Updated 25.03.2025

Conditions of data permit

The data permits granted by Findata are official decisions of an authority. They are legally binding and include specific permit conditions. On this page, you will find the conditions that permit holders are required to follow when they process personal data based on a data permit.

In addition to the permit conditions, the decision includes the following sections:

Data permit decision

The decision includes the following information:

  • Decision recipient
  • Project name
  • Subject
  • Decision
  • Justifications for the decision
  • Validity of the data permit
  • Fees for data permit and data processing services
  • Verification of the disclosed data
  • Right to claim for a revised decision
  • Additional information
  • Applicable legislation
  • Appendices
Instructions for claiming for a revised decision (appendix 1)

The instructions for claiming for a revised decision contains the following information:

  • Who can file a claim for a revised decision?
  • How and to whom should a claim for a revised decision be made?
  • Content of the claim for a revised decision
  • Claim period
  • Important matters to note
  • What Findata can do as a result of a claim for a revised decision?
  • Impact of a claim for a revised decision
  • Additional information
Persons entitled to process personal data and summary of extraction descriptions and estimated costs (appendix 3)

A confidential appendix, which includes the following project-specific information:

  • persons authorised to process personal data
  • a summary of extraction descriptions
  • a summary of costs

1 General conditions

1.1 Findata compiles the personal data to be disclosed to the decision recipient on the basis of the data permit from the register data of the data controllers laid down in the Secondary Use Act. Findata is responsible for ensuring that it compiles and processes the personal data in accordance with the Secondary Use Act and the data permit decision. If other personal data held by the decision recipient are combined with the personal data obtained under the data permit, the data will be combined and pre-processed as described in the data permit.

1.2 Findata is not responsible for any parts for the correctness or accuracy of the personal data sets received from different controllers in relation to their original use purpose. As data controller, Findata is responsible for the integrity of the data it processes.

1.3 Personal data obtained under the data permit may only be used for the purpose specified in the data permit decision and data utilisation plan submitted during the application phase. If the personal data obtained under the data permit is to be used for another purpose, a separate application and a data utilisation plan must be made for the new purpose. A new purpose may not be initiated until the applicant has received a corresponding positive permit decision.

1.4 The data permit for processing personal data is granted for the period specified in the data permit decision. If necessary, the deadline may be extended with an application.

1.5 The personal data may be processed under this permit only within the EU and EEA, unless otherwise stated in the data permit decision. If it is necessary to process personal data outside the EU/EEA, the decision recipient must meet the requirements laid down in section 6 before the transfer of personal data is started.

1.6 The decision recipient must inform all persons specified in this data permit decision who have been granted the right to process personal data (persons with processing rights) of this data permit decision and its conditions. The decision recipient must monitor compliance with these permit conditions.

1.7 The decision recipient is obliged to ensure, for example by means of confidentiality commitments, that the holders of the right to process are aware of the confidentiality obligation and the possible consequences of non-compliance.

1.8 Findata monitors compliance with the conditions of the data permits it issues. It may cancel the data permit if the conditions of the permit are not complied with.

2 Confidentiality and data protection

2.1 Personal data processed under the data permit issued by Findata is confidential.

2.2 Under section 23 of the Act on the Openness of Government Activities, the decision recipient is obliged not to disclose confidential data received under this data permit and not use such data for his or her own benefit or for the benefit of another party or to the detriment of another. Violations of confidentiality may lead to sanctions and also justify the withdrawal of the data permit.

2.3 Personal data must be processed in such a way that no confidential data are transmitted in any way to third parties. The processing of confidential personal data in public places must be avoided.

2.4 The data permit decision confirms exhaustively those parties and persons who have the right to process the personal data under this permit (persons with processing rights).

2.5 The decision recipient or parties with processing rights may not attempt to identify persons from pseudonymised material by any means.

2.6 If the decision recipient or persons with processing rights discover direct identifiers in the pseudonymised or anonymised material, they are obliged to notify Findata without delay.

