Other privacy policies

Privacy statement for the electronic register of job applicants

1 Data controller

The Social Insurance Institution of Finland (Kela)
PL 450, 00056 HELSINKI or Nordenskiöldinkatu 12, 00250 HELSINKI
Tel. 020 634 11, http://www.kela.fi/administration

2 Contact information for register-related matters

If you have any questions about the electronic register of job applicants, you can contact our recruitment services at rekrytointi@kela.fi.

3 Name of the register and data subjects

The name of the register is the electronic register of job applicants.

The data subjects whose personal data are recorded in the register are internal and external candidates who apply for a position at Kela. Open positions at Kela are filled through an application process that can be public, internal or targeted. All open positions are published in Kela’s recruitment application, which is then used to manage the recruitment process. The recruitment application is the primary channel candidates use to apply for positions.

Each candidate creates a profile in the recruitment application. Candidates can delete their profile and any supporting documents they have uploaded to the recruitment application at any time. Candidates can also use the recruitment application to withdraw their application while it is still being processed.

4 Purpose and basis for the processing of personal data

Kela ensures the privacy of all candidates during the recruitment process and processes the personal data of the candidates in accordance with the applicable legislation. Personal data are processed for the purpose of collecting necessary data about the candidates in order to carry out each recruitment process and to select a candidate for the position and make their selection public. Candidates’ data are also used to carry out a feedback survey.

The legal basis for the processing of personal data is set out in Article 6(1)(b) of the General Data Protection Regulation (EU) 2016/679 (hereinafter the GDPR), i.e. the implementation of measures that precede the potential conclusion of an employment contract. To the extent that processing is necessary to ensure compliance with a statutory obligation that applies to the data controller, personal data are processed based on a legal obligation (Article 6(1)(c) of the GDPR). In addition to the above, a candidate’s personal data can be processed pursuant to Article 6(1)(a) of the GDPR in certain circumstances, i.e. with the consent of the data subject.

To the extent that personal data are processed on the basis of the data subject’s consent, the data subject can withdraw their consent at any time by notifying the data controller thereof. The withdrawal of consent has no implications for the lawfulness of any consent-based processing of data that took place prior to the withdrawal of consent.

During the recruitment process, Kela may ask the candidate for their consent in order to carry out aptitude testing. The candidate chosen for the position may undergo a security screening (security clearance) with their consent. More detailed information on the security clearance process and the rights of the person subjected to security screening is available on the Finnish Security and Intelligence Service’s website.

5 The register’s data content

The personal data Kela collects on candidates are personal data required by the relevant recruitment process, and personal data are collected only to the extent that is necessary to carry out the recruitment.

Kela can process e.g. the following personal data concerning the candidates during the recruitment process:

identifying information and contact information (first and last name, preferred name, email address, street address, postal code, postal district, country, phone number and photograph if any)
information provided by the candidate e.g. on their competence, education, work experience and language skills as well as other information provided by the candidate in connection with their application, such as their CV and cover letter
video interview material and the names and contact information of the candidate’s references
aptitude test results and the results of the security clearance process

What data are collected may vary based on what information the candidate provides and what position they have applied for.

The first and last name, street address, postal number, postal district and phone number of the candidate selected for a position will be transferred from the recruitment application to Kela’s HR system.

When a candidate uses Kela’s ura.kela.fi website, Kela collects cookies that are necessary for the technical operation and provision of the service. The cookies are primarily session-specific and deleted at the end of the session, with the exception of a cookie that is used to manage the website’s cookie banner.

When an internal candidate uses the recruitment application, the application uses necessary cookies that make it possible for the candidate to log in to the service. The cookies are primarily session-specific, with the exception of single sign-on (SSO) cookies.

6 Regular sources of data

Personal data are provided primarily by the candidate when they register their information in the recruitment application, create a profile and submit an application for an open position. Registered candidates can also later supplement the information they have provided for the positions they have applied for. If the candidate undergoes aptitude testing and/or the security clearance process with their consent, Kela will receive personal data concerning the candidate from the service provider that carries out the aptitude test and from the Finnish Security and Intelligence Service. If the services of a headhunting agency are used during the recruitment process, personal data will also be received from the headhunting agency. In addition, Kela receives personal data from the references provided by the candidate, if any.

7 Regular disclosure of data

The data stored in the electronic register of job applicants can be disclosed only to the extent required and permitted by the applicable legislation. Data are disclosed to the entity requesting them in accordance with the Act on the Openness of Government Activities. Data and documents are public unless expressly defined in law as confidential.

To the extent that it is necessary, data stored in the electronic register of job applicants can be disclosed to a headhunting agency or to a service provider that carries out aptitude testing if they process personal data on Kela’s behalf pursuant to an agreement or assignment. If a candidate is invited to attend a video interview, their name and email address will be transferred into the video interview application used by Kela to send the invitation.

8 Processing of personal data by service providers

Kela utilises third-party service providers during the recruitment process in the form of e.g. headhunting, aptitude testing or video interviews conducted via the relevant application. These service providers process personal data based on an agreement or assignment.

