Purpose of use

We offer thematic datasets which are pre-compiled and processed data entities. The ready-made datasets are available through Findata more quickly on the basis of a data permit, without having to request cost estimates or extracts from the controllers.

Pre-processing refers to the actions that are taken on data disclosed to Findata by different controllers before we deliver it to the data recipient. Pre-processing includes aggregating, combining, pseudonymising, and anonymising data.

Pseudonymisation refers to the conversion of personal data into a encrypted form. In this case, names and personal identification numbers may be removed and replaced with another unique identifier, i.e. a code. Often, a code key is retained in order to return direct personal information to the data. Pseudonymised data is still personal data. In principle, we pseudonymise the data before handing it over. We will only disclose information in identifiable form for a particularly justified and necessary reason.

Anonymising means changing personal data to make it irreversibly impossible to identify an individual. This can mean, for example, removing direct identifiers and the coarsening the data to a general level so that personal data cannot be changed back to be identifiable in any way.

Findata selects the subject matter of the ready-made data sets and the data on which they are based. The purpose of the processing of personal data is to compile datasets in accordance with the chosen theme and, as a general rule, to disclose pseudonymised personal data or statistics compiled from ready-made datasets to the data recipient.

We do not use automated decision-making or profiling in the processing of data.

Data processed and data sources

In compiling the ready-made datasets, we process the social and health data received from one or more controllers under the scope of the Secondary Use Act to the extent deemed necessary for each project.

We cannot form ready-made material on the basis of all materials of all controllers within the scope of the law.  For more detailed restrictions on data, see the Secondary Use Act (in Finnish, finlex.fi).

Data controllers within the scope of the Secondary Use Act:

  • Data saved in Kanta services
  • Digital and Population Data Services Agency (DVV)
  • Finnish Centre for Pensions (ETK)
  • Finnish Institute for Health and Welfare (THL)
  • Finnish Institute of Occupational Health (TTL)
  • Finnish Medicines Agency Fimea
  • National Supervisory Authority for Welfare and Health Valvira
  • Public and private service providers of social welfare and health care
  • Social Insurance Institution of Finland Kela
  • Statistics Finland
  • Regional state administrative agencies (AVI)

The data is transferred to Findata and on to the data recipient via a secure transfer service.

Read more detailed descriptions of the data used in the ready-made datasets.

Regular disclosure of data

We disclose the ready-made dataset to the data recipient. The data recipient then becomes the controller of the transferred data.

Under the Secondary Use Act, the data can only be disclosed for processing in a secure operating environment. Read more about secure operating environments

When statistical data is requested from the ready-made datasets, the data to be disclosed does not contain personal data.

Recipients of personal data

We will disclose the data to the data recipient. In the vast majority of data permits we grant, the data recipients use the data for scientific research.

We use Tieteen Tietotekniikkakeskus Oy (CSC) to carry out technical maintenance and development. CSC acts as a processor of personal data on behalf of Findata.

Data retention period

We define the retention period for each ready-made dataset separately.

In addition, the data recipient who has obtained the ready-made dataset on the basis of the data permit retains the data for a specified period of time. The controller of this processing is the data recipient.

Transfer and disclosure of personal data to non-EU or EEA countries

As a rule, we do not disclose ready-made datasets outside the EU or EEA or to international organisations. According to the Secondary Use act, personal data must be transferred to a secure operating environment that cannot be located outside the EU and EEA.

If the data recipient as the controller wishes to enable the processing of their data from outside the EU and EEA, they must apply to Findata for permission to allow the processing. If we grant permission, the controller must ensure that the material is transferred in accordance with Chapter V of the GDPR, when applicable.

Rights of the data subject

The data subject refers to the person to whom the original social and health information relate. When we process personal data to form ready-made materials, the data subject has the following rights:

  • Right to information about the processing of personal data (Article 14 of the GDPR)
  • Right of access to one’s personal data (Article 15 of the GDPR)
  • Right to rectify one’s data (Article 16 of the GDPR)
  • Right to restrict the processing of one’s data (Article 18 of the GDPR)
  • Right to object to the processing of one’s data (Article 21 of the GDPR)

The data subject has the right to object to the processing of personal data by us at any time on grounds relating to their particular situation. In this case, we shall no longer process the data relating to this person, unless there are substantial and legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

Read more about your rights as a data subject

Legal basis of processing personal data

The processing of personal data in the formation of ready-made datasets is based on the following laws:

  • Act on Secondary Use of Social and Health Data (552/2019) Sections 14 and 51,
  • General Data Protection Regulation Article 6(1)(e),
  • Data Protection Act Section 4(2) and,
  • in the case of special categories of personal data, the Data Protection Act Section 6(1)(2) and the General Data Protection Regulation Article 9(2)(g).