Updated 09.03.2023

Data permits

A data permit is a fixed-term permit from an authority to an individual for the processing of confidential materials that contain personal data.

Please read the Permits web page before applying for a data permit. The page includes useful information to take into consideration before applying, while applying and after applying.

General information on data permit applications

Read up on the general principles that apply to applications, such as what is confidential and what is public. Read more General information on data permit applications

Logging into e-services

This page contains information on how to log in and select an application form. Read more Logging into e-services

Instructions for completing a data permit application

See the 10 point instructions on completing an application and the criteria for an application that can be processed. Read more Instructions for completing a data permit application

Data processing

Read the additional information on processing after a data permit has been issued. Read more Data processing

Information on costs

See an up-to-date price list for data permit decisions. Read more Information on costs

Application assistant

Ensure the correct address for the data permit application. Read more Application assistant

What to remember before sending an application

Select the correct application type

There are different types of applications for different information needs

  • Data permit application, when you need data on individuals
  • Data request, when you need statistical data
  • Amendment application, when you are applying for an amendment to a valid data permit
Describe and limit data

Define the data to be applied for at the variable level and remember the principle of minimisation for other information. Utilise the Data Catalogue (https://aineistokatalogi.fi/) and controller’s advisory services

  • Where from and how do I extract the target group? Is the definition specific enough?
  • Are control subjects/relatives extracted? How will they be defined?
  • From which registers will the data be extracted?
  • What variables will be included in the extraction? 

Other data to be combined

  • Have you made sure that the other data is described on the application?
  • Are the permits for other data valid or is the permit process pending?
Determine the competent authority

Findata is responsible for the application and the permit decision whenever data are combined from data controllers covered by the Act on secondary use of health and social data. The assessment of the competent authority must therefore consider all the data related to the application.

Check from the application assistant which authority the application should be sent to: Application assistant

GENERAL INFORMATION ON DATA PERMIT APPLICATIONS

Data permit applications and their attachments are confidential. We will forward all the necessary information for the extraction of data and the formation of a target group, as well as information on the applicant and their contact details to the controller.

The decisions and permits granted by an authority are primarily public. On our website, we will publish the following information on projects that have received favourable data permit decisions:

  • date of decision
  • permit validity period
  • permit holder (organisation)
  • project name
  • a brief description of the intended use for the data.
  • purpose of use pursuant to the Act on Secondary Use

This public data can be shared from the website also to other communication channels.

After a data permit has been issued, the data is extracted by different controllers and sent in a secure manner to Findata. We pro-process, pseudonymise and, where necessary, combine and anonymise the data.

In practice, all direct identifiers are removed from the information and a pseudo ID is produced, which will allow different people to be identified from one another and information on each individual can be combined from various pieces of data.

If you need data on individuals from just one public sector controller, contact the controller directly. Contact information is available e.g. on the Data page.

Processing of data permit applications

We review all data permit applications within a week of their arrival and divide them into two groups: applications that can be processed and applications that require supplementation.

Applications that can be processed have been filled in with the information necessary for processing. These applications go directly to waiting for processing. We will send the applicant an email within 10 business days of submitting the application, if the application is eligible for processing.

Applications that require supplementation are left waiting for personal guidance, where our expert will contact the applicant and send a detailed supplement request and instructions.

Applicants can utilise the instructions and criteria listed below when completing their data permit application, or they can personally review an application they have already sent before we may contact them.

If you want to supplement the application you have send, send us an email to  info@findata.fi, and ask us to return the application. Enter Return of application in the subject line as well as your application’s record number (e.g. Return of application THL/XXXX/14.0X.00/202X).

LOGGING INTO E-SERVICES

To submit a data permit application, log into our e-service at: asiointi.findata.fi using either Suomi.fi e-Identification or Haka login. For more information on logging in see the Logging into services page.

Please always log in using the same identification methods, so that you can see the applications you have sent and the decisions that have been given.

Data permit applications can be submitted in Finnish, Swedish or English

After logging in

  1. Go to the Submit application tab
  2. Go to “Select a new application form from below” and select “Data permit application: Individual-level data” by clicking on “Add to basket” on the right and continue by clicking on “Apply
  3. Complete the application form utilising the instructions given below and send it to us. Unfortunately, after an application has been sent, it can no longer be edited. If you want to supplement an application that has already been sent, send us an email to info@findata.fi and tell us your application’s ID (e.g. 2022/53). We will return the application so you can supplement it.

