suomi.fi

Privacy statement for event log file for cross-border identifiers

1. Name of register

Event log file for cross-border identifiers

2. Controller and contact persons

Digital and Population Data Services Agency 

Lintulahdenkuja 2, FI-00530 Helsinki 

P.O. Box 123, FI-00531 Helsinki

Telephone (switchboard): +358 295 536 000, email: kirjaamo(a)dvv.fi

Contact person in register-related matters

Mika King, Development Manager

Lintulahdenkuja 2, FI-00530 Helsinki 

Telephone (switchboard): +358 295 536 000, email: kirjaamo(a)dvv.fi

3. Data Protection Officer

Telephone (switchboard): +358 295 536 000, email: tietosuoja(a)dvv.fi

4. Purpose and legal basis for processing of personal data

The register serves as the event log file of cross-border identification events for the National Node (Node) when users log into Finnish online services. The Node is based on the eIDAS regulation (910/2014). Under the regulation, public administration actors must mutually recognise strong electronic identification of citizens of other EU Member States in their e-services, if the identification means used have been notified in accordance with the regulation.

Under section 42 of the Act on Strong Electronic Identification and Electronic Signatures (617/2009), the generation of the Node is the responsibility of the Digital and Population Data Services Agency. Processing of personal data is necessary so that the strong electronic identification generated in the service can be implemented. For this reason, the personal data is processed in accordance with Article 6(1)(c) of the General Data Protection Regulation.

The data entered in the register is used for the follow-up and monitoring of the Node use, fault investigation and investigation of any abuses and data security violations. The event log data entered in the register is also used for statistical purposes, as well as for usage analysis and development of the service.

5. Personal data retention period

The controller will retain the registered data for a period of five years from the beginning of the calendar year following the identification event.

6. Register data content

The minimum data requirements for strongly identified persons are laid down in the Annex to the Node implementing regulation (EU 2015/1501). Under the Annex, the minimum data set for a natural person must contain all of the following mandatory attributes:

  • current family name(s)
  • current first name(s)
  • date of birth
  • a unique identifier constructed by the sending Member State in accordance with the technical specifications for the purposes of cross-border identification and which is as persistent as possible in time.

However, no information identifying the person and transmitted through the Node is entered in the event log file. Only information on the use of the Node is entered in the file. This information includes:

  • node's identification
  • message identification
  • message date and time.

7. Standard sources of information

The personal data on identified persons transmitted by other Member States and the communications data concerning the Node utilisation are used as the sources of information for the register.

8. Standard disclosure of information

The controller may disclose information from the register to organisations utilising cross-border identification, if the information has been saved during the use of their e-services or other services and if the organisation needs information:

  • to ensure the data security of its e-services or to investigate disturbances in its data security;
  • to demonstrate that data is processed in the correct manner or to otherwise examine problems related to the use of e-services.

When requested to do so, the controller may also disclose data kept in the register to Node users if the information applies to their own event logs.

Information may also be disclosed for other purposes laid down in the law. Such situations include the disclosure of information to the police, criminal investigation authorities and the prosecuting authorities.

9. Transferring data outside the EU or the EEA

No personal data will be transferred outside the EU or EEA. 

10. Principles of register protection

The data is protected taking into account data security and the management of access rights.

The register does not contain manual material. Manual material that may be created in liquidations is protected taking into account data security in locked facilities where access is monitored.

The data in the register can only be accessed by persons whose duties include processing such data. Log data is saved on the processing of data.

11. Automated decision-making and profiling

No automated decision-making or profiling is performed on the basis of the data from the personal data file.

12. Data subject’s rights

You have the right to request access to your personal data, meaning you can check the information that is kept on you in the personal data file. You can submit a request for access to your information to the Digital and Population Data Services Agency. Be prepared to verify your identity.

You will receive the information you need within a month. If, for some justified reason, the information cannot be provided to you in this time period, the Digital and Population Data Services Agency can extend the deadline by 2 months. In this case, you will be sent a notification on the matter.

1.1 Right to demand data correction

No right to correct event logs.

1.2 Restrictions to the data subject’s rights in relation to personal data processing

Most of the services provided by the Digital and Population Data Services Agency are based on compliance with a statutory obligation or the use of public powers. In those cases, you do not have the right to demand the deletion of your data or its transfer to another system, nor can you oppose the processing of your personal data. Moreover, the data subject does not have the right to request that the processing of their personal data should be limited.

13. The data subject’s right of appeal to the supervisory authority

You have the right to lodge a complaint with the Data Protection Ombudsman regarding the processing of your personal data. 

Office of the Data Protection Ombudsman, PO Box 800, FI-00521 Helsinki

For more information, see the Data Protection Ombudsman’s instructions.