Other privacy policies | About Kela | KelaSkip to content

Kela’s other privacy policy statements

If you have questions about the privacy statements, you can contact the person mentioned in the relevant statement.

Inquiries can be sent to Kela’s appointed privacy officer by e-mail at tietosuoja (a) kela.fi

The personal data stored in the register are used by Kela for internal and external recruitment.

Privacy statement for the electronic register of job applicants

1 Data controller

The Social Insurance Institution of Finland (Kela)
PL 450, 00056 HELSINKI or Nordenskiöldinkatu 12, 00250 HELSINKI
Tel. 020 634 11, http://www.kela.fi/administration

2 Contact information for register-related matters

Human Resources Services
Tel. 020 634 11 (exchange)

3 Name of register

Electronic register of job applicants

4 Purpose and basis for the handling of personal data

The personal data stored in the register are used by Kela for purposes of recruitment: specifically to receive, review and store job applications, to make selections among candidates, and to inform candidates of the outcome of recruitments.  

The handling of the personal data is based on the candidates’ consent given upon registration with the service.

5 Data content of the register

The register contains data both on the candidate and the position applied for.

The following information is stored on candidates:

  • given name and family name, preferred name, email address, street address, postal code, country and telephone number
  • education and experience
  • language proficiency
  • procedures that are part of the recruitment (including pre-selection, interviews and aptitude testing)
  • application status (under review, cancelled, not selected)
  • candidate’s application history
  • other information provided by the candidate (CV, cover letter, other documents)
  • Information recorded by the reviewers
  • Video material and still images recorded at video interviews.

6 Regular sources of data

Personal information is obtained from the candidates when they register with the service or update application documents.

7 Regular disclosure of data

None.

The personal information may be transferred to service providers conducting headhunting or aptitude testing and handling personal information for Kela. Registered candidates are informed of the processing of their personal information either in the job announcement or in a personal interview.

The service provider carrying out aptitude testing is provided with the candidate’s name, application and phone number. Headhunting agencies are provided with information about the application (application and CV).

If candidates are called in for an interview, their name and email address are transferred to the video chat application so that they can be sent an invitation to a video interview. When registering as a user of the video chat application, candidates must accept the privacy statement for that application.

Kela obtains security clearances from the Finnish Security and Intelligence Service. The selected candidate’s consent is requested for purposes of security clearance. The consent can be given on the Finnish Security and Intelligence Service’s e-portal.

8 Transfer of data outside the EU or EEA

None.

9 Retention period for personal data

Application documents are retained for two years.
Personal information is anonymised two years after the last log-in to the recruitment service, whereby identifiable data is de-identified.

After anonymisation, it is no longer possible to run a search for candidates or to identify them from records, reports or transactions. It is also not possible to identify individuals by combining data or by using inference. A completed anonymisation cannot be rolled back, which means that the information cannot be returned to a searchable or viewable form.

10 Principles of register security

At Kela, data security and protection of personal data are systematically taken into account in all use and handling of information. Kela handles all personal data with data protection in mind and in the manner determined by law.

All persons at Kela who handle personal data sign a confidentiality agreement. The register data are used only by authorised persons who need them to perform their official duties. Along with Kela staff members, such persons can include service providers with a contractual right of access to the data.

11 Right of access to data

Under Article 15 of the EU General Data Protection Regulation (EU 2016/679), data subjects have the right to access personal data concerning them. This means that persons included in the register have the right to check data concerning themselves.

Data subjects who wish to check their personal information can examine the information stored in or with their profile by logging in to the recruitment service. Alternatively, they can request the information from Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

12 Right of correction

According to Article 16 of EU Regulation 2016/679, the data subject has the right to request the correction of inaccurate personal data.

Data subjects who wish to correct incorrect personal information can self-correct the information stored in or with their profile by logging in to the recruitment service. Alternatively, they can request Kela to correct the information.

The request must specify the following:

  • the specific information which is incorrect
  • the reason why it is incorrect
  • how it should be amended.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

13 Right of erasure

Under Article 17 of the General Data Protection Regulation, data subjects have the right to request the erasure of their personal data.

This right does not extend to personal data that Kela needs to carry out its statutory duties.  

Data subjects may delete their information and application before the end of the retention periods described in section

The data can be deleted by logging into the recruitment service. After deletion, the personal data and the application data stored in the service are anonymised.

Deleting a profile before the recruitment process has been completed is equivalent to withdrawing the application.

Data subjects who wish to delete information about them in the register may request the deletion from Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

14 Right to file a complaint with a supervisory authority

According to Article 77 of EU Regulation 2016/679, the data subject has the right to lodge a complaint with the Data Protection Ombudsman, if the data subject considers that the processing of Kela personal data relating to him or her infringes this Regulation.

The register is used for the registration of administrative matters and the archival of documents.

Registration and archival system for administrative documents

1 Data controller

The Social Insurance Institution of Finland (Kela)
PL 450, 00056 Helsinki or Nordenskiöldinkatu 12, 00250 Helsinki
020 634 11, http://www.kela.fi/administration

2 Contact person for register-related matters

Jarmo Partanen

Tel. 020 634 11 (exchange)

3 Name of register

Registration and archival system for administrative documents

4 Purpose and basis for the handling of personal data

The register is used for registration of administrative matters, for archiving documents and for electronic signing of administrative documents. The handling of the data is based on the fulfilment of Kela’s statutory responsibilities.

5 Information content of the register

The register contains data on matters which are pending or concluded and the documents associated with them, and the contact information of the persons and organisations initiating or otherwise related to the matter. The following types of data are stored about the relevant persons and organisations:

  • name
  • address
  • email address
  • telephone number
  • contact person
  • organisation
  • job title.

6 Regular sources of data

The following sources of data are used: documents submitted by private individuals, organisations and government agencies, administrative documents drawn up by Kela, and data obtained from the registered persons themselves.

7 Regular disclosure of data

None.

8 Transfer of data outside the EU or EEA

None.

9 Retention period for personal data

The retention periods for personal data have been set in accordance with applicable acts and decrees and the guidelines issued by the National Archives of Finland.

10 Principles of register security

Kela exercises due care in all its operations and ensures a high level of data protection and data security.

All Kela staff members who handle personal data sign a confidentiality agreement. The register data may be used only by authorised persons who need them to perform their official duties.

11 Right of access to data

According to Article 15 of EU Regulation 2016/679, data subjects have the right to access personal data concerning them, i.e., to you can check the data concerning their person.

Those who wish to check their data must submit a request to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

12 Right of correction

According to Article 16 of EU Regulation 2016/679, the data subject has the right to request the correction of inaccurate personal data.

The request for correction must be submitted to Kela.

The request must specify the following:

  • the specific information which is incorrect
  • the reason why it is incorrect
  • how it should be amended.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

13 Right of erasure

Under Article 17 of the General Data Protection Regulation, data subjects have the right to request the erasure of their personal data.

This right does not concern personal data that Kela needs to carry out its statutory duties. 

The request to erase personal data must be made to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

14 Right to file a complaint with a supervisory authority

According to Article 77 of EU Regulation 2016/679, the data subject has the right to lodge a complaint with the Data Protection Ombudsman, if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

The data contained in the register are used for the purposes indicated in each tender process, including the verification of information presented in bids.

Privacy statement for the procurement register

1 Data controller

The Social Insurance Institution of Finland (Kela)
PL 450, 00056 KELA or Nordenskiöldinkatu 12, 00250 Helsinki
020 634 11 www.kela.fi/administration

2 Contact person for register-related matters

Hannamaija Haiminen
Tel. 020 634 11 (exchange)

3 Name of register

Procurement register

4 Purpose and basis for the handling of personal data

The register is used to manage competitive tenders in accordance with the Act on Pub-lic Procurement and Concession Contracts (1397/2016) and the Act on Public Procurement in the Fields of Defence and Security (1531/2011). The data contained in the register are used for the purposes indicated in each tender process, including the verification of information presented in bids.

Other possible situations in which the data are used include appeals lodged against procurement decisions or requests for information concerning procurement documents. The basis for the processing of the data is the mandate imposed by the law on the data controller.

Within applicable limits, Kela needs to use the data content of this register also in competitive tender processes not within the scope of application of the Act on Public Procurement and Concession Contracts (small scale procurements). In situations such as this, Kela is justified in processing personal data to carry out its statutory duties in order to perform a task which is in the public interest.

5 Data content of the register

The personal data used in Kela’s procurement processes primarily consist of the names of the bidders’ contact persons, the organisations they represent, their position within the organisation, and their phone numbers, addresses and email addresses.
For the persons in charge at the bidding corporations, the data processes may include, in addition to the data described above, dates of birth listed in the obligation compliance report or customer liability report compiled by the Finnish Tax Administration’s Grey Economy Information Unit, as well as data contained in extracts from the criminal record.

On a case-by-case basis, also data on the educational and professional backgrounds of the suppliers’ personnel may be processed (for example in competitive tenders where the supplier designates a consultant or equivalent already at the offer stage and makes reference to the consultant’s educational and professional background).

In the context of references collected on a case-by-case basis through calls for tender, the personal data that are processed may include the name, organisation, position, phone number, address, email address of the reference target’s contact person, and in-formation about the reference target.

