Privacy statement of Suomi.fi web service

Updated on 20 Augut 2022

In the Suomi.fi Web Service, you can find clearly written information about situations where you need the services provided by different authorities.

The informative content of the Web Service is grouped in two sections:

Information and services for citizens help you in different life situations.
Information and services for companies and organisations help you in the planning and set-ting up of your business and in the running of business operations.

Identified users can also

use Suomi.fi Messages and Suomi.fi e-Authorizations
view their own data kept in different registers
submit requests to change their data in accordance with the instructions provided by the register authority
use public administration e-services with a single identification.

Personal data of users that have identified themselves with Suomi.fi e-Identification and personal data connected with Suomi.fi Messages and Suomi.fi e-Authorizations are also processed through the Suomi.fi Web Service. The processing of this data is described separately in the services’ own privacy statements.

1. Controller and contact persons

Digital and Population Data Services Agency

Lintulahdenkuja 2, 00530 Helsinki, Finland

PO Box 123, 00531 Helsinki, Finland

Telephone (switchboard): +358 295 536 000

Email: kirjaamo(at)dvv.fi

Contact persons in register-related matters

Terhi Tuokkola, Chief Specialist

Lintulahdenkuja 2, 00530 Helsinki, Finland

Telephone (switchboard): +358 295 536 000

Email: kirjaamo(at)dvv.fi

Pasi Ahola, Chief Specialist

Lintulahdenkuja 2, 00530 Helsinki, Finland

Telephone (switchboard): +358 295 536 000

Email: kirjaamo(at)dvv.fi

2. Data Protection Officer

Telephone (switchboard): +358 295 536 000

Email: tietosuoja@dvv.fi

3. Purpose and legal basis for processing of personal data

The register comprises the cache memory of the Suomi.fi Web Service administered by the Digital and Population Data Services Agency, a database, the event log file of the Suomi.fi Web Service and a partial copy of the event log file. Personal data is processed on the basis of the Act on Common Administrative e-Service Support Services (571/2016) as part of the statutory duty of the Digital and Population Data Services Agency.

Information stored in the cache memory of the Suomi.fi Web Service.
The databases of the services under the Suomi.fi Web Service mean the data saved in the functionality databases of the services contained in the Web Service.
The event log file of the Suomi.fi Web Service means the register to which log data on the Web Service events is saved.
The event data of the Suomi.fi services means the register to which some of the event data of the Suomi.fi services and the event data explanations intended for their users are saved.

The purpose of processing personal data is to facilitate the production and development of the Suomi.fi services well as assuring their functionality. Personal data is processed to identify Suomi.fi Web Service users, to protect the personal data processed in the service and to guarantee information security. The personal data kept in register is also used to demonstrate that data processing in the service has been correct and to otherwise investigate errors, abuse and data breaches. Personal data needed for other services is also processed in the Suomi.fi Web Service. These other services refer to Su-omi.fi Messages and Suomi.fi e-Authorizations, for which separate privacy statements have been prepared.

With the help of the personal data processed in the Suomi.fi Web Service, information is maintained on users who have identified themselves in the Web Service using strong identification and retrieved their own data or data of the party (organisation, person) they represent from the basic registers or the Suomi.fi Messages to view the data in the Web Service (1. and 2.) or have retrieved event data from the activity history (4.). The Suomi.fi Web Service also collects event data on the use of the Web Service (3.).

Storing the identified person’s personal information in the Suomi.fi Web Service is required so that the user can be identified with strong identification and it is technically possible to provide the user with access to the user’s own personal data or the data of the party that the user represents in different basic registers or access to messages in Suomi.fi Messages or to other data.

Statistical data is also collected on all Suomi.fi Web Service users (including unidentified users). The data collected on the use of the Suomi.fi Web Service is used to determine the extent to which the Web Service is used, to track expenses and their distribution, and for statistical purposes. When the data is used for statistical purposes, the data will be published in such a way that individual persons cannot be identified. For more information about the user data and cookies collected from the Suomi.fi Web Service, go to Cookies.

Valtori, which provides the Digital and Population Data Services Agency with IT infrastructure services, and its subcontractors manage the IT infrastructure of the Suomi.fi service registers.

4. Personal data retention period

The data in the cache memory of the Suomi.fi Web Service is stored for the duration of the identification session.
The retention periods of the data stored in the databases of the services found under the Suomi.fi Web Service are described in the privacy statements of the Suomi.fi Messages and Suomi.fi e-Authorizations.
The data entered in the event log file of the Suomi.fi Web Service is retained for five (5) years.
The event data entered in the activity history of the Suomi.fi services is retained for five (5) years.

The Digital and Population Data Services Agency has estimated that with regard to event data, a five-year (5) retention period is necessary, when taking into consideration the limitation periods for the most common offences related to the processing of personal data and the limitation period for offences in office, which is five years.