See also

Dates of monthly maintenance outages in 2023

INSTRUCTIONS FOR COMPLETING A DATA PERMIT APPLICATION

We have published a new version of the data permit application form. The instructions below apply to the new version. The English version of the instructions will be published later.

1. Applicant information

  • Applicant refers to the person or organisation named on the data permit application, who the data permit will be issued to.
  • Contact person refers to the person who is acting as the applicant’s contact person in matters related to the application and will respond to all questions regarding the application.
  • In the application, describe the link between the contact person and applicant. This can be based for example on an employment or public-service employment contract. The contact person’s details can be forwarded to the controller during the processing of an application, if extraction requires more additional information.

More information:

Applicant’s business ID

Enter the applicant’s business ID If the applicant is a private individual, enter 123 into the field. If the applicant organisation is located in a country other than Finland or an EU/EEA member state, please provide the name of the official register in which the organisation is registered.

Controllership of data being applied for

A controller compliant with the EU General Data Protection Regulation (GDPR) is an organisation or private individual who is the data controller for the data to be formed. The controller determines the purpose and means of processing for the data to be formed on the basis of an issued data permit decision.

There may be more than one controller and the controllers can be joint controllers, which means they will together determine the purpose and means of processing for the data to be formed on the basis of an issued data permit decision. In the case of joint controllership select ‘no’ and enter the names of all controllers into the additional information field.

Criteria of an application that can be processed:

  • There are not apparent errors in the supplied information.
  • There are no inconsistencies or apparent conflicts between the reported information.

Criteria for an application that will be returned:

  • The reported contact details are incomplete or they contain apparent errors.
  • The controller is unclear or illogical (e.g. private individual, although the applicant is an organisation or a party that does not seem to be involved in the project at all).
  • The applicant has applied as a private individual although the application gives the impression that the applicant is an organisation (the individual is employed by the organisation).

2. Invoicing details

  • Invoicing details for Finnish payers:
    • E-invoicing is the primary invoicing method for Finnish payers. In your application, state the connection between the invoiced party and the project. Inconsistencies between the applicant and the invoiced party (e.g. the payer is not the applicant) can be clarified where necessary in the Additional information section.
    • If necessary ask for more information from your organisation’s financial department. You can also search for e-invoice addresses on the TIEKE Finnish Information Society Development Centre website: https://verkkolaskuosoite.fi/. A list of e-invoicing addresses is maintained by Finnish e-invoice operators.
    • A VAT number is formed from a business ID e.g. 1234567-8. Add the two letter country code FI to its beginning and remove the hyphen from the ID e.g. FI12345678.
  • Invoicing details for foreign payers:
    • If the payer is not Finnish the payer should have a Peppol-address for the e-invoicing.
    • If the payer doesn’t have a Peppol-address, the invoice is sent by mail.

Criteria of an application that can be processed:

  • The invoicing details are stated appropriately.
  • There are no apparent conflicts in the invoicing details with information given in other parts of the application

Criteria for an application that will be returned:

  • Individual ambiguities in in voicing details do not constitute grounds for returning the application to the applicant. However, if the application contains numerous ambiguities or the overall picture remains fragmented, the application will be returned to the applicant.

3. Purpose of data use

  • The application should provide an overall picture that corresponds with the stated data use, which is pursuant to the Act on the Secondary Use of Health and Social Data.
  • The requested information content should match the purpose of processing personal data.
  • A thesis must be at least the final assignment for a Bachelor’s degree. The reduced decision price for theses only applies to individual theses. If the thesis is produced as part of a larger project or a project results in a number of theses, this is not the thesis work referred to in the Findata application and should be marked down as a research project.

Lisätietoja:

Planning and reporting duties of an authority

As a rule, only an authority may carry out the planning and reporting duties of an authority. If an authority does not act as the applicant in a data permit application, the authority must be the controller of the data. As a rule, when work is commissioned, the commissioning party will be the processor of personal data.

Teaching

When data is to be used for teaching, the applied for data will be used to prepare teaching materials for personnel and persons studying to become social welfare and health care personnel who process customer data and social welfare and health care professionals. Please note: Data containing identifiers can only be used in teaching situations if teaching cannot be carried out anonymously due to the exceptional nature of the case, the nature of teaching or a similar reason.  The person providing teaching must inform their students of the confidentiality provisions in legislation and the sanctions resulting from their violation.

