This privacy notice explains how Findata processes the personal data of data permit applicants and data requesters.
“Personal data” means any information relating to a data subject that can be identified directly or indirectly, as defined in the EU General Data Protection Regulation (2016/679, GDPR).
Findata complies with the GDPR, the Act on the Secondary Use of Health and Social Data, as well as other applicable data protection legislation and good data processing practices when handling personal data.
Controller
Findata – Social and Health Data Permit Authority
P.O. BOX 30, FI-00301 Helsinki, Finland
info@findata.fi
Data Protection Officer
tietosuojavastaava@findata.fi
Purpose of processing of personal data and legal basis for processing
Findata’s statutory duties include processing data permit applications and data requests and issuing administrative decisions on them.
We process personal data relating to applicants or representatives of applicant organisations for the purposes of processing applications, decision-making and invoicing. We process contact information of applicants or applicant entities to send customer notices related to the services and their use.
We do not use automated decision-making or profiling in our data processing.
The processing of personal data for processing data permit and data request applications is based on the following laws:
- Act on the Secondary Use of Social and Health Data (552/2019) Sections 6 a, 6 b, and 45,
- General Data Protection Regulation Articles 6(1)(a) and 6(1)(e) and
- Data Protection Act (1050/2018) Section 4(2).
Personal data processed and sources of data
We collect the information that applicants of data permits and data requests provide in the application or request. This information includes the name, position or title of the applicant or their contact person, contact details and the name and affiliation of the persons entitled to process personal data. We also process data for billing purposes. If the data recipient is a private individual, the billing information also includes personal data. In addition, the application may include the name and contact information of the person delivering the target group to Findata.
In addition, we maintain a log system that allows us to track and store personal data from the various stages of processing data permit applications and data requests.
When an application for a data permit or data request is submitted, we store the personal data required for strong electronic identification of the applicant that is transmitted by Suomi.fi service.
The personal data stored by the Suomi.fi service is described in the service’s privacy policy (suomi.fi).
Regular disclosures of personal data and categories of recipients
We do not disclose the personal data provided in data permit applications or data requests on a regular basis. We publish information on data permits and data requests that we have issued. If the data recipient is a private individual, we do not publish their name.
We disclose information to those requesting it in accordance with the Act on the Openness of Government Activities (621/1999) and the GDPR. As a rule, the information on the application for a permit and the person who made the data request is public, as it is not explicitly provided for to be kept secret.
We use Tieteen Tietotekniikkakeskus Oy (CSC) to carry out the technical maintenance and development work of the data request management system. CSC acts as a processor of personal data on behalf of Findata.
Retention period for personal data
We retain data permit applications permanently, and data requests for a period of ten years from their initiation. We retain the data permit decisions permanently and the data request decisions for a period of ten years from the date of their issuance.
We retain draft applications and data requests that have not been submitted to Findata for 180 days from the last edit. Applications that have not been modified for 180 days will be automatically removed from the system.
Transfer and disclosure of personal data to non-EU or EEA countries or to international organisations
We do not disclose personal data outside the EU or EEA or to international organisations.
Rights of the data subject
In this privacy notice, “data subject” refers to individuals submitting data permit applications and data requests. For more information about data subject rights, see the section “Rights of the data subject” above on this page.