suomi.fi
Go directly to contents.

Privacy statement for Suomi.fi e-identification event register

Suomi.fi e-Identification is a joint identification service for public administration. The service enables electronic authentication of the end-user in e-services and makes it possible to use the different e-services with a single sign-on.

1. Name of register

Suomi.fi e-identification event register

2. Controller and contact persons

Digital and Population Data Services Agency 

Lintulahdenkuja 2, FI-00530 Helsinki 

P.O. Box 123, FI-00531 Helsinki

Telephone (switchboard): +358 295 536 000, email: kirjaamo(a)dvv.fi

Contact person in register-related matters

Mika King, Development Manager

Lintulahdenkuja 2, FI-00530 Helsinki 

Telephone (switchboard): +358 295 536 000, email: kirjaamo(a)dvv.fi

3. Data Protection Officer

Telephone (switchboard) +358 295 536 000, email: tietosuoja(a)dvv.fi

4. Purpose and legal basis for processing of personal data

The register is the Suomi.fi identification event log The Population Register Centre produces Suomi.fi identification in accordance with section 4 of the Act on central government’s joint e-service support services (571/2016). 

The data saved in the register is used for the follow-up and monitoring of Suomi.fi identification use, fault investigation and investigation of any abuses and data security violations. The event log data saved in the file is also used for statistical purposes.

5. Personal data retention period 

The controller shall retain the register's data for a period of five years from the beginning of the year following identification (section 13 of the Act on central government’s joint e-service support services)

6. Register data content

Information on the use of Suomi.fi identification is saved in the event log register.

  • Information on the eService that has requested identification
  • The user's IP address
  • Used browser and operating system
  • Time stamps related to identification events for Suomi.fi identification and tokens.
  • An identified user's 
  1. personal identity code, if they have used internet bank codes, a mobile certificate or certificate card in identification
  2. Katso ID, if the user has used Katso for identification 
  • Information on the tokens in use as well as the personal data recovered by the tokens, which include
  1. internet bank codes: personal identity code, name information, bank transaction ID 
  2. mobile certificates; telephone number, event ID sent to mobile phone 
  3. ID card: e-Services code, information on the party providing the certificate
  4. ID card for regulated social welfare and health care professionals: A person's unique identifier supplied by the National Supervisory Authority for Welfare and Health, a certificate's serial number, information on the authority that granted the certificate
  5. organisation cards as well as other social and healthcare personnel certificate cards: an individual's unique identifier, the certificate's serial number, information on the authority that granted the certificate
  6. When a user has been identified, their personal identity code or Katso ID are trans-ferred to the e-service as is information on what other personal data has been trans-mitted to the e-service from the Population Information System or the Katso identifier. The register does not include any actual information content on transmitted information in addition to the personal identity code or Katso ID. 

On the basis of the personal identity code recovered by the token the Suomi.fi identification creates a request in the  Population Information System. Personal data recovered by the Population Information system are not saved to the event log register. Instead, the information content can be viewed later on from the Population Information System's logs. If identification is rejected on the basis of the answer from the Population Information System, the reason for the rejection is saved in the register, which be for example that the information cannot be found with the given personal identity code or that the person connected to the personal identity code has been  declared dead.

If an order of non-disclosure for personal security reasons is valid for the user in the Population Information System, the Suomi.fi identification will not process data to which the non-disclosure applies.

If identification is interrupted or is unsuccessful with a token, information on the reason for this rejec-tion or failure is saved. 

7. Standard sources of information

The data sources of the file are:

  • the Population Information System
  • Certificate Management System
  • tokens and their related identification services
  • eServices that utilise Suomi.fi identification
  • information entered and registered by the user in the electronic Suomi.fi identification form

8. Standard disclosure of information

The controller may disclose information from the register to organisations that utilise Suomi.fi identification in their e-services, if the information has been saved during the use of these e-services or other services and if the organisation needs information: 

  • to ensure and improve the functionality of its e-services;
  • to ensure the information security of its e-services or to investigate disturbances in its information security;
  • in order to demonstrate that that data is processed in the correct manner or to otherwise examine problems related to the use of e-services.

The controller can also disclose the register's data at request to Suomi.fi identification users, if the information applies to their own event logs.  

The disclosure of information to organisations that utilise Suomi.fi identification and its users is based on section 14 of the Act on central government’s joint e-service support services (571/2016). 

The controller may also disclose data on the service to:

  • police, pre-trial investigation and prosecuting authorities as well as a court of law for the purposes of preventing and investigating a crime;
  • The Data Protection Ombudsman and the Data Protection Board for the purpose of supervising data security;

Information may also be disclosed as statistics or in some other format where individuals cannot be identified.

Additionally, information can be disclosed for other purposes pursuant to the law.

9. Transferring data outside the EU or the EEA

Personal data may not be transferred to areas outside the EU or EEA.

10. Principles of register protection

Data is protected taking into account data security and the management of access rights.  

The register does not contain manual materials. Manual materials which may be created in liquidations are protected taking into account data security in locked facilities where access is monitored.  

The data in the register can only be accessed by persons whose duties include processing such data. Log data is saved on the processing of data.

11. Automated decision-making and profiling

No automatic decision-making or profiling is performed on the basis of data from the personal data file.

12. Data subject’s rights

You have the right to request access to your personal data, meaning you can check the information that is kept on you in the personal data file. You can submit a request to access to your information to the Digital and Population Data Services Agency. Be prepared to verify your identity.

You will receive the information you need within a month. If, for come justified reason, the infor-mation cannot be provided to you in this time period, the Digital and Population Data Services Agency can extend the deadline by 2 months. In this case, you will be sent a notification on the mat-ter.

1.1 Right to demand data correction

No right to correct event logs.

1.2 Restrictions to the data subject’s rights in relation to personal data processing

Most of the services provided by the Digital and Population Data Services Agency are based on compliance with a statutory obligation or the use of public powers. In those cases, you do not have the right to demand the deletion of your data or its transfer to another system nor can you oppose the processing of your personal data, Moreover, the data subject does not have the right to request that the processing of their personal data should be limited.

13. The data subject’s right of appeal to the supervisory authority

You have the right to lodge a complaint with the Data Protection Ombudsman regarding the processing of your personal data. 

Office of the Data Protection Ombudsman, PO Box 800, FI-00521 Helsinki

For more information see the Data Protection Ombudsman’s instructions