9 Transfer of data outside the EU or EEA

The personal data stored in the register are primarily not disclosed or transferred outside the EU or EEA. If an entity located outside the EU or EEA processes personal data in connection with a service provider’s processing of the said data, the parties must ensure that the personal data are processed in accordance with the applicable data protection legislation.

10 Retention period for personal data

The retention periods and the provisions that apply to the archiving and deletion of personal data that relates to a specific recruitment process are determined in accordance with Kela’s information management plan.

The application documents are retained in the recruitment application for a period of two years. The candidate’s personal data will be anonymised after two years have elapsed from the date on which they last logged in to the recruitment application. After the data are anonymised, the candidate can no longer be identified in the recruitment application. The anonymisation cannot be rolled back or reversed, which means that the identifying details that were present in the data cannot be restored. Basic information regarding internal applicants will remain in the recruitment application.

The service provider that carries out aptitude testing will retain the aptitude test results for a period of two years. Kela deletes the test results after the recruitment process has ended.

11 Automated decision-making and profiling

The personal data stored in the register are not used for profiling, and the processing of the personal data does not involve automated decision-making.

12 Data security principles that apply to the register

At Kela, data security and the protection of personal data are systematically taken into account in all use and processing of personal data. Kela processes all personal data in a secure manner and in compliance with the relevant legislation. All employees who process personal data at Kela are subject to a confidentiality obligation. The personal data stored in the electronic register of job applicants are processed only by appropriately authorised employees who require access to them to perform their official duties.

13 Rights of data subjects

Right of access

Data subjects have the right to obtain confirmation from the data controller as to whether the data controller processes personal data concerning the data subject. Where that is the case, data subjects have the right to access the personal data. You can view the information contained in your profile and in the supporting documents you have uploaded by logging in to the recruitment application. Alternatively, you can also ask Kela to provide this information to you.

Right to rectification

Data subjects have the right to request the correction and completion of any personal data that are incorrect, inaccurate or incomplete. You can use the recruitment application to correct or complete the information in your profile. Alternatively, you can also ask Kela to correct or complete this information on your behalf.

Right to erasure

In certain circumstances, data subjects have the right to request the erasure of their personal data from the register. You can delete your profile from the recruitment application. After you delete your profile, all of your personal data and job application data that are stored in the recruitment application will be anonymised. Please note that if you delete your profile while the recruitment process is still ongoing, this will be interpreted as you having withdrawn your application. Alternatively, you can also ask Kela to erase your data on your behalf.

Right to restrict the processing of your personal data

Data subjects have the right to restrict the processing of their personal data in certain cases set out in law. You can ask us to restrict the processing of your personal data e.g. if you feel that the personal data we process is incorrect or being processed unlawfully. Where this is the case, we can process your personal data only with your consent or in order to establish, exercise or defend a legal claim, for reasons of public interest or to protect the rights of another person.

If we rectify, erase or restrict the processing of your personal data based on your request, we are obliged to notify all parties to which your personal data has previously been disclosed of such rectification, erasure or restriction.

Right to transfer data to another data controller

You have the right to receive from the data controller personal data that pertains to you and which you have provided to the data controller yourself in a commonly used format so that you can transfer it to another data controller.

Exercising your rights as a data subject

You can exercise the rights set out above for data subjects by submitting a request to that effect via email to kirjaamo@kela.fi.

You can contact Kela’s Data Protection Officer by sending an email to tietosuoja@kela.fi.

Right to lodge a complaint with a supervisory authority

If you believe that your personal data is processed in a manner that breaches the GDPR, you have the right to lodge a complaint with the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
Mailing address: PO Box 800, 00531 Helsinki, Finland
Email: tietosuoja@om.fi

Please use the Ministry of Justice’s secure email system to send information that is sensitive or confidential. Instructions on how to send a secure email message are available on the website of the Office of the Data Protection Ombudsman at www.tietosuoja.fi/en/home.

Management system for administrative documents

1 Data controller

The Social Insurance Institution of Finland (Kela)
PL 450, 00056 Helsinki or Nordenskiöldinkatu 12, 00250 Helsinki
020 634 11, http://www.kela.fi/administration

2 Contact person for register-related matters

Jarmo Partanen

Tel. 020 634 11 (exchange)

3 Name of register

Management system for administrative documents (previously known as the registration and archival system for administrative documents)

4 Purpose and basis for the handling of personal data

The register is used for the registration, processing and archiving of administrative matters and documents and for the electronic signature of administrative documents. The handling of the data is based on the fulfilment of Kela’s statutory responsibilities.

5 In formation content of the register

The register contains data on matters which are pending or concluded and the documents associated with them, and the contact information of the persons and organisations initiating or otherwise related to the matter. Examples of matters that are recorded in the register include requests for statements, appointments of members to working groups, administrative complaints, other complaints, requests for information, procurement matters, requests for log data and requests to inspect register data.

The following identifying details are stored about the relevant persons and organisations:

name
address
email address
telephone number
contact person
organisation
job title.

