Go directly to contents.

Suomi.fi Messages privacy statement

Suomi.fi Messages is a secure messaging service developed and produced by the Digital and Population Data Services Agency (hereinafter “DVV”), which enables an organisation using Suomi.fi Messages (hereinafter “client organization”) to send electronic messages to a natural person or company using Suomi.fi Messages and to notify documents electronically. Some Suomi.fi Messages client organisations also receive messages sent by natural persons and companies via Suomi.fi Messages.

Some of the Suomi.fi Messages client organisations have also enabled the printing, enveloping and distribution (TKJ) service in Suomi.fi Messages, which allows these client organisations to send messages and notify documents by post via Suomi.fi Messages. If a client organisation sends messages to a natural person or company via the TKJ service, the sent messages are stored in Suomi.fi Messages even if the natural person or company has never activated Suomi.fi Messages or has stopped using Suomi.fi Messages. This ensures that sent messages are available to the natural person or company when they start using Suomi.fi Messages or return to the service.

Suomi.fi Messages client organisations act as controllers for the content of the messages they send. Suomi.fi Messages only serves as a messaging platform for messages sent by client organisations.

Suomi.fi Messages uses other Suomi.fi services as follows:

  • The Suomi.fi Web Service serves as the browser interface for Suomi.fi Messages
  • The Suomi.fi mobile application serves as the mobile interface for Suomi.fi Messages
  • Using Suomi.fi Messages in the Suomi.fi Web Service always requires strong identification with Suomi.fi e-Identification. The Suomi.fi mobile application requires strong identification with Suomi.fi e-Identification at regular intervals.
  • Suomi.fi e-Authorizations is used to grant the right to use the service on behalf of the authorizer.

The data processors of the Suomi.fi Messages register are the Government ICT Centre Valtori, Posti Messaging Oy and the Tax Administration. Suomi.fi Messages is used in an environment provided by Valtori, and Valtori provides user support for the environment. Posti Messaging Oy provides the TKJ service in Suomi.fi Messages. The Tax Administration enables activation of Suomi.fi Messages in the MyTax service.

For more information on Suomi.fi Messages, see the Service Management website for client organisations at https://palveluhallinta.suomi.fi/enOpens in a new window. and the Suomi.fi Web Service for natural persons and companies using the service at www.suomi.fiOpens in a new window..

1. Controller and contact persons

Digital and Population Data Services Agency 

Lintulahdenkuja 2, FI-00530 Helsinki 

PO Box 123, 00531 Helsinki, Finland

Telephone (switchboard): +358 295 536 000

Email: kirjaamo(a)dvv.fi

Contact person in register-related matters

Maria Juka-Lahdenperä, Chief Specialist

Lintulahdenkuja 2, 00530 Helsinki, Finland

Telephone (switchboard): +358 295 536 000

Email: kirjaamo(at)dvv.fi

2. Data Protection Officer

Telephone (switchboard): +358 295 536 000

Email: tietosuoja(a)dvv.fi

3. Purpose and legal basis for processing personal data

The Act on Common Administrative E-Service Support Services (Support Services Act 571/2016) contains provisions on Suomi.fi Messages and the production and development of the service. The processing of personal data in Suomi.fi Messages is based on compliance with the DVV’s statutory obligation as referred to in Article 6(1)(c) of the General Data Protection Regulation (EU) 2016/679.

DVV needs to store personal data in the Suomi.fi Messages register to comply with the task laid down for it in the Support Services Act. The following is a description of the purposes of the processing of personal data:

