Which laws regulate the secondary use of health and social data in Finland?

The secondary use of health and social data is governed by several laws that safeguard privacy and define the conditions under which data may be processed.

The EU General Data Protection Regulation (GDPR) regulates all processing of personal data across the EU. It applies whenever personal data is processed.

The regulation on the European Health Data Space (EHDS) creates a common EU framework for the use and exchange of health data, harmonises the use of health data across the EU, and strengthens individuals’ rights to their own data. The regulation entered into force in March 2025 and will be implemented gradually. The provisions concerning secondary use will apply from March 2029.

The Finnish Data Protection Act complements the GDPR at national level. It specifies when sensitive personal data, such as health data, may be processed in Finland.

The Finnish Act on the Secondary Use of Health and Social Data (the Secondary Use Act) regulates the secondary use of health and social data in Finland. Findata’s operations are based on the Secondary Use Act. The Act was amended in 2025.

Other key laws include:

  • Act on the Processing of Client Data in Healthcare and Social Welfare
  • Medical Research Act
  • Clinical Trials on Medicinal Products for Human Use Act
  • Act on the Medical Use of Human Organs, Tissues and Cells
  • Biobank Act
