Privacy statement of the user register of Suomi.fi Messages
Citizens can use Suomi.fi Messages to exchange messages electronically with public-sector organisations. Personal data of persons who use Suomi.fi Messages and the messages received and sent through the service are stored in the user register of Suomi.fi Messages.
1. Name of register
User register of Suomi.fi Messages
2. Controller and contact persons
Digital and Population Data Services Agency
Lintulahdenkuja 2, FI-00530 Helsinki
Telephone (switchboard) +358 295 536 000, email kirjaamo(a)dvv.fi
Contact person in register-related matters
Development Manager Maria Juka-Lahdenperä
3. Data Protection Officer
Lintulahdenkuja 2, FI-00530 Helsinki
Telephone (switchboard) +358 295 536 000, tietosuoja(a)dvv.fi
4. Purpose and legal basis for processing of personal data
The register comprises the register of Suomi.fi Messages, which is provided by the Digital and Population Data Services Agency under section 4 of the Act on Common Administrative e-Service Support Services (571/2016) and contains the personal data necessary for the provision of the service, the messages and notifications of Suomi.fi Messages, the message attachments and the permission to use electronic messages. Event data (i.e. log data) in agreement with the Act is collected on the use of the service.
Section 11 of the Act lays down provisions on keeping a register of permissions to use electronic messages.
The personal data in the register is processed in accordance with the Data Protection Act in order to prove the validity of the data processing carried out in the service and to otherwise provide and develop the service and to ensure its functionality and information security.
In addition, the data can be used to determine the extent to which the service is used, to track expenses and their distribution, and for statistical purposes. When using the data for statistical purposes, the data will be published in such a way that individual persons cannot be identified.
The actual processing of personal data has not been outsourced, but the Digital and Population Data Services Agency’s IT infrastructure service provider Valtori and its subcontractors manage the IT infrastructure of the event log files and other registers of the Suomi.fi services.
In addition, the Digital and Population Data Services Agency provides centralised posting of letters printed on paper. If the end user has not selected electronic messages, the letters sent by the organisation will be sent by post. User organisations can also connect paper mail senders of their choice to the service.
The organisations using Suomi.fi Messages ensure for their part that the necessary logs concerning data processing are kept and the required records are drawn up.
5. Personal data retention period
Provisions on the production of the Suomi.fi Messages service and the retention periods of the personal data related to the service are laid down in the Act on Common Administrative e-Service Support Services:
The retention periods of the data contained in the user register of Suomi.fi Messages has been differentiated as follows:
- the data in the user register is retained for five (5) years after the account has been closed.
- message attachments are retained for three (3) years, after which they are deleted from the register.
Section 13 of the Act on Common Administrative e-Service Support Services lays down provisions on retaining the data processed in service production. The Digital and Population Data Services Agency must retain the data contained in the register of permissions to use electronic messages, provided in section 11 of the Act in question, and the data required for verifying the data processing and the messages sent in the register. In addition, section 13 provides that the Digital and Population Data Services Agency must retain the transmitted messages for at least two years unless they have been removed by the user before that.
The Digital and Population Data Services Agency has made the decision to keep the messages on file for the time being and the message attachments for three years.
The data in the event log file (log file) is retained for five (5) years. The Digital and Population Data Service Agency has estimated that, with regard to event logs, a five-year (5) retention period is necessary when taking into consideration the limitation periods for the most common offences related to the processing of personal data and the limitation period for offences in office, which is five years.
6. Register data content
The data stored in the user register of Suomi.fi Messages consists of the received messages and notifications and the permission given by the person to use electronic messages or their choice to receive the messages as paper documents. The other selections made by the user are also stored in the register as well as the email address, which is recorded as the person’s contact address.
The register contains the following personal data:
- Personal identity code and/or organisation code
- Received messages and their attachments as well as their unique identifiers and metadata
- Sent notifications
- Information on whether the person has given permission to use electronic messages or not. The person may also choose to receive the documents on paper
- The email address the person has given for the notifications
- The language selected by the person
- The time and date the message from the customer organisation was received and the time and date it was sent to the agreed channels
- The time and date the notification was sent
- The settings made by the Digital and Population Data Services Agency in the service, the changes made to the end user’s settings and other measures, such as updates from the Population Information System
- Time stamps of event data
- Information on whether the person is alive
The personal identity code serves as a key individualising the end user. The personal identity code is received from the user organisation when it sends the message. The personal identity code is received when the end user logs in the Suomi.fi Web Service using strong identification. The code is transmitted by Suomi.fi e-Identification.