  • DVV addresses messages to the correct party on the basis of a personal identity code or business ID.
  • DVV sends a notification of received and unread messages to the correct party based on the supplied email address. This way, a person acting on behalf of a natural person or company whose email address is stored in the service is also notified of received and unread messages in Suomi.fi Messages.
  • DVV uses the language setting to send notifications from Suomi.fi Messages in the correct language.
  • DVV uses the registered consent for electronic notifications to determine whether a message will be relayed electronically via Suomi.fi Messages or in another way.
  • By retaining messages, DVV enables users to read messages received in Suomi.fi Messages and sent from the service within the service.
  • DVV uses the information of a person’s death to close the Suomi.fi Messages mailbox of a natural person using Suomi.fi Messages to ensure that the person’s mailbox no longer receives messages after their death.
  • DVV stores event data (i.e. log data) on events in Suomi.fi Messages. DVV needs the event data to demonstrate that data processing in the service has been correct and to otherwise investigate errors, abuse and data breaches.
  • With regard to the Suomi.fi mobile application, DVV collects information of the user’s device so that DVV can reliably deliver the correct messages to the mobile user and also so that the user can manage their devices, for example if they lose their phone or change to a new one.
  • A Suomi.fi Messages mailbox is opened to all natural persons and companies receiving official messages via the TKJ service without separate service registration so that DVV can store personal data in the Suomi.fi Messages register even when the natural person or company has not yet given consent to electronic notification. The purpose is to retain messages sent via the TKJ service so that a natural person or company can access them after giving their consent to electronic notification, i.e. after activating Suomi.fi Messages.
  • DVV can use collected data to determine the extent to which the service is used and for cost monitoring and distribution and statistical purposes. When data is used for statistical purposes, the data is collected and published in such a way that individual persons (or companies) cannot be identified.
  • DVV may also anonymise collected data and use it as test material in the service.

4. Personal data retention period

Provisions on the processing and retention of personal data processed in Suomi.fi Messages are laid down in the Support Services Act. Under section 12.2 of the Support Services Act, DVV has the right to process stored data concerning the use of Suomi.fi Messages in order to demonstrate that the data processing carried out in Suomi.fi Messages has been correct or to otherwise provide and develop Suomi.fi Messages and ensure its functionality and information security. Under section 13.3 of the Support Services Act, DVV is obliged to keep register data concerning the consent for electronic notification, the data concerning the processing of data in the Suomi.fi Messages register and the data necessary for verifying the notification. In addition, DVV must retain messages relayed via Suomi.fi Messages for two years, unless the natural person or company using the service has deleted them before that.

Under sections 12.2 and 13.4 of the Support Services Act, DVV will delete data from the Suomi.fi Messages register immediately when there is no longer a legal basis for processing. DVV assesses the grounds and need for processing at least every five years, unless otherwise provided by law.

DVV has set the retention periods of the data in the Suomi.fi Messages register on the basis of the Support Services Act, data protection legislation, the Act on Information Management in Public Administration and other legislation.

DVV currently retains the data in the Suomi.fi Messages register as follows:

  • Received and sent messages are retained for two (2) years. A natural person or company using Suomi.fi Messages can delete messages received by them, in which case they are removed from the Suomi.fi Messages register.
  • Event data (i.e. log data) is retained for five (5) years, but in certain situations the retention period may be shorter. The data will be deleted from the register and destroyed automatically after the retention period ends. DVV has estimated that, with regard to event logs, a five-year (5) retention period is mainly necessary when taking into consideration the limitation periods for the most common offences related to the processing of personal data and the limitation period for offences in office, which is five years.
  • Other data in the Suomi.fi Messages register is retained for ten (10) years after the mailbox has been closed.

5. Personal data to be processed

The following personal data of a natural person who has activated Suomi.fi Messages is stored in the register:

  • Personal identity code
  • Death data
  • Information on a person having consented to electronic notifications. Persons may also withdraw their consent to electronic notifications and thus select paper mailing.
  • The email address a person has given for sending notifications
  • The language selected by a person: Finnish/Swedish/English
  • Received messages as well as their unique identifiers and metadata
  • Sent notifications
  • The time and date a notification was sent
  • The messages that a person has sent to a client organisation as well as their unique identifiers and metadata
  • Event data
  • Event data time stamps

Event data (log data) on the use of the service is recorded. Event data includes the data recorded on the processing activities performed by DVV and the client organisations and the measures targeted at the register. In addition, event data on a person’s activities is recorded when they use Suomi.fi Messages.

When a person identifies themselves, Suomi.fi e-Identification forwards the person’s name from the Population Information System to be displayed in the browser interface (Suomi.fi Web Service). However, the person’s name is not stored in the Suomi.fi Messages register.

DVV also stores in the register the messages that are sent by a client organisation to a person by paper mail via Suomi.fi Messages’ TKJ service. Messages sent by paper mail via the TKJ service are also stored in the register after a person has discontinued the use of Suomi.fi Messages, i.e. withdrawn their consent to electronic notifications and selected paper mail as the delivery method for messages.

