Data permits

A data permit is a fixed-term permit from an authority to an individual for the processing of confidential materials that contain personal data.

Please read the Permits web page before applying for a data permit. The page includes useful information to take into consideration before applying, while applying and after applying.

Data permit applications and their attachments are confidential. We will forward all the necessary information for the extraction of data and the formation of a target group, as well as information on the applicant and their contact details to the controller.

The decisions and permits granted by an authority are primarily public. On our website, we will publish the following information on projects that have received favourable data permit decisions:

• date of decision
• permit validity period
• permit holder (organisation)
• project name
• a brief description of the intended use for the data.
• purpose of use pursuant to the Act on Secondary Use

This public data can be shared from the website also to other communication channels.

After a data permit has been issued, the data is extracted by different controllers and sent in a secure manner to Findata. We pro-process, pseudonymise and, where necessary, combine and anonymise the data.

In practice, all direct identifiers are removed from the information and a pseudo ID is produced, which will allow different people to be identified from one another and information on each individual can be combined from various pieces of data.

If you need data on individuals from just one public sector controller, contact the controller directly. Contact information is available e.g. on the Data page.

Processing of data permit applications

We review all data permit applications within a week of their arrival and divide them into two groups: applications that can be processed and applications that require supplementation.

Applications that can be processed have been filled in with the information necessary for processing. These applications go directly to waiting for processing. We will send the applicant an email within 10 business days of submitting the application, if the application is eligible for processing.

Applications that require supplementation are left waiting for personal guidance, where our expert will contact the applicant and send a detailed supplement request and instructions.

Applicants can utilise the instructions and criteria listed below when completing their data permit application, or they can personally review an application they have already sent before we may contact them.

If you want to supplement the application you have send, send us an email to  info@findata.fi, and ask us to return the application. Enter Return of application in the subject line as well as your application’s record number (e.g. Return of application THL/XXXX/14.0X.00/202X).

To submit a data permit application, log into our e-service at: asiointi.findata.fi using either Suomi.fi e-Identification or Haka login. For more information on logging in see the Logging into services page.

Please always log in using the same identification methods, so that you can see the applications you have sent and the decisions that have been given.

Data permit applications can be submitted in Finnish, Swedish or English

1 Public information about the project

• Project name
  • The project name of a project that has been granted a data permit is published on Findata’s web page. Write the project name so that it does not contain any confidential information.
• A brief description of the project
  • Provide a short description of the study or project and the use of the requested data. The short description of the purpose of data use of a project that has been granted a data permit is published on Findata’s web page. Write the description so that it does not contain any confidential information.

2 Details of the applicant

• Permit applicant refers to the person or organization named in the data permit application to whom the data permit applied for will be issued. Enter the contact person’s information in the “Details of the contact person” section.
• Enter the applicant’s business ID. If the applicant is an individual, enter 123 in the field. If the applicant organization is located in an EU/EEA country other than Finland, name the official register in which the organization is registered.

3 Details of the contact person

• Contact person refers to the person who responds to enquiries concerning the application. The contact person’s details can be forwarded to the controller during the processing of an application if extraction requires more additional information.
• Describe the relationship between the contact person and the applicant in the application. The relationship can be based on, for example, an employment or a public service appointment.

4 Invoicing details

• E-invoice is always the primary method of invoicing. If the invoiced party is different from the applicant, indicate the connection of the invoiced party to the project in the application.
• Invoicing details for Finnish payers:
  • E-invoicing is the primary invoicing method for Finnish payers. In your application, state the connection between the invoiced party and the project. Inconsistencies between the applicant and the invoiced party (e.g. the payer is not the applicant) can be clarified where necessary in the Additional information section.
  • If necessary ask for more information from your organisation’s financial department. You can also search for e-invoice addresses on the TIEKE Finnish Information Society Development Centre website (verkkolaskuosoite.fi). A list of e-invoicing addresses is maintained by Finnish e-invoice operators.
  • A VAT number is formed from a business ID e.g. 1234567-8. Add the two letter country code FI to its beginning and remove the hyphen from the ID e.g. FI12345678.
• Invoicing details for foreign payers:
  • If the payer is not Finnish the payer should have a Peppol-address for the e-invoicing. Read more about Peppol (peppol.org).
  • If the payer doesn’t have a Peppol-address, the invoice is sent by mail.

