Services and instructions

All our services are related to the secondary use of health and social data. This page contains summaries on our services, a list of instructions and a list of most frequently asked questions.

We provide services to those who need information meaning our customers and parties who control data meaning controllers. In addition, we provide information and advice to citizens on where register data are used, on each citizens’ rights under the GDPR and on how we ensure that data protection is implemented.

Book a time for personal consultation

Our personal consultation service will be on summer holiday from 1 June to 18 August 2024. Findata’s Help Desk will be serving you by e-mail as usual throughout the summer. See contact details for our Help Desk.

You can book a time for personal consultation with an expert from Findata. Appointments are available three days a week and last for 20 minutes. The meetings are held remotely via Teams.

We offer help in the following topics:

  • General consultation on Findata’s services
  • Data permit applications, amendments, and data requests
  • Extraction description form and other forms
  • Ordering Findata’s secure processing environment Kapseli, pausing, and data storage service

You can see the available times below.

After booking, you will receive a confirmation email and a downloadable calendar reminder. We will send the link to the Teams meeting later.

The personal consultation service is provided as a part of the FinHITS project funded by the European Union.

Forms for customers

Services for customers


  • We provide advisory services on this website and via email at
  • We provide advice on issues such as question related to application for data permits, data requests and amendment permits. In addition, we provide general advice on the matters related to Act on the Secondary Use of Health and Social Data.
  • When requiring information content from registers or individual pieces of data, it is best to contact the controller directly, as they are the best experts when it comes to their own data and can provide statutory advisory services on their secondary use. See the Data page for controller’s contact details.
  • Read more on the Contact us page

Data permits, amendment permits and data requests

  • We issue data permits for data on individuals, when information is needed from numerous public controllers, the private sector or the Kanta Services. We combine and pre-process data while ensuring the privacy of citizens.
  • We issue amendment permits for previously issued permits, when an amendment applies permits issued by numerous public controllers, Findata or an authority who has transferred their right to issue permits to Findata.
  • We make decisions on data requests, meaning on access to statistical data when the information is needed from a controller within the scope of the Act on the Secondary Use of Health and Social Data.
  • Read more on the Permits page

Combining and pre-processing of data

  • We collect register data from controllers.
  • We pre-process the data disclosed to the permit holder, meaning we combine and pseudonymise, anonymise or produce statistical data of the data compiled from the controller.
  • We convert and combine the permit holder’s own data to the data obtained through Findata.
  • Read more on the Data page

Secure Kapseli operating environment

  • We provide a secure environment, Kapseli for the processing of data on individuals, where the software required for the analysis of key data are available.
  • According to the Act on Secondary Use of Health and Social Data, starting on 1 May 2022 the analysis of data accessed with a data permit will only be permitted in operating environments that meet the requirements of the regulation.  The requirements specify the same level of data security as is required in Kapseli.
  • Read more on the Kapseli page

Services for controllers

Counselling service

  • We provide advisory services on this website and via email at
  • We provide answers to questions concerning such things as the submission of data, data descriptions and general questions concerning the Act on the Secondary Use of Health and Social Data

Read more on the Contact us page

Support for creating data descriptions

  • Organisations within the scope of the Act on the Secondary Use of Health and Social Data in their role as controllers have a statutory obligation to draw up data descriptions on the information content in their information resources in accordance with the Findata Regulation. This is important so that those who need data can assess the suitability of the data for secondary use.
  • We provide free tools for controllers: Data editor, with which data descriptions can be drawn up and a Data catalogue where data descriptions can be published.
  • In addition, we help controllers in creating data descriptions by providing training on the use of the aforementioned tools.

Read more on the Regulation on data descriptions page

Anonymisation service

  • If the secondary data use application relates to only one public social and health sector controller, that controller is themselves responsible for processing the data permit application and making the permit decision. However, if the data is disclosed to the permit holder in anonymised form, we will anonymise the data on behalf of the controller and deliver it for the permit holder’s use.

Read more on the Data permits page

Processing of data permit and amendment applications by the controller

  • Public controllers may authorise Findata to carry out on their behalf, as detailed in the Secondary Data Act, services other than advice and data description services. In such cases, we also process on behalf of the controller those data permit and amendment applications which relate only to the content of the controller’s own registers.
  • For information on controllers who have transferred their authority to issue permits, see the Data page section titled Transferred right to issue permits

Read more on the Data page

Other services and obligations

Rights of data subjects pursuant to the EU General Data Protection Regulation

  • Everyone has the right to their personal data and the right to access information on the use of their personal data With regard to Findata’s activities, information on this is available on this website and specifically on the Data protection and processing of personal data page.
  • For information on projects that have been issued a permit, see the Issued permits page. If necessary, you can also contact our advisory service.
  • In addition to receiving information, the data subject has the following rights to their data as regards the data held by Findata:
    • Right of access to one’s personal data
    • Right to rectify one’s data
    • Right to restrict the processing of one’s data
    • Right to object to the processing of one’s data.
  • If you wish to exercise you rights pursuant to the GDPR, see the instructions here: How can I exercise my rights?

