request, when you need statistical data
  • Amendment application, when you are applying for an amendment to a valid data permit
Describe and limit data

Define the data to be applied for at the variable level and remember the principle of minimisation for other information. Utilise the Data Resources Catalogue (aineistokatalogi.fi) and controller’s advisory services

  • Where from and how do I extract the target group? Is the definition specific enough?
  • Are control subjects/relatives extracted? How will they be defined?
  • From which registers will the data be extracted?
  • What variables will be included in the extraction? 

Other data to be combined

  • Have you made sure that the other data is described on the application?
  • Are the permits for other data valid or is the permit process pending?
Determine the competent authority

We grant permits for the secondary use of social and health data when the application applies to

  • data maintained by several public social and health sector controllers
  • data maintained by a single public controller, that has transferred the right to issue permits to Findata
  • the register data of one or numerous private social and health service provider, or
  • data saved in the Kanta Services

The assessment of the competent authority must consider all the data related to the application.

Check from the application assistant which authority the application should be sent to.

General information on data permit applications

Data permit applications and their attachments are confidential. We will share necessary information with data controllers to extract data, form target groups, including applicant details.

Decisions and permits granted by the authority are primarily public. On our website, we will publish the following information for projects with approved data permits:

  • date of decision
  • permit validity period
  • permit holder (organisation)
  • project name
  • brief description of the intended use for the data
  • purpose of use pursuant to the Act on Secondary Use

This public information may also be shared through other communication channels.

After a permit is issued, the data is extracted by the controllers and securely sent to Findata. We then pre-process, pseudonymise and, where necessary, combine and anonymise the data.

In practice we remove all the direct identifiers and create a pseudo ID, which will allow different people to be identified from one another and information on each individual can be combined from various pieces of data.

If you need data on individuals from just one public sector controller, contact the controller directly. Contact information is available e.g. on the Data page.

Processing of data permit applications

We review all data permit applications within one week of receipt and categorize them into two groups:

  • Applications ready for processing: These applications contain all necessary information and will proceed to the next step. We will email the applicant within 10 business days if their application is eligible for processing.
  • Applications requiring supplementation: These applications require additional information. Findata’s specialist will contact the applicant with detailed instructions and a request for the needed supplements.

Use the instructions and criteria provided below to complete your data permit application. You can also review and update your application before we reach out to you.

If you need to supplement an application you’ve already submitted, email us at info@findata.fi. In the subject line, write “Return of Application” and include your application’s record number (e.g., Return of Application THL/XXXX/14.0X.00/202X).

Logging into the e-service

Submit an application in our e-service (asiointi.findata.fi) using either Suomi.fi e-Identification or Haka login. For more information on logging in, visit the Login page.

Please use the same identification method each time you log in to view your submitted applications and decisions.

Data permit applications can be submitted in Finnish, Swedish, or English.

After logging in

  1. Go to the Submit application tab.
  2. Choose Data permit application: individual-level data by clicking Fill in the application.
  3. Complete the application form following the instructions provided and submit it.

Once an application is submitted, it cannot be edited. If you need to supplement a submitted application, email us at info@findata.fi with your application ID (e.g., 2022/53). We will return the application for you to update.

See also

Dates of monthly maintenance outages in 2024
  • 18.1.2024
  • 22.2.2024
  • 21.3.2024
  • 18.4.2024
  • 23.5.2024
  • 20.6.2024
  • 18.7.2024
  • 22.8.2024
  • 19.9.2024
  • 17.10.2024
  • 21.11.2024
  • 19.12.2024

Instructions for completing a data permit application

Take these into account before filling out the application

Confirm the feasibility of the extractions from the data controllers. Use the extraction description form.

Download the extraction description form (Word document, 56 KB)

You need the following attachments to fill out the application:

  • Completed extraction description form
  • Privacy notice regarding requested information

You may also need the following attachments to fill out the application:

  • Research plan when the purpose of data use is scientific research
  • Organization’s research permit, when the research has required a research permit from the responsible organization
  • Positive ethical review when the research has required an ethical review
  • Description of the sampling method of the target group (if necessary)
  • The consent form and information letter that you have sent to the target group, when the target group is formed based on consent
  • Previous permit concerning the target group, controls or relatives
  • Impact assessment (DPIA) when the General Data Protection Regulation or the Data Protection Act requires the preparation of an impact assessment

1 Public information about the project

  • Project name
    • The name of the project granted a data permit will be published on Findata’s website. Ensure the project name does not include confidential information.
  • A brief description of the project
    • Provide a concise description of the study or project and the intended use of the requested data. This description, once the data permit is granted, will be posted on Findata’s website. Avoid including confidential details in this description.

