Updated 26.07.2024

Data permits

A data permit is a fixed-term permit from an authority to an individual for the processing of confidential materials that contain personal data.

Please read the Permits web page before applying for a data permit. The page includes useful information to take into consideration before applying, while applying and after applying.

General information on data permit applications

Read up on the general principles that apply to applications, such as what is confidential and what is public. Read more General information on data permit applications

Logging into e-services

This page contains information on how to log in and select an application form. Read more Logging into e-services

Instructions for completing a data permit application

See the section specific instructions on completing an application, that also acts as the criteria for an application that can be processed. Read more Instructions for completing a data permit application

Data processing

Read the additional information on processing after a data permit has been issued. Read more Data processing

Information on costs

See an up-to-date price list for data permit decisions. Read more Information on costs

Application assistant

Ensure the correct address for the data permit application. Read more Application assistant

What to remember before sending an application

Select the correct application type

There are different types of applications for different information needs

  • Data permit application, when you need data on individuals
  • Data request, when you need statistical data
  • Amendment application, when you are applying for an amendment to a valid data permit
Describe and limit data

Define the data to be applied for at the variable level and remember the principle of minimisation for other information. Utilise the Data Resources Catalogue (aineistokatalogi.fi) and controller’s advisory services

  • Where from and how do I extract the target group? Is the definition specific enough?
  • Are control subjects/relatives extracted? How will they be defined?
  • From which registers will the data be extracted?
  • What variables will be included in the extraction? 

Other data to be combined

  • Have you made sure that the other data is described on the application?
  • Are the permits for other data valid or is the permit process pending?
Determine the competent authority

Findata is responsible for the application and the permit decision whenever data are combined from data controllers covered by the Act on secondary use of health and social data. The assessment of the competent authority must therefore consider all the data related to the application.

Check from the application assistant which authority the application should be sent to.

General information on data permit applications

Data permit applications and their attachments are confidential. We will forward all the necessary information for the extraction of data and the formation of a target group, as well as information on the applicant and their contact details to the controller.

The decisions and permits granted by an authority are primarily public. On our website, we will publish the following information on projects that have received favourable data permit decisions:

  • date of decision
  • permit validity period
  • permit holder (organisation)
  • project name
  • a brief description of the intended use for the data.
  • purpose of use pursuant to the Act on Secondary Use

This public data can be shared from the website also to other communication channels.

After a data permit has been issued, the data is extracted by different controllers and sent in a secure manner to Findata. We pro-process, pseudonymise and, where necessary, combine and anonymise the data.

In practice, all direct identifiers are removed from the information and a pseudo ID is produced, which will allow different people to be identified from one another and information on each individual can be combined from various pieces of data.

If you need data on individuals from just one public sector controller, contact the controller directly. Contact information is available e.g. on the Data page.

Processing of data permit applications

We review all data permit applications within a week of their arrival and divide them into two groups: applications that can be processed and applications that require supplementation.

Applications that can be processed have been filled in with the information necessary for processing. These applications go directly to waiting for processing. We will send the applicant an email within 10 business days of submitting the application, if the application is eligible for processing.

Applications that require supplementation are left waiting for personal guidance, where our expert will contact the applicant and send a detailed supplement request and instructions.

Applicants can utilise the instructions and criteria listed below when completing their data permit application, or they can personally review an application they have already sent before we may contact them.

If you want to supplement the application you have send, send us an email to  info@findata.fi, and ask us to return the application. Enter Return of application in the subject line as well as your application’s record number (e.g. Return of application THL/XXXX/14.0X.00/202X).

Logging into e-services

To submit a data permit application, log into our e-service at: asiointi.findata.fi using either Suomi.fi e-Identification or Haka login. For more information on logging in see the Logging into services page.

Please always log in using the same identification methods, so that you can see the applications you have sent and the decisions that have been given.

Data permit applications can be submitted in Finnish, Swedish or English

After logging in

  1. Go to the Submit application tab
  2. Go to “Select a new application form from below” and select “Data permit application: Individual-level data” by clicking on “Add to basket” on the right and continue by clicking on “Apply
  3. Complete the application form utilising the instructions given below and send it to us. Unfortunately, after an application has been sent, it can no longer be edited. If you want to supplement an application that has already been sent, send us an email to info@findata.fi and tell us your application’s ID (e.g. 2022/53). We will return the application so you can supplement it.