6 Regular sources of data

Information received from offerors or candidates participating in competitive tenders arranged by Kela in accordance with the Public Procurement Act. The information is provided by the offerors or candidates themselves. Extracts from criminal records are requested directly from the bidders.

Data in obligation compliance reports are obtained from the Finnish Tax Administration’s Grey Economy Information Unit in accordance with its governing law (1207/2010).

Additionally, Kela receives information from publicly available sources, including the Trade Register maintained by the Finnish Patent and Registration Office, the Vastuu Group’s Reliable Partner  service (customer liability reports), and the business credit in-formation registers of Suomen Asiakastieto Oy and Bisnode Finland Oy.

7 Regular disclosure of data

None. However, on a case-by-case basis, data may be released on request in accordance with the  Act on the Openness of Government Activities  (621/1999). Data and documents held by a public authority are public unless expressly defined in law as confiden-tial.

8 Transfer of data outside the EU or EEA

None.

9 Retention period for personal data

Data are retained for as long as required under the law.

The retention periods are based on archival and records management laws, along with other specific laws, as well as the operational need to document and safeguard the due process rights of both government authorities and private individuals and organisations.

As a rule, procurement documents (including bids) are retained for 10 (ten) years, unless provided otherwise in legislation or official instructions.

The legislation may prescribe longer periods of retention as follows, such as:

  • Accepted bids, along with their supporting documents, are retained for at least as long as the procurement agreement and the obligations set out in the agreement remain in effect.
  • Procurement documents that are part of an appeal process (including bids) are retained at least for as long as the appeal process continues and, once the process has been concluded, for as long as any necessary remedial measures may require.

Information concerning extracts from the criminal record is not stored or retained but is returned or destroyed immediately after the extracts have been verified.

10 Principles of register security

Kela exercises due care in all its operations and ensures a high level of data protection and data security.
All Kela staff members who handle personal data sign a confidentiality agreement. The register data may be used only by authorised persons who need them to perform their official duties.

11 Right of access to data

Under Article 15 of the EU General Data Protection Regulation (EU 2016/679), data subjects have the right to access personal data concerning them. This means that persons included in the register have the right to check data concerning themselves.

Those who wish to check their data must submit a request to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

12 Right of correction

According to Article 16 of the General Data Protection Regulation, the data subject has the right to request the correction of inaccurate personal data.

The request for correction must be submitted to Kela.

The request must specify the following:
•    the specific information which is incorrect
•    the reason why it is incorrect
•    how it should be amended.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

13 Right of erasure

Under Article 17 of the General Data Protection Regulation, data subjects have the right to request the erasure of their personal data.
This right does not extend to personal data that Kela needs to carry out its statutory duties.  
The request to erase personal data must be made to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

14 Right to file a complaint with a supervisory authority

According to Article 77 of EU Regulation 2016/679, the data subject has the right to lodge a complaint with the Data Protection Ombudsman, if the data subject considers that the processing of Kela personal data relating to him or her infringes this Regulation.

The register contains supplier and customer data used in the handling and archival of sale and purchase invoices. The data are used to pay organisations, private individuals and employees and to invoice organisations and private individuals. The data are used for billing reports.

Privacy statement for the supplier and customer register

1 Data controller

The Social Insurance Institution of Finland (Kela)
PL 450, 00056 HELSINKI or Nordenskiöldinkatu 12, 00250 HELSINKI
020 634 11, www.kela.fi/administration

2 Contact person for register-related matters

Jarkko Malinen
Tel. 020 634 11 (exchange)

3 Name of register

Supplier and customer register

4 Purpose and basis for the handling of personal data

The register contains supplier and customer data used in the handling and archival of sale and purchase invoices. The data are used to pay organisations, private individuals and employees and to invoice organisations and private individuals. The data are used for billing reports.

The handling of the data is based on the discharge of Kela’s statutory responsibilities and contractual fulfilment.

5 Information content of the register

Recipient details (organisation or private individual):

  • name
  • bank account
  • electronic invoicing address
  • Business ID
  • contact information
  • country code
  • customer account category, supplier account category
  • EPR validity period
  • payment details

6 Regular sources of data

Suppliers are recorded in the register based on a combination of data supplied by the supplier (e.g. on an invoice) and data obtained or verified from governmental registries.

Staff members are recorded either as suppliers or customers based on HR data.

Invoiced customers are registered on the basis of self-provided information.

Some of the customer and supplier data are retrieved from other Kela systems.

7 Regular disclosure of data

None.

8 Transfer of data outside the EU or EEA

None.

9 Retention period for personal data

Customer data are retained in accordance with the Accounting Act.

10 Principles of register security

Kela exercises due care in all its operations and ensures a high level of data protection and data security.

All Kela staff members who handle personal data sign a confidentiality agreement. The register data may be used only by authorised persons who need them to perform their official duties.

11 Right of access to data

According to Article 15 of EU Regulation 2016/679, data subjects have the right to access personal data concerning them, i.e., to check the data concerning their person.

Data subjects who wish to check the data on their person must request the data from Kela's Registry.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

12 Right of correction

According to Article 16 of EU Regulation 2016/679, the data subject has the right to request the correction of inaccurate personal data.

The request for correction must be submitted to Kela.

The request must specify the following:

  • the specific information which is incorrect
  • the reason why it is incorrect
  • how it should be amended.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

13 Right of erasure

Under Article 17 of the General Data Protection Regulation, data subjects have the right to request the erasure of their personal data.

This right does not concern personal data that Kela needs in order to carry out its statutory duties.

Data subjects wishing to delete personal information must send a deletion request addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

14 Right to file a complaint with a supervisory authority

According to Article 77 of EU Regulation 2016/679, the data subject has the right to lodge a complaint with the Data Protection Ombudsman, if the data subject considers that the processing of Kela personal data relating to him or her infringes this Regulation.

The purpose for handling personal data is to allow Kela’s newsletters to be sent to the subscribers. Personal data are not disclosed to outside parties and are not used for commercial marketing purposes.

Privacy statement for Kela’s newsletter subscriber address register

1 Data controller

The Social Insurance Institution of Finland (Kela)

PL 450, 00056 Helsinki or Nordenskiöldinkatu 12, 00250 Helsinki

020 634 11, www.kela.fi/administration

2 Contact person for register-related matters

Heidi Blomqvist

Tel. 020 634 11 (exchange)

3 Name of register

Address register for Kela's newsletters

4 Purpose and basis for the handling of personal data

The purpose for handling personal data is to allow Kela’s newsletters to be sent to the subscribers.  The register contains such data as new orders submitted on the newsletter subscription form (see section 6). Subscribers give their consent to the processing of their data.

To allow further development of the newsletters, the newsletter tool uses pixels to track the following information based on user actions to open the newsletter and the links it contains:

  • what newsletter topics are read  
  • date and time at which the newsletter is read. 

The data can be tracked on an individual-user level. Only the authors of the newsletters are authorised to look up statistical data as required by their professional responsibilities.

Personal data are not disclosed to outside parties and are not used for commercial marketing purposes.

5 Information content of the register

The register contains data on the customers according to the following classification: e-mail address and background organisation. The users’ IP addresses are used to track the opening of links.

6 Regular sources of data

The register is compiled from address data of the partners of Kela's Communications Section, publicly available Internet sources and subscriptions filed on the subscription form.

7 Regular disclosure of data

None.

8 Transfer of data outside the EU or EEA

None.

9 Retention period for personal data

The personal data are stored as long as a particular newsletter is published. They are deleted if the subscriber cancels all of his or her newsletter subscriptions or if the email address is no longer in use.

10 Principles of register security

Kela exercises due care in all its operations and ensures a high level of data protection and data security.

All Kela staff members who handle personal data sign a confidentiality agreement. The register data may be used only by authorised persons who need them to perform their official duties.

11 Right of access to data

According to Article 15 of EU Regulation 2016/679, data subjects have the right to access personal data concerning them, i.e., to check the data concerning their person.

Those who wish to check their data must submit a request to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

12 Right of correction

According to Article 16 of EU Regulation 2016/679, the data subject has the right to request the correction of inaccurate personal data.

Subscribers can use the link at the end of the newsletter to correct inaccuracies.

13 Right of erasure

Under Article 17 of the General Data Protection Regulation, data subjects have the right to request the erasure of their personal data.

Subscribers can cancel their subscription, following which their data are deleted from the register. The data can also be deleted from the register at the subscriber’s request, which will also cancel the subscription. Erasure requests may be emailed to viestinta(at)kela.fi.

14 Right to file a complaint with a supervisory authority

According to Article 77 of EU Regulation 2016/679, the data subject has the right to lodge a complaint with the Data Protection Ombudsman, if the data subject considers that the processing of Kela personal data relating to him or her infringes this Regulation.

The data are handled for the purpose of distributing press releases through the STT service. Personal data are not disclosed to outside parties and are not used for commercial marketing purposes.

Privacy statement for Kela’s press release distribution system

1 Data controller

The Social Insurance Institution of Finland (Kela)
PL 450, 00056 Helsinki or Nordenskiöldinkatu 12, 00250 Helsinki
020 634 11, www.kela.fi/administration

2 Contact person for register-related matters

Ville Korhonen

Tel. 020 634 11 (exchange)

3 Name of register

Recipients of Kela press releases

4 Purpose and basis for the handling of personal data

The data are processed for the purpose of distributing press releases through the STT service. Personal data are not disclosed to outside parties and are not used for commercial purposes.

