Privacy statement of Suomi.fi web service
Updated on 7 January 2020
1. Name of register
The data file and database of the Suomi.fi web service, and the event log file of the Suomi.fi web service and a partial copy of the event log file.
Name: Digital and Population Data Services Agency
Address: Lintulahdenkuja 2, 00530 Helsinki / Teknologiakatu 7, 67100 Kokkola
Telephone (switchboard) +358 (0)295 535 001, email kirjaamo(a)dvv.fi
3. Contact person in register-related matters
Development Manager Jari Suhonen
Telephone (switchboard) +358 (0)295 535 001
Senior specialist Pasi Ahola
Telephone (switchboard) +358 (0)295 535 001
4. Data Protection Officer
Leading Specialist Noora Kallio
Lintulahdenkuja 2, 00530 Helsinki
Telephone (switchboard) +358 (0)295 535 001, noora.kallio(a)dvv.fi
5. Retention period of the personal data contained in the personal data file
- The data in the Suomi.fi web service is stored for the duration of the identification session.
- The user’s favourites stored in the Suomi.fi web service’s data base are retained until the user personally removes this data. A personal identification code is used as a unique identifier and it is retained in the service for the time being.
- The data in the event log file of the Suomi.fi web service is kept on file for five (5) years.
- The data in the partial copy of the Suomi.fi web service event log file is kept on file for five (5) years.
The Digital and Population Data Services Agency has estimated that with regard to event logs a five-year (5) retention period is necessary, when taking into consideration the limitation periods for the most common offences related to the processing of personal data and the limitation period for hate crimes, which is five years.
6. Purpose and legal basis for processing of personal data
The register comprises the data file and database of the Suomi.fi web service administrated by the Digital and Population Data Services Agency and the event log file of the Suomi.fi web service and a partial copy of the event log file. Personal data is processed on the basis of the Act on Common Administrative e-Service Support Services (571/2016) in relation the Digital and Population Data Services Agency’s statutory duty.
- The data file of the Suomi.fi web service means the data stored in the cache of the web service.
- The database of the Suomi.fi web service means the data saved in the database of the web service.
- The event log file of the Suomi.fi web service means the data file to which log data on the events in the web service is saved.
- A partial copy of the Suomi.fi web service event log file means a data file to which some of the data in the event log file (3.) and the explanations for the event log data intended for their user are saved.
The purpose of processing personal data is to facilitate the production and development of the Suomi.fi services well as assuring their functionality. Personal data are processed to identify Suomi.fi web service users and for protecting the personal data processed in the service and to guarantee information security. Additionally, the register’s personal data are used to demonstrate that data processing in the service has been correct and to otherwise investigate errors, abuse and data protection violations.
With the help of the personal data processed in the Suomi.fi web service, information is maintained on users who have identified themselves in the web service using strong identification and retrieved their own data or data of the party (organisation, person) they represent from the basic registers or the Suomi.fi Messages service to view it in the web service (1.). Information is also maintained on users who have saved their own favourites (2.) or have retrieved event data from the partial copy (4.) of the event log file. The Suomi.fi web service also collects event data on the use of the web service (3.).
Storing the identified person’s personal data in the Suomi.fi web service is required so that the user can be identified with strong identification. Storing personal data also technically enables providing the user with access to their personal data or the data of the body they represent in different basic registers. It also enables access to messages in the Suomi.fi Messages service and to other data.
Additionally, statistical data is collected on all Suomi.fi web service users (also unidentified users). No embedding for social media (e.g. Facebook, Twitter) or video services that are located outside the European Economic Area (e.g. YouTube) have been built into the Suomi.fi web service. Suomi.fi video content is created using a secure Finnish service.
In addition, the data collected on the use of the Suomi.fi web service can be used to determine the extent to which the web service is used, to track expenses and their distribution, and for statistical purposes. When using the data for statistical purposes, the data will be published in such a way that individual persons cannot be identified.
The Digital and Population Data Services Agency’s IT infrastructure service provider Valtori and its subcontractors see to the Suomi.fi service registers'’ IT infrastructure.
7. Register data content
The following personal data is processed on users who have identified themselves:
- Personal identity code (1.–4.)
- Data required to use the web service, stored in the cache (1.)
- Own settings determined by the user (2.)
- Time stamps in the event log data (1., 3. and 4.)
- The data repository from which the user has retrieved his or her own data to view it in the web service (1., 3. and 4.)
- Messages retrieved from and delivered in the Suomi.fi Messages service (1., 3. and 4.)
- Certain data in the event log file and their explanations (4.)
Otherwise, data collected on Suomi.fi web service user traffic (IP address, visited pages, etc) is processed in statistical format, from which individual users cannot be identified.