See also

Dates of monthly maintenance outages in 2024
  • 18.1.2024
  • 22.2.2024
  • 21.3.2024
  • 18.4.2024
  • 23.5.2024
  • 20.6.2024
  • 18.7.2024
  • 22.8.2024
  • 19.9.2024
  • 17.10.2024
  • 21.11.2024
  • 19.12.2024

Instructions for completing a data permit application

Take these into account before filling out the application

Confirm the feasibility of the extractions from the data controllers. Use the extraction description form.

Download the extraction description form (Word document, 56 KB)

You need the following attachments to fill out the application.

  • Completed extraction description form
  • Privacy notice regarding requested information

You may also need the following attachments to fill out the application:

  • Research plan when the purpose of data use is scientific research
  • Organization’s research permit, when the research has required a research permit from the responsible organization
  • Positive ethical review when the research has required an ethical review
  • Description of the sampling method of the target group (if necessary)
  • The consent form and information letter that you have sent to the target group, when the target group is formed based on consent
  • Previous permit concerning the target group, controls or relatives
  • Impact assessment (DPIA) when the General Data Protection Regulation or the Data Protection Act requires the preparation of an impact assessment

1 Public information about the project

  • Project name
    • The project name of a project that has been granted a data permit is published on Findata’s web page. Write the project name so that it does not contain any confidential information.
  • A brief description of the project
    • Provide a short description of the study or project and the use of the requested data. The short description of the purpose of data use of a project that has been granted a data permit is published on Findata’s web page. Write the description so that it does not contain any confidential information.

2 Details of the applicant

  • Permit applicant refers to the data controller i.e. person or organization named in the data permit application to whom the data permit applied for will be issued. Enter the contact person’s information only in the “Details of the contact person” section.
  • Enter the applicant’s business ID. If the applicant is an individual, enter 123 in the field. If the applicant organization is located in an EU/EEA country other than Finland, name the official register in which the organization is registered.

3 Details of the contact person

  • Contact person refers to the person who responds to enquiries concerning the application. The contact person’s details can be forwarded to the controller during the processing of an application if extraction requires more additional information.
  • Describe the relationship between the contact person and the applicant in the application. The relationship can be based on, for example, an employment or a public service appointment.

4 Invoicing details

  • E-invoice is always the primary method of invoicing. If the invoiced party is different from the applicant, indicate the connection of the invoiced party to the project in the application.
  • Invoicing details for Finnish payers:
    • E-invoicing is the primary invoicing method for Finnish payers. In your application, state the connection between the invoiced party and the project. Inconsistencies between the applicant and the invoiced party (e.g. the payer is not the applicant) can be clarified where necessary in the Additional information section.
    • If necessary ask for more information from your organisation’s financial department. You can also search for e-invoice addresses on the TIEKE Finnish Information Society Development Centre website (verkkolaskuosoite.fi). A list of e-invoicing addresses is maintained by Finnish e-invoice operators.
    • A VAT number is formed from a business ID e.g. 1234567-8. Add the two letter country code FI to its beginning and remove the hyphen from the ID e.g. FI12345678.
  • Invoicing details for foreign payers:
    • If the payer is not Finnish the payer should have a Peppol-address for the e-invoicing. Read more about Peppol (peppol.org).
    • If the payer doesn’t have a Peppol-address, the invoice is sent by mail.
Applicant’s business ID

Enter the applicant’s business ID If the applicant is a private individual, enter 123 into the field. If the applicant organisation is located in a country other than Finland or an EU/EEA member state, provide the name of the official register in which the organisation is registered.

Pay attention to the following

  • The contact information and billing information have been filled in appropriately and are consistent with the information provided elsewhere in the application.
  • In most cases, the applicant is an organization. If you are applying for a permit as an individual, you can provide additional information in the additional information field at the end of the form.
Controllership of data being applied for

A controller compliant with the EU General Data Protection Regulation (GDPR) is an organisation or private individual who is the data controller for the data to be formed. The controller determines the purpose and means of processing for the data to be formed on the basis of an issued data permit decision.