5 Purpose of data use

• The application should provide an overall picture that corresponds with the stated data use, which is pursuant to the Act on the Secondary Use of Health and Social Data.
• The requested information content should match the purpose of processing personal data.
• A thesis must be at least the final assignment for a Bachelor’s degree. The reduced decision price for theses only applies to individual theses. If the thesis is produced as part of a larger project or a project results in a number of theses, this is not the thesis work referred to in the Findata application and should be marked down as a research project.

Click to see more information about different use purposes:

6 Requested data set

• The data set requested in the data permit application should be described, making clear what data sets the application concerns (‘extraction description’).
• The extraction description should only focus on the necessary volume of personal data, following the principle of data minimisation of the EU’s General Data Protection Regulation. The application should justify why the requested data are needed for the purposes stated in the application.
• Define the formation and criteria of the target group using the extraction description form (download Word-file, 51,2 kb). Do not attach an existing target group, controls, relatives or completed consent forms to the application.

6.1 Defining the extraction criteria for the target group

• In this context, the target group refers to persons whose data is to be extracted based on the data permit applied here.

6.2 Defining the extraction criteria for controls and relatives

• The description must include the registers from which the controls are extracted and the criteria on the basis of which the controls are identified.
• Indicate how many controls are selected per research subject, and the matching criteria as precisely as possible. If there are multiple target groups, describe clearly for which target groups the controls are extracted and how the extraction will be conducted.
• Go through the selection criteria of the controls with the data controller before submitting the application.

6.3 Extraction description

• Describe, which data will be extracted, and over which period. The data requested in the data permit application should be described in such way that it is clear which data sets the application concerns.
• Following the principle of data minimisation of the EU’s General Data Protection Regulation, the extraction description should contain only the necessary volume of personal data
• In order to issue a permit, we need a register-specific list of variables on all the data requested and the time frame for data extraction. We cannot process your application before a variable-specific description has been submitted for each of the registers listed in the application. Note that if you need data related to age or gender, also mention this and the register based on which these data will be formed
• Provide this information using the extraction description form (Word-file, 51,2 kb). Download and fill in the form according to the instructions. Contact the controllers of the register directly and go through the extraction description with the controllers before submitting your application. The controllers will also give an estimate of the costs of the extractions. Note that even if you do not receive cost estimates from the controllers in advance, you can still send your application and the extraction description form to Findata.
  • Attach the completed extraction description forms in Word file format to your application.
  • The extraction description form is required in Word file format, as Findata or the controllers may have to make changes to it.

7 Other data to be combined

• It is also possible to combine other data, such as data in your possession or data obtained from elsewhere, with the register data requested with this data permit application.
• Note that the other data permits must be issued to the same project and the permits must be valid at the time data is processed.
• Choose “Yes” as the answer also when the target group is formed, for example, on the basis of another permit or consent and will be delivered to Findata.
• List information on all data that is to be combined to data for which Findata issues permits.
• Note that the other data permits must be issued to the same project and must be valid at the time data is processed.
• If the target group was selected with a permit that was issued previously, list this permit in addition to the permits for other data.
• If you wish to combine data later on to data for which Findata has provided a permit, send an amendment application for the data to be combined.
• If  applying to have data accessed with an individual’s consent to be combined with data that Findata has issued a permit for, the research subject’s notification and consent models must be attached to the application.
• In the application provide the following information the data for which other actors have issued permits:
  • Permit record number, issuer, date of decision.
  • If the permit process is pending, the party to whom the application was submitted and the permit process start date.
  • A brief description of the information content of other data.
  • Do not attach permits for other data to the application. The application processor will ask for these separately of necessary.

8 Data processing

• In accordance with the Act on Secondary Use of Data, individual-level data is processed in a secure operating environment mainly in a pseudonymised form.The data set is primarily disclosed to Kapseli, a secure operating environment provided by Findata.
• If you wish that the data will be processed in some other secure operating environment, give justifications as to why this is necessary for the project. The operating environments of other service providers can be found in Valvira’s database of secondary-use environments (TOINI). More information on Valvira’s website: Database of secondary-use environments (valvira.fi).
• The data will be delivered to the remote operating environment as a CSV file.