5. Processed personal data

The following personal data is processed on users who have identified themselves:

1. Data saved in cache memory:

Personal identity code
Business ID
Data required for the use of the Web Service (such as information on website contents) to ensure a smooth user experience

2. Data processed in databases is described in the privacy statements of the Suomi.fi Messages and Suomi.fi e-Authorizations:

Personal identity code and business ID are used as search terms

3. Data saved in the event log file:

Personal identity code
Business ID
Information on identification using Suomi.fi e-Identification
Data searches in a register of an identified user or a person or organisation represented by the identified user connected to the Suomi.fi Web Service and the identification codes of both parties
Required event data of the use of the person’s Suomi.fi Messages and Suomi.fi e-Authorizations (including mandate applications). For more information, see the privacy statements for the above-mentioned services.
Event data time stamps

4. Data saved in event data:

Personal identity code
Business ID
The data repository from which the user has retrieved their data to view it in the Web Service
Identification in the Suomi.fi Web Service
Event data on the messages transmitted and processed through Suomi.fi Messages and on the measures targeted at them. For example ‘The user opened the message’.
Event data time stamps

A more detailed description of this personal data can be found in the privacy statements of the Suomi.fi Messages and Suomi.fi e-Authorizations. Otherwise, data collected on Suomi.fi Web Service user traffic (IP address, visited pages, etc.) is processed in statistical format, from which individual users cannot be identified. For example, IP addresses have been processed so that individual IP addresses cannot be identified.

When a person identifies themselves in the Suomi.fi Web Service, they are shown Population Information System data on themselves transmitted by the Suomi.fi e-Identification (personal identity code, name, municipality of residence, address, email) of which only the summary of the personal identity code (hash) is entered in the Suomi.fi Web Service database (2.). If data on the person who is logging in via Suomi.fi e-Identification cannot be retrieved from the Population Information System, the provider of the identification instrument transmits the user’s personal identity code and name to the Suomi.fi identification event.

If the identified person uses the service on behalf of a person or an organisation, the data on the personal or organisation ID returned by the Suomi.fi e-Authorizations is temporarily stored in the register. (1., 3. and 4.)

The information concerning the success or failure of the identification will be recorded. If the use of the services is interrupted because of an error, the cause of the error is entered.

Data on time stamps related to queries made to connected systems and registers and received replies, and data on sources and on the identifier used to make the query are recorded in the register. The identifier may be a personal identity code or an organisation code or some other unique identifier.

6. Standard sources of information

The register’s sources of information are as follows: transactions in the Web Service, data repositories and services connected to the Web Service, Suomi.fi Messages, and the data transmitted by Suomi.fi e-Identification and Suomi.fi e-Authorizations.

7. Disclosure of data

The controller may disclose event log file data saved on the use of the Web Service to customer organisations of the Digital and Population Data Services Agency that have connected their registers to the Suomi.fi Web Service. The controller may also disclose data to a customer organisation whose e-services use other Suomi.fi services and the data has been saved in connection with the use of the e-services or other services of this customer organisation if the customer organisation in question needs the data:

to ensure and improve the functioning of its e-services
to ensure the information security of its e-services or to investigate information security incidents
to prove the validity of the data processing in connection with service use or
to investigate problems concerning service use in some other way.

The controller may, unless otherwise provided in sections 11 and 12 of the Act on the Openness of Government Activities, disclose data recorded on the use of the Web Service:

to a person on whose support service use or other use of the services the information has been recorded.
for other identified purpose where the person on whose support service use or other use of the service the information has been recorded has given their express consent to this.

Data can also be disclosed as statistics and in other ways, however, in such a manner that personal data is not disclosed.

Data can also be disclosed on other legal grounds.

8. Transferring data outside the EU or the EEA

Personal data will not be transferred outside the EU or EEA countries or to internation-al organisations.

9. Automated decision-making

Personal data will not be used for automated decision-making.

10. Data subject’s rights

Right of inspection

The data subject has the right to request that the controller provides them with access to their personal data (so that the data subject can check the information that is kept on them in the personal data file). Every person also has the right to check that there is no data on them or the organisation they represent in the register. The request must be submitted in writing to the registry of the Digital and Population Data Services Agency.

The controller must respond to the request by the data subject without delay, and, as a rule, access will be given within a month of the time the request was registered. However, the aforementioned one-month timeline can be extended by two months at the most, if the correction requested by the data subject so requires. The controller will notify the data subject of any possible extension to the correction period and the reasons for the extension.

Go to Your data page of the Suomi.fi Web Service to check your information kept in the Population Information System.

Right to revision

You have the right to correct your personal data when you observe that it is inaccurate or incorrect. The request must be submitted in writing to the registry of the Digital and Population Data Services Agency. In the request for revision, state the information to be corrected and its exact change or addition. Be prepared to provide proof of identity.

If you find inaccurate or incorrect information in the Your data section of the Suomi.fi Web Service, contact the controller of the register in question. Instructions can be found in the details of each register.

Limitations to the rights of the data subject

Most of the services provided by the Digital and Population Data Services Agency are based on compliance with the controller’s statutory obligation or on the performance of a duty of public interest or the exercise of public authority. In such cases, you cannot request that your personal data be deleted or transferred to another system, and, as a rule, you cannot oppose the processing of your personal data.

Right to lodge a complaint with the supervisory authority

If you think that your personal data is being processed unlawfully, you can file a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman

Street address: Lintulahdenkuja 4, 00530 Helsinki, Finland

Postal address: PO Box 800, 00531 Helsinki, Finland

Email: tietosuoja(at)om.fi

Switchboard: +358 29 566 6700

Registry: +358 29 566 6768

For more information on filing a complaint, see the Office of the Data Protection Ombudsman website at https://tietosuoja.fi/Opens in a new window..

11. Other information

The privacy statement of the Suomi.fi Web Service can be viewed on the service web-site and at the registry of the Digital and Population Data Services Agency.

Read more on general information on data protection at the Digital and Population Data Services Agency on its website dvv.fi/en/data-protectionOpens in a new window..