The majority of Findatas permits have been granted to Finnish projects. Under the EU General Data Protection Regulation (GDPR), data must move freely within the EU area, meaning the permit holder can also be located within the EU or EEA. Data must still be processed in an audited secure environment, to which only individuals specified in the permit have access.

According to the Secondary Use Act, a secure processing environment cannot be located outside the EU and EEA, so we generally do not transfer personal data outside the EU or EEA or to international organizations. Within the framework of the GDPR, data can be transferred within the European Economic Area (EEA) on the same basis as within Finland. The EEA countries include EU countries as well as Norway, Liechtenstein, and Iceland.

If data needs to be transferred or processed outside these countries, known as third countries, there must be a legal basis for the transfer under Chapter V of the GDPR. Processing personal data from abroad constitutes a data transfer, even if the data is in a secure remote access environment.