Legislation

Data empowering research – How your health data is used in research

Learn about the secondary use of health data through practical examples on our training portal.

What is the Secondary Use Act?

The Secondary Use Act (Act on the Secondary Use of Health and Social Data, 552/2019) regulates how health and social data may be used outside their original purpose, for example in scientific research, statistics, and the planning and reporting duties of an authority. The Act also includes provisions on data protection and confidentiality, and sets requirements for data processing and security.

The goal of the Act is to enable the secure and efficient use of health and social data for socially important purposes, while safeguarding individuals’ privacy, rights and trust. Data may not be used, for example, for marketing or for defining individualised commercial services such as insurance premiums.

The Secondary Use Act is based on an opt-out model, meaning that data may be used for secondary purposes defined in law without notifying each individual separately. However, individuals have the right to prohibit the use of their data for secondary purposes under the EU General Data Protection Regulation (GDPR).

Amendment to the Secondary Use Act

The Secondary Use Act was amended in 2025. The aim of the amendments is to streamline data use, clarify the responsibilities of authorities and harmonise practices. The amendments concerning clinical trials entered into force on 1 January 2026, and the remaining amendments on 1 May 2026.

Previously, the processing of data permits was largely centralised under Findata. Following the legislative reform, a distributed permit model was introduced, under which a data permit covering data from multiple data controllers can be applied for either through Findata or separately from individual data controllers.

Read more: Amendments to the Finnish Secondary Use Act enter into force on 1 May – see key changes

Findata grants data permits and data request decisions for the secondary use of health and social data when the application concerns:

  • data from several public health and social sector data controllers
  • data from a single public data controller that has transferred its permit authority to Findata
  • register data from one or more private social or health service providers
  • data stored in the Kanta Services
  • Findata’s ready-made datasets

In addition to Findata’s centralised service, applicants may alternatively apply for permits separately from each data controller.

In that case, the data controllers agree among themselves who is responsible for compiling the dataset. The compiler may be Findata or one of the organisations that granted the permit.

What can personal data be used for?

The secondary use of health and social data is only permitted for purposes defined by law.

Secondary purposes under the Secondary Use Act are:

  • scientific research
  • statistics
  • development and innovation activities
  • education
  • knowledge management
  • steering and supervision by authorities
  • planning and reporting tasks of authorities

Different purposes are subject to different provisions.

Individual-level, pseudonymised or anonymised data is available for research, statistics, planning and reporting tasks of public authorities, and education.

Anonymous, aggregated statistical data is available for the above purposes as well as for development and innovation activities, knowledge management, and the steering and supervision of social and health services.

In addition, wellbeing services counties and other service providers may use data recorded in their own registers without a separate permit, for example for planning and evaluating their operations.

Health and social data may not be used for marketing or for defining individualised commercial services, such as insurance premiums.

What types of data can be used with a permit from Findata? What are the data sources?

Permits granted by Findata cover register-based data collected from various sources. Register data refers to information stored in registers maintained by public authorities, private service providers or other data processors.

Findata does not hold personal data of its own, with the exception of ready-made datasets. We grant permits for register data held by health and social sector operators and authorities as defined in the Secondary Use Act.

All permits comply with the data minimisation principle under the EU General Data Protection Regulation (GDPR): a permit can only be granted for data that is clearly and justifiably necessary for the stated purpose.

Before data is released to the permit holder, it is processed in a way that significantly reduces the possibility of identifying individuals. Direct identifiers, such as names and personal identity codes, are removed and replaced with codes. Data may only be processed in a secure environment.

Read more: Data

How is data protection monitored?

Authorisation to process data for purposes permitted by the Secondary Use Act is given through an official decision made by Findata or another authority referred to in the Secondary Use Act. The decision is legally binding and includes the terms of the permit, the data to be processed, the persons entitled to process the data, and the processing environment.

Findata’s operations and the operations of other controllers that issue data permits are supervised by, among others, the Parliamentary Ombudsman, and the processing of personal data is monitored by the Data Protection Ombudsman. Findata and other authorities that grant data permits also have the right to request a statement from the Data Protection Ombudsman before granting a data permit.

Those issuing data permits must give an annual report to the Data Protection Ombudsman regarding the processing of health and social data and the related log data.

The Finnish Supervisory Authority supervises secure processing environments.

What is the EHDS? How does it affect secondary use in Finland?

The European Health Data Space (EHDS) is a regulation of the European Union that establishes a common framework for the use and exchange of health data in EU countries. The aim of the regulation is to strengthen citizens’ rights to their own electronic health data and to enable the secure cross-border secondary use of health data.