6 Regular sources of data

The following sources of data are used: documents submitted by private individuals, organisations and government agencies, administrative documents drawn up by Kela, and data obtained from the registered persons themselves. In connection with the processing of administrative matters, data are received from e.g. the Parliamentary Ombudsman, the National Supervisory Authority for Welfare and Health (Valvira), police departments and ministries as well as Kela’s contractual partners and service providers. Data are also obtained from private individuals for example when an administrative matter is initiated.

7 Regular disclosure of data

None.

8 Transfer of data outside the EU or EEA

None.

9 Retention period for personal data

The retention periods are set out in Kela’s information management plan, and they comply with the applicable legislation and the guidelines issued by the National Archives of Finland.

10 Principles of register security

Kela exercises due care in all its operations and ensures a high level of data protection and data security.

All Kela staff members who handle personal data sign a confidentiality agreement. The register data may be used only by authorised persons who need them to perform their official duties.

11 Right of access to data

According to Article 15 of EU Regulation 2016/679, data subjects have the right to access personal data concerning them, i.e., to you can check the data concerning their person.

Those who wish to check their data must submit a request to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

12 Right of correction

According to Article 16 of EU Regulation 2016/679, the data subject has the right to request the correction of inaccurate personal data.

The request for correction must be submitted to Kela.

The request must specify the following:

the specific information which is incorrect
the reason why it is incorrect
how it should be amended.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

13 Right of erasure

Under Article 17 of the General Data Protection Regulation, data subjects have the right to request the erasure of their personal data.

This right does not concern personal data that Kela needs to carry out its statutory duties.

The request to erase personal data must be made to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

14 Right to file a complaint with a supervisory authority

According to Article 77 of EU Regulation 2016/679, the data subject has the right to lodge a complaint with the Data Protection Ombudsman, if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

Privacy statement for the procurement register

The data contained in the register are used for the purposes indicated in each tender process, including the verification of information presented in bids.

Privacy statement for the procurement register

1 Data controller

The Social Insurance Institution of Finland (Kela)
PL 450, 00056 KELA or Nordenskiöldinkatu 12, 00250 Helsinki
020 634 11 www.kela.fi/administration

2 Contact person for register-related matters

Hannamaija Haiminen
Tel. 020 634 11 (exchange)

3 Name of register

Procurement register

4 Purpose and basis for the handling of personal data

The register is used to manage competitive tenders in accordance with the Act on Pub-lic Procurement and Concession Contracts (1397/2016) and the Act on Public Procurement in the Fields of Defence and Security (1531/2011). The data contained in the register are used for the purposes indicated in each tender process, including the verification of information presented in bids.

Other possible situations in which the data are used include appeals lodged against procurement decisions or requests for information concerning procurement documents. The basis for the processing of the data is the mandate imposed by the law on the data controller.

Within applicable limits, Kela needs to use the data content of this register also in competitive tender processes not within the scope of application of the Act on Public Procurement and Concession Contracts (small scale procurements). In situations such as this, Kela is justified in processing personal data to carry out its statutory duties in order to perform a task which is in the public interest.

5 Data content of the register

The personal data used in Kela’s procurement processes primarily consist of the names of the bidders’ contact persons, the organisations they represent, their position within the organisation, and their phone numbers, addresses and email addresses.
For the persons in charge at the bidding corporations, the data processes may include, in addition to the data described above, dates of birth listed in the obligation compliance report or customer liability report compiled by the Finnish Tax Administration’s Grey Economy Information Unit, as well as data contained in extracts from the criminal record.

On a case-by-case basis, also data on the educational and professional backgrounds of the suppliers’ personnel may be processed (for example in competitive tenders where the supplier designates a consultant or equivalent already at the offer stage and makes reference to the consultant’s educational and professional background).

In the context of references collected on a case-by-case basis through calls for tender, the personal data that are processed may include the name, organisation, position, phone number, address, email address of the reference target’s contact person, and in-formation about the reference target.

6 Regular sources of data

Information received from offerors or candidates participating in competitive tenders arranged by Kela in accordance with the Public Procurement Act. The information is provided by the offerors or candidates themselves. Extracts from criminal records are requested directly from the bidders.

Data in obligation compliance reports are obtained from the Finnish Tax Administration’s Grey Economy Information Unit in accordance with its governing law (1207/2010).

Additionally, Kela receives information from publicly available sources, including the Trade Register maintained by the Finnish Patent and Registration Office, the Vastuu Group’s Reliable Partner service (customer liability reports), and the business credit in-formation registers of Suomen Asiakastieto Oy and Bisnode Finland Oy.

7 Regular disclosure of data

None. However, on a case-by-case basis, data may be released on request in accordance with the Act on the Openness of Government Activities (621/1999). Data and documents held by a public authority are public unless expressly defined in law as confiden-tial.

8 Transfer of data outside the EU or EEA

None.

9 Retention period for personal data

Data are retained for as long as required under the law.

The retention periods are based on archival and records management laws, along with other specific laws, as well as the operational need to document and safeguard the due process rights of both government authorities and private individuals and organisations.

As a rule, procurement documents (including bids) are retained for 10 (ten) years, unless provided otherwise in legislation or official instructions.