Read more on the page Data protection and processing of personal data

  • The Act on the Secondary Use of Health and Social Data obliges Findata to provide specifying regulations on matters such as secure operating environments, data descriptions and data permit applications and data utilisation plans.
  • The regulations are changing in nature and will be updated as necessary.

Read more on the Regulations page

Frequently asked questions

How to order Kapseli
  1. Log in to our e-service (
  2. From the top menu select “Submit application”
  3. Scroll down and select “Order or update of the Kapseli operating environment or the data storage service” from under Select a new application form from below and click “Fill in the application”.
  4. Complete the application form
    • Enter your own name in the applicant field
    • After this, using the “Invite a member” button add all the persons and email addresses that need user rights to Kapseli
    • The invited persons will join using multi factor authentication
    • Complete the rest of the form
    • Please note, that R-Tools is not automatically installed in Kapseli. If you need R-Tools, indicate this in the additional information section of the form.
  5. Finally, select Send application from the “Actions” section.
I can’t log in to Kapseli – what should I do?

Before logging in, please make sure that your username is registered and ready to use. If you are not sure whether your account is ready for use, contact your Findata contact person or the Kapseli helpdesk:

How to log in to Kapseli

  1. Install Duo Mobile app ( to your phone and activate it. The developer is Duo Security Inc. If you’ve already installed and activated the app go to point 2.
    • Installing: find Duo Mobile from your phones app store and install it.
    • Activating: the phone numbers reported when ordering Kapseli will get an automatic activating message for Duo Mobile. The app is activated by clicking the link in the activating message.
  2. Log in Kapseli at using your computers browser.
    • Choose the identification method from the list that you chose while registering.
  3. Choose the operating environment you’re going to use. If you have just one operating environment in use go to the next section.
    • After choosing the environment the system goes to the second phase of identification.
  4. The second phase of identification.
    • Log in the operating environment.
    • You’ll get a notification about logging in to Duo Mobile. To approve the log in choose ‘Approve’ in Duo Mobile.
Can the data I received via Findata be combined to other information?

Data referred to in the Act on the Secondary Use of Health and Social Data can be combined to other information, such as data a person has collected themselves or data accessed with some other permit. As a rule, Findata or a statistics authority combines the data.

If you wish to combine data later on to data you have received via Findata, send an amendment application for the data to be combined. For more information please see the Amendment permits -page.

If you are applying to have data accessed with an individual’s consent to be combined with data that Findata has issued a permit for, the research subject’s notification and consent models must be attached to the application.

If the data have been accessed with the permission of other actors, list the following information in the application:

  • Permit record number, issuer, date of decision.
  • If the permit process is pending, the party to whom the application was submitted and the permit process start date.
  • A brief description of the information content of other data.
  • Do not attach permits for other data to the application. The application processor will ask for these separately of necessary.

See the instructions for sending data on the page Data transfers to Findata.

How does the data controller provide the extracted data to Findata?

For instructions on how data controllers can submit extracted data, see the Data transfers to Findata -page.

Can my information be disclosed abroad?

Free movement of data within the EU is required under the General Data Protection Regulation. However, the law requires that the data is mainly processed in the centralised, secure user environment of the data permit authority for the social and health care sector, and that access rights to the environment may only be granted to authorised persons. The permit holder may also be located elsewhere than in Finland. The provision of a data secure user environment is an essential technical measure to safeguard the protection of personal data.

If necessary, the data may be disclosed to another secure environment indicated by the permit holder. However, this other environment must meet the criteria of the Findata order, it must be audited against the requirements of the order, and its audit certificate must be valid. Valvira maintains the Toini register, and in these cases also the information should only be used for the purpose for which it was disclosed to the permit holder. The EU’s General Data Protection Regulation specifies the conditions under which data can be disclosed outside the EU.

Health and social data may not be used for marketing or the determination of individual commercial services, such as insurance premiums.

Will my data be sold to third parties?

No. Findata is the Health and Social Data Permit Authority that grants temporary permits for the secondary processing of social and health care data provided that the statutory permit conditions are met.

How can I prohibit the secondary use of my data?

Everyone has the right to their personal data and the right to object to the processing of the data. We have compiled instructions on how to exercise your right of objection on the webpage ‘Data protection and processing of personal data’.