9 Data utilisation plan

• State which organization or individual is the controller of the data to be formed based on the data permit.
• A controller under the EU General Data Protection Regulation (GDPR) is an organization or individual who is the controller of the data. The controller determines the purposes and means of processing the data generated based on the data permit. The controller can be either the applicant or someone else.
• If the applicant acts as a processor of personal data on behalf of a third party (controller), the applicant and the controller must enter into a written agreement on the processing of personal data required by the General Data Protection Regulation.
• There may be more than one controller and the controllers may be joint controllers, in which case they define the purposes and means of processing the data together. In the case of a joint controllership, select ‘A third party’ and enter all controllers in the additional information field.
• Provide the names of the data processors and their organisations. These individuals are granted access to the data. If you wish to change the processors or add additional processes later on, send Findata an application to amend the data permit. A fee will be charged for an amendment application.
• State the legal basis for the processing of the personal data received from Findata. Read more about on the terms for processing e.g. on the website of the Data Protection Ombudsman’s office (tietosuoja.fi).
• Note in the question concerning special personal data that nearly all data under Findata’s permit competence are special personal data. The processing of special personal data requires a legal basis in accordance with the EU’s GDPR.

10 Additional information and attachments

• In this section, you can specify previous sections of the application, for example with regard to invoicing.
• If you have spoken about your application with a Findata employee in advance, give the person’s name.
• If you have spoken about your application or about extraction with a contact persons of controllers in advance, enter the names of these persons here. For example, if you have agreed that extraction will be implemented in a certain way, give the name of the person with whom you agreed on the matter.
• Add possible attachments.
• Please do not attach data to this application

11 Confirmation of information

Before we make a decision on an application, you as the applicant must approve the maximum cost estimate for the extraction and pre-processing of data.

See also:

After a data permit has been issued, the customer’s data is extracted by different controllers and sent in a secure manner to Findata. We request the materials from the controllers primarily in CSV format.

At Findata, these data compiled from controllers are then pre-processed and, if necessary combined and anonymised.  In practice, all direct identifiers are removed from the information and a pseudo ID is produced, which will allow different people to be identified from one another and information on each individual can be combined from various pieces of data.

The combination of data only applied the combination on the basis of a personal identity code and is only implemented when combination does not require such things as the harmonisation of classifications.

After the data has been processed, the data is transferred to a secure operating environment where the customer can access and process it. We deliver the data in CSV format (semicolon as separator, UTF-8 encoding).

See also:

We will charge a decision fee for data permits according to the attached pricelist. In addition to the decision fee, we will charge an hourly fee for data processing carried out at Findata.

The total price will also be affected by the costs incurred by data controllers for the extraction and delivery of data, based on each controller’s own provisions.

The data will forwarded for analysis first and foremost to Findata’s Kapseli environment, which is also subject to a fee. For more information see the page Kapseli.

For more information on charges see the page Pricelist.

Also see the page Average cost estimates (in Finnish)

Data permit pricing

Price category	Criteria	Price
Data permit for a thesis	A data permit related to a thesis for an applicant who is domiciled in Finland or another EU or EEA country. If the project produces several theses or other outputs not related to the thesis, this is a normal or extensive information permit.	250,00 EUR VAT +0%
Normal data permit	The application concerns the data of 1 to 15 data controllers and the applicant is established in an EU or EEA country. If the sampling description is modified at the initiative of the applicant in the middle of the application processing process after receiving the cost estimates, this is an extensive data permit, cf. below.	1 000,00 EUR VAT+0 %
Extensive data permit	When one or more of the following is met: – The application concerns the data of more than 15 data controllers – The sampling description is modified at the initiative of the applicant after receiving the cost estimates, ie more than one round of cost estimates is required from one or more controllers – The applicant is established outside the EU or EEA.	3 000,00 EUR VAT +0 %

Findata’s hourly based fees

Price category	Criteria	Price
Data processing	Hourly fee for data combining, pre-processing, pseudonymisation and anonymisation.	115,00 EUR/hour VAT +0 %
Costs of processing a lapsed application	If the application for a data permit or data request is canceled or not completed after the start of the processing, we will charge a proportion of the workload.	72,00 EUR/hour VAT +0 %