The legislation may prescribe longer periods of retention as follows, such as:

Accepted bids, along with their supporting documents, are retained for at least as long as the procurement agreement and the obligations set out in the agreement remain in effect.
Procurement documents that are part of an appeal process (including bids) are retained at least for as long as the appeal process continues and, once the process has been concluded, for as long as any necessary remedial measures may require.

Information concerning extracts from the criminal record is not stored or retained but is returned or destroyed immediately after the extracts have been verified.

10 Principles of register security

Kela exercises due care in all its operations and ensures a high level of data protection and data security.
All Kela staff members who handle personal data sign a confidentiality agreement. The register data may be used only by authorised persons who need them to perform their official duties.

11 Right of access to data

Under Article 15 of the EU General Data Protection Regulation (EU 2016/679), data subjects have the right to access personal data concerning them. This means that persons included in the register have the right to check data concerning themselves.

Those who wish to check their data must submit a request to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

12 Right of correction

According to Article 16 of the General Data Protection Regulation, the data subject has the right to request the correction of inaccurate personal data.

The request for correction must be submitted to Kela.

The request must specify the following:
•   the specific information which is incorrect
•   the reason why it is incorrect
•   how it should be amended.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

13 Right of erasure

Under Article 17 of the General Data Protection Regulation, data subjects have the right to request the erasure of their personal data.
This right does not extend to personal data that Kela needs to carry out its statutory duties.
The request to erase personal data must be made to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

14 Right to file a complaint with a supervisory authority

According to Article 77 of EU Regulation 2016/679, the data subject has the right to lodge a complaint with the Data Protection Ombudsman, if the data subject considers that the processing of Kela personal data relating to him or her infringes this Regulation.

Privacy statement for the supplier and customer register

The register contains supplier and customer data used in the handling and archival of sale and purchase invoices. The data are used to pay organisations, private individuals and employees and to invoice organisations and private individuals. The data are used for billing reports.

Privacy statement for the supplier and customer register

1 Data controller

The Social Insurance Institution of Finland (Kela)
PL 450, 00056 HELSINKI or Nordenskiöldinkatu 12, 00250 HELSINKI
020 634 11, www.kela.fi/administration

2 Contact person for register-related matters

Jarkko Malinen
Tel. 020 634 11 (exchange)

3 Name of register

Supplier and customer register

4 Purpose and basis for the handling of personal data

The register contains supplier and customer data used in the handling and archival of sale and purchase invoices. The data are used to pay organisations, private individuals and employees and to invoice organisations and private individuals. The data are used for billing reports.

The handling of the data is based on the discharge of Kela’s statutory responsibilities and contractual fulfilment.

5 Information content of the register

Recipient details (organisation or private individual):

name
bank account
electronic invoicing address
Business ID
contact information
country code
customer account category, supplier account category
EPR validity period
payment details

6 Regular sources of data

Suppliers are recorded in the register based on a combination of data supplied by the supplier (e.g. on an invoice) and data obtained or verified from governmental registries.

Staff members are recorded either as suppliers or customers based on HR data.

Invoiced customers are registered on the basis of self-provided information.

Some of the customer and supplier data are retrieved from other Kela systems.

7 Regular disclosure of data

None.

8 Transfer of data outside the EU or EEA

None.

9 Retention period for personal data

Customer data are retained in accordance with the Accounting Act.

10 Principles of register security

Kela exercises due care in all its operations and ensures a high level of data protection and data security.

All Kela staff members who handle personal data sign a confidentiality agreement. The register data may be used only by authorised persons who need them to perform their official duties.

11 Right of access to data

According to Article 15 of EU Regulation 2016/679, data subjects have the right to access personal data concerning them, i.e., to check the data concerning their person.

Data subjects who wish to check the data on their person must request the data from Kela's Registry.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

12 Right of correction

According to Article 16 of EU Regulation 2016/679, the data subject has the right to request the correction of inaccurate personal data.

The request for correction must be submitted to Kela.

The request must specify the following:

the specific information which is incorrect
the reason why it is incorrect
how it should be amended.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

13 Right of erasure

Under Article 17 of the General Data Protection Regulation, data subjects have the right to request the erasure of their personal data.

This right does not concern personal data that Kela needs in order to carry out its statutory duties.

Data subjects wishing to delete personal information must send a deletion request addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

14 Right to file a complaint with a supervisory authority

According to Article 77 of EU Regulation 2016/679, the data subject has the right to lodge a complaint with the Data Protection Ombudsman, if the data subject considers that the processing of Kela personal data relating to him or her infringes this Regulation.

The purpose for handling personal data is to allow Kela’s newsletters to be sent to the subscribers. Personal data are not disclosed to outside parties and are not used for commercial marketing purposes.

Privacy statement for Kela’s newsletter subscriber address register

1 Data controller

The Social Insurance Institution of Finland (Kela)

PL 450, 00056 Helsinki or Nordenskiöldinkatu 12, 00250 Helsinki

020 634 11, www.kela.fi/administration

2 Contact person for register-related matters

Siiri Kärkkäinen

Tel. 020 634 11 (exchange)

3 Name of register

Address register for Kela's newsletters

4 Purpose and basis for the handling of personal data

The purpose for handling personal data is to allow Kela’s newsletters to be sent to the subscribers. The register contains such data as new orders submitted on the newsletter subscription form (see section 6). Subscribers give their consent to the processing of their data.

