Updated 22.02.2024

Permits

We issue permits for the secondary use of social and health data, combine data that is subject to a permit in a secure manner and pre-process these ensuring the privacy of citizens.

Book a time for personal consultation

You can book a time for personal consultation with an expert from Findata. Appointments are available four days a week and last for 20 minutes. The meetings are held remotely via Teams.

We offer help in the following topics:

  • General consultation on Findata’s services
  • Data permit applications, amendments, and data requests
  • Extraction description form and other forms
  • Ordering Findata’s secure processing environment Kapseli, pausing, and data storage service

You can see the available times below.

After booking, you will receive a confirmation email and a downloadable calendar reminder. We will send the link to the Teams meeting later.

The personal consultation service is provided as a part of the FinHITS project funded by the European Union.

What to remember before sending an application

Select the correct application type

There are different types of applications for different information needs

  • Data permit application, when you need data on individuals
  • Data request, when you need statistical data
  • Amendment application, when you are applying for an amendment to a valid data permit
Describe and limit data

Define the data to be applied for at the variable level and remember the principle of minimisation for other information. Utilise the Data Catalogue (aineistokatalogi.fi) and controller’s advisory services

  • Where from and how do I extract the target group? Is the definition specific enough?
  • Are control subjects/relatives extracted? How will they be defined?
  • From which registers will the data be extracted?
  • What variables will be included in the extraction? 

Other data to be combined

  • Have you made sure that the other data is described on the application?
  • Are the permits for other data valid or is the permit process pending?
Determine the competent authority

Findata is responsible for the application and the permit decision whenever data are combined from data controllers covered by the Act on secondary use of health and social data. The assessment of the competent authority must therefore consider all the data related to the application.

Check from the application assistant which authority the application should be sent to.

Before applying

What data use can permits be issued for?

A permit can be issued for the purposes laid down in law, which are listed below. Data on individuals will be sent to a secure operating environment for analysis, while statistical data can be sent to the applicant.

Pursuant to the Act on the Secondary Use of Health and Social Data, information can be used without a separate permit also for knowledge management and social welfare and health care official management and supervision.

Individual-level material

  • scientific research
  • statistics
  • education
  • planning and reporting duties of an authority

In addition, under the Secondary Use Act, controllers can use their own data for knowledge management without permission from Findata.

Statistical data

  • scientific research
  • statistics
  • planning and reporting duties of an authority and/or guidance and supervision of a social and healthcare authority
  • education
  • development and innovation operations
  • knowledge management (comparative data)

Note that as a rule, the Secondary Use Act applies to register-based studies.

A register-based study is a study which utilises register data usually collected for other purposes or national registers. For example, the Secondary Use Act does not apply to clinical trials reported to Finnish Medicines Agency Fimea or to medical trials under the Medical Research Act.

What data can permits be issued for?

The data you can access via Findata are from social and health sector controllers on which you can find more information on the Data page.

Please note that we cannot issue permits for the data of all controllers within the scope of the Secondary Use Act. More details on these data restrictions can be found in the Secondary Use Act (finlex.fi, in Finnish).

See a list of the controllers within the scope of the Act on Secondary Use of Health and Social Data
  • Data saved in Kanta services
  • Digital and Population Data Services Agency
    • The Finnish Digital Agency, individual’s basic details, family relations, place of domicile and building details
  • Finnish Centre for Pensions
    • Work and earnings data, benefits and the bases for them
  • Finnish Institute for Health and Welfare
    • Does not apply to data collected for statistical purposes
  • Finnish Institute of Occupational Health
    • Occupational illnesses, exposure tests and patient registers
  • Finnish Medicines Agency Fimea
  • National Supervisory Authority for Welfare and Health Valvira
  • Public and private service providers of social welfare and health care
  • Social Insurance Institution of Finland
    • Benefits and prescriptions
  • Statistics Finland
    • To the extent that access is required to data covered by the act on the investigation of the causes of death
  • Regional state administrative agencies
    • Matters relating to social welfare and health care)

Data descriptions and additional information

In accordance with the Secondary Use Act, data controllers provide advisory services concerning their own data and are the best placed to do so. If you need more information on the variables in a certain controller’s data, contact the controller in question.