The basis for processing data is to perform a task in the public interest (Article 6(1), point (e) of the General Data Protection Regulation; Section 4 of the Data Protection Act). The data subject’s consent is also required.

5 Information content of the register

The register consists of e-mail addresses.

6 Regular sources of data

The register is compiled from address data of the partners of Kela's Communications Section, publicly available internet sources and subscriptions received by Kela’s Communications Unit.

7 Regular disclosure of data

None.

8 Transfer of data outside the EU or EEA

None.

9 Retention period for personal data

The personal data are retained for as long as the distribution list is used.

The personal data are deleted if the subscriber cancels a press release subscription. The personal data are also deleted if the e-mail address is no longer valid.

10 Principles of register security

Kela exercises due care in all its operations and ensures a high level of data protection and data security.

All Kela staff members who handle personal data sign a confidentiality agreement. The register data may be used only by authorised persons who need them to perform their official duties.

11 Right of access to data

According to Article 15 of EU Regulation 2016/679, data subjects have the right to access personal data concerning them, i.e., to you can check the data concerning their person.

Those who wish to check their data must submit a request to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

12 Right of correction

According to Article 16 of EU Regulation 2016/679, the data subject has the right to request the correction of inaccurate personal data.

The request for correction must be submitted to Kela.

The request must specify the following:

  • the specific information which is incorrect
  • the reason why it is incorrect
  • how it should be amended.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

13 Right of erasure

Under Article 17 of the General Data Protection Regulation, data subjects have the right to request the erasure of their personal data.

This right does not concern personal data that Kela needs to carry out its statutory duties. 

The request to erase personal data must be made to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

14 Right to file a complaint with a supervisory authority

According to Article 77 of EU Regulation 2016/679, the data subject has the right to lodge a complaint with the Data Protection Ombudsman, if the data subject considers that the processing of Kela personal data relating to him or her infringes this Regulation.

Statistical data on the use of the kela.fi website is collected by means of both first-party cookies deployed by Kela and by cookies from third-party providers. Piwik Pro is used to collect the statistical data.

Privacy statement for the Elämässä.fi website

This privacy statement only applies to the Elämässä.fi website. Elämässä.fi is a web publication for Kela’s clients. Elämässä.fi produces customer profiles for Kela’s clientele as well which complement the informational content on the kela.fi website.

1 Data controller

The Social Insurance Institution of Finland (Kela)
PL 450, 00101 HELSINKI or Nordenskiöldinkatu 12, 00250 HELSINKI
020 634 11, www.kela.fi/administration

2 Contact person for register-related matters

tel. +358 20 634 11 (exchange)

3 Name of register

Privacy statement for the Elämässä.fi website

4 What kind of data are collected and how?

Statistical data on the use of the kela.fi website is collected by means of both first-party cookies deployed by Kela and by cookies from third-party providers. Piwik Pro is used to collect the statistical data.

Such data can include

  • the number of visitors to the website
  • devices used to access the kela.fi website
  • the online address from which users access the website
  • specific pages visited

Learn more about the cookie policy of the Elämässä.fi website.

The data collected with the web analytics tool never includes the name, personal identity code or other identifying details about a particular individual. For example, the visitor’s IP address is pseudonymised when web analytics tools are used. Kela will never try to identify individual visitors to the website based on this data.

5 For what purposes are data collected?

Kela uses the data collected to ensure that the Elämässä.fi website functions properly and to guarantee data security. In addition, the data are used for site analytics and to produce information about the number of visitors, the usefulness of the content and the way the service is used as well as to further develop the content of the site.

6 Transfer of data outside the EU or EEA

As a rule, Kela will not transfer data about visitors to the Elämässä.fi site to other data controllers. However, certain service providers contracted by Kela (such as producers of online publications) may have access to data created in connection with visits to the Elämässä.fi website. These service providers may use the data only as appropriate to Kela’s requirements. In that context, Kela may transfer processed personal data outside the EU or EEA in compliance with prevailing legislation.

7 How are data protected?

At Kela, data security and protection of personal data are systematically taken into account in all use and handling of information. The privacy and usability of personal data are ensured by employing the appropriate technical and administrative measures. Kela handles all personal data with data protection in mind and in the manner determined by law.

All persons at Kela who handle personal data sign a confidentiality agreement. The register data are used only by authorised persons who need them to perform their official duties.

Data are processed also by outside partners of Kela in accordance with specific agreements, in which case the partners act in the role of data processors.

8 How long are data stored?

As soon as Kela no longer needs certain personal data it has collected, the data are destroyed in a secure fashion.

9 What rights do the users of the service have?

Users have the right to check the information collected about them and to ask that incorrect information is corrected. Users can check and correct their personal information by sending Kela a request to that effect.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

10 Amendments to this privacy statement

Kela may amend this privacy statement without separate notice.

This cookie policy concerns the sosiaalivakuutus.fi website. Sosiaalivakuutus is an online publication for Kela’s stakeholders.

Cookie policy for www.sosiaalivakuutus.fi

This cookie policy concerns the sosiaalivakuutus.fi website. Sosiaalivakuutus is an online publication for Kela’s stakeholders. It focuses on issues of public policy with a special emphasis on social security. The articles published in Sosiaalivakuutus do not represent Kela’s official policy.

This cookie policy statement outlines how Kela and its partners use cookies and other similar tracking and personalisation technologies (hereinafter referred to collectively as “cookies”) on the sosiaalivakuutus.fi website. Cookies are used to collect information on how and when the website is used. This information helps to improve usability and to offer visitors to the www.sosiaalivakuutus.fi website targeted information.

Kela cannot identify individual users based on the data collected, because it does not capture the users’ name, contact details or personal data code. Behavioural data collected on the sosiaalivakuutus.fi website is not matched to other personally identifying data that Kela may handle in some other context.

Users can allow cookies by adjusting their preferences in the cookie banner. Users can decide not to allow cookies or access to location, or withdraw their consent at any time.

This cookie policy statement provides answers to the following questions:

1. Contact information

The Social Insurance Institution of Finland (Kela)
PL 450, 00101 Helsinki or Nordenskiöldinkatu 12, 00250 Helsinki
Telephone: 020 634 11
Contact person:
Henrik Jussila, >Editor in chief
Telephone: 020 634 1921
firstname.lastname(at)kela.fi

2. What are cookies and what kind of information is collected with them?

Like many other websites, the sosiaalivakuutus.fi website uses cookies and other similar tracking and personalisation technologies. Cookies are small text files containing information which are stored by the user’s browser and which collect information about visits to the sosiaalivakuutus.fi website.

Both first-party and third-party cookies are used on the sosiaalivakuutus.fi website. First-party cookies are created by the website whose address is shown in the address bar. The sosiaalivakuutus.fi website also uses third-party cookies from marketing technology providers and social media. Only the server that created the cookie can read the cookie and for example recognise a returning user.

On the sosiaalivakuutus.fi website, cookies are used among other things to collect information about

  • the number of visitors to the website
  • what types of devices are used to access the sosiaalivakuutus.fi website
  • the online address from which users access the website
  • individual pages visited.

The page requests made by visitors to the site are stored automatically in cookies and on the servers for the sosiaalivakuutus.fi website. Such information typically includes the user’s page request and its date and time, the IP address of the user’s device, and the type and language of the browser.

The information is in a format that prevents it from being matched to individual users without access to additional information. Cookies are not used to store information for example about the user’s name, email address, telephone number or home address. Kela is unable to match cookie data to specific individuals, and is taking steps to further minimise the potential to identify specific users. For example, when using web analytics tools, Kela deletes digits in the user’s IP address in order to prevent anyone from identifying specific users.

3. How are cookies and the information associated with them used?

The following types of cookies are used on the sosiaalivakuutus.fi website:

  • Functional cookies These cookies are used to ensure the proper functioning of the sosiaalivakuutus.fi website. For examples, Polyfill is used to remedy performance and functionality problems when using various browsers and older versions of such browsers. Polyfill receives network requests from the browser and activate the functionalities available on the website that are supported by the browser.
  • Cookies related to user metrics and analytics: Web analytics tools (Google Analytics and Piwik Pro) use cookies to collect statistical data. We collect data to analyse the number of visitors, to gauge users’ interest in various types of content and to identify different ways in which the service used, as well as to develop the site further.
  • Targeting cookies used for marketing communications Cookies allow Kela to target marketing communications to users who have visited the sosiaalivakuutus.fi website. Kela’s works together with the following partners: Adform, X (Twitter), MediaMath and Facebook. By deploying cookies from these service providers on its website, Kela makes it possible to collect information and to transmit it to the service providers. Further, Google Tag Manager (GTM) is used to manage these tracking tags.

The use of third-party cookie data is governed by the terms and conditions of the third parties, which can be examined below:

Google Analytics

  • Purpose of use: To collect statistical data on the website and to analyse it in order to improve the website content.
  • Click here for more information on how Google uses cookies.

Piwik Pro

  • Purpose of use: To collect statistical data on the website and to analyse it in order to improve the website content.
  • Click here for more information on how Piwik Pro uses cookies.

Hotjar

  • Purpose of use: To collect statistical data on the website and to analyse it in order to improve the website content.
  • Click here for more information on how Hotjar uses cookies.