It should be noted that Findata is not the original controller of health and social data. Thus, for example, a request submitted to Findata to object to the use of personal data does not prevent the disclosure of the data for secondary use by one of the controllers referred to in the Act on the Secondary Use of Health and Social Data (Secondary Use Act), Section 6.

Unfortunately, Finland does not have a centralised system through which the secondary use of data can be banned once and for all in a way that is binding on all parties.

You can submit a objection request directly to the other actors referred to in Section 6 of the Secondary Use Act:

  • social welfare and health care service providers,
  • the Ministry of Social Affairs and Health,
  • the Finnish Institute for Health and Welfare (THL),
  • the Social Insurance Institution of Finland (Kela),
  • the National Supervisory Authority for Welfare and Health,
  • the Regional State Administrative Agencies,
  • the Finnish Institute of Occupational Health,
  • Fimea,
  • Statistics Finland and
  • the Central Pension Insurance Institute.

See general guidelines on how to object to the use of data (

It is not possible to submit to the Digital and Population Data Services Agency an objection to the disclosure of a person’s data for purposes under the Secondary Use Act. The Act on the Population Information System and the Certificate Services of the Digital and Population Data Services Agency (Section 28) provides for prohibitions on the disclosure of data relating to the Population Information System. Read more in Finnish on the website of the DVV (

What is the difference between primary and secondary use of health and social data?

Primary use means the purpose for which the data was originally saved in the customer register and/or patient register.

The primary purpose may be, for example,

  • examination, treatment and rehabilitation of the patient,
  • the service received by a social welfare customer,
  • or the processing of benefits by the Social Insurance Institution of Finland (Kela).

Secondary use means the use of the same data for purposes other than the primary use.

Legitimate secondary purposes of use include

  • scientific research,
  • statistics,
  • development and innovation activities,
  • education,
  • knowledge management,
  • steering and supervision by authorities and
  • the planning and reporting duty of an authority.

Different purposes of use are subject to different regulations. Only aggregated statistics from which individuals cannot be identified may be obtained for development and innovation activities.

Can I collect the data myself from my own hospital and thus avoid the data controller’s collection fee?

Yes, you can, if this is okay with the controller. The controller has the right to determine independently the manner in which it carries out the extraction, and it has the right to use an external processor to carry out the data extraction.

If such processors are used, the EU General Data Protection Regulation (GDPR) requires that a data protection agreement (DPA) covering the processing of personal data is signed with them. The controller is ultimately responsible for ensuring that the personal data is processed in a legal manner. The processor, meanwhile, is responsible for ensuring that it complies with the terms of the DPA and the instructions of the controller.

The collected data must be delivered to Findata securely via the transfer service Nextcloud, after which we combine and pre-process them.

Do the collection fees charged by the controllers include VAT?

This depends on the controller. The data controllers determine their own collection fees on the basis of their own regulations.

Why is the VAT rate 0% for some payments and 24% for others?

Findata’s prices are based on the decree of the Ministry of Social Affairs and Health on charges for work carried out by the Health and Social Data Permit Authority.

With the exception of Kapseli, the service prices are for actions under public law that are based on cost value (VAT 0 %). The prices for Kapseli’s services are commercially priced paid services with 24% VAT.

The data controllers determine their own costs on the basis of their own regulations.

On average, how much are Findata’s data processing charges?

On the page Average costs estimates (in Finnish), you can find the average, range and median calculated from the maximum cost estimates. The data is updated quarterly.

What are the average collection fees for data controllers?

You can find the average, the range and the median calculated from the maximum cost estimates for data extractions in Finnish on the Average Cost Estimates page. We update the data quarterly.

Can someone other than the permit holder receive the invoices?

Possibly. Any inconsistencies between the applicant and the invoiced party (e.g. the payer is not the applicant) can be clarified where necessary in the ‘Additional information’ section.

Can I receive a paper invoice?

E-invoicing is the primary invoicing method. Paper invoices are only possible in exceptional cases. As a rule, however, the invoice recipient are organisations that only accept e-invoices. If necessary, ask for more information from your organisation’s financial department.


Delays in Findata’s services due to a high number of citizens’ GDPR requests

Due to recent media coverage, the significantly increased number of citizens’ requests… Read more Delays in Findata’s services due to a high number of citizens’ GDPR requests

Concerned about the FinRegistry ready-made dataset? Read more about the dataset and how to object to the processing of your data

Findata’s FinRegistry ready-made data set has sparked discussions about the secondary use… Read more Concerned about the FinRegistry ready-made dataset? Read more about the dataset and how to object to the processing of your data

Findata’s popular personal consultation service continues in the autumn

The popularity of the personal consultation service, piloted in spring 2024, exceeded… Read more Findata’s popular personal consultation service continues in the autumn