There may be more than one controller and the controllers can be joint controllers, which means they will together determine the purpose and means of processing for the data to be formed on the basis of an issued data permit decision. In the case of joint controllership select ‘no’ and enter the names of all controllers into the additional information field.

5 Purpose of data use

  • The application should provide an overall picture that corresponds with the stated data use, which is pursuant to the Secondary Use Act.
  • The requested data should match the purpose of processing personal data.
  • A thesis must be at least the final assignment for a Bachelor’s degree. The reduced decision price for theses only applies to individual theses. If the thesis is produced as part of a larger project or a project results in a number of theses, this is not the thesis work referred to in the Findata application and should be marked down as a research project.

Click to see more information about different use purposes:

Education

When data is to be used for education, the applied for data will be used to prepare teaching materials for personnel and persons studying to become social welfare and health care personnel who process customer data and social welfare and health care professionals. Please note: Data containing identifiers can only be used in teaching situations if teaching cannot be carried out anonymously due to the exceptional nature of the case, the nature of teaching or a similar reason.  The person providing teaching must inform their students of the confidentiality provisions in legislation and the sanctions resulting from their violation.

Planning and reporting duties of an authority

As a rule, only an authority may carry out the planning and reporting duties of an authority. If an authority does not act as the applicant in a data permit application, the authority must be the controller of the data. As a rule, when work is commissioned, the commissioning party will be the processor of personal data.

Scientific research

When data is to be used for scientific research, attach an up-to-date research plan and a research permit from the responsible/target organisation to your application. Also attach an opinion from the Ethics Committee, if the legislation applying to the research and/or the research setup so requires.

Criteria for scientific research (in general):

  • an appropriate research plan
  • responsible person or group
  • results to be published as a scientific publication
  • research produces new information.
Statistics

When data is to be used to form statistics, state in the application which party will compile the statistics and for what purpose.

Pay attention to the following

  • The purpose of use of the data corresponds to the information stated and given elsewhere in the application.
  • Necessary attachments have been added and they do not conflict with each other or with other information (e.g. other permits, statements, research plan and abstract).
  • If it is a thesis, a permit is applied for only one thesis and the necessary information has been provided.

6 Requested data set

  • The data set requested in the data permit application should be described, making clear what data sets the application concerns. This is called the extraction description.
  • The extraction description should only focus on the necessary volume of personal data, following the principle of data minimisation of the EU’s General Data Protection Regulation. The application should justify why the requested data are needed for the purposes stated in the application.
  • Define the formation and criteria of the target group using the extraction description form (download Word-file, 51,2 kb). Fill one form per data controller. Relatives and control groups are also defined on the form.
  • Do not attach an existing target group, controls, relatives or completed consent forms to the application.
  • Please complete the following information on the extraction description form regarding the final payer of the invoice:
    • Name
    • VAT ID
    • Country

6.1 Defining the extraction criteria for the target group

  • In this context, the target group refers to persons whose data is to be extracted based on the data permit applied here.
  • In most cases, the target group is formed based on the selection criteria described in the application from a data controller under the Secondary Use Act. In this case, select “The target group is formed according to the selection conditions described below, based on the data permit you are applying for.”
  • If the target group is to be selected from Findata’s ready-made data set, choose “The target group is formed from Findata’s ready-made data set.”
    • In this case, indicate Findata as the data controller and the name of the data set as the register in the application’s table and extraction description form (e.g., Findata and FinRegistry ready-made data set).
  • If the target group has already been formed, select “The target group has been formed and the permit applicant or someone else submits the personal identity codes of the target group to Findata.
    • In the application, specify under which data permit the target group was formed and whether the data permit is still valid. Also select this option when the target group is formed based on consent. If the permit for the target group is being sought from elsewhere and the application is still under review or pending, provide the available information. If you already have a permit for part of the target group and are now applying for new individuals to be included, select both of the above options.
    • Note that, in principle, a research permit obtained from an organization is a permit to conduct research. A data permit, on the other hand, is a permit to use personal data in the research. If you are unsure, contact the permitting authority.
  • If the size of the target group is unknown, contact the data controllers and/or estimate the size rather too large than too small.
  • Clearly describe the formation of the target group in the application and limit the target group according to the purpose of use.
  • Pay attention to which registers and criteria are used to select the target group. For example, regional boundaries can refer to the place of residence, place of birth, place of work, or place of service use.
  • The data extraction is carried out according to the selection described in the application. Errors in the description of the criteria for the target and control groups significantly affect the usability of the data.