As regards acting on behalf of another person and acting on behalf of an organisation, the email address of the person acting on behalf the other party is recorded in the register of Suomi.fi Messages. Other personal data related to acting on behalf of the other party is recorded in the Suomi.fi e-Authorizations service of the Digital and Population Data Services Agency and in a centralised log file.
Event data (log data) on the use of the service is recorded. The data in the event log file includes the data rec-orded on the processing activities performed by the Digital and Population Data Services Agency and the customer organisations and the measures targeted at the register. In addition, event data on the end user’s activities is recorded when the end user uses Suomi.fi Messages.
7. Standard sources of information
The data in the user register is primarily received from the users themselves when they start to use Suomi.fi Messages and provide the necessary personal data.
In addition, data for the register is obtained when the end user, customer organisation and the Digital and Population Data Services Agency carry out actions related to Suomi.fi Messages. When the end user uses the service, information on their service use is recorded in the event log file. Information on the actions taken by the customer organisation and the Digital and Population Data Services Agency is also recorded.
8. Standard disclosure of information
The Digital and Population Data Services Agency may disclose user data or event data contained in the regis-ter to organisations that use Suomi.fi Messages if the data has been recorded in connection with their e-services or other service use and the organisation needs it:
- to ensure the data security of its e-services or to investigate disturbances in its data security;
- to demonstrate that data is processed in the correct manner or to otherwise examine problems related to the use of e-services;
- to ensure and improve the functioning of its e-services.
When requested to do so, the controller may also disclose data kept in the register to the end user if the data concerned is the end user’s own data.
The personal identity code and the message sent to the organisation are disclosed to the organisation when the person responds to a received message or initiates communication with the organisation. The message may also contain personal data.
In addition, information may be disclosed for other purposes laid down in the law. Such situations include the disclosure of information to the police, criminal investigation authorities and the prosecuting authorities.
9. Transferring data outside the EU or the EEA
No personal data is transferred outside the EU or EEA.
10. Principles of register protection
The data material has been protected by means of access control and the servers can only be accessed from the central government’s internal network. In addition, the personal data is protected by means of access management, the monitoring of use and the provision of instructions for the processing of personal data.
11. Automated decision-making and profiling
No automated decision-making or profiling is performed on the basis of the data from the personal data file.
12. Data subject’s rights
Right of inspection
You can see the data recorded on you in the user register through the Suomi.fi Messages service. You can also view the event data concerning yourself in the Activity history service of the Suomi.fi Web Service when you have logged in using strong identification. The Activity history shows the event log data on the Suomi.fi Messages concerning the user and the related identification.
You also have the right to request that the controller provide you with access to your personal data (so that you can check the information that is kept on you in the personal data files). In addition, every person has the right to check that there is no information on them in the register. A request for checking this must be submitted in writing to the registry of the Digital and Population Data Services Agency (see Section 2 for contact information).
Right to demand data correction
You have the right to request that your personal data should be corrected. Submit the request in writing to the contact person of the register (Section 2, Controller and contact persons). In your request, you must mention the data that should be rectified and the details of the change or the data that should be added to the register. Your identity will be verified in connection with the request.
You can also change certain user data yourself by identifying yourself in Suomi.fi Messages and changing the data you have provided previously.
Restrictions to the data subject’s rights in relation to personal data processing
Most of the services provided by the Digital and Population Data Services Agency are based on complying with a statutory obligation or the use of public powers. In such cases, you do not have the right to demand that your data should be deleted or transferred to another service.
You do not have the right to request the deletion of your data, as the data processing is based on law. You therefore do not have the right to object to the processing of your personal data.
13. The data subject’s right of appeal to the supervisory authority
The data subject has the right to lodge a complaint with the Data Protection Ombudsman regarding the processing of their personal data.