You can also make an agreement on the implementation of data extraction in a certain manner with the controller. In the application you send to us, specify the person with whom you have agreed to on the matter.

The National Data Catalogue at aineistokatalogi.fi contains descriptions of some of the data in the scope of the Secondary Use Act.

Which authority should a permit application be submitted to?

Findata is responsible for the application and the permit decision whenever data are combined from data controllers covered by the Secondary Use Act. The assessment of the competent authority must therefore consider all the data related to the application.

Submit the application to Findata when it applies to

  1. data from several public social and health sector controllers
  2. data maintained by a single public controller, that has transferred the right to issue permits to Findata
  3. register data from one or numerous private social welfare and health care service organisers, or
  4. customer data saved in the Kanta Services.

Under the law, statistical, aggregated data subject to a data request can only be accessed via Findata.

See the bottom of this page for the application assistant. The assistant can help in determining which authority you should send you data permit or amendment application to.

Go to the end of the page and check the correct address for the application

The rights listed below concerning the issuing of data permits and amendment permits also apply when not permit has been issued to any controller’s information. If there is already a valid permit for some of the information, it will then be determined how many controllers have data that the applicant needs to access. In a situation where a permit is only needed for information from one public sector controller, the controller in question will issue the permit.

The Secondary Use Act does not apply to clinical trials reported to Fimea, so these are not within Fimea’s competence. The definitions for interventional clinical trial and noninterventional study can be looked up in Finnish at Fimea Regulation 8/2019 (PDF file, 196 kB). When necessary, Fimea will provide advice on whether a study is considered a clinical trial.

You can read more on data permit processing related competences in Finnish in section 44 of the The Secondary Use Act (2019/552, finlex.fi)

Under the Secondary Use Act, public sector social and health controller are divided into two groups. Below is the more detailed division of these groups and their differences in competence.

Public sector controllers: Group 1

  • Regional State Administrative Agencies (AVI)
  • Social Insurance Institution (Kela)
  • Finnish Medicines Agency Fimea
  • National Supervisory Authority for Welfare and Health Valvira
  • Public service providers of social welfare and health care
  • Ministry of Social Affairs and Health (STM)
  • Finnish Institute for Health and Welfare (THL)
  • Finnish Institute of Occupational Health (TTL)

We are responsible for data permits and amendment permits when the application concerns the information of at least controllers in this group.

This is also applies in a situation where another party could be believed to have already accessed data or to have their own data. If for example, a wellbeing services county needs data from Kela in addition to their own data for a study, the application in this case concerns the data of two controllers. In this case, Findata is the competent authority.

If the application or the data utilisation plan mentions other data under the Secondary Use Act which is to be combined with the data to be retrieved, the application applies to this combined data as well.

Public sector controllers: Group 2

  • Digital and Population Data Services Agency (DVV): A person’s basic personal data (e.g. birthdate, date of death, personal identity code), family relations, place of residence and building details. If other information is needed, DVV is responsible for processing applications and making permit decisions.
  • Finnish Centre for Pensions (ETK): People’s employment and income data, granted benefits and their grounds including diagnoses concerning disability pensions. If other information is needed, the ETK is responsible for processing applications and making permit decisions.
  • Statistics Finland: Information to help in determining cause of death. If other information is needed, Statistics Finland will be responsible for processing applications and making permit decisions.

We are responsible for the data permits and amendment permits of the Finnish Centre for Pensions, the Digital and Population Data Service Agency and Statistics Finland, if in addition to them the application also concerns

  • information from one or more public sector controllers in Group 1
  • information from one or more private social welfare and health care service organisers, or
  • data saved in the Kanta Services

Applying

Logging into e-services

All applications to Findata are sent in our e-service with an online form. Log into the service at asiointi.findata.fi using Suomi.fi e-Identification or Haka log in.

