Data permits

With the data permit application, you can apply for individual level data from the Social and Health Data Permit Authority Findata.

After the data permit has been granted, the data are extracted by different data controllers and delivered securely to Findata, where we pre-process and pseudonymise the data, and if necessary, combine and anonymise it.

In practice, direct identifiers are removed from the data and a pseudo-tag is produced that allows different individuals to be distinguished from each other and the data to be combined at the personal level from different files.

If you only need individual level data from one controller, please contact the data controller directly.

This page contains information on:

Instructions for submitting a data permit application

Data permit applications are submitted by completing an online form which is available at https://lupa.findata.csc.fi/ (the link opens in a new window). You can log in to the system using Suomi.fi e-Identification. If this login method is not possible, please request an identification form at info@findata.fi.

The data permit application can be submitted in Finnish, Swedish or English.

The following information is asked in the permit application

  • Applicant information
  • Billing details
  • Purpose of the data use
  • Defining target population data sampling
  • Defining the selection criteria for control persons or relatives to be selected for the target population
  • Register-specific lists of variables and extraction-related delimitations. Paste the information in the format shown in the table below. Download the spreadsheet as a Word file from this link and fill it out.
  • Data processing information
  • A list of people who will process the data
  • Annexes: List of variables to be extracted, data utilisation plan / research plan (if scientific study), other necessary annexes
  • Additional information: you can provide other additional information related to the application

Please note! Attach information on the variables to be extracted to your application in the format shown in the table below. Copy the table as necessary and provide one table per register.

You can download the spreadsheet as a Word file from this link and fill it out.

NAME OF THE REGISTERXX
DEMARCATIONSTarget population: XX
Time span from which the data should be extracted: XX
Other demarcations: XX
VARIABLES TO BE EXTRACTEDXX
OTHER NOTESXX

Please note that we can only receive the application using the online form, which you can access at https://lupa.findata.csc.fi/ (opens in a new window).

For the time being, it is advisable to search the registrars’ own websites for the information contents of the registers of the registrars subject to Findata’s operations. You can find more information on the Data page.

Back to top

How you can speed up the processing of your application

The processing time of the application is affected by the content of the application (especially the accuracy of the data/variable description), the application processing situation and the response times of the data controllers.

You can speed up the processing of your application in the following ways:

  1. Fill out the application with care.
  2. Please specify the needs and registry-specific variables as precisely as possible before submitting the application.
    • Use the table behind this link to define the sampling. Incomplete specifications may lead to the application being returned.
  3. Remember to delimit the needed data.
    • The transfer of personal data is subject to the principle of minimization in accordance with the Data Protection Regulation, ie only necessary data can be transferred. Data extraction can be extensive as long as the need for data is justified.
  4. Contact the data controllers directly if you need more information on the data or variables.
    • In accordance with the Act on the Secondary Use of Social and Health Data, data controllers provide advisory services regarding their own data sets and are the best experts in relation to them. You can find more information on the Data page.
  5. Please see from the table we have provided to find whether Findata is the competent authority for your permit application.
    • An exception to Findata’s “one-stop shop” is made by the Digital and Population Information Agency (DVV), the Finnish Center for Pensions (ETK) and Statistics Finland. If the responsibilities for issuing permits are not completely clear, you should contact our Help desk before submitting your application.

Back to top

Costs

A fee is charged for the decision on the application and the processing of the data. The price of Findata’s service consists of a fee for the decision and an hourly fee, which is determined by the working time spent on combining and processing the material.

In addition to Findata’s fees, the final price will be affected by the data controllers’ own fees for extracting and transferring the requested data.

When processing an application for a data permit, we ask the controllers for a maximum cost estimate for extracting the necessary data. We also provide a maximum cost estimate for Findata’s data processing costs.

We will forward the assessments to the applicant before making a permit decision. The final price of the data will only be confirmed after the data has been handed over. A separate processing fee will be charged for a lapsed and negative decision.

You can find more information about costs on the Pricing page.

Back to top

General instructions and notes for using the online form

Data permit applications are submitted by completing an online form which is available at https://lupa.findata.csc.fi/ (the link opens in a new window). You can log in to the system using Suomi.fi e-Identification.

