Suomi.fi for Service Developers

Data protection

Privacy statement of Suomi.fi e-Authorizations register of customers, contact persons and official duties

The Digital and Population Data Services Agency maintains a register of customers, contact persons and officials for Suomi.fi e-Authorizations. The register contains the details of the organisations using Suomi.fi e-Authorizations and their representatives as well as the customer service officials (hereafter also referred to as ‘officials’) processing written mandate applications. The data kept in the register is used to identify the aforementioned persons and to manage, administer and develop access rights, customer relationships and the service.

1. Name of register

Customer and contact person register, register of official duties and the event log of the management user interface of Suomi.fi e-Authorizations

2. Controller and contact persons

Digital and Population Data Services Agency
Lintulahdenkuja 2, 00530 Helsinki, Finland
PO Box 123, 00531 Helsinki, Finland
Telephone (switchboard): +358 295 536 000
Email: kirjaamo(at)dvv.fi

Contact person in register-related matters:
Tuuli Krekelä, Chief Specialist, Business Owner (Suomi.fi e-Authorizations)
Lintulahdenkuja 2, 00530 Helsinki, Finland
Telephone (switchboard): +358 295 536 000, email: kirjaamo(a)dvv.fi

3. Data protection officer

Telephone (switchboard) +358 295 536 000, tietosuoja@dvv.fi

The register serves as the customer and contact person register, the register of official duties and the event log of the management user interface of the Suomi.fi e-Authorizations. The Digital and Population Data Services Agency provides the Suomi.fi e-Authorizations under sections 3 and 4 of the Act on joint Central Government e-Service Support Services (571/2016). The Digital and Population Data Services Agency processes data kept in the register as part of its statutory task.

The data kept in the register is used to identify persons and to manage, administer and develop access rights, customer relationships and the service. The data kept in the register is also processed to protect the personal data processed in the service, to ensure information security, to investigate errors, to report incidents and to provide other information and to examine misuse and data breaches.

The information can also be used to monitor the extent to which Suomi.fi services are used and the costs arising from the services and for statistical purposes.

Valtori, which provides the Digital and Population Data Services Agency with IT infrastructure services, and its subcontractors manage the IT infrastructure of the Suomi.fi service registers.

5. Personal data retention period

The details of the customers and contact persons are retained for the duration of the customer relationship, after which the information is deleted.

The data in the event log of the Suomi.fi e-Authorizations management user interface and the official duties user data are retained for five (5) years. The Digital and Population Data Services Agency has determined that with regard to event data, a five-year (5) retention period is necessary when taking into consideration the most common limitation periods for offences related to the processing of personal data and the limitation period for offences in office, which is five years.

6. Register data content

The register contains:

  1. the details of the organisations using Suomi.fi e-Authorizations and the services of the Suomi.fi e-Authorizations as well as their employees who have access rights to the rule engine of their service;
  2. details of the system administrators administrating the agency-specific access rights to the official duties and officials who process written mandate applications and enter mandates in the authorisation register on the basis of the applications;
  3. and event data of the Suomi.fi e-Authorizations management user interface.

1. The following details of the organisations using Suomi.fi e-Authorizations and their employees are entered in the register:

  • name, business ID and contact information of the user organisation;
  • name, unique identifiers and description of the service attached by the user organisation to Suomi.fi e-Authorizations;
  • the user organisation’s contact person(s), job title and position of the contact person(s) in the user organisation, and the contact information, telephone number and email for the contact person(s);
  • the user organisation’s user(s), job title and position of the user(s) in the organisation, and their contact information, telephone number and email;
  • and other information essential for the management and development of customer relationships.

The name and the personal identity code are the details of the Digital and Population Data Services Agency’s system administrators entered in the register.

2. The following details of the official duties are entered in the register:

  • name and personal identity code of each agency’s system administrator;
  • and name and personal identity code of the ordinary officials using the register.
  • When an official enters a mandate in the authorisation register, the official in question is always entered as the person validating the mandate. The name and the personal identity code of the official are entered in the register in connection with the mandate. The details of the official are not shown to the end user.
  • The following event data on the use of the professional users’ interface is entered in the register: login details and the following measures carried out by the officials in question: registration or deletion of a mandate, browsing of mandate details.