2 Details of the applicant

  • The applicant is the person or organization named in the application to whom the data permit will be issued.
    • Enter the contact person’s information only in the next section.
  • Enter the applicant’s business ID. If the applicant is an individual, enter 123 in the field. For organizations located in an EU/EEA country other than Finland, provide the name of the official register where the organization is registered.
Controllership of data being applied for

A controller under the EU General Data Protection Regulation (GDPR) is an organization or individual who is the controller of the data. The controller determines the purposes and means of processing the data generated based on the data permit.

There may be more than one controller and the controllers may be joint controllers, in which case they define the purposes and means of processing the data together. In the case of a joint controllership, select ‘A third party’ and enter all controllers in the additional information field.

3 Details of the contact person

  • The contact person is the individual responsible for answering enquiries concerning the application. Their contact details may be shared with the data controller if additional information is needed during processing.
  • Describe the contact person’s relationship with the applicant, such as employment or a public service appointment.

4 Invoicing details

  • E-invoicing is the primary method of invoicing.
  • If the invoiced party is different from the applicant, clarify this in the ‘Additional Information’ section if necessary.
  • Invoicing details for Finnish payers:
    • Use the business ID to form the VAT number. Add the country code “FI” to the beginning and remove any hyphen (e.g., business ID “1234567-8” becomes VAT number “FI12345678”).
    • Check verkkolaskuosoite.fi for e-invoice addresses.
  • Invoicing details for foreign payers:
    • Foreign payers should have a Peppol address for e-invoicing. For more information, visit peppol.org.
    • If the payer doesn’t have a Peppol-address, the invoice is sent by mail.
Applicant’s business ID

Enter the applicant’s business ID If the applicant is a private individual, enter 123 into the field. If the applicant organisation is located in a country other than Finland or an EU/EEA member state, provide the name of the official register in which the organisation is registered.

Checklist for applicants

  • Ensure that contact information and billing details are filled in correctly and are consistent with the information provided elsewhere in the application.
  • If you are applying as an individual rather than an organization, provide additional information in the “Additional Information” field at the end of the form.

5 Purpose of data use

  • The application must clearly outline how the requested data will be used, ensuring it aligns with the purpose specified under the Secondary Use Act.
  • The data you request should be relevant and necessary for the stated purpose of processing personal data.
  • For the reduced decision price applicable to theses, the thesis must be at least the final assignment for a Bachelor’s degree. The reduced price only applies to individual theses.
    • If the thesis is part of a larger project or if multiple theses are produced within the same project, it should be categorized as a research project rather than a thesis work in the Findata application.

Click to see more information about different use purposes:

Education

When data is to be used for education, the applied for data will be used to prepare teaching materials for personnel and persons studying to become social welfare and health care personnel who process customer data and social welfare and health care professionals. Please note: Data containing identifiers can only be used in teaching situations if teaching cannot be carried out anonymously due to the exceptional nature of the case, the nature of teaching or a similar reason.  The person providing teaching must inform their students of the confidentiality provisions in legislation and the sanctions resulting from their violation.

Planning and reporting duty of an authority

As a rule, only an authority may carry out the planning and reporting duties of an authority. If an authority does not act as the applicant in a data permit application, the authority must be the controller of the data. As a rule, when work is commissioned, the commissioning party will be the processor of personal data.

Scientific research

When data is to be used for scientific research, attach an up-to-date research plan and a research permit from the responsible/target organisation to your application. Also attach an opinion from the Ethics Committee, if the legislation applying to the research and/or the research setup so requires.

Criteria for scientific research (in general):

  • an appropriate research plan
  • responsible person or group
  • results to be published as a scientific publication
  • research produces new information.
Statistics

When data is to be used to form statistics, state in the application which party will compile the statistics and for what purpose.