Google Tag Manager (GTM)

  • Purpose of use: To manage tracking tags such as Facebook and Adform pixels.
  • Click here for more information on how Google uses cookies.

Google Double Click

  • Purpose of use: To personalise, implement and analyse marketing messages in order to display the kind of messages that users are most likely to find interesting.
  • More information: If the user has a Google account, Google may match the cookie to the user’s account. Click here for more information on how Google uses cookies for personalisation.

Facebook

  • Purpose of use: To personalise, implement and analyse marketing messages in order to display the kind of messages that users are most likely to find interesting.
  • More information: Click here for more information on how Facebook uses cookies. Facebook may match a cookie related to a visit to the sosiaalivakuutus.fi website to a specific Facebook user who has a Facebook account.

Adform

  • Purpose of use: To personalise, implement and analyse marketing messages in order to display the kind of messages that users are most likely to find interesting.
  • Click here for more information on how Adform uses cookies.

MediaMath

  • Purpose of use: To personalise, implement and analyse marketing messages in order to display the kind of messages that users are most likely to find interesting.
  • Click here for more information on how MediaMath uses cookies.

X (Twitter)

  • Purpose of use: To personalise, implement and analyse marketing messages in order to display the kind of messages that users are most likely to find interesting.
  • Click here for more information on how X (formerly Twitter) uses cookies.

Polyfill

  • The purpose of the cookies is to ensure a consistent user experience on different browsers. The Polyfill service identifies the browser and the features it supports. It offers the browser a collection of codes designed to ensure that the various features on the site are displayed as consistently as possible to users of different browsers.
  • Click here for more information on how Polyfill uses cookies.

4. How long are data stored?

The cookies either expire after the session ends (i.e., until the user closes the browser) or they are persistent cookies with a lifetime of a few months or a few years. Users can affect the length of time for which the data collected with cookies is stored by clearing the cookies in their browser settings, which will reset their cookie profile.

Typical storage periods for data collected with cookies are as follows:

  • Functional cookies The data collected with functional cookies are usually deleted at the end of the sessions, or are stored for a maximum of one month.
  • Cookies related to user metrics and analytics: Cookies collected for this purpose are deleted from Hotjar or equivalent within 365 days. Data collected by Google Analytics is typically stored for 26 months and data collected by Piwik Pro for 36 months.
  • Targeting communications. The data collected for the purpose of targeted advertising is typically stored for a few months. For example Adform and Mediamath, both Kela partners, delete the data within 13 months.

5. What options do users have regarding cookies?

Users give their consent to the use of cookies and to the processing of the data collected with them when visiting the sosiaalivakuutus.fi website for the first time and by clicking the Allow button in the cookie banner. Users may decline or withdraw their consent by clicking on the Cookies Preferences button in the banner.

Users wishing to make choices that are specific to a particular partner we work with may visit the partners’ website to block cookies or change their preferences:

  • Google Analytics: Users can block the use of site data in Google Analytics by installing a browser add-on available here. The add-on prevents the Google Analytics JavaScript code running on the website (ga.js, analytics.js and dc.js) from sharing site usage data with Google Analytics.
  • Google DoubleClick: Users can manage Google’s advertising settings here.
  • X (Twitter): Users can manage X’s (formerly Twitter) advertising settings here.
  • Facebook: Users can manage Facebook’s advertising settings here.
  • Adform: Users can withdraw their consent to targeted advertising here.
  • MediaMath: Users can withdraw their consent to targeted advertising here.
  • Hotjar: Users can go here to prevent the collection of data.
  • Piwik Pro: Users can stop the collection of data by enabling Do not track in the browser settings. Browser-specific instructions: Internet Explorer, Firefox and Google Chrome.

Users can also use the browser settings to block or delete cookies. Blocking or deleting cookies may affect choices you have made previously on the website, for example deleting a cookie set previously on the website which forbids targeted advertising. Any selections made are browser-specific, which means that users must manage their preferences separately in each browser.

In Google Chrome, Internet Explorer and Mozilla Firefox, for example, cookies are deleted as follows:

Google Chrome 66

  1. Launch Google Chrome.
  2. Click the menu in the upper right-hand corner and select Options.
  3. Click Show advanced settings.
  4. Yes. Fill in the following data:.
  5. Turn off “Allow sites to save and read cookie data (recommended)”.

Internet Explorer 11

  1. Launch Internet Explorer.
  2. Click the Tools icon (which looks like a gear) and select Internet Options.
  3. Select the Privacy tab and click on Advanced.
  4. Under First-party Cookies and Third-party Cookies, select Block. Also uncheck “Always allow session cookies”.
  5. Then click OK.

Mozilla Firefox 52

  1. Launch Firefox.
  2. Click the menu in the upper right-hand corner and select Options.
  3. Select Privacy & Security.
  4. Choose “Firefox will” in the drop-down menu under History.
  5. Select “Never remember history”.
  6. Close the Options page.

If you block cookies, you can allow them again at any time. Deleting cookies will not make it more difficult to use the sosiaalivakuutus.fi website

6. What other options do users have?

Besides having the right to information about the handling of personal information, users have the right under the privacy law:

  • to check what personal information has been stored about them
  • to correct the information
  • to delete the information and to exercise their right to be forgotten
  • to withdraw a consent they have given earlier
  • to restrict the handling of the information
  • to ask that the information they have supplied, which is handled automatically based on their consent or an agreement, not be transferred from one system to another

By default, exercising the above rights requires Kela to identify each user. This means that users must supply additional information to allow them to be identified.

Changing the cookie preferences as described above is the primary way in which users can affect the processing of their data. Users can contact Kela by phone or use the Message function on Kela’s e-service, submit a written request to Kela’s Registry, or visit a Kela office personally. The contact information can be found in section 1. Users can also file a complaint with the supervisory authority at www.tietosuoja.fi.

7. To whom are data released or transferred?

Kela works with a number of reliable partners to target marketing and enables these partners to collect information on the sosiaalivakuutus.fi website by means of cookies and similar technologies. Please refer to section 3 for information on how the partners handle the data.

Certain service providers contracted by Kela (such as communications agencies) may have access to data created in connection with visits to the sosiaalivakuutus.fi website. These service providers may use the data only as appropriate to Kela’s requirements. In that context, Kela may transfer processed personal data outside the EU or ETA in compliance with prevailing legislation.

Kela seeks to ensure by contractual means that the partners and service providers handle the information in accordance with the prevailing legislation.

8. How are data protected ?

At Kela, data security and protection of personal data are systematically taken into account in all use and handling of information. The privacy and usability of personal data are ensured by employing the appropriate technical and administrative measures. Kela handles all personal data with data protection in mind and in the manner determined by law.

All persons at Kela who handle personal data sign a confidentiality agreement. The personal data are used only by authorised persons who need them to perform their official duties.

Data collected by means of cookies are also handled by certain external partners of Kela in accordance with separate agreements. Kela seeks to ensure by contractual means that the partners take the necessary steps to guarantee data security as required by legislation.

9. How is this cookie policy revised or updated?

Kela may update this cookie policy when appropriate, for example if the purposes for which the data are handled change or if the relevant legislation or government recommendations are revised. Information about the updates will be posted on the sosiaalivakuutus.fi website.

This cookie policy was published in connection with the implementation of a cookie banner on the sosiaalivakuutus.fi website, which allows users to manage their cookie preferences. It replaces the earlier privacy policy statement, which is available here.

The register is used to record and review requests for statement sent to Kela’s Research Ethics Committee for the purpose of carrying out an ethical review.

Privacy statement for Kela’s Research Ethics Committee

1 Data controller

The Social Insurance Institution of Finland (Kela)
PL 450, 00056 Helsinki or Nordenskiöldinkatu 12, 00250 Helsinki
020 634 11 http://www.kela.fi/administration

2 Contact person for register-related matters

Seita Laaksoviita
kela.tutkimuseettinen.tmk@kela.fi
Tel. 020 634 11 (exchange)

3 Name of register

Register of statement requests submitted to Kela’s Research Ethics Committee

4 Purpose and basis for the handling of personal data

The register is used to record and review requests for statement sent to Kela’s Research Ethics Committee for the purpose of carrying out an ethical review. The register is also used to store documents. The handling of personal data is based on the fulfilment of Kela’s statutory responsibilities(section 2 of the Act on the Social Insurance Institution.

5 Data content of the register

The register contains the following types of personal data:

  • For the principal investigator: name, professional title, education, key professional responsibilities, organisation, address, email address and telephone number
  • For other participating researchers: name, education, professional title, organisation and key professional responsibilities.

6 Regular sources of data

Personal data are obtained from the registered persons themselves.

7 Regular disclosure of data

No data are disclosed except to the members of Kela's Research Ethics Committee.

8 Transfer of data outside the EU or EEA

None.

9 Retention period for personal data

The statement requests are stored permanently.

10 Principles of register security

Kela exercises due care in all its operations and ensures a high level of data protection and data security.

All Kela staff members who handle personal data sign a confidentiality agreement. The register data may be used only by authorised persons who need them to perform their official duties.

11 Right of access to data

According to Article 15 of EU Regulation 2016/679, data subjects have the right to access personal data concerning them, i.e., to you can check the data concerning their person.