Scientific research

When data is to be used for scientific research, attach an up-to-date research plan and a research permit from the responsible/target organisation to your application. Also attach an opinion from the Ethics Committee, if the legislation applying to the research and/or the research setup so requires.

Criteria for scientific research (in general):

  • an appropriate research plan
  • responsible person or group
  • results to be published as a scientific publication
  • research produces new information.
Statistics

When data is to be used to form statistics, state in the application which party will compile the statistics and for what purpose.

Criteria of an application that can be processed:

  • No shortcomings, conflict or inconsistencies are apparent in the description provided on data use.

Criteria for an application that will be returned:

  • The data use does not seem to correspond to what was stated.
  • The information on the application are incomplete and the information content does not see to correspond with the purpose and objectives of the processing.
  • The applicant has incorrectly selected thesis as the purpose for their application.

4. Defining the extraction criteria for the target group

  • In the application, describe the formation of the target group as clearly as possible and limit the target group according to the purpose of the work.
  • Pay attention in particular to from which registers and with which criteria the target group will be extracted. For example, a specified are can refer to a place of residence, place of birth, the town or city in which they work or to the town or city where they use services.
  • Data extraction will be implemented in accordance with the extraction description given in the application. Errors in target and control group criteria in the description will have a substantial impact on the usability of the data.
  • If a target group has been formed, specify in your application which data permit was used to form the target group, and whether this data permit is still valid.

Criteria of an application that can be processed:

  • The target group is specified clearly and there is no need to ask for additional information.

Criteria for an application that will be returned:

  • The application does not clearly state how the target group is formed, or if it is ready where it will be sent from and whether the permits related to it are still valid.

5. Definition of conditions for the extraction of controls

  • Describe the extraction of controls clearly. List the registers from which data will be extracted, as well as the criteria on the basis of which controls will be identified.
  • State how many controls will be extracted per research subject, and describe the similarity criteria in as much detail as possible.
  • If relatives are extracted for the target group describe the extraction of relatives clearly. The application must include the registers from which the extraction is implemented, as well as the criteria on the basis of which relatives are identified. Where necessary, specify the relation between the persons (e.g. biological vs. adoptive parents).
  • Please do not attach data to this application. Once a data permit has been issued, we will provide instructions on how the data can be sent securely. Also see the Submission of data to Findata page for instructions.

Criteria of an application that can be processed:

  • Criteria for control subject and/or relative extraction are clear.

Criteria for an application that will be returned:

  • Criteria for control subject and/or relative extraction are unclear

6. Information to be extracted

  • Ensure that Findata is the competent authority to issue a permit for the data you are applying for. Go to the end of the page for the permit competence assistant, where you can check the matter: Go to assistant
  • In order to issue a permit, we need a detailed register-specific list of variables on all the data that will be extracted. If the extraction includes several steps, also describe the order of extraction. We cannot process your application before a variable-specific description has been submitted for each of the registers listed in the application.
  • See e.g. the Data Catalogue for information on the variables contained in registers (https://aineistokatalogi.fi/). Contact controllers directly if you need more information about the data or variables or help with drawing up an extraction description.
  • When drawing up an extraction description, it should be ensured that
    • the extracted registers are named in a manner that can be understood
    • the data to be extracted is described at the variable level
    • the time limits for the data are unambiguous and sensible with regard to the plan (note the update timetables for registers) 
    • there is a technical name listed for all variables contained in the data to be extracted from THL registers. and
    • in the case of extractions implemented in several stages there is a description on the order in which the requested data is extracted.
  • In the case of extractions implemented in several stages, we cannot guarantee that the information will be ready and disclosed within 60 banking days from the date of the decision, as each controller has 30 banking days to submit the information.

Criteria of an application that can be processed:

  • Findata is the competent party to process the application.
  • The application lists the data being applied for at a variable level. The technical names for variables for THL registers are included.
  • Information on variables correspond with the Data Catalogue’s information or the controller’s other variable descriptions.
  • If the application requests the extraction of information on control subjects and/or relatives in addition to information on the actual target group, the application must also clearly specify the information to be extracted for each group.
  • The applied for information can be extracted in accordance with the timetable specified on the application.
  • The application specifies the order in which the data should be extracted.

