suomi.fi
Go directly to contents.

Privacy statement for the Suomi.fi e-Authorizations mandate register

In connection with Suomi.fi e-Authorizations, the Digital and Population Data Services Agency maintains a mandate register. The data in the register is used in Suomi.fi e-Authorizations to verify the right to act on behalf of a person, company or organisation. The information in the mandate register is also used for end user advice and to investigate problems related to the registration and use of mandates.

1. Name of register

 Mandate register of Suomi.fi e-Authorizations and the event log file of the mandate register

2. Controller and contact person

Digital and Population Data Services Agency

Lintulahdenkuja 2, 00530 Helsinki 

PL 123, 00531 Helsinki

Telephone (switchboard) 02 9553 6000, email: kirjaamo(a)dvv.fi

Contact person in register-related matters

Mika King, Development Manager

Lintulahdenkuja 2, 00530 Helsinki 

Telephone (switchboard) 02 9553 6000, email: kirjaamo(a)dvv.fi

3. Data Protection Officer

Telephone (switchboard) 02 9553 6000, tietosuoja@dvv.fi

4. Purpose and legal basis for processing of personal data

The register functions as the mandate register of the Suomi.fi e-Authorizations and as the event log file of the register. The Digital and Population Data Services Agency produces Suomi.fi e-Authorizations in accordance with sections 3 and 4 of the Act on Common Administrative E-Service Support Services (Support Services Act, 571/2016). The register contains data on the mandates and mandate requests stored in the mandate register and the event data connected with them as well as application documents for the registration of mandates.

The data contained in the mandate register is used in the Suomi.fi e-Authorizations service to verify the right of an individual or a company/organisation to act on behalf of another party. The information in the mandate register is also used for end user advice and to investigate problems related to the registration and use of mandates. There are provisions on the mandate register especially in section 10(1) of the Support Services Act.

The data entered in the register is also used for the follow-up and monitoring of the mandate register and in-vestigation of any abuses and data security violations. The data stored in the register is also used for statistical purposes.

Under the Support Services Act, the Digital and Population Data Services Agency may agree with another authority on the provision of customer service related to Suomi.fi e-Authorizations. Based on the agreement, the employees of other authorities may process mandate applications and, based on them, register mandates in the mandate register. The authority only serving in an advisory capacity may review the data in the mandate register.

The Digital and Population Data Services Agency’s IT infrastructure service provider Valtori and its subcontractors manage the IT infrastructure of the Suomi.fi service registers.

5. Retention period of the personal data 

The data contained in the mandate register is retained by the controller until further notice. Validated man-dates are retained in the register even if their validity has expired or been cancelled. A mandate request is removed from the register if it has not been validated within six (6) months.  The controller will retain the data contained in the mandate register event log file for five (5) years from the moment when the mandate or the mandate request expires (section 13(2) of the Support Services Act).

The Digital and Population Data Services Agency has estimated that with regard to event data, a five-year (5) retention period is necessary, when taking into consideration the limitation periods for the most common offences related to the processing of personal data and the limitation period for offences in office, which is five years.

6. Register data content

The contents of the register comprise data on mandates and mandate requests and event data on the users’ activities. The register also contains mandate application documents and their appendices, on the basis of which an employee of the Digital and Population Data Services Agency or another authority has entered mandates in the mandate register.

Data content of the mandate register:

Details of the assignor (principal):

  • For individuals: unique identifier (usually personal identity code), first names and surname 
  • For companies and other organisations: unique identifier (usually Business ID) and name

Details of the individual validating the mandate:

  • Unique identifier (usually personal identity code), first names and surname
  1. The mandate is usually validated by the assignor (principal). If the assignor is a compa-ny/organisation, the mandate must be validated by an individual other than the as-signor (for example, the managing director).
  2. Two new features will be added to Suomi.fi e-Authorizations during 2020: 1) a feature in which an underage dependent person may act as the assignor (principal) and the guardians can validate the mandate, and
  3. 2) a feature in which the mandate granted by a company/organisation can be validat-ed by more than one person (for example, jointly by the Board members).
  4. A mandate recorded on the basis of a written application is always confirmed by the employee who has processed the application in question. The name and personal identity code of the employee are stored in connection with the mandate.

Details of the assignees

  • For individuals: unique identifier (usually personal identity code), first names and surname
  • For companies and other organisations: unique identifier (usually Business ID) and name

There are three types of mandates: validated mandates, expired mandates and mandate requests. The difference between a mandate request and a valid/validated mandate is that a mandate request has not been validated. A valid mandate has been validated.

Start and end date of the mandate

Mandate content (mandate code), which describes the matter that the mandate concerns

Mandate specifier, which specifies the mandate granted by the mandate code (for example, property identifier, register number or sub-organisation ID)

Mandate type:

  • Mandate for transactions
  • Right to grant a mandate (only for company mandates)
  • Mandate to represent (only for company mandates)
  • Representative’s right to grant a mandate (only for company mandates)

Unique identifier for the browsing session in which the mandate was created/validated/invalidated/removed

Technical signature of the mandate, which is created automatically when the mandate is validated.