Those who wish to check their data must submit a request to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

12 Right of correction

According to Article 16 of EU Regulation 2016/679, the data subject has the right to request the correction of inaccurate personal data.

The request for correction must be submitted to Kela.

The request must specify the following:

  • the specific information which is incorrect
  • the reason why it is incorrect
  • how it should be amended.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

13 Right of erasure

Under Article 17 of the General Data Protection Regulation, data subjects have the right to request the erasure of their personal data.

This right does not concern personal data that Kela needs to carry out its statutory du-ties.  

The request to erase personal data must be made to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

14 Right to file a complaint with a supervisory authority

According to Article 77 of EU Regulation 2016/679, the data subject has the right to lodge a complaint with the Data Protection Ombudsman, if the data subject considers that the processing of Kela personal data relating to him or her infringes this Regulation.

Kela uses video surveillance to protect the life, health, property and information of its customers and staff members.

Privacy statement: Video surveillance recordings

1 Data controller

The Social Insurance Institution of Finland (Kela)

PL 450, 00056 KELA or Nordenskiöldinkatu 12, 00250 Helsinki

020 634 11 http://www.kela.fi/administration

2 Contact person for register-related matters

Juha Takala

juha.takala@kela.fi

Tel. 020 634 11 (exchange)

3 Name of register

Video surveillance recordings

4 Purpose and basis for the handling of personal data

Kela uses video surveillance to protect the life, health, property and information of its customers and staff members.

Personal data obtained through video surveillance is processed to protect the essential interests of Kela’s customers and staff and for the purpose of exercising official authority and performing tasks in the public interest. The use of video surveillance is based on chapter 5, section 16 of the Act on the Protection of Privacy in Working Life (13.8.2004/759).

5 Data content of the register

Video surveillance systems are used to collect and store video material about all individuals entering Kela premises that use video surveillance. The individuals are identifiable either directly or indirectly based on their appearance. The video surveillance also involves processing information on the individuals’ presence and conduct on the premises.

6 Regular sources of data

Information is collected automatically by means of cameras connected to the surveillance system. The storage of data is based on motion detection.

7 Regular disclosure of data

In situations where the commission of a crime is suspected, data can be disclosed to government authorities in accordance with Finnish laws. Data can be disclosed within the Kela organisation for the purpose of investigating crimes and safety discrepancies.

Data are not released outside the EU or for direct marketing purposes.

8 Transfer of data outside the EU or EEA

None.

9 Retention period for personal data

Video surveillance footage is stored for 30 days. The duration of storage is such that there is sufficient time to detect and investigate any safety discrepancies recorded. The video surveillance system destroys recordings automatically after the retention period is over

Recordings used in the investigation of safety discrepancies or in criminal investigations as defined in the Criminal Investigation Act are retained for the duration of the investigation and any subsequent legal proceedings. The duration of legal proceedings includes the applicable appeal periods.

10 Principles of register security

Kela exercises due care in all its operations and ensures a high level of data protection and data security.

All Kela staff members who handle personal data sign a confidentiality agreement. The register data may be used only by authorised persons who need them to perform their official duties.

11 Right of access to data

Under Article 15 of the EU General Data Protection Regulation (EU 2016/679), data subjects have the right to access personal data concerning them. This means that persons included in the register have the right to check data concerning themselves.

Those who wish to check their data must submit a request to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

12 Right of correction

According to Article 16 of the General Data Protection Regulation, the data subject has the right to request the correction of inaccurate personal data.

The request for correction must be submitted to Kela.

The request must specify the following:

  • the specific information which is incorrect
  • the reason why it is incorrect
  • how it should be amended.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

13 Right of erasure

Under Article 17 of the General Data Protection Regulation, data subjects have the right to request the erasure of their personal data.

This right does not extend to personal data that Kela needs to carry out its statutory duties or to pursue other legitimate interests. 

The request to erase personal data must be made to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

14 Right to file a complaint with a supervisory authority

According to Article 77 of EU Regulation 2016/679, the data subject has the right to lodge a complaint with the Data Protection Ombudsman, if the data subject considers that the processing of Kela personal data relating to him or her infringes this Regulation.

Processing of applications for research funding.

Privacy statement for the register of applications for research funding

1 Data controller
The Social Insurance Institution of Finland (Kela)
PL 450, 00056 Helsinki or Nordenskiöldinkatu 12, 00250 Helsinki
020 634 11,  http://www.kela.fi/administration

2 Contact person for register-related matters

Sari Miettinen
Tel. 020 634 11 (exchange)

3 Name of register

Register of applications for research funding under section 12 of the KKRL (Kela Rehabilitation) Act.

4 Purpose and basis for the handling of personal data

Processing of applications for research funding. The processing of the data is part of Kela’s statutory responsibilities.

5 Data content of the register

The register of research funding contains the following information:

  • name of the person signing the research contract;
  • name, professional title, educational background, organisation, address, email address and phone number of the principal investigator;
  • names, professional titles and organisations of other researchers listed in the application
  • CV and publication list for the principal investigator and any other members of the research team.   

6 Regular sources of data

The personal data are obtained from the applicants themselves.

7 Regular disclosure of data

No personal data are disclosed.

8 Transfer of data outside the EU or EEA

None.

9 Retention period for personal data

Documents are retained either permanently or for a specific period of time according to the filing plan. The retention periods for personal data are also defined in the filing plan.

10 Principles of register security

Kela exercises due care in all its operations and ensures a high level of data protection and data security.

All Kela staff members who handle personal data sign a confidentiality agreement. The register data may be used only by authorised persons who need them to perform their official duties.

11 Right of access to data

According to Article 15 of EU Regulation 2016/679, data subjects have the right to access personal data concerning them, i.e., to check the data concerning their person.

Those who wish to check their data must submit a request to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

12 Right of correction

According to Article 16 of EU Regulation 2016/679, the data subject has the right to request the correction of inaccurate personal data.

The request for correction must be submitted to Kela.

The request must specify the following:

  • the specific information which is incorrect
  • the reason why it is incorrect
  • how it should be amended.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

13 Right of erasure

Under Article 17 of the General Data Protection Regulation, data subjects have the right to request the erasure of their personal data.

This right does not extend to personal data that Kela needs to carry out its statutory duties.  

The request to erase personal data must be made to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

14 Right to file a complaint with a supervisory authority

According to Article 77 of EU Regulation 2016/679, the data subject has the right to lodge a complaint with the Data Protection Ombudsman, if the data subject considers that the processing of Kela personal data relating to him or her infringes this Regulation.

The register is used when sending Kela’s printed research publications to organisations or persons that have subscribed to a printed publication and reported their address for this purpose to the contact person who maintains a list of the distribution addresses for Kela’s research publications.

Privacy statement for distribution addresses for Kela's research publications

1 Data controller

The Social Insurance Institution of Finland (Kela)
PL 450, 00056 KELA or Nordenskiöldinkatu 12, 00250 Helsinki
020 634 11, http://www.kela.fi/administration

2 Contact person for register-related matters

Tarja Hyvärinen
Tel. 020 634 11 (exchange)

3 Name of register

Distribution addresses for research publications

4 Purpose and basis for the handling of personal data

The register is used when sending Kela’s printed research publications to organisations or persons that have subscribed to a printed publication and reported their address for this purpose to the contact person who maintains a list of the distribution addresses for Kela’s research publications.

The publications are sent by the printing house Punamusta. Kela has an agreement with the printing house Punamusta on appropriate processing of the distribution addresses for research publications. Neither Punamusta nor Kela releases addresses for marketing purposes. The processing of the data is based on the consent of the registered persons.

5 Data content of the register

Name and postal address of the customer

6 Regular sources of data

The addresses in the register are obtained from the customers themselves.

7 Regular disclosure of data

None.

8 Transfer of data outside the EU or EEA

None.

9 Retention period for personal data

The personal data are stored as long as the publication subscription is valid. The data are erased when the customer cancels the subscription.

10 Principles of register security

Kela exercises due care in all its operations and ensures a high level of data protection and data security.

All Kela staff members who handle personal data sign a confidentiality agreement. The register data may be used only by authorised persons who need them to perform their official duties.

11 Right of access to data

Under Article 15 of the EU General Data Protection Regulation (EU 2016/679), data subjects have the right to access personal data concerning them. This means that persons included in the register have the right to check data concerning themselves.

Those who wish to check their data must submit a request to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

12 Right of correction

Under Article 16 of the General Data Protection Regulation, the data subject has the right to request the correction of inaccurate personal data.

The request for correction must be submitted to Kela.

The request must specify the following:

  • the specific information which is incorrect
  • the reason why it is incorrect
  • how it should be amended.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

13 Right of erasure

Under Article 17 of the General Data Protection Regulation, data subjects have the right to request the erasure of their personal data.

This right does not extend to personal data that Kela needs to carry out its statutory duties.  

The request to erase personal data must be made to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

14 Right to file a complaint with a supervisory authority

Under Article 77 of the General Data Protection Regulation, the data subject has the right to lodge a complaint with the Data Protection Ombudsman, if the data subject considers that the processing of Kela personal data relating to him or her infringes this Regulation.

The register is used to send print research and statistical publications to individuals and entities who have either an email subscription or are subscribed through the University of Helsinki Helda digital archive.

