Users of Kapseli agree to abide by the standard terms and conditions, which can be found below. The terms and conditions cover the exportation, use, storage service, and withdrawal of data from Kapseli.
The following terms and conditions are effective from May 1, 2024. If you wish to cancel or make changes to your Kapseli subscription, please do so through our e-service or send a message to kapseli@findata.fi. You can download the previous standard terms here (PDF, 54 KB).
Standard terms of use for the secure processing environment Kapseli® and the Data storage service
These terms of use apply to the use of the secure processing environment (hereinafter ‘Kapseli’) administered by the Finnish Social and Health Data Permit Authority Findata (hereinafter ‘Findata’) and referred to in section 20 (1) of the Act on Secondary Use of Health and Social Data (552/2019) as well as the Data storage service. Findata maintains these services in accordance with the Act on Secondary Use of Health and Social Data and these terms of use.
In these terms of use, the processing of personal data is carried out by Findata. The controller is the party that has been identified or reported as the controller in the authority’s data permit decision or other documentation concerning the data (hereinafter the Client).
Findata may modify these terms of use based on an advance notice. Information about any changes made will be published on Findata’s website and provided separately to the Client. Findata has the right to make minor or technical changes to these terms of use without giving prior notice. For updates to the terms concerning prices and invoicing, see the section Prices and invoicing.
Order
- Anyone who is obliged to use Kapseli according to a data permit decision, or who wishes to use Kapseli or the Data storage service must submit a separate order to Findata on the matter. The order is placed using strong identification based on instructions available on the Findata website.
- Findata has the right to accept or reject the order at its discretion. The order is rejected if there is no legal basis for it or if it violates Findata’s binding contractual terms and conditions or these terms of use.
- Findata will notify the Client when the order has been approved. The use of the services is subject to a fee, see below under Prices and invoicing.
Data processed in Kapseli
- Kapseli can be used to process data for which Findata has made a permit decision and/or other data. A requirement for the export of other data into Kapseli is that the Client has the appropriate permits or other legal grounds for processing the data. Findata has the right to refuse to export data to Kapseli if Findata considers that there is no legal basis for processing the data or if the export of the data would pose an unjustified information security risk.
Exporting data to Kapseli
- Findata exports the data to Kapseli once the order has been approved, Findata has received the data from the controllers, and Findata has reviewed them and, if necessary, pre-processed, pseudonymised or anonymised them.
- In the case of data for which Findata itself has granted a permit, Findata ensures that the data in question is exported to Kapseli and notifies the permit holder when the data is ready for processing by the Client.
- In the case of other data than that authorised by Findata, Findata gives instructions to the Client on the format required and how the customer should deliver the data to Findata for export to Kapseli. The Client is obligated to comply with Findata’s instructions. Failure to comply with Findata’s instructions may result in a data security breach for which the Client is responsible.
Software offered in Kapseli by Findata
- Findata installs software to the new Kapseli in accordance with the software selection described in more detail on the Findata website (standard software).
- Findata performs any updates to the standard software that it considers necessary, especially for security reasons. The Client may also request that the versions of the standard software available to them be updated in accordance with the instructions given on the Findata website.
Importing software not provided by Findata to Kapseli
- The Client may request Findata to install software other than those offered by Findata in Kapseli. The request is made in accordance with the instructions provided on the Findata website.
- The Client is responsible for the existence and validity of licences required for software use in Kapseli.
- The Client must provide Findata with software installation instructions and the information required for installation and use. Since there is no network connection in Kapseli, installing and using the software in a closed environment must be possible.
- Findata assesses the information security and compatibility of the software with Kapseli before installation.
- A fee is charged for installing the Client’s software in Kapseli. In addition, a fee is charged for the assessment of information security and compatibility in accordance with the hours of work performed by specialists.
- Findata is not responsible for the functionality or use of software other than those offered by Findata. Findata is also not responsible for the licences required for using the software, its validity, or the existence or correctness of the instructions required for installation.
Logging in to Kapseli
- Logging in to Kapseli is done in a two-step authentication process. Findata provides more detailed instructions for logging in to Kapseli.
- Individuals who have received access rights must take care to ensure the secure use and storage of the identification tools used for logging in.
Checking the data in Kapseli and reporting errors
- The Client must check that the data submitted to Kapseli for processing by the Client is as it should be. Any suspected errors or deviations must be reported to Findata without delay and no later than three months after the Client has obtained access to the data.
Data processing
- The Client is obligated to process the data in Kapseli in the manner and for the purposes required by the Act on Secondary Use of Health and Social Data and the data permit or other legal basis concerning the data.
