Pursuant to Section 51 c of the Act on the Secondary Use of Health and Social Data, Findata may, for a special reason, grant a data permit allowing the dataset to be disclosed to a processing environment other than a secure environment compliant with the Act.
Such a permit may be granted if:
- the risks to national security and other risks related to the dataset disclosed under the permit are low;
- one of the project participants is an entity conducting research activities in a Finnish research organisation; and
- the level of data protection and information security in the processing of the dataset is sufficient.
The applicant must justify in the permit application why the dataset cannot be processed in an audited secure environment compliant with the Act, and provide the necessary information so that Findata can assess whether the conditions for granting the permit are met. The permit may include more specific conditions regarding data processing.
Applying for another secure processing environment is possible starting from 1 May 2026.
How to apply for a data permit to process data in a non-standard secure environment
The application is submitted by completing a data permit application form. The form includes a specific section where the alternative secure processing environment must be indicated.
Please note that a dataset disclosed to another secure processing environment will be processed by the receiving party as an independent data controller, and that party is responsible for ensuring the lawfulness of personal data processing.
The applicant must contact the entity authorised by the future data controller of the requested datasets to collect the information required for the application process. Deficiencies or errors in the application may lead to a negative assessment outcome.
The application for another secure processing environment as part of the data permit process is divided into two phases:
Phase A: Assessment of application prerequisites and the data controller role
- In Phase A, it is assessed whether the conditions under the Act on the Secondary Use of Health and Social Data and the EU General Data Protection Regulation (2016/679) are met for disclosing the dataset to another secure processing environment where the recipient becomes an independent data controller.
- When applying for another secure processing environment, the applicant must submit, as an attachment to the application, the Phase A form duly completed and signed, including the requested annexes.
- Findata will assess the information provided in the form, request additional information if necessary, and inform the applicant of the outcome. If the conditions of Phase A are not met, the applicant has the option to apply for a secure processing environment in accordance with Section 20 of the Act.
- Download Form A
Phase B: Assessment of the information security and data protection of the processing environment
- In Phase B, it is assessed whether the proposed alternative secure processing environment meets the information security and data protection requirements of the Act and the GDPR such that the protection of personal data and the rights of data subjects are effectively ensured during processing.
- If Findata approves Phase A, the applicant will be asked to submit the Phase B form, duly completed and signed. Submission must follow the instructions provided separately by the Findata application processor.
- Findata will assess the information provided in the form, request additional information if necessary, and inform the applicant of the outcome. If the conditions are not met based on the Phase B assessment, the applicant may apply for a secure processing environment in accordance with Section 20 of the Act.
- Download Form B
The detailed information requested in Forms A and B is based on Findata’s statutory assessment obligation. The legal basis and instructions are provided within the forms.
Notes
The processing time of the data permit may be extended if the application requires particularly demanding consideration.
The processing of the data permit application related to this assessment is subject to a fee in accordance with Findata’s current price list based on the applicable fee regulation.
Findata is not responsible for any costs incurred by the applicant in connection with the application.