2.7 Information on the identification of a person may not be disseminated or passed on without legal grounds.

2.8 If the decision recipient or person with processing rights discovers that personal data other than the data specified in the permit has been incorrectly disclosed by Findata, the decision recipient or the persons with processing rights must notify Findata and the controller of the project in accordance with the data permit decision without delay.

2.9 Personal data obtained under a data permit may not be used in decision-making that concerns individual persons. Information on illness or its possibility may not, without a justification laid down by law, be conveyed in a document, storage location or system where it has not previously existed.

2.10 The decision recipient may notify the contact person designated by Findata of a clinically significant finding, based on which it would be possible to prevent a certain patient’s health-related risk or to significantly improve the quality of treatment in accordance with section 55 of the Act on the Secondary Use of Health and Social Data. This is done by following the instructions provided by Findata.

3 Controllership

3.1 The data permit decision indicates the party that acts as the controller for the processing of personal data when personal data obtained through Findata in accordance with the data permit are processed for the purpose specified in the data permit decision.

3.2 Findata is the controller of the processing of personal data after receiving the personal data from the controllers covered by the Secondary Use Act until the personal data are disclosed to the decision recipient for the purpose specified in the data permit. The time of disclosure is when Findata first opens a technical access to personal data in a secure processing environment maintained by Findata or when the personal data has been successfully disclosed to another processing environment specified in the permit. The disclosure is made through Findata’s secure user service.

4 Using Findata’s secure operating environment

4.1 The personal data received under the data permit may only be processed in Findata’s secure processing environment unless otherwise stated in the data permit decision.

4.2 Once the personal data are disclosed to the secure processing environment maintained by Findata, Findata is responsible for fulfilling the following statutory obligations:

4.2.1 Maintaining a secure operating environment

4.2.2 Storing of pseudonymised data identifiers (code key) securely as required by section 15 of the Act on the Secondary Use of Health and Social Data.

4.2.3 Preparing and storing a description of the personal data specified in the permit, its formation and the pseudonymisation method used.

4.2.4 If Findata has exceptionally disclosed personal data in an identifiable format, Findata has no obligation to store the code key specified in section 4.2.2 or to describe the pseudonymisation method specified in section 4.2.3. In this case, the controller mentioned in the data permit holds these obligations.

4.2.5 Collecting and storing usage log data from the organisation whose data are used, the user of the data, the processed data and data groups, the purpose of the data, the identification of the data permit application and the time of use.

4.2.6 Collecting and storing disclosure log data from the disclosing organisation, the party disclosing the data, the purpose of disclosing the data, the identification of the data permit application, the recipient of the disclosure and the date on which the data was disclosed.

4.2.7 Destroying or archiving log data 12 years after the expiry of the data permit.

4.2.8 Destroying personal data specified in the permit after the expiry of the data permit, unless otherwise provided in the obligations to archive personal data.

4.3 It is prohibited to make copies of personal data using personal recording methods, such as filming or storing material on a phone.

4.4 The data permit decision confirms the person or persons who have the right to process personal data under the permission (persons with processing rights). These persons are granted access based on a separate order for an operating environment, and they log into the operating environment according to Findata’s instructions.

4.5 The method of logging in to Findata’s secure remote operating environment is a two-step verification: suomi.fi login (identification) combined with a separate link via a mobile connection (so-called mobile duo).

4.6 Findata provides more detailed instructions on logging in to the operating environment for persons whose data are not registered in the Population Information System that the Suomi.fi login requires.

4.7 The decision recipient must ensure that the phone used for logging in is stored safely. The phone may not be handed over to third parties, and it may not be accessible to third parties without valid reason. If the phone goes missing, the controller named in the data permit decision must be informed without delay.

4.8 The decision recipient must determine whether the personal data are subject to an archiving obligation under legislation. If the personal data are subject to an archiving obligation, the decision recipient must submit this information to Findata and give instructions on where and how the personal data are transferred for archiving. If the personal data are subject to an archiving obligation, the obligation also applies to the code key.

5 Use of another operating environment

5.1 The decision recipient must comply with the following conditions if Findata has stated in the data permit decision that the personal data can be disclosed to the operating environment indicated by the decision recipient.

