Event log file of the register of the Suomi.fi e-Authorizations checks on the right to act on behalf of another party

When Suomi.fi e-Authorizations is used to check the right to act on behalf of another party, a log entry is stored for each inquiry. The Digital and Population Data Services Agency collects event log data in accordance with the law for the purpose of follow-up and monitoring the use of Suomi.fi e-Authorizations as well as fault investigation and investigation of any abuses and data security violations.

1. Name of register

2. Controller and contact person

Digital and Population Data Services Agency

Lintulahdenkuja 2, 00530 Helsinki

PL 123, 00531 Helsinki

Telephone (switchboard) 02 9553 6000, email: kirjaamo(a)dvv.fi

Contact person in register-related matters

Tuuli Krekelä, Chief Specialist, Business Owner (Suomi.fi e-Authorizations)

Lintulahdenkuja 2, 00530 Helsinki

Telephone (switchboard) 02 9553 6000, email: kirjaamo(a)dvv.fi

3. Data Protection Officer

Telephone (switchboard) 02 9553 6000, email: tietosuoja@dvv.fi

4. Purpose and legal basis for processing of personal data

The register is the event log file of the register on Suomi.fi e-Authorizations checks on the right to act on be-half of another. Digital and Population Data Services Agency produces Suomi.fi e-Authorizations in accord-ance with sections 3 and 4 of the Act on Common Administrative E-Service Support Services. Personal data is processed as required by the Digital and Population Data Services Agency’s statutory task.

The data entered in the register is also used for the follow-up and monitoring of the use of Suomi.fi e-Authorizations, fault investigation and investigation of any abuses and data security violations. The data stored in the register is also used for statistical purposes.

The Digital and Population Data Services Agency’s IT infrastructure service provider Valtori and its subcontrac-tors manage the IT infrastructure of the Suomi.fi service registers.

5. Retention period of the personal data

The Controller shall retain the register information for a period of five (5) years from the authorization quiry. The Digital and Population Data Services Agency has estimated that with regard to event data, a five-year (5) retention period is necessary, when taking into consideration the limitation periods for the most common offences related to the processing of personal data and the limitation period for offences in office, which is five years.

6. Register data content

The following information on the use of Suomi.fi e-Authorizations are saved in the event log file register:

Which e-service has submitted an inquiry for a check on acting on behalf of another as well as check request’s ID.

The personal identity code of the end user who has identified themselves sent by the e-service.

If you are acting on behalf of a child, who is your dependent:

Inquiries sent to the Population Information System the aim of which is to check the currently valid guardianship.
The responses to inquiries on guardianship concerning the end user’s right to act on behalf of their dependent and the possible limitations to their rights to act on behalf of the other (e.g. joint guardianship, a non-disclosure order)

If you are acting on behalf of another adult:

Inquiries sent to the mandate register and the responses to these inquiries concerning the end user’s right to act on behalf of another.
The information on the person acting on behalf of another and the end user that are returned to the e-service.

Personal identity code and name of person on behalf of whom the end user is acting
Information on the end user (depending on the technical implementation of the e-service) includes either information on their right to act on behalf of another (yes/no) or a list of e-service roles with regard to which they have the right to act on behalf of the client.

In certain exceptional cases, the personal identity code of the persons on behalf of whom the person is acting are sent by the e-service

If you are acting on behalf of a company:

The IDs (Business IDs) of the organisations on behalf of which a person is acting, transferred by the e-service
Inquiries submitted to the Population Information System, the purpose of which is to check the end user’s general ability to act on behalf of others (the person is aged 18 or over, is not subject to guardianship, and has not been declared incompetent)
Inquiries sent to the Business Information System, the Trade Register and other basic registers on an organisation and a person’s right to act on behalf of the organisation in question (the person’s mandates in different organisations) and the responses to these inquiries
Inquiries sent to the Suomi.fi e-Authorizations mandate register and the responses to these on the end user’s valid mandates
The information returned to the e-service: the end user’s information and the code that identifies the organisation on behalf of which the person is acting on behalf of

Time stamps related to the e-authorization inquiries sent to the e-service and those of the responses sent to these inquiries.

The time stamps related to inquiries sent to the Population Information System, the mandate register, the Business Information System, the Trade Register and other basic registers and those of the responses sent to these inquiries.

If the authorisation check results in a rejection, the criteria for the rejection are saved. The reason for the rejection is not transferred to the e-service.

If the authorisation check is interrupted due to an error, the reason for error is saved.

7. Standard sources of information

Sources for register data:

The Population Information System (Digital and Population Data Services Agency)
Business Information System (Finnish Patent and Registration Office)
Trade register (Finnish Patent and Registration Office)
Other basic registers, such as the Finnish Register of Associations (Finnish Patent and Registration Of-fice), and register of prohibitions to pursue a business (Legal Register Centre)
Suomi.fi e-Authorizations mandate register (Digital and Population Data Services Agency)
E-services that utilize Suomi.fi e-Authorizations and
Identification device providers such as banks or identification service providers such as the Digital and Population Data Services Agency’s Suomi.fi e-Identification

8. Standard disclosure of information

The controller may disclose information from the register to organisations using Suomi.fi e-Authorizations in their e-services, if the information has been saved during the use of these e-services or other services and if the organisation necessarily needs the information

to ensure and improve the functioning of its e-services
to ensure the data security of its e-services or to investigate disturbances in its data security
to demonstrate that data is processed in the correct manner or to otherwise examine problems related to the use of e-services.

On request, the controller may also disclose event data kept in the register to a data subject (individual or organisation) if the data concerns the data subject in question.

The disclosure of information to organisations using Suomi.fi e-Authorizations and the data subjects is based on section 14 of the Act on Common Administrative E-service Support Services.

The controller may also disclose data in the service to

police, criminal investigation and prosecuting authorities as well as a court of law for the purposes of preventing and investigating a crime
the Data Protection Ombudsman for the purpose of supervising data security.

Information may also be disclosed as statistics or in other formats so that individuals cannot be identified.

Information may also be disclosed for other purposes laid down in the law.

9. Transferring data outside the EU or the EEA

No personal data is transferred outside the EU or the EEA.

10. Principles of register protection

The data is protected taking into account data security and the management of access rights.

The register does not contain manual material. Manual material that may be created in liquidations is protected taking into account data security in locked facilities where access is monitored.

The data in the register can only be accessed by persons whose duties include processing such data. Log data is saved on the processing of data.

11. Existence of automated decision-making

No automated decision-making or profiling is performed on the basis of the data.

12. Rights of the data subject

Right of inspection

You and your organisation have the right to request that the controller provides you with access to the data on you, so that you can check the information that is kept on you. The request must be submitted in writing to Digital and Population Data Services Agency’s registry office. Be prepared to prove your identity.

You will receive the information you need within a month of the time your request was registered. However, for justified reasons the Digital and Population Data Services Agency can extend the aforementioned one-month timeline by two months at the most. In this case you will receive a notification.

Right to demand data correction

Data subjects do not have the right to request corrections to event data.

Limitations to the rights of the data subject with regard to the processing of personal data

The data subject does not have the right to request the deletion of their data, as the data processing is based on the law. For the same reason, the data subject does not have the right to object to the processing of their personal data or the right to have their data transferred to another system.

13. The data subject’s right of appeal to the supervisory authority

The data subject has the right to lodge a complaint to the supervisory authority on the processing of their personal data.

Additional information by the Office of the Data Protection OmbudsmanOpens in a new window..