Checklist for applicants

  • Ensure the purpose of data use matches the information stated elsewhere in the application.
  • Add all necessary attachments and verify they do not conflict with each other or with other information (e.g., other permits, statements, research plan, and abstract).
  • If the application is for a thesis, apply for only one thesis and provide the necessary information.

6 Requested data set

  • The data set requested in the data permit application must be clearly described, specifying which data sets the application pertains to. This detailed description is known as the extraction description.
  • The extraction description should focus solely on the necessary volume of personal data, adhering to the principle of data minimisation as outlined in the EU’s General Data Protection Regulation (GDPR). The application should provide a clear rationale for why the requested data are required for the stated purposes.
  • Define the formation and criteria of the target group using the extraction description form. See more information the form below in the section ‘6.3 Extraction description’.
  • Do not attach an existing target group, controls, relatives or completed consent forms to the application.
  • On the extraction description form, provide the following information regarding the final payer of the invoice:
    • Name
    • VAT ID
    • Country

6.1 Defining the extraction criteria for the target group

  • The target group refers to individuals whose data will be extracted based on the data permit applied for.
  • Extraction methods:
    1. The target group is formed based on selection criteria provided in the application from a data controller under the Secondary Use Act.
      • Select ‘The target group is formed according to the selection conditions described below, based on the data permit you are applying for.’
      • This applies to most cases.
    2. The target group has already been formed.
      • Select ‘The target group has been formed and the permit applicant or someone else submits the personal identity codes of the target group to Findata.
      • Specify the data permit under which the target group was formed and whether it is still valid.
      • This option also applies if the target group is formed based on consent.
      • If the permit for the target group is pending or under review elsewhere, provide the available details.
      • If you already have a permit for part of the target group and are applying to include additional individuals, select both of the above options.
    3. The target group is to be selected from Findata’s ready-made dataset.
      • Indicate Findata as the data controller and specify the name of the data set in the application’s table and extraction description form (e.g., Findata and FinRegistry ready-made data set).
  • Note that a research permit from an organization generally permits conducting research, while a data permit specifically allows the use of personal data in the research. If uncertain, contact the permitting authority for clarification.
  • If the size of the target group is unknown, contact the data controllers and/or estimate the size rather too large than too small.
  • Clearly describe how the target group is formed. Ensure the target group is restricted according to the purpose of use.
    • Pay attention to which registers and criteria are used for selecting the target group. For instance, geographical boundaries might refer to the place of residence, place of birth, place of work, or place of service use.
  • The data extraction will be carried out based on the selection criteria you have described in the application. Errors in describing the criteria for the target and control groups can significantly impact the usability of the data.

6.2 Defining the extraction criteria for controls and relatives

  • Provide a clear description of how controls are extracted for your study:
    • Specify the registers from which controls are selected.
    • Define the criteria used to identify and match controls. This may include factors like age, gender, location, or health status.
    • Indicate how many controls are selected for each study subject.
  • Provide a clear description of how relatives are extracted for your study:
    • Specify the registers from which relatives are selected.
    • Define the criteria used to identify relatives. If necessary, specify the relationship (e.g., biological vs. adoptive parents).
  • If the controls and/or relatives are to be selected from Findata’s ready-made data set, indicate Findata as the data controller and the name of the data set as the register.
    • Findata will assess separately whether the control extraction can be implemented from the ready-made dataset.
  • Do not attach data to the application. After the data permit is granted, Findata will provide instructions for secure data delivery. For additional guidance, refer to the page on Data transfers to Findata.

6.3 Extraction description

  • Purpose of the extraction description:
    • To grant the permit, we need a detailed, register-specific list of variables for all requested data and the time period from which the data will be extracted.
    • This description ensures compliance with the principle of data minimization according to the EU’s General Data Protection Regulation (GDPR).
    • The information should be clearly articulated, focusing only on the necessary amount of personal data required for the study.
  • Provide this information on the extraction description form:
    • Download the form: Extraction description form (Word file, 57 kB)
    • Include detailed variable information for controls and relatives.
    • Complete a separate form for each data controller.
    • Mention age- or gender-related data if required and specify the register.
    • If the extraction involves multiple stages, describe the extraction order.
    • If the extraction involves multiple target groups or additional data for controls/relatives, specify which data will be extracted for each group.
    • If you want to combine other data with the information requested in the application, do not describe them here, but in the next section ‘7 Other Data to be Combined’.
  • Contact data controllers to review and confirm the extraction description before submitting the application to Findata.
    • The data controller will also provide an estimate of the extraction costs. Note that even if you do not receive cost estimates from the controllers in advance, you can still send your application and the extraction description form to Findata.