Criteria for an application that will be returned:

  • It is unclear which registers information is to be extract from.
  • There is no variable-level list on the information to be extracted,
  • The THL’s variable lists are missing technical names.
  • There are issues with the extraction timetable, i.e. the register data cannot be disclosed in accordance with the timetable requested by the applicant.
  • The application does not specify the order in which the requested data should be extracted.

7. Other data to be combined

  • List information on all data that is to be combined to data for which Findata issues permits.
  • Please note that the other data permits must be issued to the same project and must be valid at the time data is processed.
  • If the target group was selected with a permit that was issued previously, list this permit in addition to the permits for other data.
  • If you wish to combine data later on to data for which Findata has provided a permit, send an amendment application for the data to be combined.
  • If  applying to have data accessed with an individual’s consent to be combined with data that Findata has issued a permit for, the research subject’s notification and consent models must be attached to the application.
  • In the application provide the following information the data for which other actors have issued permits:
    • Permit record number, issuer, date of decision.
    • If the permit process is pending, the party to whom the application was submitted and the permit process start date.
    • A brief description of the information content of other data.
    • Do not attach permits for other data to the application. The application processor will ask for these separately of necessary.

Criteria of an application that can be processed:

  • The application does not list all the aforementioned information.

Criteria for an application that will be returned:

  • The application does not clearly specify the other data with which the data applied for from Findata will be combined (although the application gives the impression that this will happen).
  • It is unclear which permits the use of other data is based on or if these permits are still valid.
  • The data combined to the data accessed via Findata has been collected with consent, but the bulletin and consent templates are not attached to the application. 
  • The consent has been submitted, but it is old and it does not list whether the information collected under the consent will be combined to the register data applied for with the data permit application.

8. Data processing

  • In accordance with the Act on Secondary Use of Data, individual-level data is processed primarily in pseudonymised form in a data secure operating environment. Findata’s Kapseli operating environment is the primary option.
  • Another operating environment can be used on a discretionary basis only for a weighty and well-justified reason. Please note that starting 1 May 2022, other operating environments must be audited in accordance with regulations provided by Findata.
  • As a rule, we will provide you access to the combined data as soon as possible. Please specify a date if you would like access to the data on a specific day.
  • A data permit is issued for a fixed period in accordance with the period when the data will be used. The anonymised results must be extracted from the access environment during the set period of use. Where needed, the period of use may be extended by applying for the data permit to be amended. The data must be destroyed immediately after the data permit period comes to an end.
  • We will remove the data from Kapseli when the data permit period comes to an end, unless otherwise agreed on. Findata will retain the pseudonymisation key and the terms and conditions of extraction and documentation used to generate the data so that the data can be reproduced as and when it is needed. Please retain the record number of the original data permit.
  • Please note that the processing of personal data abroad is counted as a transfer of personal data even if the data is in a remote access environment. Read more about transferring personal data and the legal bases for this on the website of the Data Protection Ombudsman’s office: https://tietosuoja.fi/. If necessary contact your organisation’s data protection officer.

Criteria of an application that can be processed:

  • The application states that the data is to be processed in Findata’s remote operating environment or another environment is clearly described and the grounds for needing this environment are clearly stated.
  • There is nothing particular to be remark in about the other points listed above.

Criteria for an application that will be returned:

  • The application indicates that the applicants wants the data to be disclosed to an environment other than Findata’s Kapseli, but no compelling grounds have been given for its necessity.
  • The process for the formation of the data cannot be implemented and no grounds are given for the means of implementation (e.g. researchers have planned that the controllers will send the information directly to the researcher, or that researchers intend to personally combine and/or pseudonymise the data).

9. Data utilisation plan

  • Provide the names of the data processors and their organisations. These individuals are granted access to the data. If you wish to change the processors or add additional processes later on, send Findata an application to amend the data permit. A fee will be charged for an amendment application.
  • State the legal basis for the processing of the personal data received from Findata. Read more about on the terms for processing e.g. on the website of the Data Protection Ombudsman’s office: https://tietosuoja.fi/.
  • Please note in the question concerning special personal data that nearly all data under Findata’s permit competence are special personal data. The processing of special personal data requires a legal basis in accordance with the EU’s GDPR.

Criteria of an application that can be processed:

  • The necessary attachments have been submitted.

Criteria for an application that will be returned:

  • Some attachments are missing.
  • The applicant is applying for a data permit for access to sensitive data, but states that the data they are applying for are not sensitive.
  • There are obvious failings in the data utilisation plan.