Privacy statement for the system used to process orders for Kela’s research and statistical publications

1 Data controller

The Social Insurance Institution of Finland (Kela)
PO Box 450, 00056 Kela
020 634 11 http://www.kela.fi/administration

2 Contact person for register-related matters

Research and Statistical Publications, julkaisut@kela.fi
Tel. 020 634 11 (exchange)

3 Name of register

Subscriber register for Kela’s research and statistical publications

4 Purpose and basis for the handling of personal data

The register is used to send print research and statistical publications to individuals and entities who have either an email subscription or are subscribed through the University of Helsinki Helda digital archive. The address data are also used for invoicing. No address data are released to outside parties or used for marketing purposes.

5 Data content of the register

Customer's name, postal address and email address

6 Regular sources of data

The addresses in the register are obtained from the customers themselves.

7 Regular disclosure of data

None.

8 Transfer of data outside the EU or EEA

None.

9 Retention period for personal data

The data are deleted once the subscription has been delivered or has ended.

10 Principles of register security

Kela exercises due care in all its operations and ensures a high level of data protection and data security.

All Kela staff members who handle personal data sign a confidentiality agreement. The register data may be used only by authorised persons who need them to perform their official duties.

11 Right of access to data

Under Article 15 of the EU General Data Protection Regulation (EU 2016/679), data subjects have the right to access personal data concerning them. This means that persons included in the register have the right to check data concerning themselves.

Those who wish to check their data must submit a request to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

12 Right of correction

According to Article 16 of EU Regulation 2016679, the data subject has the right to request the correction of inaccurate personal data.

The request for correction must be submitted to Kela.

The request must specify the following:

  • the specific information which is incorrect
  • the reason why it is incorrect
  • how it should be amended.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

13 Right of erasure

Under Article 17 of the General Data Protection Regulation, data subjects have the right to request the erasure of their personal data.

This right does not extend to personal data that Kela needs to carry out its statutory duties.  

The request to erase personal data must be made to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

14 Right to file a complaint with a supervisory authority

According to Article 77 of EU Regulation 2016/679, the data subject has the right to lodge a complaint with the Data Protection Ombudsman, if the data subject considers that the processing of Kela personal data relating to him or her infringes this Regulation.

The personal data are used for the purpose of monitoring compliance with the statutory obligations applicable to the prescribing of the least expensive biological medicine or biosimilar.

Privacy statement for the register used in the context of monitoring the prescribing of biological medicines and biosimilars

1 Data controller

The Social Insurance Institution of Finland (Kela)
PL 450, 00056 KELA or Nordenskiöldinkatu 12, 00250 Helsinki
020 634 11 www.kela.fi/administration

2 Contact person for register-related matters

Monika Fuss
laakevalvonta@kela.fi

3 Name of register

Register used in the context of monitoring the prescribing of biological medicines and biosimilars.

4 Purpose and basis for the handling of personal data

The personal data are used for the purpose of monitoring compliance with the statutory obligations applicable to the prescribing of the least expensive biological medicine or biosimilar. To achieve this purpose, Kela monitors the prescriptions issued via the Prescription Centre for biological medicines and biosimilars. Kela is authorised to obtain and process any data stored in the Prescription Centre that are necessary to carry out the monitoring. Kela is authorised to record data in a separate register whose data controller it is.

Compliance with the data controller’s legal obligations is the basis for the processing of the personal data. The obligations are based on the following legal provisions:

Act on Electronic Prescriptions 61/2007:

  • Section 5 a Prescribing of biological medicines
  • Section 24 b Prescribing of biological medicines: Guidance and monitoring
  • Section 26 a Consequences of non-compliance with section 5 a
  • Section 15 Release of data to government authorities and for scientific research

5 Data content of the register

Data used to carry out the monitoring mandate:

  • data on electronic prescriptions obtained from the Prescription Centre
  • data obtained from the prescriber, such as statements, messages and contact information, and including health and diagnostic data contained in the patient records of persons using biological medicines or biosimilars
  • name, identifier and residential address of the prescriber, obtained from Valvira, the National Supervisory Authority for Welfare and Health
  • data related to monitoring as specified in section 26 a of the Act on Electronic Prescriptions, such as requests for further information, notifications, orders and court documents
  • documents related to the conditional imposition of a fine
  • data on self-employed prescribers using an information system that does not meet the requirements set out in section 5 b of the Act on Electronic Prescriptions.

6 Regular sources of data

Data stored in the register are obtained from the Prescription Centre, from prescribers, from Valvira and from the Legal Register Centre.

7 Regular disclosure of data

Kela can disclose data stored in the register to a prescriber who is party to a matter that involves monitoring and to the Legal Register Centre for the purpose of the conditional imposition of a fine.

If Kela finds, in its role as monitor, that a self-employed prescriber is using an information system that does not meet the requirements set out in section 5 b of the Act on Electronic Prescriptions, Kela can report the matter to the competent Regional State Administrative Agency (section 24 b of the Act on Electronic Prescriptions).

8 Transfer of data outside the EU or EEA

None.

9 Retention period for personal data

Documents sent to or received from prescribers, appeal documents, and documents relating to the conditional imposition of a fine are retained for 70 years starting from when the document was created or arrived at Kela.

Data on self-employed prescribers using an information system that does not meet the requirements set out in section 5 b of the Act on Electronic Prescriptions are retained for a period of one year starting from when they were reported to the Regional State Administrative Agency.

10 Principles of register security

Kela exercises due care in all its operations and ensures a high level of data protection and data security.
All Kela staff members who handle personal data sign a confidentiality agreement. The register data may be used only by authorised persons who need them to perform their official duties.

11 Right of access to data

Under Article 15 of the EU General Data Protection Regulation (EU 2016/679), data subjects have the right to access personal data concerning them. This means that persons included in the register have the right to are authorised under the law to inspect data concerning themselves.

Those who wish to check their data must submit a request to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

12 Right of correction

According to Article 16 of EU Regulation 2016/679, the data subject has the right to request the correction of inaccurate personal data.
The request for correction must be submitted to Kela.

The request must specify the following:

  • the specific information which is incorrect
  • the reason why it is incorrect
  • how it should be amended.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

13 Right of erasure

Under Article 17 of the General Data Protection Regulation, data subjects have the right to request the erasure of their personal data.
This right does not extend to personal data that Kela needs to carry out its statutory duties.  
The request to erase personal data must be made to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

14 Right to file a complaint with a supervisory authority

According to Article 77 of EU Regulation 2016/679, the data subject has the right to lodge a complaint with the Data Protection Ombudsman, if the data subject considers that the processing of Kela personal data relating to him or her infringes this Regulation.

The use of Teams with partners

Microsoft Teams is a communication app for teamwork: meetings, instant messaging and file sharing. Teams is part of Microsoft’s range of cloud services. Kela uses Teams for video meetings and for cooperation with persons outside Kela.

The data controllers are Kela and Microsoft. We process personal data to enable the use of our services and to investigate possible malfunctions and errors. Additionally, we use anonymized data on Teams use to analyse and develop the services. By using Teams for cooperation and communication with Kela, you consent to the processing of your personal data in the service.

More information on the processing of personal data by Microsoft is available here: Microsoft Privacy Statement – Privacy at Microsoft

Personal data

The following user data are stored in the service: names, email addresses, profile pictures and IP addresses. Additionally, files stored in Teams or written information in Teams chats may contain personal data.

Personal data recorded during a meeting are video, if your camera is switched on, and audio, if your microphone is switched on. Additionally, conversations during meetings may contain personal data. The person organising a meeting can record the meeting if there is a specific reason for doing so, for example a need to watch the meeting afterwards. At the start of the meeting, the organiser will say if the meeting is being recorded and give the reason for and purpose of the recording. Not all meetings are recorded.

We store documents that may contain personal data for a maximum of six years in Teams.  Recordings of meetings are stored for three years by default.

Persons outside Kela who use Teams for their teamwork with Kela must renew their user rights every 120 days.

Disclosure of data

Under normal circumstances, data will not be disclosed outside the EU or EEA. In some cases personal data concerning the use of Teams may be transferred outside the EA or EEA.

Do not process confidential data in Teams

Do not process (discuss, write, present or save) any confidential data in Teams. Confidential data includes details about Kela’s customers or security arrangements.

Reviewing, rectifying and erasing data

The request can be addressed to Kela’s Registry at kirjaamo@kela.fi

More information on the processing of personal data by Microsoft is available here: Microsoft Privacy Statement – Privacy at Microsoft

Kela orders brochures and forms for partner organisations through a contract supplier’s online store. The contract supplier receives address data in connection with the order, which results in the forming of an address register. In addition, some of the form orders by partner organisations require the checking of a doctor's license to practise. The licenses are checked by Kela, and no mention of it will remain in the contract supplier’s register.

1 Data controller

The Social Insurance Institution of Finland (Kela)

PL 450, 00056 KELA or Nordenskiöldinkatu 12, 00250 Helsinki

020 634 11 http://www.kela.fi/administration

2 Contact person for registerrelated matters

Riitta Keskitalo

Tel. 020 634 11 (exchange)

3 Name of register

Kela’s brochures and forms supplier’s address register

4 Purpose and basis for the handling of personal data

Personal data are used only for the purpose of delivering brochures and forms. The processing of the data is part of Kela’s statutory responsibilities. Kela's partner organisations have the right to receive paper forms from Kela at no cost.