Checklist for applicants

  • Attach extraction description forms: Ensure that the requested information is described at the variable level.
    • Include technical variable names for THL registers.
  • Match variable information: Confirm that the variable information corresponds to the Data Resources Catalogue (aineistokatalogi.fi) or other data controller’s variable descriptions.
  • Specify data for each group: Clearly specify the data to be extracted for the main target group, controls, and/or relatives.
  • Indicate extraction order: Provide the order in which the data will be extracted.
  • Confirm extraction time period: If necessary, check with the data controller to determine the time period from which the data can be extracted.

Tips for defining the extraction of textual data

  1. Consider necessity: Determine if textual data is essential for conducting your research.
    • The need for unstructured data must always be justified. Often, similar information can be extracted in a structured format.
    • We mask direct identifiers in textual data, which affects the usability of the data.
    • Processing textual data takes time and significantly increases costs.
  2. Request insights from the data controller on appropriate keywords.
    • The data controller is best positioned to assess which keywords will yield the most comprehensive results without extraneous information.
    • For example, the keyword pressure will produce all records related to pressure, such as blood pressure, eye pressure, etc. If the research focus is on blood pressure, the extracted textual data will contain a substantial amount of unnecessary information.
  3. Specify the length of the text snippet to be extracted on a variable-by-variable basis.
    • The text snippet should be as short as possible.
    • Request the data controller’s view on the length of the text to be extracted.
    • For instance, keyword +/- 50 characters.
  4. Ensure the extraction is scoped appropriately.
    • If the extraction can be limited to the information from a specific department or field of treatment instead of the entire healthcare district’s database, the amount of text to be extracted and the processing costs will be significantly lower.

7 Other data to be combined

  • It is possible to combine other data you possess or data obtained from other sources with the register data requested in the data permit application.
  • If the target group is provided to Findata and is defined based on another permit, select “Yes” to the question “Will the data you are applying from Findata also be combined with data you have already obtained or data from other sources?”
  • Provide details about each data set to be combined:
    • List the data sets and their sources.
    • Indicate if the data is in a structured form, or if it consists of images, text, or other formats.
    • Specify which target group the data sets were formed for.
    • Describe in a free-form manner, e.g., “target group / data obtained with Kela / Health Care District’s data permit / survey data.”
  • Ensure all data permits for the combined data sets are valid at the time of data processing and granted for the same project.
  • If the data was collected with consent, attach a template of the consent forms for the target group. Do not attach completed consent forms.
  • If you plan to apply for permits from other authorities but have not yet done so, indicate this in the section “Other pending permits applications.”
  • Provide more details about other data sets or any special considerations in the additional information section. If precise information cannot be provided in the table, estimate on the higher side.
  • Do not attach the data to this application. Once the data permit has been granted, Findata will provide instructions on how to deliver the data securely.

8 Data processing

  • Individual-level data is processed in a secure processing environment (SPE), primarily in a pseudonymized form.
  • The data is primarily delivered to Kapseli, a SPE provided by Findata. If you wish to process the data in another SPE, justify why this is necessary for the project.
  • If the data needs to be retained after the analysis, the data permit must be valid, and retention is only possible in a secure environment.
    • Example: If the data usage period is until December 31, 2027, and retention is needed for five years after that, the permit will be granted until December 31, 2032. Apply for a amendment of the data permit if analysis or retention beyond this period is required.
  • Findata retains the pseudonymization key and the extraction criteria and documentation used to create the dataset so that the data can be reproduced if necessary.
  • Processing personal data from abroad constitutes data transfer, even if the data is in a remote access environment.