10. Additional information and attachments

  • You can give more details in this section on all the application’s previous sections, such as invoicing.
  • If you have spoken about your application with a Findata employee in advance, please give the person’s name.
  • If you have spoken about your application or about extraction with a contact persons of controllers in advance, please enter the names of these persons here. For example, if you have agreed that extraction will be implemented in a certain way, give the name of the person with whom you agreed on the matter.
  • Add possible attachments.
  • Please do not attach data to this application

Criteria of an application that can be processed:

  • The necessary attachments have been submitted.
  • The application lists all the necessary information.
  • Application processing can proceed to a cost estimate, either directly or after the provision of a small amount of more detailed additional information

Criteria for an application that will be returned:

  • The necessary attachments have not been submitted.
  • The application specifies that the applicant has been or will be in contact with the controller before application processing, but not contact persons for the controller are named in the application. E.g. the applicant has agreed with a representative of the controller that extraction will be implemented in a certain way, but there is no information on who this was agreed on with.

Before we make a decision on an application, you as the applicant must approve the maximum cost estimate for the extraction and pre-processing of data.

See also:

How does an application’s processing proceed?

The processing of applications can be divided into five stages, which can be preceded by the applicant independently contacting to a controller. The process is shown in text after the graph.

  1. The applicant contacts controllers directly before sending an application, if they need additional information on the data or variables or they need help with drawing up an extraction description.
    • The applicant can also make an agreement on the implementation of data extraction in a certain manner with the controller. If the customer and the controller’s contact person have agreed for example that a clinician, who is part of the research team will extract the data free of charge, the application’s Additional information section should include information on who this was agreed on with and in what context.
  2. The applicant submits their application or requested additional information to Findata in the e-services at asiointi.findata.fi
    • If the applicant is only submitting additional information, the clarifications can, depending on the case, also be submitted by e-mail.
  3. Our application processors check applications and their appendices to ensure that these contain all the necessary information.
    • Where necessary, we will return an incomplete application for completion or we will submit a request for further clarification to the applicant.
  4. When all the extraction descriptions have been completed, we will send additional information and cost estimate requests to the controllers whose information is requested in the application.
    • The purpose of the request is to determine the feasibility of the requested extraction and the maximum cost estimate for the extraction.
    • According to the Act on the Secondary Use of Health and Social Data, the controllers have 15 working days to respond to this request. Where necessary, controllers may ask for additional details to the request, in which case we will forward the questions to the applicant.
    • At this stage, we will also determine Findata’s internal cost estimate, which comprises our own data processing costs.
  5. Once all the cost estimates have been received, the applicant will be presented with a final extraction description and a maximum cost estimate for approval.
    • The applicant must accept both in order for the permit to be granted.
    • Please note that it will not be possible to change the extraction conditions after this, and that changes made to the extracted data later on will require a separate application.
  6. We at Findata will issue a positive data permit or data request decision.
    • Please note, that data permits are always for a fixed period. If data needs to be saved for a purpose such as the verification of research or the you intend to renew your permit or the extractions must be updated at certain intervals, please include these needs in your application.

DATA PROCESSING AFTER A DATA PERMIT HAS BEEN ISSUED

After a data permit has been issued, the customer’s data is extracted by different controllers and sent in a secure manner to Findata.

At Findata, these data compiled from controllers are then pre-processed and, if necessary combined and anonymised.  In practice, all direct identifiers are removed from the information and a pseudo ID is produced, which will allow different people to be identified from one another and information on each individual can be combined from various pieces of data.

The combination of data only applied the combination on the basis of a personal identity code and is only implemented when combination does not require such things as the harmonisation of classifications.

After the data has been processed, the data is transferred to a secure operating environment where the customer can access and process it.

See also:

How will the compilation of the applied for data proceed?

Once we have issued a data permit or made a decision on a data permit, there are five different staged for the compilation of data and its pre-processing. The process is shown in text after the graph.