Please always log in using the same identification methods, so that you can see the applications you have sent and the decisions that have been given.

If you encounter any problems, contact Findata’s advisory service: info@findata.fi

For more information on logging in see the Logging into services page.

Selecting and completing an application form

There are different application forms for different information needs

  • Data permit application, when you need data on individuals, the analysis of data subject to a data permit will only be possible in audited, secure operating environments.
  • Data request, when you need statistical data The statistical data accessed with a data request will be sent to the applicant.
  • Amendment application, when you are applying for an amendment to a valid data permit See the Amendment permits page for information on what amendments you can apply for with an amendment application.

Complete the application form carefully. Shortcomings in an applicant will lead to a request for more information and the return of the application to the applicant.

For detailed instructions on the completion of different application forms see the pages for different types of permits:

If you do not know what information to enter into  an information field on the form, ask for help well in advance from within your organisation or from our advisory service.

Help Desk

General guidance & advice

How to expediate the processing of application

The processing times for applications are affected by the content of the application, in particular, the accuracy of an extraction description, the backlog at Findata and the response times of controllers.

If there are any ambiguities concerning the completion of your application, contact the controller directly and Findata’s advisory service to expediate processing.

How to speed up the processing of your application:

  1. Check whether Findata is the competent authority to issue a permit for the data you need.
    • Use the application assistant to help in determining this.
    • The exceptions to Findata’s ‘one-stop shop’ are the Digital and Population Data Services Agency, the Finnish Centre for Pensions, and Statistics Finland. If you need information from one or several the aforementioned controllers, these controllers are responsible themselves for the processing of applications and making permit decisions.
    • If you do not know where you should send an application, contact our advisory service before sending the application: info@findata.fi.
  2. Contact controllers directly if you need more information about the data or variables.
    • In accordance with the Secondary Use Act, the data controllers provide advisory services concerning their own data and are the best placed to do so. You can also make an agreement on the implementation of data extraction in a certain manner with the controller.
    • In the application you send to us, specify the person with whom you have agreed to on the matter.
    • You can also contact our advisory services or use the Data Catalogue.
  3. Describe the information need and the register-specific data extractions as accurately as possible before sending the application.
  4. Make sure that the extractions and the data you want to retrieve is essential
    • The principle of minimisation as defined in the GDPR is applied to the disclosure of personal data, meaning that only the essential data is disclosed.
    • The extraction can be extensive provided that there are good grounds for the necessity of the data.
  5. Complete the application carefully. 
    • Pay attention when entering basic data such as the applicant, the controller for the data to be disclosed, invoicing details and possible other data to be combined.

About the transfer of personal data outside the EU/EEA

The processing of personal data abroad is counted as a transfer of personal data even if the data is in a remote access environment.

Under the EU’s General Data Protection Regulation, data can be transferred within the European Economic Area on the same grounds as within Finland. Countries belonging to the European Economic Area include the EU Member States and Norway, Liechtenstein and Iceland.

If data is to be transferred or processed outside the aforementioned countries, i.e. in so-called third countries, there must be a legal basis for this in keeping with Chapter V of the GDPR.

The acceptable legal bases are listed below. It is sufficient that just one of these bases for data transfer is met.

Commission decision in the adequacy of data protection under Article 45
Standard contractual clauses on data protection pursuant to Article 46(2)
  • Standard contractual clauses (SCC) are standard contractual clauses approved by the European Commission that can be used in contracts between two controllers or between a controller and a processor.
  • These standard clauses can be viewed on the website of the Data Protection Ombudsman (tietosuoja.fi).
  • If this is given as the basis for data transfer, we will take this criterion into account in the data permit decision. We will make the data available outside the EU/EEA subject to this condition and only after the applicant or permit holder has submitted to Findata the signed standard contractual clauses. The use of standard clauses will also require additional examination of the adequacy of data protection.  Please note that standard contractual clauses may not be modified or added to, but must be approved as they are.
Binding corporate rules pursuant to Article 47
  • Binding corporate rules (BCR) refer to shared, binding rules for the transfer of personal data to third countries within a corporate group or group of companies engaged in joint economic operations.
  • For more information, see the website of the Data Protection Ombudsman (tietosuoja.fi).
  • If this is given as the basis for data transfer, we will take this criterion into account in the data permit decision. We will make the data available outside the EU/EEA area subject to this condition and only after the applicant or permit holder has notified the Findata of the code of conduct in question, which must have been appropriately approved by a data protection ombudsman of an EU Member State.
Exceptions and safeguards under Article 49