5 Data content of the register

The register contains the following identifying details:

  • name of the company/person submitting the order
  • address
  • phone number (for deliveries)

Additional information included in the register:

  • form ID/form name
  • amount of forms ordered
  • brochure name
  • amount of brochures ordered

6 Regular sources of data

Data is received from the customers themselves.

7, Regular disclosure of data

Data is disclosed to the contract supplier on the basis of a customer’s consent. Data is disclosed only for the purpose of delivering brochures and forms, and only in connection with orders.

8 Transfer of data outside the EU or EEA

None.

9 Retention period for personal data

The brochures and forms supplier retains the data for the entire term of the contract, at the end of which they are deleted.

10 Principles of register security

Kela exercises due care in all its operations and ensures a high level of data protection and data security.

All Kela staff members who handle personal data sign a confidentiality agreement. The register data may be used only by authorised persons who need them to perform their official duties.

11 Right of access to data

Under Article 15 of the EU General Data Protection Regulation (EU 2016/679), data subjects have the right to access personal data concerning them. This means that persons included in the register have the right to check data concerning themselves.

A data subject who wishes to check their personal data must submit a request to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/web/en/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point. It can also be transmitted in a message via Kela's OmaKela e-service at www.kela.fi/omakela (in Finnish) or www.fpa.fi/mittfpa (in Swedish).

12 Right of correction

According to Article 16 of the General Data Protection Regulation, the data subject has the right to request the correction of inaccurate personal data.

The request for correction must be submitted to Kela.

The request must specify the following:

  • the specific information which is incorrect
  • the reason why it is incorrect
  • how it should be amended.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/web/en/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point. It can also be transmitted in a message via Kela's OmaKela e-service at www.kela.fi/omakela (in Finnish) or www.fpa.fi/mittfpa (in Swedish).

13 Right of erasure

Under Article 17 of the General Data Protection Regulation, data subjects have the right to request the erasure of their personal data.

This right does not extend to personal data that Kela needs to carry out its statutory duties.  

The request to erase personal data must be made to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/web/en/administration.

The request can also be transmitted in a message via the OmaKela e-service at www.kela.fi/omakela (in Finnish) or www.fpa.fi/mittfpa (in Swedish). Alternatively, the request can be made by phone or by visiting a Kela customer service point.

14 Right to file a complaint with a supervisory authority

According to Article 77 of EU Regulation 2016/679, the data subject has the right to lodge a complaint with the Data Protection Ombudsman, if the data subject considers that the processing of Kela personal data relating to him or her infringes this Regulation.

 1. Data controller

The Social Insurance Institution of Finland (hereinafter referred to as "Kela")
Address: Nordenskiöldinkatu 12, 00250 Helsinki
Business ID: 0246246-0

Contact information: 
Mailing address: PL 450, 00056 Kela
Telephone exchange: 020 634 11

Kela’s Data Protection Officer: tietosuoja@kela.fi

2. Name of register

Register of Kela's Customer Community.

3. Use of personal data

The data collected in the register are used in implementing research aimed at developing further Kela’s services. Kela uses the research findings exclusively for the purpose of developing its services and communications. The legal basis for processing personal data is the performance of a task in the public interest.

The register data are not combined with data concerning a person’s interactions with Kela as a customer, and participation or non-participation in the Customer Community has no effect on any customer relationship that a person may have with Kela or the benefits or services he or she may receive.

The replies/comments of Community members are processed confidentially, and the members’ contact information is not disclosed to third parties.

4. Types of personal data

The following types of data may be processed about a member:

a) Basic customer data
Email address (the only personal information all new members are asked upon registration)
Confirmation that a new member is 16 years of age or older.

b) Research findings
Members’ replies and comments submitted during research targeted at Community members

Depending on the goals and topic areas of specific research projects, members may also be asked for certain information classified as personal information. Such information (concerning, for instance, a person’s age or gender) will be anonymised immediately when the research data are analysed. This information is not inherently a part of the register of personal data, but a part of the research data, which is not stored separately anywhere.

5. Typical sources of personal data and the disclosure of personal data

Personal data are collected from the members themselves as they join and participate in the Community. Personal data can be made available to contracted entities that process it in accordance with Kela’s instructions. They are:

  • Pentagon Insight Oy
  • Bilendi Oy
  • LeanLab

6. Data security

Systems containing personal data are only accessible by staff with permission to process personal data. Such approved staff need a personal user ID and password to access personal data. Members’ personal data are stored on cloud servers and/or in databases, all of which are protected by passwords and firewalls.

7. Rights of data subjects

Each member has the right to access their personal data. Members can ask that errors in their personal data are corrected.

Each member has the right at any time to ask that their personal data are deleted, and Kela has an obligation to delete the data provided that a legal basis for processing them no longer exists. Members’ data are also deleted should they leave the Community.

Each member of the Community has the right to object to the processing of their personal data, to ask that the processing be restricted, and to file a complaint with a data protection authority (in Finland, the data protection ombudsman) in accordance with the General Data Protection Regulation.

Requests pertaining to the exercise of the rights of data subjects may be made by sending a written, signed request to the address provided in section 1.

1. Data controller

The Social Insurance Institution of Finland (Kela)
PL 450, 00056 KELA or Nordenskiöldinkatu 12, 00250 Helsinki
020 634 11 http://www.kela.fi/administration

2. Contact person for register-related matters

Tarja Hyvärinen
tutkimusjulkaisut@kela.fi
Tel. 020 634 11 (exchange)

3. Name of register

Peer review practice of Kela’s editorial staff committee for research publications

4. Purpose and basis for the handling of personal data

Personal data are used in the peer review process for research publications and in the payment of referee fees.

The handling of personal data is based on the fulfilment of Kela’s statutory responsibilities (see section 2 of the Act on the Social Insurance Institution 731/200), the requirements of the Finnish Federation of Learned Societies concerning the regular documentation of the peer-review process, and the guidelines on good scientific practice of the Finnish National Board on Research Integrity.

The data are not used in automatic decision-making or profiling.

5. Data content of the register

The following data are stored for both accepted and rejected manuscripts: date the manuscript was received and the date the decision was sent out, the authors’ suggestion for publication, the names of the authors and the title of the manuscript, the names of the referees and their comments, and the decisions sent by the editorial staff committee to the authors concerning the publication.

The following personal data are handled for the purpose of paying the referee fee: name, personal identity code, bank details and mailing address.

6. Regular sources of data

Data are obtained from the data subjects themselves.

7. Regular disclosure of data

None.

When compliance with the standards of good scientific practice in peer review is evaluated, the controller makes the necessary data available to the persons in charge of good scientific practice at the organisation carrying out the evaluation.

8. Transfer of data outside the EU or EEA

None.

9. Retention period for personal data

Documents relating to the payment of fees are retained for 11 years. The retention period is based on the Accounting Act (1336/1997)

Other retention periods for personal data have been set in accordance with the guidelines issued by the National Archives of Finland and the applicable laws and decrees. The data are retained in accordance with the filing plan approved by the National Archives of Finland for either 2 years, 10 years, or permanently.

After the period of active use, data conforming to the filing plan are archived in the public interest or for purposes of scientific and historical study. In order to ensure compliance with good scientific practice, data concerning the peer review process cannot, as a general rule, be deleted.

The stored data are not public and are only handled by members of the executive committee of Kela’s editorial staff for research publications, all of whom are employees of Kela.

10. Principles of register security

Kela exercises due care in all its operations and ensures a high level of data protection and data security.

All Kela staff members who handle personal data sign a confidentiality agreement. The register data may be used only by authorised persons who need them to perform their official duties.

11. Right of access to data

Under Article 15 of the EU General Data Protection Regulation (EU 2016/679), data subjects have the right to access personal data concerning them. This means that persons included in the register have the right to check data concerning themselves.

Data subjects who wishes to check their personal data must submit a request to Kela.

The request can be sent to Kela’s Registry at kirjaamo@kela.fi.

It can also be made by phone, by visiting a Kela customer service point, or by sending a message on the OmaKela e-service.

12. Right of correction

According to Article 16 of the General Data Protection Regulation, the data subject has the right to request the correction of inaccurate personal data.

The request for correction must be submitted to Kela.

The request must specify the following:

  • the specific information which is incorrect
  • the reason why it is incorrect
  • how it should be amended.

The request can be sent to Kela’s Registry at kirjaamo@kela.fi.

It can also be made by phone, by visiting a Kela customer service point, or by sending a message on the OmaKela e-service.

13. Right of erasure

Under Article 17 of the General Data Protection Regulation, data subjects have the right to request the erasure of their personal data.

This right does not extend to personal data that Kela needs to carry out its statutory duties. 

The request to erase personal data must be made to Kela.

The request can be sent to Kela’s Registry at kirjaamo@kela.fi.

It can also be made by phone, by visiting a Kela customer service point, or by sending a message on the OmaKela e-service.

14. Right to file a complaint with a supervisory authority

According to Article 77 of EU Regulation 2016/679, the data subject has the right to lodge a complaint with the Data Protection Ombudsman, if the data subject considers that the processing of Kela personal data relating to him or her infringes this Regulation.