6.2 Defining the extraction criteria for controls and relatives

  • Describe the extraction of controls as clearly as possible.
    • Specify the registers from which the selection is made and the criteria based on which the controls are identified.
  • Indicate how many controls are extracted per study subject and define the matching criteria as precisely as possible.
  • If relatives are extracted for the target group, describe the selection of relatives clearly. The application should specify the registers from which the extraction is made and the criteria based on which the relatives are identified. If necessary, specify the relationship (e.g., biological vs. adoptive parents).
  • If the control and/or relative extraction is made from Findata’s ready-made data set, indicate Findata as the data controller and the name of the data set as the register in the selection description form.
    • Note! Findata will separately assess whether it is possible to implement the control extraction.
  • Do not attach data to the application. Once the data permit has been granted, we will provide separate instructions on how to deliver the data securely. Instructions can also be found on the page Data transfers to Findata.

6.3 Extraction description

  • In this section, we ask what data will be extracted for individuals in the target group and from which time period. Describe the information clearly and include only the necessary amount of personal data.
  • To grant the permit, we need a register-specific list of variables for all requested data and the time period from which the data will be extracted.
    • If the data extraction involves multiple stages, also describe the extraction order.
    • Your application cannot be processed until a variable-specific description has been provided for each register mentioned in the application.
    • If you need age- or gender-related data, also mention those and the register from which these data will be obtained.
  • If the data is extracted from Findata’s ready-made data set, indicate Findata as the data controller and the name of the data set as the register in the table and extraction description form.
    • Also specify the name of the dataset in the register column (e.g., Vaccinations from the FinRegistry ready-made data set).
  • Provide detailed variable information on the extraction description form, including for possible control and relative selections. Download the extraction description form (Word file, 57 kB) and fill it out according to the instructions.
  • Contact the data controllers directly and review the extraction description with them before submitting the application to Findata.
    • The data controller will also provide an estimate of the extraction costs.
    • Note that even if you do not receive cost estimates from the controllers in advance, you can still send your application and the extraction description form to Findata.
  • If there are multiple target groups or if the application requests data extraction for controls and/or relatives in addition to the main target group, specify the data to be extracted for each group.
  • If you want to combine other data with the information requested in the application, do not describe them here, but in the next section 7 Other Data to be Combined.

Pay attention to the following

  • Attach the extraction description forms to the application, where the requested information is described at the variable level. Remember that for THL’s registers, the technical variable names must be included.
  • Ensure that the variable information corresponds to the ones in the Data Resources Catalogue (aineistokatalogi.fi) or other data controller’s variable descriptions.
  • If the application requests data extraction not only for the main target group but also for controls and/or relatives, clearly specify the data to be extracted for each group in the application.
  • Indicate the order in which the data will be extracted. If necessary, check with the data controller to determine the time period from which the data can be extracted.

Tips for defining the extraction of textual data

  1. Consider necessity: Determine if textual data is essential for conducting your research.
    • The need for unstructured data must always be justified. Often, similar information can be extracted in a structured format.
    • We mask direct identifiers in textual data, which affects the usability of the data.
    • Processing textual data takes time and significantly increases costs.
  2. Request insights from the data controller on appropriate keywords.
    • The data controller is best positioned to assess which keywords will yield the most comprehensive results without extraneous information.
    • For example, the keyword pressure will produce all records related to pressure, such as blood pressure, eye pressure, etc. If the research focus is on blood pressure, the extracted textual data will contain a substantial amount of unnecessary information.
  3. Specify the length of the text snippet to be extracted on a variable-by-variable basis.
    • The text snippet should be as short as possible.
    • Request the data controller’s view on the length of the text to be extracted.
    • For instance, keyword +/- 50 characters.
  4. Ensure the extraction is scoped appropriately.
    • If the extraction can be limited to the information from a specific department or field of treatment instead of the entire healthcare district’s database, the amount of text to be extracted and the processing costs will be significantly lower.