9 Data utilisation plan

  • A data controller, as defined by the GDPR, is an organization or individual responsible for determining the purposes and means of processing personal data. This entity is identified based on the data permit decision.
  • The data permit can be applied for by the data controller or by another entity on behalf of the data controller.
    • If an entity applies on behalf of the data controller as a data processor, a written data processing agreement must be established between the data processor and the data controller, as required by the GDPR.
  • Data controllers:
    • Identify all data controllers.
    • If there are more than one data controller (joint controllership), they must determine the purposes and means of processing the data.
      • Select ‘A Third party‘ and list all data controllers in the additional information field.
  • Data processors:
    • List all individuals who will process the data, including their representing organization.
    • Separate the individuals with a semicolon: “Person 1, organization; Person 2, organization; etc.”
  • Data minimization principle:
    • Briefly describe how the data minimization principle under the GDPR has been considered.
    • Personal data must be adequate, relevant, and limited to what is necessary concerning the purposes for which they are processed.
  • Information obligations to data subjects:
    • Explain how the information obligations towards the data subjects (the target group) have been fulfilled.
    • Attach the privacy notice or equivalent document used for information purposes.
    • If the privacy notice is available online, provide the web address.
  • Data Protection Impact Assessment (DPIA):
    • If the GDPR or the Data Protection Act requires a DPIA, attach it to the application.
    • Refer to the Data Protection Ombudsman’s guidelines (tietosuoja.fi) for assistance in conducting a DPIA.
  • Research permit and ethical statement:
    • Attach the research permit and/or a favorable ethical statement to the application if necessary.
  • Legal basis for processing:
    • State the legal basis for processing personal data concerning the data obtained from Findata and any other data.
    • Note that nearly all data under Findata’s permit authority are special categories of personal data. The processing of such data requires a legal basis under the GDPR.
    • Refer to the Data Protection Ombudsman’s guidelines (tietosuoja.fi) for more information.

10 Additional information and attachments

  • List all sources of funding under the question regarding project funding. The sources of funding influence the decision on the data permit fee.
    • A lower data permit fee applies if:
      • The applicant’s place of operation is in Finland or another EU/EEA country.
      • The research is research-driven and funded without external funding or with funding from a public healthcare unit, university, research institution, or other public or non-profit entity.
  • Specify any details from previous sections of the application, such as invoicing or the desired processing environment.
  • If you have discussed the application with a Findata employee in advance, provide the employee’s first and last name.
  • Include all relevant attachments that do not have a designated place on the application form. Do not attach data to the application.

11 Confirmation of information

  • Confirm the information provided on the application form.
  • The permit decision will be subject to a fee according to the current fee decree. See the current pricing.
  • The final costs also depend on:
    • The data controllers’ expenses for extracting data
    • The time Findata spends processing the material.
  • Before we make a decision on an application, you must approve the maximum cost estimate for the extraction and pre-processing of data.

Checklist for applicants

  • Complete all requested information in the application and upload necessary attachments. If precise information is not available, provide your best estimate or describe background information in the additional information fields.
  • Consult your organization’s data protection officer or research services if needed. Data controllers also provide advisory services regarding the contents of their datasets.
  • To supplement a submitted application, request a return for completion. Send an email with the subject “Application Return” to info@findata.fi and include the application ID in the message field.

See also:

How does an application’s processing proceed?

The processing of applications involves five stages, which may be preceded by the applicant independently contacting a controller. The process is outlined in detail below the graph.

  1. Contact controllers before submitting the application
    • Contact controllers directly for additional information on data or variables.
    • Request cost estimates and feasibility details from controllers.
    • Arrange any special data extraction agreements with the controller and include this in the Additional Information section of your application. For example, if a clinician from the research team will perform the extraction free of charge, include details in the Additional Information section about who agreed to this and under what conditions.
  2. Submit the application
    • Submit your application or any requested additional information via our e-service (asiointi.findata.fi). Email may be used for additional information if applicable.
  3. Findata reviews the application and its appendices
    • Data permit applications are reviewed within a week of receipt. Applications are divided into those that can be processed immediately and those that need further information.
    • Incomplete applications will be returned for more information or clarification.
  4. Cost estimation:
    • Findata sends requests for additional information and confirmation of cost estimates to the controllers from whom data is being requested in your application. Controllers have 15 working days to respond. We will forward any additional questions from controllers to you.
    • Findata determines its cost estimate for data processing.
  5. Approve the maximum cost estimates:
    • Review the final extraction description and maximum cost estimate.
    • Approve both to proceed with the permit.
    • Note that you cannot change the extraction conditions after approval. Any modifications to the extracted data will require a new application.
  6. Findata issues a decision:
    • A data permit or data request decision will be issued.
    • Data permits are for a fixed period. If you need to save data for purposes such as research verification, or if you plan to renew your permit or require regular updates, include these needs in your application.

