Free movement of data within the EU is required under the General Data Protection Regulation. However, the law requires that the data is mainly processed in the centralised, secure user environment of the data permit authority for the social and health care sector, and that access rights to the environment may only be granted to authorised persons. The permit holder may also be located elsewhere than in Finland. The provision of a data-secure user environment is an essential technical measure to safeguard the protection of personal data.

If necessary, the data may be disclosed to another secure environment indicated by the permit holder. However, this other environment must meet the criteria of the Findata order, it must be audited against the requirements of the order, and its audit certificate must be valid. Valvira maintains the Toini register. In these cases, too, the information should only be used for the purpose for which it was disclosed to the permit holder. The EU’s General Data Protection Regulation specifies the conditions under which data can be disclosed outside the EU.

May social and health information be used for marketing or other similar commercial purposes?

Health and social data may not be used for marketing or the determination of individual commercial services, such as insurance premiums.