The EHDS regulation is similar to the current Finnish Secondary Use Act, but it also introduces changes. The regulation includes partly different purposes of use, some of which are reserved only for public or EU entities. In addition, new operating models will be introduced for processing data requests and permit applications.

The regulation entered into force in March 2025 and will be implemented gradually over the coming years. The parts concerning secondary use will begin to apply in March 2029.

Read more: EHDS

Key concepts

Steering and supervision of social and health care by authorities

A social and health care regulatory or supervisory authority may request aggregated statistical data from Findata by means of a data request if it needs data under the Secondary Use Act in order to carry out its steering or supervisory task.

Upon reasoned request, the data may also be provided in identifiable form if the supervisory authority is entitled to receive them under other legislation, irrespective of confidentiality obligations.

Secondary purpose

Secondary purpose of personal data refers to the processing of personal data for a purpose other than its primary purpose. The secondary purposes permitted under the Act are

  • scientific research
  • statistics
  • development and innovation operations
  • education
  • knowledge-based management
  • steering and supervision by authorities and
  • authorities’ planning and reporting duties.

Statistical data

In statistical data, individual personal data is combined and added together. Statistics describe groups of individuals rather than particular individuals. The data for these groups is formed in such a way that the individuals cannot be identified.

Data request

A data request is a request to obtain aggregated statistics created from personal data for use in accordance with the Secondary Use Act. Any request for information under the Secondary Use Act must be submitted to Findata.

Data permit

A data permit is a permit issued in accordance with the Secondary Use Act for the processing of the secret personal data specified in the permit for the purpose described in the permit.

Data permit authority

Findata is the data permit authority for the social and health care sector which makes data permit and data request decisions regarding the data of other controllers. Findata is responsible for the gathering, combining, previewing and disclosing of data for secondary use in accordance with the decisions it makes.

Findata also monitors compliance with the conditions of the permits it issues. It may cancel the data permit if the permit holder either fails to comply with the law or violates the conditions of the permit.

Data utilisation plan

Data utilisation plan refers to a research plan, project plan or similar plan.

The plan must detail

  • the intended purpose of the data referred to in the permit application
  • the controller and processors of the data
  • the legal ground for the processing and
  • the essential elements of data protection and data security related to the processing throughout the life-cycle of the data (data storage, erasure or archiving)

Controller

An individual, community, institution or foundation

  • for whose use the person register was established and
  • that has the right to determine the use of the person register

or

  • that has the legal duty of maintaining the register.

Service organizer

A social and health care service provider that has an obligation as an authority to ensure that the customer gets the service or benefit that is due to them based on the law or an official decision. The obligation of a private service provider is to ensure that the customer who purchases the service privately is provided with the service that is due to him or her under the regulations on customer protection.

Personal data

Personal data refers to all data which refer to an identified or identifiable individual.

Primary purpose

The primary purpose of the customer data is the purpose for which the data was originally saved in the customer register and/or patient register. The primary purpose may be, for example, examination, treatment and rehabilitation of the patient, the service received by a social welfare customer, or the processing of benefits by the Social Insurance Institution of Finland (Kela).

Customer data

By law, customer data is confidential personal data covered by the General Data Protection Regulation which has been stored in a customer register or an associated administrative register as a result of social and health care customership or for processing of benefits.

Aggregated data

Aggregation is a statistical procedure through which data is combined and added together. Aggregated data describes a group of individuals rather than one particular individual. The data for these groups is formed in such a way that the individuals cannot be identified.

Knowledge management

Knowledge management refers to the processing of data carried out by a service provider in their customer, service and production processes for the purpose of supporting

  • operations, production and financial control
  • management and
  • decision-making.

Development and innovation activities

Development and innovation activities refer to the application and use of technical and business data and other existing data together with the personal data referred to in the Secondary Use Act for the purpose of developing new or significantly improved products, processes or services.

In addition, the purpose of the activities must be to

  • promote national health or social security
  • develop social welfare and health care services for service systems
  • protect individuals’ health or well-being or
  • secure for them their related rights and freedoms.

Frequently asked questions

What is a data permit?

A data permit is a fixed-term authorisation granted by a public authority to use individual-level personal data for a specific, clearly defined purpose, such as research or compiling statistics.

A permit is granted only for a justified reason, and the consent of each individual is not required. Authorities such as Findata, Kela, or wellbeing services counties are responsible for ensuring that data is used lawfully and responsibly.

The permit holder is given access only to the data necessary for the research. The dataset is delivered in pseudonymised form: names and personal identity codes are replaced with codes, so individuals cannot be identified. The data may only be processed in a secure processing environment without an internet connection, and only named individuals are granted access.

What is Findata?