1. Joint controller

The Social Insurance Institution of Finland (Kela)
PL 450, 00056 KELA or Nordenskiöldinkatu 12, 00250 Helsinki
020 634 11 http://www.kela.fi/administration

2. Contact person for register-related matters

Archival service for the patient and client records of defunct private social and healthcare service providers toimintansa.lopettaneet@kela.fi.
Tel. 020 634 11 (exchange)

3. Name of register

Archival service for the patient and client records of defunct private social and healthcare service providers.

4. Purpose and basis for the handling of personal data

The handling of the data is based on the fulfilment of Kela’s statutory responsibilities.

Under section 16 of the Act on the Electronic Processing of Client Data in Social and Health Care Services (703/2023) (“Client Data Act”), Kela is the joint controller for the client records of defunct service providers. Kela shares the joint controllership with the wellbeing services county in whose area the service provider in question had its place of business. The City of Helsinki is in this privacy statement equated with the wellbeing services counties. As a joint controller, Kela is, in accordance with the Client Data Act, responsible for ensuring the security of the data and their storage and erasure. Further, Kela serves as the contact point referred to in article 26 of the General Data Protection Regulation to which citizens can submit their data requests. Each wellbeing services county carries out the other controller responsibilities specified in the Regulation.

The data are also used for purposes outlined in the Act on the Secondary Use of Health and Social Data.

5. Data content of the register

The register contains data on defunct private service providers that have, in accordance with the Client Data Act, handed over their client records to Kela for storage as well as data on the service providers’ clients. The register contains the following data on defunct private service providers:

  • name
  • personal identity code
  • business ID
  • name of company
  • contract reference number
  • contact person for the entity transferring the material
  • mode of operation and sector of service
  • type of material and date received
  • professional practice right and area of specialisation
  • start year and end year of the material
  • place of business.

Additionally, the following data are retained on the clients of defunct private service providers:

  • name
  • personal identity code
  • date of birth
  • date of death
  • social and health data
  • log data from the service provider
  • log data from Kela’s archival service

6. Regular sources of data

Data are obtained from defunct private service providers that, having ceased their operations, hand over their records to Kela for storage in accordance with the Client Data Act. Additional data are obtained from the registers listed below. The data are used to verify that the criteria for using the service are met and to update personal data:

  • Digital and Population Data Services Agency (population data system)
  • National Supervisory Authority for Welfare and Health (the Soteri service provider register)
  • Finnish Institute for Health and Welfare (The SOTE register of organisations)
  • Finnish Patent and Registration Office and Finnish Tax Administration (the Business Information System)

7. Regular disclosure of data

Under section 16 of the Client Data Act, Kela is responsible as joint controller for ensuring data security, storage and erasure. In its capacity as a contact point within the meaning of section 16 of the Client Data Act, Kela will only release data from the register to the wellbeing services county that carries out, as joint controller, the other responsibilities set out in the General Data Protection Regulation, such as the release of data.

Kela will only release data directly to the data subject if the data in question are log data created in the course of the operations of Kela's own archival service for the patient and client records of private social and healthcare service providers.

8. Transfer of data outside the EU or EEA

Data are not transferred outside the EU or the EEA.

9. Retention period for personal data

Stored social and healthcare data are retained for the period defined in the appendix to the Client Data Act. The regulations of the State Archive, the National Board of Antiquities and the National Archives of Finland concerning the archival of records are also applied.

10. Principles of register security

Kela exercises due care in all its operations and ensures a high level of data protection and data security.

All Kela staff members who handle personal data sign a confidentiality agreement. The register data may be used only by authorised persons who need them to perform their official duties.

11. Right of access to data

Under Article 15 of the EU General Data Protection Regulation (EU 2016/679), data subjects have the right to access personal data concerning them. This means that persons included in the register have the right to check data concerning themselves.

In accordance with the Client Data Act, Kela is responsible for the security, storage and erasure of data created in the course of the operations of private service providers. Other controller responsibilities defined in the General Data Protection Regulation, including concerning the right of access of data subjects to personal data, are carried out by the wellbeing services counties. Data subjects who wish to check their personal data can contact Kela. In its capacity as joint controller, Kela serves as the contact point for data subjects. Kela receives requests for access to data and forwards them to the relevant wellbeing services county according to the service provider’s registered place of business.

Log data created in the course of the operations of Kela’s archival service for private social and healthcare service providers are released directly to the data subject. Requests for log data can be submitted on a dedicated form.

The forms used to submit requests are found on Kela’s website (in Finnish) at www.kela.fi/yhteistyokumppanit-potilas-ja-asiakasasiakirjojen-arkistointipalvelu. Requests can be emailed to Kela’s archival service for private social and healthcare service providers at toimintansa.lopettaneet@kela.fi.

12. Right of correction

According to Article 16 of the General Data Protection Regulation, the data subject has the right to request the correction of inaccurate personal data.

In accordance with the Client Data Act, Kela is responsible for the security, storage and erasure of data created in the course of the operations of service providers. Other controller responsibilities defined in the General Data Protection Regulation, including concerning the correction of data, are carried out by the wellbeing services counties. Data subjects who wish to make corrections to the data concerning their person can contact Kela. In its capacity as joint controller, Kela serves as the contact point for data subjects. Kela receives requests for the correction of data and forwards them to the relevant wellbeing services county according to the service provider’s registered place of business.

The request must specify the following:

  • the specific information which is incorrect
  • the reason why it is incorrect
  • how it should be amended.

Requests can be emailed to Kela’s archival service for private patient and client records at toimintansa.lopettaneet@kela.fi.

13. Right of erasure

Under Article 17 of the General Data Protection Regulation, data subjects have the right to request the erasure of their personal data.

This right does not extend to personal data that Kela needs to carry out its statutory duties. Patient and client data or log data stored in the register cannot be erased because the obligation to retain patient and client data and their retention period are specified in the Client Data Act. Where retention periods are based on mandatory provisions of law, data subjects do not have a right to have records concerning their person, the data such records contain or the relevant log data erased until the retention period specified by law has ended.

14. Right to file a complaint with a supervisory authority

According to Article 77 of the General Data Protection Regulation, the data subject has the right to lodge a complaint with the Data Protection Ombudsman, if the data subject considers that the processing of Kela personal data relating to him or her infringes this Regulation.

1. Data controller

The Social Insurance Institution of Finland (Kela)
PL 450, 00056 KELA or Nordenskiöldinkatu 12, 00250 Helsinki
Tel. 020 634 11, http://www.kela.fi/administration-contact-us

2. Contact person for register-related matters

laakevaihto@kela.fi
Tel. 020 634 11 (exchange)

3. Name of register

E-service for pharmaceutical companies: Register of contact information and price notifications 

4. Purpose and basis for the handling of personal data

A person authorised by a pharmaceutical company can use the e-service to file price notifications for medicinal products.

The processing of data is based on the fulfilment of Kela’s statutory responsibilities (section 1 of the Ministry of Social Affairs and Health decree on generic substitution).

The data are not used for commercial marketing purposes.

5. Data content of the register

The register contains the following data about the person authorised by a pharmaceutical company:

  • Name
  • E-mail address
  • Address, phone number and fax number of the pharmaceutical company

6. Regular sources of data

The person authorised by a pharmaceutical company either submits the data to Kela, or Kela has a contractual arrangement to obtain the data from a source to whom the authorised person has submitted price notifications.

7. Regular disclosure of data

Kela releases data on price notifications (including the name and email address of the contact person) to the Pharmaceuticals Pricing Board (chapter 6, section 20 of the Health Insurance Act). Personal data is only released to entities with the right to access it. 

8. Transfer of data outside the EU or EEA

None.

9. Retention period for personal data

The personal data contained in price notifications is retained for a period of one year from the receipt of the notification.

10. Principles of register security

Kela exercises due care in all its operations and ensures a high level of data protection and data security.

All Kela staff members who handle personal data sign a confidentiality agreement. The register data may be used only by authorised persons who need them to perform their official duties.

11. Right of access to data

Under Article 15 of the EU General Data Protection Regulation (EU 2016/679), data subjects have the right to access personal data concerning them. This means that persons included in the register have the right to check data concerning themselves.

Data subjects who wish to check their personal data must submit a request to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration-contact-us

The request can also be made by phone or by visiting a Kela service point, or by sending a message on Kela’s e-service at www.kela.fi/asiointi.

12. Right of correction

According to Article 16 of EU Regulation 2016/679, the data subject has the right to request the correction of inaccurate personal data.

A data subject who wishes to request correction of inaccurate data must submit a request to Kela.

The request must specify the following:

  • the specific information which is incorrect
  • the reason why it is incorrect
  • how it should be amended.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration-contact-us

The request can also be made by phone or by visiting a Kela service point, or by sending a message on Kela’s e-service at www.kela.fi/asiointi.

13. Right of erasure

Under Article 17 of the General Data Protection Regulation, data subjects have the right to request the erasure of their personal data.

This right does not extend to personal data that Kela needs to carry out its statutory duties. 

The request to erase personal data must be made to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration-contact-us

The request can also be transmitted as a message via Kela's e-service (www.kela.fi/asiointi). Alternatively, the request can be made by phone or by visiting a Kela customer service point.

14. Right to file a complaint with a supervisory authority

According to Article 77 of EU Regulation 2016/679, the data subject has the right to lodge a complaint with the Data Protection Ombudsman, if the data subject considers that the processing of Kela personal data relating to him or her infringes this Regulation.

Last modified 6/11/2024