Processing of data permit applications and data requests

Purpose of use

Findata’s statutory duties include processing data permit applications and data requests and issuing administrative decisions on them. We accept data permit applications and data requests through Findata’s data request management system.

We process personal data relating to applicants or representatives of applicant organisations for the purposes of processing applications, decision-making and invoicing. We process contact information of applicants or applicant entities to send customer notices related to the services and their use.

In principle, the applicants must identify themselves using the Suomi.fi service when applying for a data permit or a data request.

Data permit applications, data requests and the decisions on them are stored in the case management system in accordance with the authority’s data management regulation. The case management system used by Findata is maintained by the National Institute for Health and Welfare (THL).

Draft applications are stored in the case management system so that the applicant can, if necessary, pause the drafting of the application and return to it at a later date.

We do not use automated decision-making or profiling in our data processing.

Data processed and data sources

We collect the information about those applying for data permits and data requests that they provide in the application or request.This information includes the name, position or title of the applicant or their contact person, contact details and the name and affiliation of the persons entitled to process personal data. We also process data for billing purposes. If the data recipient is a private individual, the billing information also includes personal data. In addition, the application may include the name and contact information of the person delivering the target group to Findata.

In addition, we maintain a log system that allows us to track and store personal data from the various stages of processing data permit applications and data requests.

When an application for a data permit or data request is submitted, we store the personal data required for strong electronic identification of the applicant that is transmitted by the Suomi.fi service. The personal data stored by the Suomi.fi service is described in the service’s privacy policy (suomi.fi).

We record applications for data permits and data requests in the case management system Helmi maintained by THL. See THL’s website (thl.fi) for more information.

Regular disclosure of data and recipients of personal data

We do not disclose the personal data provided in data permit applications or data requests on a regular basis. We publish information on data permits and data requests that we have issued. If the data recipient is a private individual, we do not publish their name.

We disclose information to those requesting it in accordance with the Act on the Openness of Government Activities. As a rule, the information on the application for a permit and the person who made the data request is public, as it is not explicitly provided for to be kept secret.

We use Tieteen Tietotekniikkakeskus Oy (CSC) to carry out the technical maintenance and development work of the data request management system. CSC acts as a processor of personal data on behalf of Findata.

We record data permit applications and data requests in the case management system maintained by THL. Persons working at THL whose duties include processing Findata’s documents have access to the data. Findata is an independent unit operating in connection with THL.

Data retention period

We retain data permit applications permanently, and data requests for a period of ten years from their initiation. We retain the data permit decisions permanently and the data request decisions for a period of ten years from the date of their issuance.

We retain draft applications and data requests that have not been submitted to Findata for 180 days from the last edit. Applications that have not been modified for 180 days will be automatically removed from the system.

Transfer and disclosure of personal data to non-EU or EEA countries

We do not disclose personal data outside the EU or EEA.

Rights of the data subject

The data subject refers to the person to whom the original social and health information relate. When we process personal data contained in an application for data permit or a data request, the data subject has the following rights:

  • Right to information about the processing of personal data (Article 14 of the GDPR)
  • Right of access to one’s personal data (Article 15 of the GDPR)
  • Right to rectify one’s data (Article 16 of the GDPR)
  • Right to restrict the processing of one’s data (Article 18 of the GDPR)
  • Right to object to the processing of one’s data (Article 21 of the GDPR)

The data subject has the right to object to the processing of personal data by us at any time on grounds relating to their particular situation. In this case, we shall no longer process the data relating to this person, unless there are substantial and legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

Read more about your rights as a data subject

Legal basis of processing personal data

The processing of personal data for processing data permit and data request applications is based on the following laws:

  • Act on the Secondary Use of Social and Health Data (552/2019) Sections 44 and 45,
  • General Data Protection Regulation Article 6(1)(e) and
  • Data Protection Act Section 4(2).