The purpose of this privacy notice is to provide a comprehensive overview of the personal data that Findata collects when its services are ordered and used, the purposes for which the data is used, and the parties to whom the data may be disclosed.

Findata’s services include

  • the e-service,
  • case management system,
  • the secure processing environment Kapseli, and
  • secure data transfer services Tunneli and Supertunneli.

This privacy notice also covers

  • AI assistant Vinkkeli on Findata’s website,
  • feedback form,
  • newsletter subscription,
  • booking of personal consultations,
  • contact requests, and
  • registration for training sessions organised by Findata.

The privacy notice also explains the obligations and legal frameworks that Findata complies with when processing personal data.

The controller for the processing of material in Kapseli is defined in the data permit. In this case, Findata acts as a data processor on behalf of that controller.

“Personal data” means any information relating to a data subject who can be identified directly or indirectly, as defined in the EU General Data Protection Regulation (2016/679, GDPR).

Findata complies with the GDPR, the Act on the Secondary Use of Health and Social Data, as well as other applicable data protection legislation and good data processing practices when handling personal data.

Controller

Findata – Social and Health Data Permit Authority
P.O. BOX 30, FI-00301 Helsinki, Finland
info@findata.fi

Data Protection Officer
tietosuojavastaava@findata.fi

Purpose of processing of personal data and legal basis for processing

We process the personal data of users of Findata’s services as a data controller for the following purposes:

  • To provide the requested service,
  • to ensure information security and the lawfulness of the processing of personal data,
  • to communicate about the service and its use, and
  • to carry out any necessary billing.

Chatbot Vinkkeli is an AI-assisted tool that answers users’ questions on Findata’s website. When using Vinkkeli, the conversation takes place with a machine, not a human. The user is asked not to insert any personal data into the conversation. Vinkkeli uses OpenAI’s API to process user inputs and provide responses. User inputs are sent to OpenAI’s servers for processing and generating replies.

We may use your information to:

  • Deliver and improve Vinkkeli’s functionality,
  • analyse interactions to enhance our services and
  • address technical issues or investigate abuse.

We also use the number of Kapseli users to develop and administer the service.

We do not use automated decision making or profiling in our data processing.

The processing of personal data of service users is based on the following laws:

  • General Data Protection Regulation Articles 6(1)(c) and 6(1)(e),
  • Data Protection Act (1050/2018) Section 4(2), and
  • Act on the Secondary Use of Health and Social Data (552/2019) Sections 16, 17, 20, and 46.

The processing of personal data may also be based on the performance of a contract to which the data subject or the entity represented by the data subject is a party, or on taking steps prior to entering into such a contract.

In Findata’s e-service, in addition to applying for a data permit and submitting a data request, it is also possible to make requests concerning the rights of a data subject in accordance with the GDPR. The legal basis for processing requests made by individuals exercising their data subject rights is GDPR Article 6(1)(c) and Articles 12-21.

Personal data processed and sources of data

We collect the following information about the service users:

  • Name,
  • telephone number,
  • email address, and
  • organisation information.

The information is obtained either from the data subject themselves or on their behalf from the person who placed the order or, for services requiring a contract, from the service user at the time of concluding the contract.

When using Vinkkeli, the user is asked not to insert any personal data into the conversation. Findata does not process personal data in this context unless the user themselves enters personal data into the conversation. When using Vinkkeli, we may collect:

  • Messages and inputs: The text or other information you provide during your interaction with Vinkkeli.
  • Technical data: Non-personally identifiable information, such as session metadata.

We collect the following information about the persons who have made requests to exercise their rights as a data subject in Findata’s e-service:

  • Name,
  • social security number, and
  • contact information.

In addition, we collect data depending on which right the data subject wishes to exercise.

For individuals who exercise their right to restrict or object to the processing of their data (Articles 18 and 21 of the GDPR), we will record, in addition to the information above, the reasons for restricting or objecting to the use of the data.

We implement the right to restrict and object on the basis of social security numbers. We remove the data of individuals who have exercised the right to object or restrict from the data we receive by comparing the data with the social security number and removing the detailed information contained in the data relating to those individuals.

In addition to the above, the following data are collected from a person exercising their right to rectification (Article 16 of the GDPR):

  • Which data is to be corrected, and
  • to which format the data is to be corrected.

Regular disclosures of personal data and categories of recipients

We do not disclose personal data about service users or contact persons on a regular basis.

Input data of Vinkkeli may be shared with:

  • OpenAI: Inputs provided to Vinkkeli are processed by OpenAI’s API, subject to OpenAI’s Usage Policies and Privacy Policy.
  • Service providers: Third parties assisting us with hosting or other technical needs.

We do not sell input data to third parties.

We use Tieteen Tietotekniikkakeskus Oy (CSC) to carry out technical maintenance and development. CSC acts as a processor of personal data on behalf of Findata. A valid Data Processing Agreement (DPA) is in place with CSC.

Retention period for personal data

Findata retains personal data for as long as necessary to fulfill the purposes defined in this privacy notice, unless legislation requires a longer retention period or unless Findata needs the data to establish, exercise, or defend a legal claim.

Conversation logs of Vinkkeli are automatically deleted from the plugin/server after 30 days. OpenAI may retain data processed through its API for a limited period to monitor for abuse or misuse, per its privacy practices.

Transfer and disclosure of personal data to non-EU or EEA countries or to international organisations

We do not disclose personal data outside the EU or EEA or to international organisations.

Inputs provided to Vinkkeli are processed by OpenAI’s API, subject to OpenAI’s Usage Policies and Privacy Policy. OpenAI does not use data submitted via API interfaces for model development. More information can be found on OpenAI’s website (openai.com).

Rights of the data subject

In this privacy notice, “data subject” refers to the users of Findata’s services. For more information about the rights of data subjects, see the section “Rights of the data subject” above on this page.