7 Other data to be combined

  • It is possible to combine other data, such as data you possess or data obtained from other sources, with the register data requested in the data permit application.
    • List all data sets that will be combined with the register data currently being requested from Findata. We need this information to assess the workload of data processing and to make a cost estimate.
    • Describe the data sets to be combined and their sources individually. Indicate whether the combined data sets are in a structured form or, for example, image or text data, and for which target group the data sets were formed.
    • In the table, describe in the Data column in a free-form manner, for example, “target group / data obtained with Kela/Health Care District’s data permit / survey data.”
  • Note that the data permits for the data sets to be combined must be granted for the same project and must be valid at the time of data processing.
    • If you are planning to apply for permits from other authorities but have not yet applied, indicate this in the section “Other pending or to be applied for permits.
  • If the target group is provided to Findata and is defined based on another permit, select “Yes” to the question “Will the data you are applying from Findata also be combined with data you have already obtained or data from other sources?”
    • If the data was collected with consent, attach a template of the consent forms for the target group in section 6.1. Do not attach completed consent forms.
  • If you want to provide more details about other data sets or if there are any special considerations related to the data sets, indicate this in the additional information section. If it is not possible to provide precise information in the table, estimate on the higher side.
  • Note! Do not attach the data to this application. Once the data permit has been granted, Findata will provide instructions on how to deliver the data securely.

8 Data processing

  • Individual-level data is processed in a secure processing environment as stipulated by Secondary Use Act, primarily in a pseudonymized form. The data is delivered to the secure environment as a CSV file (semicolon as the delimiter, UTF-8 encoding).
  • The data is primarily delivered to Kapseli, which is a secure environment provided by Findata. If you wish to process the data in another secure environment, justify why this is necessary for the project. Other service providers’ secure environments can be found in the Toini register maintained by Valvira. Read more on Valvira’s website: Database of secondary-use environments (valvira.fi).
    • Use the official name of the environment, which can be found in the Toini register.
    • Note that if the data needs to be retained after the analysis, the data permit must be valid, and retention is only possible in a secure environment.
      • For example, if the data usage period is until December 31, 2027, and retention is needed for five years after that, the permit will be granted until December 31, 2032. If the data needs to be analyzed or retained beyond that period, apply for a modification of the data permit.
  • Findata retains the pseudonymization key and the extraction criteria and documentation used to create the dataset so that the data can be reproduced if necessary. Please retain the original data permit’s docket number.
  • Note that processing personal data from abroad constitutes data transfer, even if the data is in a remote access environment. Read more about the grounds for transfer and personal data transfers on the website of the Data Protection Ombudsman (tietosuoja.fi). If necessary, contact your organization’s data protection officer.

9 Data utilisation plan

  • A data controller, in this context, refers to an organization or an individual under the EU General Data Protection Regulation (GDPR) that, by the basis of the data permit decision, is the data controller for the dataset to be created and determines the purposes and means of processing the data.
    • The data permit can be applied for by the data controller or by another entity on behalf of the data controller. If an entity applies for the permit on behalf of the data controller, acting as a data processor on behalf of the data controller, a written agreement on data processing must be made between the data processor and the data controller as required by the GDPR.
    • There can be more than one data controller, and data controllers can be joint controllers, in which case they jointly determine the purposes and means of processing the dataset created by the data permit decision.
    • If joint controllership is involved, select ‘Third party’ and list all data controllers in the additional information field.
  • List all individuals who will process the data and their representing organization. No other information is needed.
    • Separate the individuals with a semicolon: “Person 1, organization; Person 2, organization; etc.”
    • If joint controllership is involved, select ‘Third party‘ and list all data controllers in the additional information field.
  • Briefly describe how the data minimization principle under the GDPR has been considered.
    • Personal data must be adequate, relevant, and limited to what is necessary concerning the purposes for which they are processed.
  • Explain how the information obligations towards the data subjects (the target group) have been fulfilled.
    • Attach the privacy notice or equivalent document used for information purposes. If the privacy notice is available online, provide the web address.
  • If the GDPR or the Data Protection Act requires a Data Protection Impact Assessment (DPIA), attach it to the application.
  • Attach the research permit and/or a favorable ethical statement to the application if necessary.
  • State the legal basis for processing personal data concerning the data obtained from Findata and any other data.
  • Note, in the case of special categories of personal data, that nearly all data under Findata’s permit authority are special categories of personal data. The processing of special categories of personal data requires a legal basis under the GDPR.