To allow further development of the newsletters, the newsletter tool uses pixels to track the following information based on user actions to open the newsletter and the links it contains:

what newsletter topics are read
date and time at which the newsletter is read.

The data can be tracked on an individual-user level. Only the authors of the newsletters are authorised to look up statistical data as required by their professional responsibilities.

Personal data are not disclosed to outside parties and are not used for commercial marketing purposes.

5 Information content of the register

The register contains data on the customers according to the following classification: e-mail address and background organisation. The users’ IP addresses are used to track the opening of links.

6 Regular sources of data

The register is compiled from address data of the partners of Kela's Communications Section, publicly available Internet sources and subscriptions filed on the subscription form.

7 Regular disclosure of data

None.

8 Transfer of data outside the EU or EEA

None.

9 Retention period for personal data

The personal data are stored as long as a particular newsletter is published. They are deleted if the subscriber cancels all of his or her newsletter subscriptions or if the email address is no longer in use.

10 Principles of register security

Kela exercises due care in all its operations and ensures a high level of data protection and data security.

All Kela staff members who handle personal data sign a confidentiality agreement. The register data may be used only by authorised persons who need them to perform their official duties.

11 Right of access to data

According to Article 15 of EU Regulation 2016/679, data subjects have the right to access personal data concerning them, i.e., to check the data concerning their person.

Those who wish to check their data must submit a request to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

12 Right of correction

According to Article 16 of EU Regulation 2016/679, the data subject has the right to request the correction of inaccurate personal data.

Subscribers can use the link at the end of the newsletter to correct inaccuracies.

13 Right of erasure

Under Article 17 of the General Data Protection Regulation, data subjects have the right to request the erasure of their personal data.

Subscribers can cancel their subscription, following which their data are deleted from the register. The data can also be deleted from the register at the subscriber’s request, which will also cancel the subscription. Erasure requests may be emailed to viestinta(at)kela.fi.

14 Right to file a complaint with a supervisory authority

According to Article 77 of EU Regulation 2016/679, the data subject has the right to lodge a complaint with the Data Protection Ombudsman, if the data subject considers that the processing of Kela personal data relating to him or her infringes this Regulation.

Privacy statement for Kela’s press release distribution system

The data are handled for the purpose of distributing press releases through the STT service. Personal data are not disclosed to outside parties and are not used for commercial marketing purposes.

Privacy statement for Kela’s press release distribution system

1 Data controller

The Social Insurance Institution of Finland (Kela)
PL 450, 00056 Helsinki or Nordenskiöldinkatu 12, 00250 Helsinki
020 634 11, www.kela.fi/administration

2 Contact person for register-related matters

Minna J. Rantala

Tel. 020 634 11 (exchange)

3 Name of register

Recipients of Kela press releases

4 Purpose and basis for the handling of personal data

The data are processed for the purpose of distributing press releases through the STT service. Personal data are not disclosed to outside parties and are not used for commercial purposes.

The basis for processing data is to perform a task in the public interest (Article 6(1), point (e) of the General Data Protection Regulation; Section 4 of the Data Protection Act). The data subject’s consent is also required.

5 Information content of the register

The register consists of e-mail addresses.

6 Regular sources of data

The register is compiled from address data of the partners of Kela's Communications Section, publicly available internet sources and subscriptions received by Kela’s Communications Unit.

7 Regular disclosure of data

None.

8 Transfer of data outside the EU or EEA

None.

9 Retention period for personal data

The personal data are retained for as long as the distribution list is used.

The personal data are deleted if the subscriber cancels a press release subscription. The personal data are also deleted if the e-mail address is no longer valid.

10 Principles of register security

Kela exercises due care in all its operations and ensures a high level of data protection and data security.

All Kela staff members who handle personal data sign a confidentiality agreement. The register data may be used only by authorised persons who need them to perform their official duties.

11 Right of access to data

According to Article 15 of EU Regulation 2016/679, data subjects have the right to access personal data concerning them, i.e., to you can check the data concerning their person.

Those who wish to check their data must submit a request to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

12 Right of correction

According to Article 16 of EU Regulation 2016/679, the data subject has the right to request the correction of inaccurate personal data.

The request for correction must be submitted to Kela.

The request must specify the following:

the specific information which is incorrect
the reason why it is incorrect
how it should be amended.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

13 Right of erasure

Under Article 17 of the General Data Protection Regulation, data subjects have the right to request the erasure of their personal data.

This right does not concern personal data that Kela needs to carry out its statutory duties.

The request to erase personal data must be made to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

14 Right to file a complaint with a supervisory authority

According to Article 77 of EU Regulation 2016/679, the data subject has the right to lodge a complaint with the Data Protection Ombudsman, if the data subject considers that the processing of Kela personal data relating to him or her infringes this Regulation.