  1. We will send the data requests to the controllers so that extraction can begin. Each controller has 30 working days to submit the requested data to Findata.
    • Depending on the nature of the project and the extraction, this phase may include several consecutive parts, such as 1. extraction of the target group; 2. extraction of the controls; 3. extraction of data.
  2. We will begin to process the sent data. As agreed on for each project, we will check, combine and pseudonymise the data or make statistics on them in accordance with a data request.
  3. The completed data will be handed over to the permit holder in an agreed-upon secure operating environment. Findata’s secure remote operating environment Kapseli is the statutory primary option. The data can be disclosed to other operating environments, if this is necessary for the completion of the project.
    • The target time for the handing over of data is 60 working days. The target time will not be possible if a target group is not given immediately after the decision has been made, data extraction is carried out in several stages, deliveries by data controllers are delayed or the data is exceptionally complex.
  4. The permit holder has 30 working days to review the material. The permit holder must notify Findata within this given time period of any comments they wish to make on the material.
    • Check the data thoroughly as soon as possible. Errors that occur during extraction can accumulate, if, for example, the target group has been formed incorrectly and other controllers must carry out their own extractions all over again for this reason.
  5. We will remove the data from our own systems 3 months after it has been handed over. We will retain the code keys for pseudonymised data that will enable the data to be reproduced.
    • Data permits are always for a fixed period. If data needs to be saved for a purpose such as the verification of research or the you intend to renew your permit or the extractions must be updated at certain intervals, please include these needs in your application.

INFORMATION ON COSTS

We will charge a decision fee for data permits according to the attached pricelist. In addition to the decision fee, we will charge an hourly fee for data processing carried out at Findata.

The total price will also be affected by the costs incurred by data controllers for the extraction and delivery of data, based on each controller’s own provisions.

The data will forwarded for analysis first and foremost to Findata’s Kapseli environment, which is also subject to a fee. For more information please see the page Kapseli.

For more information on charges see the page Pricelist.

Also see the page Average cost estimates (in Finnish)

Data permit pricing

Price categoryCriteriaPrice
Data permit for a thesisA data permit related to a thesis for an applicant who is domiciled in Finland or another EU or EEA country.

If the project produces several theses or other outputs not related to the thesis, this is a normal or extensive information permit.
250,00 EUR
VAT +0%
Normal data permitThe application concerns the data of 1 to 15 data controllers and the applicant is established in an EU or EEA country.

If the sampling description is modified at the initiative of the applicant in the middle of the application processing process after receiving the cost estimates, this is an extensive data permit, cf. below.
1 000,00 EUR
VAT+0 %
Extensive data permitWhen one or more of the following is met:
– The application concerns the data of more than 15 data controllers
– The sampling description is modified at the initiative of the applicant after receiving the cost estimates, ie more than one round of cost estimates is required from one or more controllers
– The applicant is established outside the EU or EEA.
3 000,00 EUR
VAT +0 %

Findata’s hourly based fees

Price categoryCriteriaPrice
Data processingHourly fee for data combining, pre-processing, pseudonymisation and anonymisation.115,00 EUR/hour
VAT +0 %
Costs of processing a lapsed applicationIf the application for a data permit or data request is canceled or not completed after the start of the processing, we will charge a proportion of the workload.72,00 EUR/hour
VAT +0 %

Ensure the correct address for the data permit application

Select the controllers from which the data will be retrieved

Apply permit from the controller in question. The exception is those controllers who have delegated jurisdiction to Findata.

Apply permit (s) from the controllers in question.

Findata is responsible for data permits of the Finnish Center for Pensions and the Finnish Digital Agency and / or Statistics Finland if the data are combined with

  • data of other public organizations under the Act on Secondary Use of Health and Social Data
  • data stored on Kanta services or
  • to the register data of a private social or health care service provider.

Apply permit from Findata.

Findata is responsible for processing and making decisions concerning data permit and amendment applications, when the application applies to data from numerous public social and health sector controllers.

Apply permit from Findata.

Findata is responsible for processing and making decisions concerning data permit and amendment applications, when the application applies to:

  • data from numerous public social and health sector controllers
  • register data from one or numerous private social welfare and health care service organisers, or
  • customer data saved in the Kanta Services.

Apply permit from Findata.

Finnish Institute for Health and Welfare (THL). The Regional Administrative Agencies (AVI) and National Supervisory Authority for Welfare and Health (Valvira) have delegated the jurisdiction to Findata.

As far as THL is concerned, the delegation of jurisdiction does not apply to its

  • internal permit management
  • the transfer of samples and data transferred to THL Biobank.

Apply permit from Findata.

Findata is responsible for processing and making decisions concerning data permit and amendment applications, when the application applies to:

  • data from numerous public social and health sector controllers
  • register data from one or numerous private social welfare and health care service organisers, or
  • customer data saved in the Kanta Services.