The following personal data on a natural person who acts on behalf of another natural person or company in Suomi.fi Messages is stored in the register:

  • Email address of the person acting on behalf of another party
  • Event data plus time stamps for the actions taken by a person acting on behalf of a party in the Suomi.fi Messages mailbox belonging to the party on whose behalf actions are being taken

Other personal data related to acting on behalf of another person is recorded in DVV’s Suomi.fi e-Authorizations service and in a centralised log file.

The following is also stored in the register for a natural person who is using the Suomi.fi mobile application:

  • Push notifications sent for incoming messages and the push notification send time
  • Device model
  • Unique login code

The person’s name, draft messages, cached attachments, PIN code and language setting are stored on the device itself.

Users can also identify themselves to the Suomi.fi mobile application with the biometric identification methods on their device, but this data is not stored in the Suomi.fi Messages register. The identification data is only retained on the user’s device.

For a natural person who has not activated Suomi.fi Messages, whose personal identity code is known to the client organisation and to whom the client organisation sends a message via the TKJ service, the following is stored in the register:

  • Personal identity code
  • Received messages as well as their unique identifiers and metadata

In this situation, the mailbox is generated automatically in Suomi.fi Messages. Messages sent by a client organisation to a natural person and stored in the Suomi.fi Messages register may contain personal data.

In exceptional cases, it is also possible for a client organisation to send messages to a natural person via the Suomi.fi Messages TKJ service in a way that no personal data is stored in the Suomi.fi Messages register.

Personal data processed for companies

As a rule, company data stored in the Suomi.fi Messages register is not personal data subject to data protection. However, messages sent by a client organisation to a company and messages sent by a company to a client organisation may contain personal data. Messages sent to a company via the TKJ service are stored in the same way as messages sent to natural persons.

Processing special categories of personal data and information on criminal convictions and offences

DVV does not collect or process information on special categories of personal data or information on criminal convictions or offences, but messages that pass through the service may contain such information. As the service provider of Suomi.fi Messages, DVV is not a party to electronic communications, and as a rule, DVV does not have the right to read the messages received or sent by natural persons or companies in the service. Suomi.fi Messages’ client organisations act as controllers for the content of the messages they send, and Suomi.fi Messages only serves as a messaging platform for messages sent by client organisations.

6. Standard sources of data

Data sources of the Suomi.fi Messages register include:

  • A natural person or company using Suomi.fi Messages and parties acting on their behalf (consent to electronic notification, language selection, email address, messages sent to client organisations, event data and information concerning mobile devices)
  • Suomi.fi e-Identification (relays the personal identity code from the Population Information System)
  • Population Information System (the death data of natural persons using Suomi.fi Messages is retrieved with a separate query)
  • Client organisations (personal identity code or business ID, messages, notifications, event data)
  • DVV (editing the settings of natural persons and companies using Suomi.fi Messages, event data)

In addition, the Tax Administration forwards to DVV information on consent to electronic notification and the email addresses and language selections of natural persons who have provided this information in the Tax Administration’s MyTax service. DVV registers the data in the Suomi.fi Messages register only after the person has identified themselves in Suomi.fi Messages and confirmed their email address. 

7. Disclosure of data

When providing the service, DVV has the right to disclose to the client organisation the information that is necessary for delivering notifications from the Suomi.fi Messages register and the information that is necessary for verifying notifications made via Suomi.fi Messages.

In connection with the use of Suomi.fi Messages, DVV discloses to the client organisation a personal identity code or business ID and message sent to the client organisation when a natural person or company responds to a received message or starts communication with a client organisation. The message may also contain personal data.

In addition, DVV may disclose data stored in the register on the use of Suomi.fi Messages to a client organisation whose data has been stored in connection with the use of an e-service or other services or which has been a party to communications relayed via Suomi.fi Messages if the client organisation needs data:

  • to ensure and improve the functioning of its e-service
  • to ensure the information security of its e-service or to investigate information security incidents
  • to prove the validity of data processing in connection with service use or
  • to investigate problems concerning service use in some other way.