Currently, the identification and thus, submitting a data permit application, is possible for persons who have a personal identity code registered in the Finnish Population Information System. If you do not have a personal identity number registered in the Finnish Population Information System, pleasre request an identification form at info@findata.fi

There’s a monthly maintenance outage in our online application system. Please find the technical releases related to the Health and Social Data Permit Authority Findata’s systems, such as maintenance outages, system malfunctions and operating restrictions here: Technical releases.

Currently, the system automatically logs the applicant out after a certain time limit, and the form is not saved automatically. We advise to to save your unfinished application approximately every 15 minutes.

We have detected problems when using Internet Explorer. We recommend using other browsers.

In case of problems, you can contact our Help Desk by e-mail: info@findata.fi.

Back to top

Processing of amendment applications

As of 1 April 2020, Findata will process amendment applications whenever the change concerns the data of multiple different controllers or private service providers. If an amendment application concerns the data of only one public controller, the controller that granted the permit will process the amendment application as before.

The decree of public charges issued by the Ministry of Social Affairs and Health specifies when an application to Findata counts as an amendment application and when a new data permit application is in fact being submitted. According to this decree, amendment applications are those which extend the period of validity of the permit and/or add to the number of persons entitled to process the data disclosed under the data permit.

If the amendment concerns the data itself, this is from the perspective of Findata a new data permit application

Back to top

Data transfer to third countries (outside the EU/EEA)

The processing of personal data abroad is counted as a transfer of personal data even if the data is in a remote access environment.

Under the EU’s Data Protection Regulation, data can be transferred within the European Economic Area (EU countries and Norway, Liechtenstein and Iceland) on the same grounds as within Finland.

If data is to be transferred or processed outside the aforementioned countries, i.e. in so-called third countries, there must be a legal basis for this in keeping with Chapter V of the GDPR.

The acceptable legal bases are listed below. It is sufficient that just one of these bases for data transfer is met.

1) decision of the European Commission on adequacy of data protection pursuant to Article 45, updated information available on the EU ’s website https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_fi (opens in a new window)

  • At present (31 March 2020), the EU has assessed as adequate the data protection provided in the following countries: Andorra, Argentina, the Faroe Islands, Guernsey, Israel, Japan, Jersey, Canada (partial decision: commercial organisations), the Isle of Man, Switzerland, Uruguay and New Zealand. Negotiations are under way with South Korea.
  • If the requirements for the transfer are met on this basis, no other measures are required, and the data permit authority takes this criterion into account as a factor justifying the transfer in its data permit decision. This ’safe country’ principal is the primary basis for data transfer.
  • For more information, see the website of the Data Protection Ombudsman: https://tietosuoja.fi/siirto-tietosuojan-riittavyytta-koskevan-paatoksen-perusteella (opens in a new window)

2) Standard contractual clauses on data protection pursuant to Article 46(2)

  • Standard contractual clauses (SCC) are standard contractual clauses approved by the European Commission that can be used in contracts between two controllers or between a controller and a processor.
  • These standard clauses can be viewed on the website of the Data Protection Ombudsman: https://tietosuoja.fi/komission-hyvaksymat-vakiolausekkeet (opens in a new window)
  • If this is given as the basis for data transfer, the data permit authority takes this criterion into account in the data permit decision. The data permit authority will make the data available outside the EU/EEA subject to this condition and only after the applicant / permit holder has submitted to the data permit authority the signed standard contractual clauses. The use of standard contractual clauses also requires further consideration of the adequacy of data protection. Please note that standard contractual clauses may not be modified or added to, but must be approved as they are.

3) Binding corporate rules pursuant to Article 47

  • Binding corporate rules (BCR) refer to shared, binding rules for the transfer of personal data to third countries within a corporate group or group of companies engaged in joint economic operations.
  • For more information, see the website of the Data Protection Ombudsman: https://tietosuoja.fi/yritysta-koskevat-sitovat-saannot
  • If this is given as the basis for data transfer, the data permit authority will take this into account in the data permit decision. The data permit authority will make the data available outside the EU/EEA area subject to this condition and only after the applicant / permit holder has notified the data permit authority of the code of conduct in question, which must have been appropriately approved by a data protection ombudsman of an EU Member State.

4) Exceptions and safeguards under Article 49, such as the explicit consent of the subject to the proposed transfer after being informed of the risks associated with the transfer. This basis for transfer can only be used in exceptional cases.

Further information on the transfer of data to the United Kingdom following Brexit can be found on the website of the Data Protection Ombudsman: https://tietosuoja.fi/brexit (opens in a new window)

Back to top