Standard terms of use

Users of the Kapseli agree to abide by the standard terms and conditions, which can be found below.


These terms of use apply to the use of the secure operating environment (hereafter ‘the Environment’) administered by the Health and Social Data Permit Authority (hereafter ‘Findata’) and referred to in section 20 of the Act on Secondary Use of Health and Social Data (552/2019). Findata maintains the Environment.

In these terms of use, the processing of personal data is carried out by Findata. The controller is the party that has been identified or reported as the controller in the authority’s permit decision or other documentation concerning the data.

These terms of use apply to the export, use and removal of data from the Environment. Findata may modify these terms of use where there is a justified reason for doing so. Any changes made will be published on Findata’s website and also announced separately and in advance to the users of the Environment. Findata has the right to make minor or technical changes to these terms of use without giving prior notice.


  1. Anyone who as a need or desire to use the FinData Environment must submit a separate order to Findata.  The order is made by filling in the electronic order form using strong identification and sending it to Findata. Findata accepts the order if the requirements for approval are met. Findata has the right to refuse to accept an order if there is no legal basis for it.


  1. An order requesting use of the Environment can be made for data for which Findata has made a permit decision and/or for other data. A requirement for the export of other data into the Environment is that Findata has been able to verify the reliability of the data in question and that the appropriate permits or other legal grounds for processing the data are in place. Findata has the right to refuse to export data to the Environment if Findata considers that there is no legal basis for providing it.

Export of data to the Environment

  1. Findata exports the data to the Environment once the order has been approved, the data has arrived to Findata from the controllers, and Findata has reviewed them and, if necessary, pre-processed, pseudonymised or anonymised them.
  2. In the case of data for which Findata itself has granted a permit, Findata ensures that the data in question is exported to the Environment and notifies the permit holder when the data is ready for processing.
  3. In the case of other data, Findata gives instructions to the customer on the format required and how the customer should deliver the data to Findata for export to the Environment.

Logging in to the Environment

  1. Logging in to the Environment takes place in two stages: a login combined with a separate link via mobile connection.
  2. Findata provides more detailed instructions on how to log in to the Environment for those who do not have the opportunity or who cannot log in using e-Identification.
  3. Individuals who have received access rights must take care to ensure the secure use and storage of the identification tools used for logging in.

Checking the data and reporting errors

  1. The permit holder must check that the data is as it should be. Any suspected errors or deviations must be reported to Findata without delay and no later than 30 days after the permit holder has obtained access to the data. 

Data processing

  1. The data must be processed in the Environment for the purpose and in the manner required by either the official permit concerning the data, any decision of the ethics committee, or any other legal basis for the processing.
  2. When processing the data, it must be ensured that confidential information is not passed on in any way to third parties.

Processing of personal data: controller and personal data processor

  1. To the extent that the data contains personal data, the following terms of use shall apply. Findata maintains the Environment in accordance with section 20 of the Secondary Use Act.  Findata implements the necessary technical and organisational measures to ensure secure processing. In determining the necessary measures, consideration is given to the level of security that corresponds to the level of risk, in accordance with Article 32 of the EU General Data Protection Regulation.  The FinData public-service employees who handle the data comply with statutory confidentiality and secrecy obligations. Findata personnel have signed a separate confidentiality agreement. The personnel have also received a basic Finnish Security Intelligence Service security clearance.
  2. Findata subcontracts the technical maintenance and development of the Environment to IT Center for Science Ltd (CSC). CSC handles the personal data on behalf of Findata.  CSC staff have received the basic Finnish Security Intelligence Service security clearance. CSC has granted access to the Environment only to those persons who require this in order to carry out their duties. When using CSC as a personal data processor, Findata complies with the requirements for the use of a separate data processor as referred to in Article 28 and sections 2 and 4 of the GDPR.
  3. Under the GDPR, the controller is responsible for responding to requests from data subjects regarding the data in the Environment. Findata shall, where possible, assist the controller with appropriate technical and organisational measures to fulfil the controller’s obligation to respond to requests relating to data subjects’ rights under the GDPR. Findata has the right to charge the controller for the costs incurred in these assistance tasks.
  4. Findata helps the controller to ensure compliance with their obligations under Articles 32–36 of the GDPR concerning data processing security, data security breaches and data protection impact assessments and related prior consultations, while taking into account the nature of the data processing and the information available to Findata.

Prices and invoicing

  1. The use of the Environment is subject to a fee. The prices are listed on the FinData website.
  2. Findata confirms the prices at regular intervals.  Findata reserves the right to change the prices for use of the Environment where there are justified grounds for doing so.  
  3. Findata has the right to remove the customer’s access rights if the subscriber fails to pay the invoice for use of the Environment despite receiving a payment reminder.

Terminating use of the Environment

  1. The data may be processed in the Environment for as long as the relevant official permit or other legal basis for the processing of the data remains valid. A further requirement is that the order is valid and the invoices for use of the Environment have been paid.
  2. Findata can also remove Environment access rights from individual users if they do not comply with the above terms of use.
  3. Findata stores the data for 6 months after the expiry of the permit, unless the permit expressly states otherwise.



Inquiries related to Kapseli operating environment