Data processing after a data permit has been issued

After a data permit has been issued, the data is extracted by different controllers and sent securely to Findata, primarily in CSV format. At Findata, we pre-process and if necessary, combine and anonymise the data.

In practice, we remove all direct identifiers from the data and produce a pseudo ID that allows different individuals to be identified uniquely and information on each individual to be combined from various data sets. The combination of data is applied based on a personal identity code and is only implemented when it does not require for example the harmonisation of classifications.

After the data has been processed, it is transferred to a secure processing environment where the customer can access and process it. The data is delivered in CSV format, with a semicolon as the separator and UTF-8 encoding.

Do the following if you find errors in your data

  1. Upon receiving the material covered by a data permit or request, please review it as soon as possible, but no later than within three months.
  2. If you notice any omissions or errors, contact Findata at data@findata.fi.
  3. In your message, explain precisely how your data differs from the data described in the extraction description.

Data extractions under a data permit or request are always based on the extraction description. If the extraction description you provided is incomplete, you can complete the extraction by submitting an amendment application or a new application for a data permit to Findata.

The maximum price estimates given are based on the extraction description you provided. If the extraction needs to be completed, a new maximum price estimate will be submitted with the new permit.

See also:

How will the compilation of the applied for data proceed?

Once a data permit is issued or a decision on a data request is made, the data compilation process involves five stages. The process is outlined in detail below the graph.

    1. Data controllers extract the data
      • We will send data requests to the controllers to start the extraction process.
      • Each controller has 30 working days to submit the requested data to Findata.
      • The extraction may involve multiple steps, such as:
        • Extraction of the target group
        • Extraction of controls
        • Extraction of additional data
      • Each step can take up to 30 working days, potentially totaling up to 90 working days.
    2. Findata pre-processes the extracted data
      • We will check, combine, and pseudonymize the data or generate statistics according to the data request.
    3. Findata delivers the data to the permit holder
      • The processed data will be provided in a secure processing environment, typically in CSV format.
      • Findata’s secure processing environment, Kapseli, is the primary option. Data may be disclosed to other environments if necessary.
      • The target time for delivering the data is 60 working days. This timeframe may be extended if the target group is not provided immediately, if extraction is conducted in multiple stages, if there are delays from controllers, or if the data is particularly complex.
    4. Review the data
      • You have three months to review the data and notify Findata of any discrepancies or comments.
      • Thoroughly check the data, as errors can lead to additional work.
        • Errors that occur during extraction can accumulate, such as if the target group is formed incorrectly, requiring additional extractions from other controllers.
      • If you find omissions or errors, email Findata at data@findata.fi with detailed descriptions of how your data differs from the extraction description.
    5. Findata’s data retention and disposal
      • Data will be removed from our systems four months after delivery, but code keys for pseudonymised data will be retained to allow reproduction if needed.
      • Note: Data permits are for a fixed period. If you need to save data for purposes like research verification, plan to renew the permit, or require regular updates, include these needs in your application.

    Information on costs

    The costs for data permits consist of the following:

    • Decision fee: Charged according to the pricelist.
    • Hourly fee: For data processing carried out at Findata.
    • Data controller costs: Costs for the extraction and delivery of data, based on each controller’s provisions.
    • Kapseli fee: For data forwarded for analysis to Findata’s Kapseli environment.

    For more details, visit:

    Data permit pricing

    Price categoryCriteriaPrice
    Data permit for a thesisA data permit related to a thesis for an applicant who is domiciled in Finland or another EU or EEA country.

    If the project produces several theses or other outputs not related to the thesis, another permit fee category will be applied.    		250,00 EUR
    Limited data permitThe processing of the application takes less than 7 hours and the applicant’s place of business is an EU or EEA country. For example, new research questions without changes to the data or new extractions.300,00 EUR
    Normal data permitThe application concerns the data of 1 to 15 data controllers and the applicant is established in an EU or EEA country.