5.2 Findata has the following statutory obligations for which it is responsible:

5.2.1 Storing of pseudonymised data identifiers (code key) securely in accordance with section 15 of the Act on the Secondary Use of Health and Social Data. Findata will store the code key for 12 years or the duration of the validity of the data permit if it is longer than 12 years.

5.2.2 A description of the personal data specified in the permit, its formation and the pseudonymisation method used.

5.2.3 If the personal data has exceptionally been disclosed in an identifiable format, Findata has no obligation to store the code key specified in section 5.3.1 or to describe the pseudonymisation method specified in section 5.3.2. In this case, these obligations lie with the controller of the project in accordance with the data permit decision.

5.3 The decision recipient must ensure that the persons with access rights and the persons responsible for the other operating environment in question are aware of the conditions of the data permit decision.

5.4 The decision recipient ensures that log data are stored in accordance with section 19(2) of the Act on Secondary Use of Health and Social Data. Anyone processing personal data based on a data permit referred to in section 19 of the Act on Secondary Use must record in the usage logs information about the controller that has been granted a data permit, the purpose of use under section 2 of the Act on Secondary Use, the user entitled to process data according to the data permit, the data processed, categories of information, and the time of use of the data.

5.5 Processing of personal data must take place in the operating environment specified in the data permit decision throughout the validity of the data permit. It is prohibited to make copies of personal data using personal recording methods, such as filming or storing material on a phone.

5.6 The decision recipient must ensure that the persons with access rights carefully store the identifiers or other certificates used for identification so that they cannot be accessed by third parties. If a certificate or identification goes missing, the controller of the project in accordance with the data permit decision must be informed without delay.

5.7 The decision recipient is only entitled to request or require the transfer of personal data from the operating environment if such a change has been applied for with a separate permit from Findata and such a permit has been granted.

5.8 The secure operating environment maintained by Findata is the primary processing environment laid down in the Act on Secondary Use. For a justified reason, personal data may be transferred to other secure operating environments as provided in the Act on Secondary Use. The decision recipient is entitled to request the transfer of personal data to a secure operating environment maintained by Findata at any time without applying for a separate permit or an amendment to the permit, regardless of what is stated above in sections 5.5 and 5.7. The request is made by following the currently valid instructions for ordering a secure operating environment maintained by Findata.

5.9 The decision recipient is entitled to request the transfer of personal data to a secure operating environment maintained by Statistics Finland (Fiona remote access environment), regardless of what is stated above in sections 5.5 and 5.7, if the personal data contains data disclosed by Statistics Finland as a statistical authority.

5.10 The decision recipient must determine whether the personal data are subject to an archiving obligation under legislation. If the personal data are subject to an archiving obligation, the decision recipient must ensure archiving. If the personal data are subject to an archiving obligation, the obligation also applies to the code key.

6 Use of data outside the EU/EEA

6.1 Personal data obtained under the data permit may not be processed nor may a technical connection be opened from outside the EU/EEA, unless the data permit decision gives permission to do so.

6.2 If Findata’s data permit decision includes the right to process data outside the EU/EEA, the decision recipient is responsible as the controller for ensuring that there are grounds for the transfer of personal data in accordance with Chapter V of the General Data Protection Regulation, including any necessary and adequate additional safeguards. Findata verifies that there are grounds for the transfer but does not further assess the lawfulness of the transfer of personal data.

7 Changes

7.1 If the personal data obtained under the data permit is to be used for a purpose other than that specified in the data permit decision, a separate application and data utilisation plan must be made for the new purpose. A new purpose for the processing of data may not be initiated until the applicant has received a corresponding positive permit decision.

7.2 The decision recipient must apply for a change to the data permit granted by Findata with a separate application in the situations mentioned in sections 7.2.1–7.2.8. If the change is granted, the recipient must comply with the following conditions that apply to the change.