Findata is the social and health data permit authority in Finland. It was established in 2019, and its operations are based on the Act on the Secondary Use of Health and Social Data, commonly known as the Secondary Use Act.

We grant data permits for the secondary use of health and social data when the data is needed from multiple public data controllers, from the private sector, from Findata’s ready-made datasets, or from the Kanta Services. We compile and preprocess the datasets with strict attention to protecting individuals’ privacy.

Findata also maintains the secure Kapseli® processing environment, where individual-level data is processed safely.

Can individuals be identified from the data?

Before individual-level data obtained under a data permit is released to the permit holder, Findata processes it in a way that significantly reduces the possibility of identifying individuals.

Direct identifiers, such as names and personal identity codes, are removed from the dataset and replaced with codes. This is called pseudonymisation. In addition, precise data may be generalised. For example, a postcode may be replaced with a region, or a date of birth with a year of birth.

Pseudonymised data may only be processed in a secure environment without an internet connection. The permit holder commits to conditions that prohibit any attempts to identify individuals.

For statistical-level data requests, fully anonymous data is provided. This data describes population groups rather than individuals, and individuals cannot be identified from it.

Identifiable data is only released for particularly justified reasons.

For what purposes can social and health data be used?

The secondary use of social and health data is only permitted for purposes defined by law, such as:

  • Education
  • Scientific research
  • Statistics
  • Planning and reporting duty of an authority
  • Development and innovation activities
  • Knowledge management
  • Steering and supervision of social and health care by authorities

Different types of data are available for different purposes:

  • Individual-level, pseudonymised data is available for research, statistics, planning and reporting tasks of public authorities, and education.
  • Anonymous, aggregated statistical data is available not only for the above-mentioned purposes, but also for development and innovation activities, knowledge management, and the steering and supervision of social and healthcare services.

In addition, wellbeing services counties and other service providers may use the data recorded in their own registers without a separate permit for purposes such as planning and evaluating their operations.

All data permit and data request decisions made by Findata are public. You can view them here: Issued permits

What types of data can be used with a permit from Findata?

Permits granted by Findata cover register-based data from Finnish social and healthcare services. This refers to data generated when people use social and health services.

Register data is stored, for example, in patient and client information systems of wellbeing services counties, national registers, and the Kanta Services.

Findata grants data permits and data request decisions for the secondary use of health and social data when the application concerns:

  • data from several public health and social sector data controllers
  • register data from private social and health service providers
  • data stored in the Kanta Services
  • Findata’s ready-made datasets
  • data from controllers that have transferred their permit authority to Findata

Read more: Data

Can anyone get a permit to use social and health data?

Anyone may apply for a permit, but it is only granted for the purposes defined in law and for projects that meet the permit criteria and data protection requirements. Each application is assessed individually, and data is only released for necessary use.

Data permits and data request decisions are official administrative decisions. The decision process has two stages: the application handler acts as the presenter, and the Director of Findata or their deputy makes the final decision.

A proposed decision does not always lead directly to a permit being granted. Sometimes the application is returned for further preparation or requires modifications.

Which laws regulate the secondary use of health and social data in Finland?

The secondary use of health and social data is governed by several laws that safeguard privacy and define the conditions under which data may be processed.

The EU General Data Protection Regulation (GDPR) regulates all processing of personal data across the EU. It applies whenever personal data is processed.

The regulation on the European Health Data Space (EHDS) creates a common EU framework for the use and exchange of health data, harmonises the use of health data across the EU, and strengthens individuals’ rights to their own data. The regulation entered into force in March 2025 and will be implemented gradually. The provisions concerning secondary use will apply from March 2029.

The Finnish Data Protection Act complements the GDPR at national level. It specifies when sensitive personal data, such as health data, may be processed in Finland.

The Finnish Act on the Secondary Use of Health and Social Data (the Secondary Use Act) regulates the secondary use of health and social data in Finland. Findata’s operations are based on the Secondary Use Act. The Act was amended in 2025.

Other key laws include:

  • Act on the Processing of Client Data in Healthcare and Social Welfare
  • Medical Research Act
  • Clinical Trials on Medicinal Products for Human Use Act
  • Act on the Medical Use of Human Organs, Tissues and Cells
  • Biobank Act

What are the benefits of the secondary use of health and social data for citizens?

Using health and social data for secondary purposes, such as registry-based research, benefits society in many ways.

By combining registry data from large populations, it is possible to generate new knowledge that helps develop, for example, treatments for diseases or practices in social services.

