Purpose of use
Everyone has the possibility to exercise their rights as a data subject in Findata’s operations. The data subject refers to the person to whom the original social and health information relate.
When we process personal data as a controller, the data subject has the following rights:
- Right to information about the processing of personal data (Article 14 of the GDPR)
- Right of access to one’s personal data (Article 15 of the GDPR)
- Right to rectify one’s data (Article 16 of the GDPR)
- Right to restrict the processing of one’s data (Article 18 of the GDPR)
- Right to object to the processing of one’s data (Article 21 of the GDPR)
The data subject has the right to object to the processing of personal data by us at any time on grounds relating to their particular situation. In that case, we will no longer process the data relating to that person, unless there are substantial and legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
In order to be able to carry out a request for the data subject’s right, we need to process the personal data provided in connection with the request.
See more information on the rights of the data subject.
Data processed and data sources
We collect the following information about the persons who have made requests to exercise the rights of the data subject:
- name
- social security number
- contact information
In addition, we collect data depending on which right the data subject wishes to exercise.
For individuals who exercise their right to restrict or object to the processing of their data (Articles 18 and 21 of the GDPR), we will record, in addition to the information above, the reasons for restricting or objecting to the use of the data.
We implement the right to restrict and object on the basis of social security numbers. We remove the data of individuals who have exercised the right to object or restrict from the data we receive by comparing the data with the social security number and removing the detailed information contained in the data relating to those individuals.
In addition to the above, the following data from the data subject are collected from a person exercising their right to rectification (Article 16 of the GDPR):
- which data is to be corrected
- to which format the data is to be corrected
Regular disclosure of data and recipients of data
Requests concerning the rights of the data subject are recorded in the case management system maintained by the National Institute for Health and Welfare (THL). Persons working at THL’s registry, whose duties include registering and handling matters initiated at Findata, have access to the information contained in the initiation documents. Findata is an independent unit operating in connection with THL.
We disclose information to those requesting it in accordance with the Act on the Openness of Government Activities (oikeusministerio.fi). The contents of requests for the rights of the data subject may contain confidential information that will not be disclosed without the separately provided right of access or the consent of the data subject.
The contents of requests for the rights of the data subject are not regularly disclosed.
When anonymous statistical information is requested from Findata, which is formed on the basis of data held by THL, THL forms the statistics requested. In this case, we ask THL to exclude from the compilation of the statistics the information relating to the social security numbers of the individuals who have exercised their right to restrict and object to the processing of their data. For this purpose, we transfer to THL the social security numbers of these individuals via a secure transfer service.
The purpose of this policy is to minimize the number of times the social security numbers are transferred between Findata and THL, and to ensure that the data of persons who have exercised the right to object and restrict is excluded from the formation of the data as early as possible.
Legal basis of processing personal data
The processing of personal data when processing requests for data subjects’ rights is based on the following laws:
- Article 6(1)(e) and Articles 12 to 21 of the General Data Protection Regulation,
- Article 4(2) of the Data Protection Act and,
- in the case of special categories of personal data, Article 6(1)(2) of the Data Protection Act.