7.2.1 Extension of the validity of the data permit

7.2.1.1 If the personal data set referred to in the permit has been stored outside a secure operating environment before the decision on changing the data permit has been issued, the personal data must be transferred to a secure operating environment, unless otherwise stated in the decision in question. The data must be transferred without undue delay, but no later than one month after receiving notification of the decision, unless rectification is sought to the decision.

7.2.1.2 A secure user service must be used when transferring personal data.

7.2.2 A change to the personal data processors

7.2.2.1 The decision recipient must provide the decision on the change to the data permit and its conditions as well as where necessary the data permit decisions previously issued to all persons who have been granted the right to process personal data in the decision on the change to the data permit (persons with processing rights).

7.2.2.2 The decision recipient is obliged to ensure, for example by means of confidentiality commitments, that the holders of the right to process are aware of the confidentiality obligation and the possible consequences of non-compliance.

7.2.3 Adding data to personal data set

7.2.3.1 If the personal data set held by the decision recipient has been stored outside a secure operating environment before the decision on changing the data permit has been issued, the data set must be transferred to a secure operating environment, unless otherwise stated in the decision in question. The personal data must be transferred without undue delay, but no later than one month after receiving notification of the decision, unless rectification is sought to the decision.

7.2.3.2 A secure user service must be used when transferring personal data.

7.2.4 Extending the period of time from which data are extracted

7.2.4.1 If the personal data set held by the decision recipient has been stored outside a secure operating environment before the decision has been issued, the data must be transferred to a secure operating environment, unless otherwise stated in the decision. The personal data must be transferred without undue delay, but no later than one month after receiving notification of the decision, unless rectification is sought to the decision.

7.2.4.2 A secure user service must be used when transferring personal data.

7.2.5 Changing the data processing environment

7.2.5.1 The transfer to the new operating environment must be carried out without undue delay, but no later than one month after receiving notification of the decision, unless a rectification of the decision is sought or no other agreement has been reached between the decision recipient and the providers of the operating environments.

7.2.5.2 A secure user service must be used when transferring personal data.

7.2.5.3 When the operating environment is changed to Kapseli or a secure operating environment maintained by Statistics Finland, sections 5.8 and 5.9 of the permit terms shall apply.

7.2.6 Change in the controller of data disclosed with a data permit

7.2.6.1 The new controller must comply with these conditions starting on the date on which the decision to amend the data permit decision was issued, unless a rectification is sought for the decision or otherwise stated in the decision.

7.2.7 Combining data with a prior permit to data with a Findata permit

7.2.7.1 Combining personal data other than those referred to in the Act on Secondary Use with data may have an impact on the quality of the pseudonymisation of the data. If Findata considers it necessary to take additional measures related to the pre-processing of data, the decision recipient is obliged to submit the personal data to be combined to Findata for pre-processing.

7.2.7.2 A secure user service must be used when submitting personal data.

7.2.8 Expanding the processing of personal data outside the EU and EEA.

7.2.8.1 If a data permit decision issued by Findata includes the right to process personal data outside the EU and EEA, the decision recipient is responsible as the controller for ensuring that there are grounds for the transfer of personal data in accordance with Chapter V of the General Data Protection Regulation if necessary, including any necessary and adequate additional safeguards. Findata verifies that there are grounds for the transfer but does not further assess the lawfulness of the transfer of personal data.

8 Ensuring the anonymity of published results

8.1 When the objective is to publish results produced from personal data, Findata is responsible for ensuring the anonymisation of the data to be published. Before publishing results, the decision recipient must deliver the results to be published to Findata for anonymisation.

8.2 If the data permit grants the decision recipient the right to carry out the anonymisation of the results to be published, the anonymised data must be delivered to Findata after the anonymisation.

8.3 The right granted in the data permit to anonymise the results to be published does not prevent the decision recipient from requesting Findata to produce the anonymised results in the manner referred to in Section 52 of the Act on Secondary Use. The request is made by submitting a request for anonymisation to Findata together with a proposal attached to the request.

8.4 Publication refers to making information available to the public and disseminating it to the surrounding society. Presenting the results outside the recipient’s working group is considered publication.