Data content of the event log file:

Event data connected with the use of the mandate register:

  • One of the following transactions carried out by the user:
  1. creation of a mandate or a mandate request,
  2. validation of a mandate,
  3. invalidation of a validated mandate, or
  4. removal of a mandate request or a received mandate.
  • Start date and end/invalidation/removal date of a mandate or a mandate request
  • Unique user identifier (usually the personal identity code)
  • Unique mandate identifier
  • Unique identification session identifier
  • Unique assignor identifier (usually the personal identity code or Business ID)
  • Unique assignee identifier (usually the personal identity code or Business ID)
  • Mandate content (mandate code), which describes the matter that the mandate concerns

Updating of changed data

  • Changes of the personal data kept in the Population Information System are updated and for them, details of the updates made are stored. However, for expired mandates, the details of the assignor (principal) or the assignee are not updated.
  • Changes in the basic company data (such as name) kept in the PRC registers are updated and for them, details of the updates made are stored.

Errors:

  • If the transaction is rejected, the reason for the rejection is entered. 
  • If the use of the services is interrupted because of an error, the cause of the error is entered.

Transaction time stamps.

7. Standard sources of information

 Sources for mandate register data:

  • Suomi.fi e-Identification, for which the unique identifier (usually the personal identity code) of the individual using the Suomi.fi Web Service (individual saving the mandate or the mandate request) is relayed
  • Trade register, Business Information System, Finnish Register of Associations, other basic registers (such as the register of prohibitions to pursue a business) or the mandate register, from which the organisational and role/mandate details of an identified individual acting on behalf of a company in the  Suomi.fi Web Service are retrieved
  • User of Suomi.fi e-Authorizations that saves or removes information on mandates and mandate requests
  • The Population Information System, on the basis of which the personal identity code and name data of the assignor or assignee entered by the party saving the mandate or the mandate request are verified. Name data is not saved in the mandate register as it is only used for the duration of the browsing session.
  • A partial copy of the Business Information System, from which the details of the assignor/assignee organisation entered by the party saving the mandate or the mandate request are retrieved.
  • In addition, information may be obtained from written mandate applications during an onsite visit, by post and by e-mail.

Sources for event data: 

  • Suomi.fi e-Identification for the personal identity code of the individual using Suomi.fi e-Authorizations and the unique identifier of the identification session.
  • Transactions in the mandate register (such as the creation, validation and removal of mandates)

8. Standard disclosure of information 

Information on valid mandates contained in the mandate register is disclosed for Suomi.fi e-Authorizations to specify the right to act on behalf of another party.

The controller may disclose information from the register to organisations using Suomi.fi e-Authorizations in their e-services, if the information has been saved during the use of these e-services or other services and if the organisation necessarily needs the information

  • to ensure and improve the functioning of its e-services
  • to ensure the data security of its e-services or to investigate disturbances in its data security
  • to demonstrate that data is processed in the correct manner or to otherwise examine problems related to the use of e-services.

On request, the controller may also disclose event data kept in the register to a data subject (individual or organisation) if the data concerns the data subject in question.

The disclosure of information to organisations using Suomi.fi e-Authorizations and the data subjects is based on section 14 of the Act on joint Central Government e-service Support Services.

The controller may also disclose data in the service to

  • police, criminal investigation and prosecuting authorities as well as a court of law for the purposes of preventing and investigating a crime
  • the Data Protection Ombudsman for the purpose of supervising data security.

Information may also be disclosed as statistics or in other formats so that individuals cannot be identified.

Information may also be disclosed for other purposes laid down in the law.

9. Transferring data outside the EU or the EEA 

No personal data is transferred outside the EU or the EEA.

10. Principles of register protection 

The data is protected taking into account data security and the management of access rights.

The register does not contain manual material. Manual material that may be created in liquidations is protected taking into account data security in locked facilities where access is monitored.

The data in the register can only be accessed by persons whose duties include processing such data. Log data is saved on the processing of data.

11. Existence of automated decision-making

No automated decision-making or profiling is performed on the basis of the data.

12. Rights of the data subject

Right of inspection

You can view your valid and expired mandates and mandate requests at Suomi.fi Web Service.

You and your organisation have the right to request that the controller provides you with access to the data on you, so that you can check the information that is kept on you. The request must be submitted in writing to Digital and Population Data Services Agency’s registry office. Be prepared to prove your identity.

You will receive the information you need within a month of the time your request was registered. However, for justified reasons the Digital and Population Data Services Agency can extend the aforementioned one-month timeline by two months at the most. In this case you will receive a notification.

Right to demand data correction

You can make corrections through Suomi.fi Web Service to valid mandates and mandate requests concerning them that are kept in the mandate register. 

Data subjects do not have the right to request corrections to event data or expired/removed mandates and mandate requests.

Limitations to the rights of the data subject with regard to the processing of personal data

The data subject does not have the right to request the deletion of their data, as the data processing is based on the law. For the same reason, the data subject does not have the right to object to the processing of their personal data or the right to have their data transferred to another system. 

13. The data subject’s right of appeal to the supervisory authority

The data subject has the right to lodge a complaint to the supervisory authority on the processing of their personal data. 

Additional information by the Office of the Data Protection Ombudsman