When a person identifies themselves in the Suomi.fi web service, they are shown data on themselves that is transmitted by the Suomi.fi e-Identification (personal identity code, name, municipality of residence, address, email) of which the person’s personal identity code is retained in the Suomi.fi web service’s data base (2.). If data on the person who is signing in via e-Identification cannot be retrieved from the Population Information System, the identification instrument’s provider transmits the user’s personal identity code and name to the Suomi.fi identification event.
If the identified person uses the service on behalf of a person or an organisation, the data on the personal or organisation ID returned by the Suomi.fi service is temporarily stored in the register. (1., 3. and 4.)
The information concerning the success or failure of the identification will be recorded. If the use of the services is interrupted because of an error, the data on the cause of the error will be recorded.
Data on time stamps related to queries made to connected systems and registers and received replies, and data on sources and on the identifier used to make the query are recorded in the register. The identifier may be a personal identity code or an organisation code or some other unique identifier.
8. Standard sources of information
The register’s sources of information are the transactions in the web service, data repositories and services connected to the web service, the Suomi.fi Messages service, the data transmitted by Suomi.fi e-Identification and Suomi.fi e-Authorisations.
9. Standard disclosure of information
The controller of the data can disclose data recorded on the web service use as data from the event log file to the user organisation in connection with whose service use or other transactions this data has been recorded, if the user organisation needs the data:
- to ensure and improve the functionality of its web services;
- to take care of the information security of its web services or to investigate disturbances in its information security;
- to prove the validity of the data processing in connection with service use or
- to investigate problems concerning service use in some other way.
Additionally, the controller may, unless otherwise provided in Sections 11 and 12 of the Act on the Openness of Government Activities, disclose data recorded on the use of the web service:
- to a person on whose support service use or other use of the services the information has been recorded.
- for other identified purpose where the person on whose support service use or other use of the service the information has been recorded has given their express consent to this.
Data can also be disclosed as statistics and in other ways, however, in such a manner that personal information is not disclosed.
Data can also be disclosed on other legal grounds.
10. Transferring data outside the EU or the EEA
No personal data is transferred outside the EU or EEA.
11. Principles of register protection
The personal data processed in the Suomi.fi web service are protected as required by legislation, taking data security requirements into account.
Only users that have logged in using strong identification have access to the personal data in the web service. The internet connection to the web service is SSL-secured. Data temporarily stored in the web service has also been encrypted and the identification data processed in the web service is always transmitted using strong identification.
No manual material is produced by the register. Manual documentation associated with access to register data for the purpose of investigating faults is protected as required in legislation, taking the requirements of information security into account.
The data in the register can only be accessed by persons whose duties include processing such data.
12. Existence of automated decision-making
No automated decision-making or profiling is performed on the basis of the data from the personal data file.
13. Right of inspection
The data subject has the right to request that the controller provides them with access to their personal data (so that the data subject can check the information that is kept on them in the personal data file). Every person also has the right to check that there is no data on them or the organisation they represent in the register. The request must be submitted in writing to the Digital and Population Data Services Agency’s registry office.
The controller must respond to the request by the data subject without delay, and, as a rule, access will be given within a month of the time the request was registered. However, the aforementioned one-month timeline can be extended by at most two months, if the correction requested by the data subject so requires. The controller will notify the data subject of any possible extension to the period and of the reasons for the extension.
14. Right to demand data correction
The personal data shown on the Suomi.fi register view is only collected from other registers to show during the session in question and the information is not stored in the Suomi.fi web service. If you observe errors in the data, please request their rectification from the controller responsible for the register in question. For example, if rectifications need to be made to data in the Population Information System contact the Digital and Population Data Services Agency, and the data subject can also correct their own data in the Personal Data Inspection service (https://verkkopalvelu.vrk.fi/omat/Etusivu.aspx). If corrections need to be made to Traficom register data contact Traficom, in the case of National Land Survey of Finland data contact the National Land Survey of Finland, and so on.
The data subject does not have the right to request rectifications to event information saved in the Suomi.fi web service.
15. Cancelling data subject’s consent
Processing of the personal data is not based on consent.
16. Other rights of the data subject related to personal data processing
The data subject does not have the right to request the deletion of their data, as the data processing is based on the law. For the same reason, the data subject does not have the right to object to the processing of their personal data or the right to have their data transferred to another system. Moreover, the data subject does not have the right to request that the processing of their personal data should be limited.
17. The data subject's right of appeal to the supervisory authority
The data subject has the right to lodge a complaint to the supervisory authority on the processing of their personal data. The complaint is submitted to the supervisory authority:
Office of the Data Protection Ombudsman, PO Box 800, 00521 Helsinki
18. Other information
The Suomi.fi web service’s privacy statement can be viewed on the service website and at the Digital and Population Data Services Agency’s registry office.
Read more on general information on data protection at the Digital and Population Data Services Agency on its website.