Exceptions and safeguards under Article 49, such as the explicit consent of the subject to the proposed transfer after being informed of the risks associated with the transfer. This basis for transfer can only be used in exceptional cases.

Further information on the transfer of data to the United Kingdom following Brexit can be found on the website of the Data Protection Ombudsman (tietosuoja.fi).

Permit fees and other costs

A fee will be charged for decisions concerning data permit applications, data requests and amendment applications and the related processing of data. The price of our services comprises the price of the decision and an hourly fee, which will be determined according to the working hours spent on combining and processing the data.

In addition to the fees charged by Findata, the final price is affected by the data extraction and delivery fees based on
decrees concerning the controllers.

When we process applications, we will ask the controller for a maximum cost estimate for extracting the necessary data. We will also give a maximum cost estimate on data processing by Findata.

We will forward these estimates to the applicant before making a decision on the permit. The final price of the data resource is confirmed after disclosing the data. A separate processing fee is charged for any expired and negative decisions.

See the Pricing page for more information.

After applying

How does an application’s processing proceed?

The processing of applications can be divided into five stages, which can be preceded by the applicant independently contacting to a controller. The process is shown in text after the graph.

  1. The applicant contacts controllers directly before sending an application, if they need additional information on the data or variables or they need help with drawing up an extraction description.
    • The applicant can also make an agreement on the implementation of data extraction in a certain manner with the controller. If the customer and the controller’s contact person have agreed for example that a clinician, who is part of the research team will extract the data free of charge, the application’s Additional information section should include information on who this was agreed on with and in what context.
  2. The applicant submits their application or requested additional information to Findata in the electronic application system at https://asiointi.findata.fi.
    • If the applicant is only submitting additional information, the clarifications can, depending on the case, also be submitted by e-mail.
  3. Our application processors check applications and their appendices to ensure that these contain all the necessary information.
    • Where necessary, we will return an incomplete application for completion or we will submit a request for further clarification to the applicant.
  4. When all the extraction descriptions have been completed, we will send additional information and cost estimate requests to the controllers whose information is requested in the application.
    • The purpose of the request is to determine the feasibility of the requested extraction and the maximum cost estimate for the extraction.
    • According to the Act on the Secondary Use of Health and Social Data, the controllers have 15 working days to respond to this request. Where necessary, controllers may ask for additional details to the request, in which case we will forward the questions to the applicant.
    • At this stage, we will also determine Findata’s internal cost estimate, which comprises our own data processing costs.
  5. Once all the cost estimates have been received, the applicant will be presented with a final extraction description and a maximum cost estimate for approval.
    • The applicant must accept both in order for the permit to be granted.
    • Note that it will not be possible to change the extraction conditions after this, and that changes made to the extracted data later on will require a separate application.
  6. We at Findata will issue a positive data permit or data request decision.
    • Note, that data permits are always for a fixed period. If data needs to be saved for a purpose such as the verification of research or the you intend to renew your permit or the extractions must be updated at certain intervals, include these needs in your application.

How will the compilation of the applied for data proceed?

Once we have issued a data permit or made a decision on a data request, there are five different staged for the compilation of data and its pre-processing. The process is shown in text after the graph.