- When processing the data, it must be ensured that confidential information is not passed on in any way to third parties. Only anonymised result data may be removed from the secure processing environment.
Pausing Kapseli use
- The Client has a right to pause their Kapseli use for a fixed period. The terms and conditions related to the fixed periods are available on the Findata website. A precondition for pausing the use of Kapseli is that the data permit and the Kapseli order are valid during the pause.
- The Client must submit a separate order on pausing the service use to Findata. The order will be processed according to terms 1–3. Pauses are subject to a fee. For the determination of prices and invoicing, see section Prices and invoicing.
- The Client does not have access to Kapseli during the pause. Findata maintains Kapseli and the data and tools it contains during the pause so that the Client can continue processing the data after the pause.
- At the end of the pause, the Client’s right to access Kapseli will resume.
Expiry of Kapseli use and the termination and cancellation of the order
- The data may be processed in Kapseli for as long as the relevant official permit or other legal basis for the processing of the data remains valid. The order for Kapseli must also be valid and invoices for the use of Kapseli must be paid.
- The Kapseli order will end when the order period expires, the Client terminates the order and the order’s period of termination expires, or when the subscription is cancelled. The period of termination is one (1) full calendar month. Any fees specified in Findata’s price list will be charged until the end of the notice period. Payments already paid will not be refunded.
- When the Kapseli order expires, the Client’s right to process the data in Kapseli ends. Findata will destroy the data no later than three months after the expiry of the order.
- Findata has the right to cancel the order and remove the Client’s access right if:
  - The Client violates the permit terms concerning the processing of the data and has not rectified its procedure within 14 days of the written notice issued by Findata, or the procedure cannot be rectified, or
  - The Client fails to pay the Kapseli invoice and has not paid the invoice despite receiving a reminder, or
  - The Client otherwise violates these terms and has not rectified its procedure within 14 days of the written notice issued by Findata, or the procedure cannot be rectified.
- When the order is cancelled, the right to use Kapseli expires immediately.
- Instead of cancelling the order, Findata has, at its discretion, the right to remove access rights to Kapseli from individual users on a user-specific basis if they do not comply with the permit conditions for the processing of data or these terms of use.
Data storage service
- After the expiry of the Kapseli order, the Client may store the data in the data storage service provided by Findata by ordering the data storage service from Findata. Kapseli and the data storage service may not be used simultaneously.
- The data storage service is ordered for a fixed period. The terms and conditions related to the fixed periods are available on the Findata website. The data permit or other legal grounds for processing the data must be valid for the entire duration of the order.
- The order for the data storage service may be terminated before the expiry of the period with a separate order in accordance with terms 1–3. The period of termination is four weeks.
- The data storage service or the continuation of the related order must be requested in accordance with terms 1–3 at least four weeks before the expiry of the Kapseli order or the data storage service.
- The data storage service is used to store the data referred to in the data permit and any other files related to the study. When the data storage service is introduced, Kapseli previously used by the Client, and any software other than that offered by Findata exported to Kapseli, will be removed.
- The data will be transferred to the data storage service in the status valid on the first date of the order. No changes may be made to the data during the use period of the data storage service.
- If necessary, the data can be transferred for processing to a new Kapseli or another processing environment in accordance with the data permit for the processing of data. The order concerning the transfer of data and the new Kapseli will be made in accordance with terms 1–3 no later than four weeks before the desired transfer date.
- When the data storage service is introduced, an encryption key and unique identifier necessary for restoring the data will be delivered to the Client. The encryption key and unique identifier must be protected from unauthorised access. The Client must save the data exported to the data storage service in a file format that enables the processing of the data after it has been restored.
- The data storage service order will end when the order period expires, the Client terminates the order and the order’s period of termination expires, or when the subscription is cancelled. The period of termination is one (1) full calendar month. Any fees specified in Findata’s price list will be charged until the end of the notice period. Payments already paid will not be refunded.
- Once the data storage service order period ends, the access rights to the data storage service expire. Findata will remove the data no later than three months after the expiry of the order.
- Findata may terminate an order of the data storage service if:
  - The Client violates the permit terms concerning the processing of the data and has not rectified its procedure within 14 days of the written notice issued by Findata, or the procedure cannot be rectified, or
  - The Client fails to pay the data storage service invoice and has not paid the invoice despite receiving a reminder, or
  - The Client otherwise violates these terms and has not rectified its procedure within 14 days of the written notice issued by Findata, or the procedure cannot be rectified.
- When the order is cancelled, the right to use the data storage service expires immediately.
- The data storage service is subject to a fee. For the determination of prices and invoicing, see section Prices and invoicing. The data storage service activation fee and user fee for the first 12 months will be charged in connection with activating the service.