    If the extraction description is modified at the initiative of the applicant in the middle of the application processing process after receiving the cost estimates, or the processing takes more than 14 hours for some other reason, this is an extensive data permit, cf. below.    		1 400,00 EUR
    Normal data permit for researcher-driven researchData permit for the applicant whose place of operation is in Finland or another EU or EEA country, with a processing time of 7 hours or more but less than 14 hours, and it is research that is conducted without external funding or with funding from a public health care unit, university, research institute or other public or non-profit association. The application must be accompanied by an explanation of how the research will be funded.700,00 EUR
    Extensive data permitYou may need an extensive data permit e.g. if one or more of the following is met:
    – The application concerns the data of more than 15 data controllers
    – The extraction description is modified at the initiative of the applicant after receiving the cost estimates, ie more than one round of cost estimates is required from one or more controllers    		2 000,00 EUR
    Extensive data permit for researcher-driven researchData permit for the applicant whose place of operation is in Finland or another EU or EEA country, with a processing time of 14 hours or more, and it is research that is conducted without external funding or with funding from a public health care unit, university, research institute or other public or non-profit association. The application must be accompanied by an explanation of how the research will be funded.1 000,00 EUR
    Data permit for outside the EU or EEA areaData permit for the applicant whose place of business is in a country outside the EU or EEA.3 000,00 EUR
    No VAT is charged on permit decisions.

    Findata’s hourly based fees

    Price categoryCriteriaPrice
    Data processingHourly fee for data combining, pre-processing, pseudonymisation and anonymisation. Minimum one hour.147,00 EUR/hour
    Data transferringData transfers are priced based on the number of zip folders to be transferred. It takes 2,5 hours to transfer one zip folder.

    2,5 x 147 EUR = 367,5 EUR/zip folder

    Each zip folder can be a maximum of 4 GB in size. If the total data to be transferred exceeds 40 GB, we kindly ask that you contact us in advance at data@findata.fi so we can arrange the best approach for transferring your data.    		367,50 EUR/zip folder
    No VAT is charged for data processing and transferring.

    Ensure the correct address for the data permit application

    Select the controllers from which the data will be retrieved

    Apply permit from the controller in question. The exception is those controllers who have delegated permit jurisdiction to Findata.

    Please note that Findata is responsible for data permit and amendment applications whenever the data of data controllers covered by the Act on secondary use is combined. When evaluating the competent authority, all data related to the application under the Act must be taken into account.

    Apply permit (s) from the controllers in question.

    Findata is responsible for data permits of the Finnish Center for Pensions (ETK) and the Finnish Digital Agency (DVV) and / or Statistics Finland if the data are combined with

    • data of other public organizations under the Act on Secondary Use of Health and Social Data (For Statistics Finland, at least two other organizations are needed, for DVV and ETK, one is sufficient)
    • data stored on Kanta services or
    • to the register data of a private social or health care service provider.

    Apply permit from Findata.

    Findata is responsible for processing and making decisions concerning data permit and amendment applications, when the application applies to:

    • data from numerous public social and health sector controllers
    • register data from one or numerous private social welfare and health care service organisers, or
    • customer data saved in the Kanta Services.

    Apply permit from Findata.

    The Regional Administrative Agencies (AVI) have delegated the jurisdiction to Findata.

    Apply permit from Findata.

    National Supervisory Authority for Welfare and Health Valvira have delegated the jurisdiction to Findata.

    Apply for a data permit

    Finnish Institute for Health and Welfare (THL) has delegated the jurisdiction to Findata. As far as THL is concerned, the delegation of jurisdiction does not apply to its

    • internal permit management
    • the transfer of samples and data transferred to THL Biobank.

    Permit is applied from Statistics Finland and the respective data controller. Exceptions are the registrars who have delegated the jurisdiction to Findata.

    We are responsible for data permits for data subject to the Secondary Act of Statistics Finland when they are combined

    • to the information of at least two public organizations covered by secondary laws
    • to data stored in Kanta services or
    • to the register data of a private social or healthcare service organizer.

    Apply permit from Findata.

    Findata is responsible for processing and making decisions concerning data permit and amendment applications, when the application applies to:

    • data from numerous public social and health sector controllers
    • register data from one or numerous private social welfare and health care service organisers, or
    • customer data saved in the Kanta Services.

    Please select at least one data controller or group.