Privacy statement for the Elämässä.fi website

This privacy statement only applies to the Elämässä.fi website. Elämässä.fi is a web publication for Kela’s clients. Elämässä.fi produces customer profiles for Kela’s clientele as well which complement the informational content on the kela.fi website.

1 Data controller

The Social Insurance Institution of Finland (Kela)
PL 450, 00101 HELSINKI or Nordenskiöldinkatu 12, 00250 HELSINKI
020 634 11, www.kela.fi/administration

2 Contact person for register-related matters

tel. +358 20 634 11 (exchange)

3 Name of register

Privacy statement for the Elämässä.fi website

4 What kind of data are collected and how?

The Elämässä.fi website does not use cookies. Elämässä.fin visitor data is collected using the cookie-free methods of the web analytics tool Matomo. The information is only used by Kela and is not disclosed to outside parties.

Among other things, the following information is collected about the use of the Elämässä.fi website:

From which channel the visitor comes to Elämässä.fi
What device and browser the visitor uses
What search words the visitor uses

5 For what purposes are data collected?

Kela uses the data collected to ensure that the Elämässä.fi website functions properly and to guarantee data security.

6 Transfer of data outside the EU or EEA

None.

7 How are data protected?

At Kela, data security and protection of personal data are systematically taken into account in all use and handling of information. The privacy and usability of personal data are ensured by employing the appropriate technical and administrative measures. Kela handles all personal data with data protection in mind and in the manner determined by law.

All persons at Kela who handle personal data sign a confidentiality agreement. The register data are used only by authorised persons who need them to perform their official duties.

Data are processed also by outside partners of Kela in accordance with specific agreements, in which case the partners act in the role of data processors.

8 How long are data stored?

As soon as Kela no longer needs certain data it has collected, the data are destroyed in a secure fashion.

9 What rights do the users of the service have?

Users have the right to check the information collected about them and to ask that incorrect information is corrected. Users can check and correct their personal information by sending Kela a request to that effect.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

10 Amendments to this privacy statement

Kela may amend this privacy statement without separate notice.

This cookie policy concerns the sosiaalivakuutus.fi website. Sosiaalivakuutus is an online publication for Kela’s stakeholders.

Cookie policy for www.sosiaalivakuutus.fi

This cookie policy concerns the sosiaalivakuutus.fi website. Sosiaalivakuutus is an online publication for Kela’s stakeholders. It focuses on issues of public policy with a special emphasis on social security. The articles published in Sosiaalivakuutus do not represent Kela’s official policy.

This cookie policy statement outlines how Kela and its partners use cookies and other similar tracking and personalisation technologies (hereinafter referred to collectively as “cookies”) on the sosiaalivakuutus.fi website. Cookies are used to collect information on how and when the website is used. This information helps to improve usability and to offer visitors to the www.sosiaalivakuutus.fi website targeted information.

Kela cannot identify individual users based on the data collected, because it does not capture the users’ name, contact details or personal data code. Behavioural data collected on the sosiaalivakuutus.fi website is not matched to other personally identifying data that Kela may handle in some other context.

Users can allow cookies by adjusting their preferences in the cookie banner. Users can decide not to allow cookies or access to location, or withdraw their consent at any time.

This cookie policy statement provides answers to the following questions:

How can I find Kela’s contact information?
What are cookies and what kind of information is collected with them?
For what purposes are cookies and the information associated with them used?
How long are data stored?
What options do users have regarding cookies?
What other means of control are available to users?
To whom are data released or transferred?
How are data protected?
How is this cookie policy revised or updated?

1. Contact information

The Social Insurance Institution of Finland (Kela)
PL 450, 00101 Helsinki or Nordenskiöldinkatu 12, 00250 Helsinki
Telephone: 020 634 11
Contact person:
Henrik Jussila, >Editor in chief
Telephone: 020 634 1921
firstname.lastname(at)kela.fi

2. What are cookies and what kind of information is collected with them?

Like many other websites, the sosiaalivakuutus.fi website uses cookies and other similar tracking and personalisation technologies. Cookies are small text files containing information which are stored by the user’s browser and which collect information about visits to the sosiaalivakuutus.fi website.

Both first-party and third-party cookies are used on the sosiaalivakuutus.fi website. First-party cookies are created by the website whose address is shown in the address bar. The sosiaalivakuutus.fi website also uses third-party cookies from marketing technology providers and social media. Only the server that created the cookie can read the cookie and for example recognise a returning user.

On the sosiaalivakuutus.fi website, cookies are used among other things to collect information about

the number of visitors to the website
what types of devices are used to access the sosiaalivakuutus.fi website
the online address from which users access the website
individual pages visited.

The page requests made by visitors to the site are stored automatically in cookies and on the servers for the sosiaalivakuutus.fi website. Such information typically includes the user’s page request and its date and time, the IP address of the user’s device, and the type and language of the browser.

The information is in a format that prevents it from being matched to individual users without access to additional information. Cookies are not used to store information for example about the user’s name, email address, telephone number or home address. Kela is unable to match cookie data to specific individuals, and is taking steps to further minimise the potential to identify specific users. For example, when using web analytics tools, Kela deletes digits in the user’s IP address in order to prevent anyone from identifying specific users.

