Ready-made datasets

The purpose of this privacy notice is to give a comprehensive overview of the personal data that Findata collects when compiling and preprocessing ready-made datasets, the purposes for which this data is used, and to whom the data may be disclosed. This privacy notice also describes the obligations and legal frameworks that Findata adheres to when processing personal data. Findata offers thematic ready-made datasets that are pre-compiled and preprocessed data packages available more quickly, without cost estimates or extraction requests from original data controllers. These datasets are provided via Findata under a data permit.

“Personal data” means any information relating to a data subject that can be identified directly or indirectly, as defined in the EU General Data Protection Regulation (2016/679, GDPR).

Findata complies with the GDPR, the Act on the Secondary Use of Health and Social Data, as well as other applicable data protection legislation and good data processing practices when handling personal data.

Controller

Findata – Social and Health Data Permit Authority
P.O. BOX 30, FI-00301 Helsinki, Finland
info@findata.fi

Data Protection Officer
tietosuojavastaava@findata.fi

Purpose of processing of personal data and legal basis for processing

Pre-processing refers to the actions that are taken on data disclosed to Findata by different controllers before we deliver it to the data recipient. Pre-processing includes aggregating, combining, pseudonymising, and anonymising data. Findata selects the subject matter of the ready-made data sets and the data on which they are based. The purpose of the processing of personal data is to compile datasets in accordance with the chosen theme and, as a general rule, to disclose pseudonymised personal data or statistics compiled from ready-made datasets to the data recipient. Ready-made datasets may also be used to develop an AI model operating within the authority’s operating environment for processing unstructured text data, in order to enhance the data protection of text materials.

We do not use automated decision-making or profiling in the processing of data.

The processing of personal data in the formation of ready-made datasets is based on the following laws:

Act on Secondary Use of Social and Health Data (552/2019) Section 14,
General Data Protection Regulation Article 6(1)(e),
Data Protection Act (1050/2018) Section 4(2) and,
in the case of special categories of personal data, the Data Protection Act Section 6(1)(2) and the General Data Protection Regulation Article 9(2)(g).

Personal data processed and sources of data

In compiling the ready-made datasets, we process the social and health data received from one or more controllers under the scope of the Secondary Use Act to the extent deemed necessary for each project.

We cannot form ready-made material on the basis of all materials of all controllers within the scope of the law. For more detailed restrictions on data, see the Secondary Use Act, Section 6 (finlex.fi).

Data controllers within the scope of the Secondary Use Act:

Data saved in Kanta services
Digital and Population Data Services Agency (DVV)
Finnish Centre for Pensions (ETK)
Finnish Institute for Health and Welfare (THL)
Finnish Institute of Occupational Health (TTL)
Finnish Medicines Agency Fimea
Finnish Supervisory Agency (LVV)
Ministry of Social Affairs and Health
Public and private service providers of social welfare and health care
Social Insurance Institution of Finland Kela
Statistics Finland

The data is transferred to Findata and, in the case of data permits, further to the data recipient via a secure transfer service.

Regular disclosures of personal data and categories of recipients

We disclose the ready-made dataset to the data recipient. The data recipient then becomes the controller of the transferred data. In the vast majority of data permits we grant, the data recipients use the data for scientific research.

According to the Secondary Use Act, the data authorised by a data permit may be disclosed for processing in a secure operating environment as specified in Section 20 of the Secondary Use Act or for other specific reasons, to another secure operating environment under Section 51 c of the Act. Furthermore, under Section 51 d of the Act, Findata may, for special reasons, grant a data permit to receive data in anonymised form outside the secure operating environment referred to in Section 20.

When statistical data is requested from the ready-made datasets, the data to be disclosed does not contain personal data.

We use Tieteen Tietotekniikkakeskus Oy (CSC) to carry out technical maintenance and development. CSC acts as a processor of personal data on behalf of Findata.

Retention period for personal data

We retain the ready-made datasets permanently.

In addition, the data recipient who has obtained the ready-made dataset on the basis of the data permit retains the data for a specified period of time.

Transfer and disclosure of personal data to non-EU or EEA countries or to international organisations

As a rule, we do not disclose ready-made datasets outside the EU or EEA or to international organisations. According to the Secondary Use act, the data must be transferred to a secure operating environment that cannot be located outside the EU and EEA. According to section 51 c of the Secondary Use Act, the data permit authority may, for a specific reason, grant a data permit that allows the data to be disclosed to another secure operating environment.

If the data recipient as the controller wishes to enable the processing of their data from outside the EU and EEA, they must apply to Findata for permission to allow the processing. If we grant permission, the controller must ensure that the material is transferred in accordance with Chapter V of the GDPR, when applicable.

Rights of the data subject

In this privacy notice, “data subject” refers to the person to whom the original social and health data relate to. For more information about the rights of data subjects, see the section “Rights of the data subject” above on this page.