Practical benefits for citizens include:

  • Studying and developing treatment guidelines ensures that care is based on up-to-date research evidence
  • Medicines can be made safer and their side effects can be monitored
  • New health technology can be developed, such as applications and devices that support treatment
  • Hospital and health centre services can be improved and streamlined as processes can be developed and studied
  • Research evidence supports decision-making that promotes public health and reduces wellbeing gaps

Read more: Issued permits

How is Findata’s operation supervised?

Several authorities supervise Findata’s operation to ensure that the granting of data permits and the processing of data are carried out in accordance with the law.

Key supervisory bodies include:

  • Data Protection Ombudsman, who supervises the processing of personal data and compliance with data protection legislation
  • Parliamentary Ombudsman, who oversees the lawfulness of authorities’ activities
  • Finnish Supervisory Agency, which supervises secure processing environments

In addition, Findata’s operation is guided and developed by a steering group appointed by the Ministry of Social Affairs and Health, which includes representatives from the ministry and data controllers.

How is the right to object implemented at Findata?

When you object to the secondary use of your data through Findata:

  • Your request is recorded in the case management system maintained by the Finnish Institute for Health and Welfare (THL).
  • Your data will be removed from datasets received by Findata based on your personal identity code. Therefore, we must retain and process your personal identity code to implement the request.

What are the laws on which Findata bases the processing of personal data?

Findata’s legal bases for processing personal data are:

  • Article 6(1)(e) of the EU’s General Data Protection Regulation: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Article 4(1)(2) of the Data Protection Act: processing of data that is provided for by the law or that is directly attributable to the controller for the task prescribed by the law

We also process data belonging to special categories of personal data, formerly known as sensitive data. Such data includes, for example, a person’s health data.

The grounds for processing this kind of personal data are:

  • Article 9(2)(g) of the EU General Data Protection Regulation: processing is necessary for the performance of a task carried out in the public interest or the exercise of public authority
  • Section 6(1)(2) of the Data Protection Act: processing is necessary and proportionate for the performance of a task carried out in the public interest by a public authority

See more information on how we process personal data

What is anonymisation and pseudonymisation?

Anonymisation means the transformation of personal data into a form that irreversibly prevents the identification of an individual person. This may mean, for example, removing direct identifiers and simplifying the data to a general level so that personal data cannot be reconstituted in any way.

Pseudonymisation refers to the transformation of personal data, for example into a coded form. In this case, names and personal identifiers can be removed and replaced by another unique identifier, i.e. a code. Often a code key is kept to restore direct personal data to the data. Pseudonymised data are still personal data.

Does Findata transfer data abroad?

Findata grants most permits to projects based in Finland. However, the permit holder may also be located in another EU or EEA country. Even in such cases, the data must be processed in a secure environment and only for the purposes defined in the permit.

As a rule, Findata does not transfer personal data outside the EU or EEA. Exceptions may only be made for a specific reason and when the legal requirements for data protection and information security are met.

Does Findata sell my data?

Findata does not sell data.

We operate as the Finnish Data Permit Authority, responsible for granting permits for the secondary use of social and health data only when there is a statutory basis, such as public interest, and a defined purpose, such as scientific research. Data permits are always granted for a fixed period, after which the datasets are destroyed.

We do not set our own service fees. Our charges are based on the fee decree issued by the Ministry of Social Affairs and Health.

How can I object to the secondary use of my data?

You have the right to object to the processing of your personal data for secondary use, such as research. Once you submit an objection request to Findata, we will no longer disclose your data for secondary use to permit holders.

An objection request submitted to Findata:

  • is valid indefinitely
  • does not remove data that has already been disclosed from existing datasets
  • can be submitted via Findata’s e-service (asiointi.findata.fi), by post, or in person at THL

An objection submitted to Findata does not prevent other data controllers from disclosing your data for secondary use. Therefore, objections must be submitted separately to each data controller.

See Findata’s instructions: How to exercise your rights

What is the difference between primary and secondary use of health and social data?

Primary use means the purpose for which the data was originally saved in the customer register and/or patient register.

The primary purpose may be, for example,

  • examination, treatment and rehabilitation of the patient,
  • the service received by a social welfare customer,
  • or the processing of benefits by the Social Insurance Institution of Finland (Kela).

Secondary use means the use of the same data for purposes other than the primary use.

Legitimate secondary purposes of use include

  • scientific research,
  • statistics,
  • development and innovation activities,
  • education,
  • knowledge management,
  • steering and supervision by authorities and
  • the planning and reporting duty of an authority.

Different purposes of use are subject to different regulations. Only aggregated statistics from which individuals cannot be identified may be obtained for development and innovation activities.

See also:

Data

See which controllers’ data you can apply for via Findata.

Permits

Read about the permits for which you can apply.

Your data rights

Read how Findata takes care of data.