  1. We will send the data requests to the controllers so that extraction can begin. Each controller has 30 working days to submit the requested data to Findata.
    • Depending on the nature of the project and the extraction, this phase may include several consecutive parts, such as 1. extraction of the target group; 2. extraction of the controls; 3. extraction of data.
  2. We will begin to process the sent data. As agreed on for each project, we will check, combine and pseudonymise the data or make statistics on them in accordance with a data request.
  3. The completed data will be handed over to the permit holder in an agreed-upon secure operating environment. Findata’s secure remote operating environment Kapseli is the statutory primary option. The data can be disclosed to other operating environments, if this is necessary for the completion of the project.
    • The target time for the handing over of data is 60 working days. The target time will not be possible if a target group is not given immediately after the decision has been made, data extraction is carried out in several stages, deliveries by data controllers are delayed or the data is exceptionally complex.
  4. The permit holder has three months to review the material. The permit holder must notify Findata within this given time period of any comments they wish to make on the material.
    • Check the data thoroughly as soon as possible. Errors that occur during extraction can accumulate, if, for example, the target group has been formed incorrectly and other controllers must carry out their own extractions all over again for this reason.
  5. We will remove the data from our own systems four months after it has been handed over. We will retain the code keys for pseudonymised data that will enable the data to be reproduced.
    • Data permits are always for a fixed period. If data needs to be saved for a purpose such as the verification of research or the you intend to renew your permit or the extractions must be updated at certain intervals, include these needs in your application.

Where can the data be analysed?

The aggregated statistical data accessed via a data request is sent to the customer, and it can be analysed freely in accordance with a data utilisation plan.

Data on individuals that require a data permit can only be analysed in a secure environment.

As a rule, the data will always be disclosed to Findata’s secure operating environment Kapseli. However, the Act on the Openness of Government Activities makes it possible to disclose information to other operating environments, if necessary. Read more below in the section: Findata’s regulation sets information security requirements for environments.

If an individual controller within the scope of the Secondary Use Act has made a decision on a data permit concerning data included in their own registers, they must disclose the data to a secure environment referred to in the Act as well. Amendment permits are also officially data permits (decisions to amend data permits), meaning the same requirements apply to these as to data permits. The exception to this is changes to personal data processors.

Findata’s regulation sets information security requirements for environments

We have issued a regulation in accordance with the Secondary Use Act, which describes the requirements laid down other service providers’ secure operating environments.

The regulation concerns the secondary use of social and health data, and it will be applied to all the purposes provided in the Act for which a data permit is required. These purposes include scientific research, statistics, teaching and the planning and investigation tasks of the authorities. With regard to teaching, the regulation pertains to the preparation of teaching materials, not actual teaching.

As of 1 May 2022, the implementation of the requirements laid down in the regulation is a prerequisite for the disclosure of data to be processed by the permit holder for secondary purposes in an environment other than Findata’s secure operating environment Kapseli. In addition, the operating environment must be assessed by a data security assessment body that must issue a certificate on the assessment.

The entry into force of the requirements does not affect existing, valid permits. If data are processed on the basis of a valid permit previously granted, the processing of that data may continue in the same environment after 1 May 2022.

The requirements take into account the solutions in existing environments and enable the utilisation of different technical solutions.

At its simplest, a secure environment can be a physically and technically secure space with a terminal device for analysing data that is isolated from the Internet and other devices. On the other hand, technical solutions based on cloud services are also possible, as long as the service provider ensures the required level of data security. The operating environments of foreign researchers must also meet the data protection and security requirements.

Clinically significant findings

Based on the Section 55 of the Secondary Use Act, a data recipient can contact Findata if they make a clinically significant finding where a health-related risk could be prevented or the quality of their treatment improved.

Findata establishes who the finding concerns and then submits the information to a specialist at the Finnish Institute for Health and Welfare (THL). THL’s appointed specialists assess the significance of the data and the expected benefits of taking action. If the benefit is assessed to be so clear that it would be important for the patient to receive treatment, the information is then disclosed to the wellbeing services county responsible for the patient’s treatment. An employee of the wellbeing services county contacts the patient.