10 Additional information and attachments

  • List under the question regarding project funding all sources of funding. The sources of funding affect the decision on the data permit fee.
    • A lower data permit fee applies to the applicant whose place of operation is in Finland or another EU or EEA country, and when the research is research-driven and funded without external funding or with funding from a public healthcare unit, university, research institution, or other public or non-profit entity.
  • You can specify in this section all previous sections of the application, such as invoicing or desired processing environment.
  • Include here all attachments to be considered in the application process that do not have another place on the application form. Do not attach data to the application.
  • If you have discussed the application in advance with a Findata employee, provide the employee’s first and last name.

11 Confirmation of information

  • Confirm the information provided on the application form.
  • The permit decision will be subject to a fee according to the current fee decree. The final costs also depend on the data controllers’ expenses for extracting data and on the time Findata spends processing the material. Please refer to the current price list on the page Pricing.

Pay attention to the following:

  • Ensure that all requested information in the application has been completed and attachments have been uploaded. If you do not have precise information on certain aspects, provide your best estimate or briefly describe background information in the additional information fields.
  • If necessary, consult your organization’s data protection officer or research services. Remember that data controllers provide advisory services regarding the contents of their datasets.
  • If you need to supplement your submitted application, request us to return the application for completion. Send an email with the subject “Application Return” to info@findata.fi and include the application ID in the message field.

Before we make a decision on an application, you as the applicant must approve the maximum cost estimate for the extraction and pre-processing of data.

See also:

How does an application’s processing proceed?

The processing of applications can be divided into five stages, which can be preceded by the applicant independently contacting to a controller. The process is shown in text after the graph.

  1. The applicant contacts controllers directly before sending an application, if they need additional information on the data or variables or they need help with drawing up an extraction description.
    • The applicant can also make an agreement on the implementation of data extraction in a certain manner with the controller. If the customer and the controller’s contact person have agreed for example that a clinician, who is part of the research team will extract the data free of charge, the application’s Additional information section should include information on who this was agreed on with and in what context.
  2. The applicant submits their application or requested additional information to Findata in the e-services at asiointi.findata.fi
    • If the applicant is only submitting additional information, the clarifications can, depending on the case, also be submitted by e-mail.
  3. Our application processors check applications and their appendices to ensure that these contain all the necessary information.
    • Where necessary, we will return an incomplete application for completion or we will submit a request for further clarification to the applicant.
  4. When all the extraction descriptions have been completed, we will send additional information and cost estimate requests to the controllers whose information is requested in the application.
    • The purpose of the request is to determine the feasibility of the requested extraction and the maximum cost estimate for the extraction.
    • According to the Act on the Secondary Use of Health and Social Data, the controllers have 15 working days to respond to this request. Where necessary, controllers may ask for additional details to the request, in which case we will forward the questions to the applicant.
    • At this stage, we will also determine Findata’s internal cost estimate, which comprises our own data processing costs.
  5. Once all the cost estimates have been received, the applicant will be presented with a final extraction description and a maximum cost estimate for approval.
    • The applicant must accept both in order for the permit to be granted.
    • Please note that it will not be possible to change the extraction conditions after this, and that changes made to the extracted data later on will require a separate application.
  6. We at Findata will issue a positive data permit or data request decision.
    • Please note, that data permits are always for a fixed period. If data needs to be saved for a purpose such as the verification of research or the you intend to renew your permit or the extractions must be updated at certain intervals, include these needs in your application.