3. How are cookies and the information associated with them used?

The following types of cookies are used on the sosiaalivakuutus.fi website:

Functional cookies These cookies are used to ensure the proper functioning of the sosiaalivakuutus.fi website. For examples, Polyfill is used to remedy performance and functionality problems when using various browsers and older versions of such browsers. Polyfill receives network requests from the browser and activate the functionalities available on the website that are supported by the browser.
Cookies related to user metrics and analytics: Web analytics tools (Google Analytics and Piwik Pro) use cookies to collect statistical data. We collect data to analyse the number of visitors, to gauge users’ interest in various types of content and to identify different ways in which the service used, as well as to develop the site further.
Targeting cookies used for marketing communications Cookies allow Kela to target marketing communications to users who have visited the sosiaalivakuutus.fi website. Kela’s works together with the following partners: Adform, X (Twitter), MediaMath and Facebook. By deploying cookies from these service providers on its website, Kela makes it possible to collect information and to transmit it to the service providers. Further, Google Tag Manager (GTM) is used to manage these tracking tags.

The use of third-party cookie data is governed by the terms and conditions of the third parties, which can be examined below:

Google Analytics

Purpose of use: To collect statistical data on the website and to analyse it in order to improve the website content.
Click here for more information on how Google uses cookies.

Piwik Pro

Purpose of use: To collect statistical data on the website and to analyse it in order to improve the website content.
Click here for more information on how Piwik Pro uses cookies.

Hotjar

Purpose of use: To collect statistical data on the website and to analyse it in order to improve the website content.
Click here for more information on how Hotjar uses cookies.

Google Tag Manager (GTM)

Purpose of use: To manage tracking tags such as Facebook and Adform pixels.
Click here for more information on how Google uses cookies.

Google Double Click

Purpose of use: To personalise, implement and analyse marketing messages in order to display the kind of messages that users are most likely to find interesting.
More information: If the user has a Google account, Google may match the cookie to the user’s account. Click here for more information on how Google uses cookies for personalisation.

Facebook

Purpose of use: To personalise, implement and analyse marketing messages in order to display the kind of messages that users are most likely to find interesting.
More information: Click here for more information on how Facebook uses cookies. Facebook may match a cookie related to a visit to the sosiaalivakuutus.fi website to a specific Facebook user who has a Facebook account.

Adform

Purpose of use: To personalise, implement and analyse marketing messages in order to display the kind of messages that users are most likely to find interesting.
Click here for more information on how Adform uses cookies.

MediaMath

Purpose of use: To personalise, implement and analyse marketing messages in order to display the kind of messages that users are most likely to find interesting.
Click here for more information on how MediaMath uses cookies.

X (Twitter)

Purpose of use: To personalise, implement and analyse marketing messages in order to display the kind of messages that users are most likely to find interesting.
Click here for more information on how X (formerly Twitter) uses cookies.

Polyfill

The purpose of the cookies is to ensure a consistent user experience on different browsers. The Polyfill service identifies the browser and the features it supports. It offers the browser a collection of codes designed to ensure that the various features on the site are displayed as consistently as possible to users of different browsers.
Click here for more information on how Polyfill uses cookies.

4. How long are data stored?

The cookies either expire after the session ends (i.e., until the user closes the browser) or they are persistent cookies with a lifetime of a few months or a few years. Users can affect the length of time for which the data collected with cookies is stored by clearing the cookies in their browser settings, which will reset their cookie profile.

Typical storage periods for data collected with cookies are as follows:

Functional cookies The data collected with functional cookies are usually deleted at the end of the sessions, or are stored for a maximum of one month.
Cookies related to user metrics and analytics: Cookies collected for this purpose are deleted from Hotjar or equivalent within 365 days. Data collected by Google Analytics is typically stored for 26 months and data collected by Piwik Pro for 36 months.
Targeting communications. The data collected for the purpose of targeted advertising is typically stored for a few months. For example Adform and Mediamath, both Kela partners, delete the data within 13 months.

5. What options do users have regarding cookies?

Users give their consent to the use of cookies and to the processing of the data collected with them when visiting the sosiaalivakuutus.fi website for the first time and by clicking the Allow button in the cookie banner. Users may decline or withdraw their consent by clicking on the Cookies Preferences button in the banner.

Users wishing to make choices that are specific to a particular partner we work with may visit the partners’ website to block cookies or change their preferences:

Google Analytics: Users can block the use of site data in Google Analytics by installing a browser add-on available here. The add-on prevents the Google Analytics JavaScript code running on the website (ga.js, analytics.js and dc.js) from sharing site usage data with Google Analytics.
Google DoubleClick: Users can manage Google’s advertising settings here.
X (Twitter): Users can manage X’s (formerly Twitter) advertising settings here.
Facebook: Users can manage Facebook’s advertising settings here.
Adform: Users can withdraw their consent to targeted advertising here.
MediaMath: Users can withdraw their consent to targeted advertising here.
Hotjar: Users can go here to prevent the collection of data.
Piwik Pro: Users can stop the collection of data by enabling Do not track in the browser settings. Browser-specific instructions: Internet Explorer, Firefox and Google Chrome.