Processing of personal data: obligations of the controller and personal data processor
- To the extent that the data submitted to Kapseli or the Data storage service contains personal data, the following terms of use shall apply. Findata maintains Kapseli and the Data storage service in accordance with section 20 of the Secondary Use Act. Findata implements the necessary technical and organisational measures to ensure secure processing. In determining the necessary measures, consideration is given to the level of security that corresponds to the level of risk, in accordance with Article 32 of the EU General Data Protection Regulation. Findata’s employees who handle the data comply with statutory confidentiality and secrecy obligations. Findata personnel have signed a separate confidentiality agreement. The personnel have also received a basic Finnish Security Intelligence Service security clearance.
- Findata uses the IT Center for Science Ltd (CSC) as the service provider for the technical maintenance and development of Kapseli and the Data storage service. CSC handles the personal data on behalf of Findata. CSC staff have received the basic Finnish Security Intelligence Service security clearance. CSC has granted access to the services only to those persons who require this in order to carry out their duties. When using CSC as a personal data processor, Findata complies with the requirements for the use of a separate data processor as referred to in Article 28 and Sections 2 and 4 of the EU’s General Data Protection Regulation.
- The controller is responsible for the implementation of the rights of data subjects under Chapter III of the EU’s General Data Protection Regulation with regard to the processing of personal data in Kapseli or the Data storage service. The controller responds to requests concerning these rights. Findata shall, where possible, assist the controller as the processor of personal data with appropriate technical and organisational measures to fulfil the controller’s obligation to respond to requests relating to data subjects’ rights under the EU GDPR.
- Findata helps the controller to ensure compliance with their obligations under Articles 32–36 of the EU GDPR concerning data processing security, data security breaches and data protection impact assessments and related prior consultations, while taking into account the nature of the data processing and the information available to Findata. Findata provides the controller with all information necessary for demonstrating compliance with the obligations laid down in Article 28 of the EU’s General Data Protection Regulation and contributes, where appropriate, to the relevant audits and reports.
Prices and invoicing
- Findata will charge the Client for the use of Kapseli, for pausing the use for a fixed period and for the data storage service in accordance with its price list. The prices are listed on the Findata website.
- Findata confirms the prices at regular intervals. Findata reserves the right to change the prices. The changes in prices will be announced no later than one month before the new prices are introduced.
Restrictions on the provision of services and restrictions on Findata’s liability
- Findata has the right to temporarily suspend access to Kapseli if this is necessary for maintaining or securing the Kapseli operations, for making technical changes to the service or for some other important reason.
- Findata will notify users in advance of service interruptions if it is aware of the need and timing of the interruption in advance.
- The use of Kapseli may have to be interrupted without prior notification if the interruption is due to measures which must be carried out immediately or without undue delay based on Findata’s assessment. Kapseli’s users will be notified of any such delays as soon as possible after the start of the interruption.
- Findata is not liable for damages and delays caused by disruptions or faults in the third-party software, information systems or data connections of the service providers it uses.
- Findata is not liable for indirect damages caused to users, the data they process in the services or other property, or damages and delays caused by downtime or restrictions on use. Findata’s liability is limited to at most the amount of user fees paid by the Client to Findata during the year in which the damage occurred.
- Findata shall in no way be liable for the functionality of software other than that offered by Findata that has been exported to Kapseli or for any disturbances or defects in this or for any damages or delays caused to the Client by using said software.
- The Client is personally responsible for ensuring that the devices and telecommunications connections they use are working and for any damages and delays caused to the Client by disturbances or faults that may occur in these.
- The Client is responsible for the appropriate use of the standard software offered by Findata in Kapseli. Findata does not provide software user support.
- Findata’s liability to compensate for fees charged for the use of Kapseli.
  - Findata’s liability to compensate arises only when
    - Kapseli is completely inaccessible for reasons for which Findata or the service provider it uses is responsible, and
    - The service is inaccessible for at least 72 hours during the calendar month for a reason other than the one stated in advance.
  - Determination of compensation
    - Compensation is not paid for indirect damage or harm.
    - The amount of compensation is calculated based on the total realised full 24-hour periods. An installment corresponding to the monthly service fee is paid in compensation.
    - Any failures that prevent use must be reported immediately after detecting them to take them into account in the determination of the compensation.
    - Findata processes failure reports and accepts disruptions that entitle users to compensation based on a separate notification.
  - Applying for compensation
    - The Client must apply for compensation within two weeks from the end of the calendar month in which the failure preventing use occurred, unless Findata provides other instructions in an individual case. Compensation is applied for in accordance with instructions provided by Findata.