3. The following information is entered in the event log of the Suomi.fi e-Authorizations management user interface:

  • personal identity code of the user of the management user interface;
  • the operation carried out and the time stamp;
  1. the following measures carried out by the system administrator of the Digital and Population Data Services Agency: addition of new services, issuing of technical identifiers, specification of mandate themes, and the management of service-specific rules;
  2. the following measures carried out by the system administrators of customer organisations: adding and editing information on ordinary users;
  3. and the following measures carried out by ordinary users in customer organisations: editing of the processing rules of acting on behalf of others.

7. Standard sources of data

The information is obtained from the notifications submitted by designated contact persons and users in the user organisations. Event data on the use of the management user interface is collected for the register.

The details of the system administrators of the official duties and the officials in question are obtained from the other government agencies that have concluded an agreement with the Digital and Population Data Services Agency on the management of Suomi.fi e-Authorizations customer service tasks.

8. Standard disclosure of information

The controller may disclose the following data kept in the customer and contact person register:

  • to a user organisation, information on the user organisation in question, the service it has attached, and contact persons and users of the user organisation in question and, to meet essential needs, other information entered in the register in connection with the use of the user organisation’s service or other service use;
  • in the investigation of errors, to end users that have used Suomi.fi e-Authorizations (organisations or private persons), information on the user organisation or contact persons of the user organisation;
  • to the police, criminal investigation and prosecuting authorities as well as a court of law, information for the purposes of preventing and investigating a crime;
  • to the Data Protection Ombudsman, information for the purposes of data protection control.

The controller may, unless otherwise provided in sections 11 and 12 of the Act on the Openness of Government Activities (621/1999), disclose data on the use of the service entered in the register:

  • to a person on whose support service use or other use of the services the information has been entered in the register;
  • to a person on whose behalf someone has used the support service or otherwise used the service;
  • and for other identified purpose where the person on whose support service use or other use of the service the information has been entered in the register has given their express consent to this.

Information may also be disclosed as statistics, in other formats so that individuals cannot be identified; for other purposes laid down in the law.

9. Transferring data outside the EU or the EEA

No personal data is transferred outside the EU or the EEA.

10. Principles of register protection

The data is protected taking into account information security and the management of access rights.

The register does not contain manual material. Manual material that may be created in liquidations is protected taking into account information security in locked facilities where access is monitored.

The data in the register can only be accessed by persons whose duties include processing such data. Log data is saved on the processing of data.

11. Automated decision-making and profiling

No automated decision-making or profiling is performed on the basis of the data from the personal data file.

12. Data subject’s rights

Right of access

You have the right to request access to your personal data, which means that you can check the information that is kept on you in the personal data file. You can submit a request to access your personal data to the Digital and Population Data Services Agency. Be prepared to provide proof of identity.
You will receive the information that you have requested within a month. If, for a justified reason, the information cannot be provided to you within this time period, the Digital and Population Data Services Agency can extend the deadline by a maximum of 2 months. In this case, you will be sent a notification on the matter.

Right to demand data correction

You have the right to ask for your personal data to be corrected. Submit a written request to the register contact person (section Controller and contact persons). In the request, mention the data that should be rectified and the details of the change or the information that should be added to the register. Your identity will be verified in connection with the request.

Restrictions to the data subject’s rights in relation to personal data processing

The data subject does not have the right to request the deletion of their data, as the data processing is based on the law. For the same reason, the data subject does not have the right to object to the processing of their personal data or the right to have their data transferred to another system. Moreover, the data subject does not have the right to request that the processing of their personal data should be limited.

13. The data subject’s right of appeal to the supervisory authority

The data subject has the right to submit a complaint to the Data Protection Ombudsman regarding the processing of their personal data. Read more about the data subject’s right of appeal in the instructions issued by the Data Protection Ombudsman.

Updated: 1/11/2024