Everyone has the right to prohibit attempts to contact them based on section 55 of the Secondary Use Act. This prohibition can be set up in any operating unit that provides public health care and also online via My Kanta. Contact prohibitions cannot be set up via Findata, Kela or THL.

How to report a clinically significant finding to Findata
  1. Send an email to data@findata.fi with a message stating that you wish to report a significant clinical finding.
    • Do not send personal data by email!
    • Please write “Clinically significant finding” in the subject line of the email.
  2. You will receive a reply with instructions on how to submit the information to Findata.
    • Personal data will be transferred securely via Nextcloud.
    • If you do not have Nextcloud account, create one by following the instructions on the page Data transfers to Findata.
      • See the section ‘Open the Nextcloud connection’.
      • Enter the diary number of the data permit from which you have made the clinically significant finding (enter ‘section55’ in the identifier-field)
    • If you already have Nextcloud connection, we will share a Nextcloud folder with you for data transfer. You can transfer data following the instructions on the page Data transfers to Findata.
      • See the section ‘Encrypt your data and transfer it to Nextcloud’.
      • Once you have submitted your data, please let us know at data@findata.fi.
  3. Submit the following data to Find
    • The diary number of the data permit and the issuer.
    • The pseudo-code or personal identification number of the person with a significant clinical finding.
    • Information about the clinically significant finding that THL can use to assess the significance of the information.
    • The name and contact details of the contact person of the data permit, that can be provided to the THL for any further questions.

Verifying the anonymity of results

All those who process personal data must provide the results of their analyses in an anonymous form that cannot be used to reveal any data or aspects concerning individual participants.

We ensure anonymity in line with the Secondary Use Act. This applies to all materials that have been authorised under said Act.

See the Producing anonymous results page, for the criteria on reviewing results and for example on the most common analysis types.

Publishing results from Kapseli

Data processing is done in Kapseli-environment and only the final analysis results are exported from Kapseli. The user produces the results in an anonymous format and Findata ensures the anonymity of the results in accordance with the Secondary Use Act.

  1. Verify the anonymity of the results intended for publication using the instructions found on this page.
  2. Transfer the results and the summary form to Findata via the Output (O:) drive in Kapseli.
    • The summary form for the verification of the anonymity of results can be found in the Kapseli D-folder from folder named “Käyttöohjeet_User_guide_05062023”.
    • Compress the files and the summary form into a zip folder and name it as follows:
      • “Results_[Record_number_of_permit_decision]_[Kapseli_ID]_[Delivery_date]” (e.g., “Results_ THL_1234_14.02.00_2020_a01_15032021”).
      • Note: write the date in format ddmmyyyy.
    • Create an empty text file named as ZZZ_READY.txt to the Output drive. This will initiate an automatic transfer of the zip folder. Make sure to double check the spelling of the ZZZ_READY.txt file. Transfers take place on the hour and in every 30 minutes. Transferred files will be automatically deleted from the Output drive.
    • You can notify Findata of your transfer (data@findata.fi) if you wish and we will get back to you if we do not receive your transfer. There will be no verification that the transfer succeeded.
  3. Findata will review the requests within 5 working days and submit the results via Nextcloud to the permit holder, o
    • If you don’t have a Nextcloud account, fill in the form “Order a new Nextcloud account” in Findata’s E-service (asiointi.findata.fi).
    • Note that if your result files are very large, the verification process may exceed the usual 5-day time limit. The time limit also applies only to the verification of the anonymity of results, not to the import of other files out of Kapseli (e.g. code files).

Publishing results from other secure operating environments

If you are processing data in a secure operating environment other than Findata’s Kapseli and are ready to publish the results, follow the instructions below.