Data processing after a data permit has been issued

After a data permit has been issued, the customer’s data is extracted by different controllers and sent in a secure manner to Findata. We request the materials from the controllers primarily in CSV format.

At Findata, these data compiled from controllers are then pre-processed and, if necessary, combined and anonymised. In practice, all direct identifiers are removed from the information and a pseudo ID is produced, which will allow different people to be identified from one another and information on each individual can be combined from various pieces of data.

The combination of data only applied the combination on the basis of a personal identity code and is only implemented when combination does not require such things as the harmonisation of classifications.

After the data has been processed, the data is transferred to a secure operating environment where the customer can access and process it. We deliver the data in CSV format (semicolon as separator, UTF-8 encoding).

Do the following if you find errors in your data

  1. Once you have received the material covered by a data permit or request, please check it as soon as possible, but within three months at the latest.
  2. If you notice any omissions or errors, send a message to Findata at data@findata.fi.
  3. In the message, explain as precisely as possible how your data differs from the data described in the extraction description.

Extractions under a data permit or data request are always made on the basis of the extract description.

If the extraction description you have provided is incomplete, you can complete the extraction by submitting an amendment application or a new application for a data permit to Findata.

The maximum price estimates given are based on the extraction description you have provided. If the extraction needs to be completed, a new maximum price estimate will be submitted with the new permit.

See also:

How will the compilation of the applied for data proceed?

Once we have issued a data permit or made a decision on a data permit, there are five different staged for the compilation of data and its pre-processing. The process is shown in text after the graph.

  1. We will send the data requests to the controllers so that extraction can begin. Each controller has 30 working days to submit the requested data to Findata.
    • Depending on the nature of the project and the extraction, this phase may include several consecutive parts, such as 1. extraction of the target group; 2. extraction of the controls; 3. extraction of data.
  2. We will begin to process the sent data. As agreed on for each project, we will check, combine and pseudonymise the data or make statistics on them in accordance with a data request.
  3. The completed data will be handed over to the permit holder in an agreed-upon secure operating environment. Findata’s secure remote operating environment Kapseli is the statutory primary option. The data can be disclosed to other operating environments, if this is necessary for the completion of the project.
    • The target time for the handing over of data is 60 working days. The target time will not be possible if a target group is not given immediately after the decision has been made, data extraction is carried out in several stages, deliveries by data controllers are delayed or the data is exceptionally complex.
  4. The permit holder has 30 working days to review the material. The permit holder must notify Findata within this given time period of any comments they wish to make on the material.
    • Check the data thoroughly as soon as possible. Errors that occur during extraction can accumulate, if, for example, the target group has been formed incorrectly and other controllers must carry out their own extractions all over again for this reason.
  5. We will remove the data from our own systems 3 months after it has been handed over. We will retain the code keys for pseudonymised data that will enable the data to be reproduced.
    • Data permits are always for a fixed period. If data needs to be saved for a purpose such as the verification of research or the you intend to renew your permit or the extractions must be updated at certain intervals, include these needs in your application.

Information on costs

We will charge a decision fee for data permits according to the pricelist below. In addition to the decision fee, we will charge an hourly fee for data processing carried out at Findata.

The total price will also be affected by the costs incurred by data controllers for the extraction and delivery of data, based on each controller’s own provisions.

The data will forwarded for analysis primarily to Findata’s Kapseli environment, which is also subject to a fee. For more information see the page Kapseli.

For more information on charges see the page Pricing.

Also see the page Average cost estimates (in Finnish)

Data permit pricing

Price categoryCriteriaPrice
Data permit for a thesisA data permit related to a thesis for an applicant who is domiciled in Finland or another EU or EEA country.

If the project produces several theses or other outputs not related to the thesis, another permit fee category will be applied.		250,00 EUR
Limited data permitThe processing of the application takes less than 7 hours and the applicant’s place of business is an EU or EEA country. For example, new research questions without changes to the data or new extractions.300,00 EUR
Normal data permitThe application concerns the data of 1 to 15 data controllers and the applicant is established in an EU or EEA country.