DVV may, unless otherwise provided in sections 11 and 12 of the Act on the Openness of Government Activities (621/1999), disclose data recorded on the use of Suomi.fi Messages

  • to a natural person or company on whose use of the support service or other services the information has been recorded
  • to a natural person or a company on whose behalf someone has used the support service or used the service otherwise
  • for another identified purpose where the natural person or company on whose use of the support service or other services the information has been recorded has given their express consent to this.

DVV may also disclose data as statistics in a way that an individual natural person (or company) cannot be identified.

DVV may also disclose data on other legal grounds.

8. Transferring data outside the EU or the EEA

No personal data is transferred outside the EU or the EEA or to international organisations.

9. Cookies

The Suomi.fi Messages browser interface (Suomi.fi Web Service) and mobile user interface (Suomi.fi mobile application) as well as Suomi.fi e-Identification and Suomi.fi e-Authorizations used in Suomi.fi Messages only use essential cookies without which the services will not function correctly. The use of the cookies is described in more detail in the Suomi.fi Web Service.

10. Automated decision-making

No personal data is used for automated decision-making.

11. Data subject’s rights

Right of inspection

You can view the data stored in the Suomi.fi Messages register by identifying yourself in Suomi.fi Messages. In the service, you can for example check the choice of consent for electronic notification, the language choice for the service, email address, received and sent messages, and information about the Suomi.fi mobile application.

You can also view the event data of Suomi.fi Messages and the related identification by logging in to the Suomi.fi Web Service and switching to the Event data service.

If you cannot check your information via electronic services, you can send a request for an inspection to DVV’s registry at kirjaamo@dvv.fi. Be prepared to provide proof of identity.

DVV must respond to the request by the data subject without delay, and, as a rule, access will be given within a month of the time the request was registered. However, the aforementioned one-month timeline can be extended by two months at the most if the correction requested by the data subject so requires. DVV will notify the data subject of any possible extension to the correction period and the reasons for the extension.

Right to revision

By identifying yourself in Suomi.fi Messages, you can change the information stored in the Suomi.fi Messages register about you, such as the validity of your consent for electronic notification, your language selection for the service and the email address you use in the service. You can also delete a message you have received, which removes the message from the Suomi.fi Messages register. The right of a person acting on behalf of another person in Suomi.fi Messages is determined on the basis of the granted mandate.

You have the right to correct your personal data if you notice that it contains inaccurate or incorrect information. The request for corrections must be submitted in writing to the contact person of the registry. In your request, you must specify which information should be corrected and what changes or additions should be made. Be prepared to provide proof of identity.

Note, however, that event data (i.e. log data) generated in connection with the use of Suomi.fi Messages cannot be changed afterwards.

Please note that, for the data relayed from the Population Information System (personal identity code and death data), rectification of incorrect data must be requested from the controller responsible for the Population Information System (see the privacy statement of the Population Information System at https://dvv.fi/en/pis-privacy-statementOpens in a new window.). If there is an error in a message sent to Suomi.fi Messages by a client organisation, the rectification of the information must be requested from the client organisation in question. 

Limitations to the rights of the data subject

The processing of personal data in the Suomi.fi Messages service is based on compliance with DVV’s statutory obligation. For this reason, you do not as a rule have the right to have your personal data deleted or transferred to another system nor do you have the right to oppose or restrict the processing of your personal data. 

12. Right to submit a complaint to the supervisory authority

If you think that your personal data is processed unlawfully, you can submit a complaint to the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman

Street address: Lintulahdenkuja 4, 00530 Helsinki, Finland

Postal address: PO Box 800, 00531 Helsinki, Finland

Email: tietosuoja(at)om.fi

Switchboard: +358 29 566 6700

Registry: +358 29 566 6768

For more information on submitting a complaint, see the website of the Office of the Data Protection Ombudsman.Opens in a new window. 

13. Other information

The privacy statements concerning Suomi.fi Messages, Suomi.fi Web Service, Suomi.fi e-Identification and Suomi.fi e-Authorizations are available in the Suomi.fi Web Service at www.suomi.fiOpens in a new window. and in the DVV registry.

For client organisations that use Suomi.fi Messages, the processing of personal data is described in the privacy statements published by said client organisations. 

You can check the client organisations using Suomi.fi Messages in the Suomi.fi Web Service. 

Read more about DVV’s general data protection information.Opens in a new window.