  1. Download the summary form and fill in the requested information: Summary form – verifying the anonymity of the results (Word-file, 40 kB).
  2. Compress the files and the summary form into a zip folder and name it as follows:
    • “Results_[Record_number_of_permit_decision]_[Kapseli_ID]_[Delivery_date]” (e.g., “Results_ THL_1234_14.02.00_2020_a01_15032021”).
    • Note: write the date in format ddmmyyyy.
  3. You can deliver the results to Findata in two ways:
    • If you have a Nextcloud-account, transfer the results via Nextcloud
    • If you do not have a Nextcloud-account transfer the results via secure e-mail
    • Note: do not send the result files to Findata as an attachment to a regular, non-secure e-mail.
  4. Contact Findata at data@findata.fi
    • Name the subject of your e-mail as “Ensuring the anonymity of results”
    • Specify in your e-mail whether you are transferring the results via Nextcloud or via secure email.
    • If you are using Nextcloud, please include the diary number of the data permit and your Nextcloud ID. Findata will provide you with the name of the folder where you can transfer your results and a zip folder containing the summary form.
    • If you transfer your results by secure email, you will receive a secure e-mail from Findata to which you can reply to securely transfer the zip folder containing your results and the summary form.
    • For more information on encryption and how to transfer data via Nextcloud, see the page Data transfers to Findata.
  5. If there are any concerns about the anonymity of the results, we will be in touch within seven working days of the results being submitted.
    • If you do not hear from us within seven working days of submitting your results, you can proceed with the publication of your results.

Apply for a data permit

Do you need data on individuals? Apply for a data permit when you need data on individuals from multiple public sector social and health controllers or the private sector. Data permits Apply for a data permit

Submit a data request

Do you need anonymous statistical data? Submit a data request to use, when you need aggregated statistical data in table format or key figures from a social and health sector controller. Data requests Submit a data request

Apply for an amendment permit

Is your permit period about to expire or have there been changes to the processors of personal data? Apply for an amendment permit from us when an amendment concerns a controller’s permits or information. Amendment permits Apply for an amendment permit

Check the correct address for the application

Select the controllers from which the data will be retrieved

Apply permit from the controller in question. The exception is those controllers who have delegated permit jurisdiction to Findata.

Please note that Findata is responsible for data permit and amendment applications whenever the data of data controllers covered by the Act on secondary use is combined. When evaluating the competent authority, all data related to the application under the Act must be taken into account.

Apply permit (s) from the controllers in question.

Findata is responsible for data permits of the Finnish Center for Pensions (ETK) and the Finnish Digital Agency (DVV) and / or Statistics Finland if the data are combined with

  • data of other public organizations under the Act on Secondary Use of Health and Social Data (For Statistics Finland, at least two other organizations are needed, for DVV and ETK, one is sufficient)
  • data stored on Kanta services or
  • to the register data of a private social or health care service provider.

Apply permit from Findata.

Findata is responsible for processing and making decisions concerning data permit and amendment applications, when the application applies to:

  • data from numerous public social and health sector controllers
  • register data from one or numerous private social welfare and health care service organisers, or
  • customer data saved in the Kanta Services.

Apply permit from Findata.

The Regional Administrative Agencies (AVI) have delegated the jurisdiction to Findata.

Apply permit from Findata.

National Supervisory Authority for Welfare and Health Valvira have delegated the jurisdiction to Findata.

Apply for a data permit

Finnish Institute for Health and Welfare (THL) has delegated the jurisdiction to Findata. As far as THL is concerned, the delegation of jurisdiction does not apply to its

  • internal permit management
  • the transfer of samples and data transferred to THL Biobank.

Permit is applied from Statistics Finland and the respective data controller. Exceptions are the registrars who have delegated the jurisdiction to Findata.

We are responsible for data permits for data subject to the Secondary Act of Statistics Finland when they are combined

  • to the information of at least two public organizations covered by secondary laws
  • to data stored in Kanta services or
  • to the register data of a private social or healthcare service organizer.

Apply permit from Findata.

Findata is responsible for processing and making decisions concerning data permit and amendment applications, when the application applies to:

  • data from numerous public social and health sector controllers
  • register data from one or numerous private social welfare and health care service organisers, or
  • customer data saved in the Kanta Services.

Please select at least one data controller or group.