If the extraction description is modified at the initiative of the applicant in the middle of the application processing process after receiving the cost estimates, or the processing takes more than 14 hours for some other reason, this is an extensive data permit, cf. below.		1 400,00 EUR
Normal data permit for researcher-driven researchData permit for the applicant whose place of operation is in Finland or another EU or EEA country, with a processing time of 7 hours or more but less than 14 hours, and it is research that is conducted without external funding or with funding from a public health care unit, university, research institute or other public or non-profit association. The application must be accompanied by an explanation of how the research will be funded.700,00 EUR
Extensive data permitYou may need an extensive data permit e.g. if one or more of the following is met:
– The application concerns the data of more than 15 data controllers
– The extraction description is modified at the initiative of the applicant after receiving the cost estimates, ie more than one round of cost estimates is required from one or more controllers		2 000,00 EUR
Extensive data permit for researcher-driven researchData permit for the applicant whose place of operation is in Finland or another EU or EEA country, with a processing time of 14 hours or more, and it is research that is conducted without external funding or with funding from a public health care unit, university, research institute or other public or non-profit association. The application must be accompanied by an explanation of how the research will be funded.1 000,00 EUR
Data permit for outside the EU or EEA areaData permit for the applicant whose place of business is in a country outside the EU or EEA.3 000,00 EUR
No VAT is charged on permit decisions.

Findata’s hourly based fees

Price categoryCriteriaPrice
Data processingHourly fee for data combining, pre-processing, pseudonymisation and anonymisation. Minimum one hour.147,00 EUR/hour
Costs of processing a lapsed applicationIf the application for a data permit or data request is canceled or not completed after the start of the processing, we will charge a proportion of the workload.88,00 EUR/hour
Hourly payments are services under public law, which are not subject to VAT.

Ensure the correct address for the data permit application

Select the controllers from which the data will be retrieved

Apply permit from the controller in question. The exception is those controllers who have delegated permit jurisdiction to Findata.

Please note that Findata is responsible for data permit and amendment applications whenever the data of data controllers covered by the Act on secondary use is combined. When evaluating the competent authority, all data related to the application under the Act must be taken into account.

Apply permit (s) from the controllers in question.

Findata is responsible for data permits of the Finnish Center for Pensions (ETK) and the Finnish Digital Agency (DVV) and / or Statistics Finland if the data are combined with

  • data of other public organizations under the Act on Secondary Use of Health and Social Data (For Statistics Finland, at least two other organizations are needed, for DVV and ETK, one is sufficient)
  • data stored on Kanta services or
  • to the register data of a private social or health care service provider.

Apply permit from Findata.

Findata is responsible for processing and making decisions concerning data permit and amendment applications, when the application applies to:

  • data from numerous public social and health sector controllers
  • register data from one or numerous private social welfare and health care service organisers, or
  • customer data saved in the Kanta Services.

Apply permit from Findata.

The Regional Administrative Agencies (AVI) have delegated the jurisdiction to Findata.

Apply permit from Findata.

National Supervisory Authority for Welfare and Health Valvira have delegated the jurisdiction to Findata.

Apply for a data permit

Finnish Institute for Health and Welfare (THL) has delegated the jurisdiction to Findata. As far as THL is concerned, the delegation of jurisdiction does not apply to its

  • internal permit management
  • the transfer of samples and data transferred to THL Biobank.

Permit is applied from Statistics Finland and the respective data controller. Exceptions are the registrars who have delegated the jurisdiction to Findata.

We are responsible for data permits for data subject to the Secondary Act of Statistics Finland when they are combined

  • to the information of at least two public organizations covered by secondary laws
  • to data stored in Kanta services or
  • to the register data of a private social or healthcare service organizer.

Apply permit from Findata.

Findata is responsible for processing and making decisions concerning data permit and amendment applications, when the application applies to:

  • data from numerous public social and health sector controllers
  • register data from one or numerous private social welfare and health care service organisers, or
  • customer data saved in the Kanta Services.

Please select at least one data controller or group.