Users can also use the browser settings to block or delete cookies. Blocking or deleting cookies may affect choices you have made previously on the website, for example deleting a cookie set previously on the website which forbids targeted advertising. Any selections made are browser-specific, which means that users must manage their preferences separately in each browser.

In Google Chrome, Internet Explorer and Mozilla Firefox, for example, cookies are deleted as follows:

Google Chrome 66

Launch Google Chrome.
Click the menu in the upper right-hand corner and select Options.
Click Show advanced settings.
Yes. Fill in the following data:.
Turn off “Allow sites to save and read cookie data (recommended)”.

Internet Explorer 11

Launch Internet Explorer.
Click the Tools icon (which looks like a gear) and select Internet Options.
Select the Privacy tab and click on Advanced.
Under First-party Cookies and Third-party Cookies, select Block. Also uncheck “Always allow session cookies”.
Then click OK.

Mozilla Firefox 52

Launch Firefox.
Click the menu in the upper right-hand corner and select Options.
Select Privacy & Security.
Choose “Firefox will” in the drop-down menu under History.
Select “Never remember history”.
Close the Options page.

If you block cookies, you can allow them again at any time. Deleting cookies will not make it more difficult to use the sosiaalivakuutus.fi website

6. What other options do users have?

Besides having the right to information about the handling of personal information, users have the right under the privacy law:

to check what personal information has been stored about them
to correct the information
to delete the information and to exercise their right to be forgotten
to withdraw a consent they have given earlier
to restrict the handling of the information
to ask that the information they have supplied, which is handled automatically based on their consent or an agreement, not be transferred from one system to another

By default, exercising the above rights requires Kela to identify each user. This means that users must supply additional information to allow them to be identified.

Changing the cookie preferences as described above is the primary way in which users can affect the processing of their data. Users can contact Kela by phone or use the Message function on Kela’s e-service, submit a written request to Kela’s Registry, or visit a Kela office personally. The contact information can be found in section 1. Users can also file a complaint with the supervisory authority at www.tietosuoja.fi.

7. To whom are data released or transferred?

Kela works with a number of reliable partners to target marketing and enables these partners to collect information on the sosiaalivakuutus.fi website by means of cookies and similar technologies. Please refer to section 3 for information on how the partners handle the data.

Certain service providers contracted by Kela (such as communications agencies) may have access to data created in connection with visits to the sosiaalivakuutus.fi website. These service providers may use the data only as appropriate to Kela’s requirements. In that context, Kela may transfer processed personal data outside the EU or ETA in compliance with prevailing legislation.

Kela seeks to ensure by contractual means that the partners and service providers handle the information in accordance with the prevailing legislation.

8. How are data protected ?

At Kela, data security and protection of personal data are systematically taken into account in all use and handling of information. The privacy and usability of personal data are ensured by employing the appropriate technical and administrative measures. Kela handles all personal data with data protection in mind and in the manner determined by law.

All persons at Kela who handle personal data sign a confidentiality agreement. The personal data are used only by authorised persons who need them to perform their official duties.

Data collected by means of cookies are also handled by certain external partners of Kela in accordance with separate agreements. Kela seeks to ensure by contractual means that the partners take the necessary steps to guarantee data security as required by legislation.

9. How is this cookie policy revised or updated?

Kela may update this cookie policy when appropriate, for example if the purposes for which the data are handled change or if the relevant legislation or government recommendations are revised. Information about the updates will be posted on the sosiaalivakuutus.fi website.

This cookie policy was published in connection with the implementation of a cookie banner on the sosiaalivakuutus.fi website, which allows users to manage their cookie preferences. It replaces the earlier privacy policy statement, which is available here.

Privacy statement for Kela’s Research Ethics Committee

The register is used to record and review requests for statement sent to Kela’s Research Ethics Committee for the purpose of carrying out an ethical review.

Privacy statement for Kela’s Research Ethics Committee

1 Data controller

The Social Insurance Institution of Finland (Kela)
PL 450, 00056 Helsinki or Nordenskiöldinkatu 12, 00250 Helsinki
020 634 11 http://www.kela.fi/administration

2 Contact person for register-related matters

Seita Laaksoviita
kela.tutkimuseettinen.tmk@kela.fi
Tel. 020 634 11 (exchange)

3 Name of register

Register of statement requests submitted to Kela’s Research Ethics Committee

4 Purpose and basis for the handling of personal data

The register is used to record and review requests for statement sent to Kela’s Research Ethics Committee for the purpose of carrying out an ethical review. The register is also used to store documents. The handling of personal data is based on the fulfilment of Kela’s statutory responsibilities(section 2 of the Act on the Social Insurance Institution.

5 Data content of the register

The register contains the following types of personal data:

For the principal investigator: name, professional title, education, key professional responsibilities, organisation, address, email address and telephone number
For other participating researchers: name, education, professional title, organisation and key professional responsibilities.

6 Regular sources of data

Personal data are obtained from the registered persons themselves.

7 Regular disclosure of data

No data are disclosed except to the members of Kela's Research Ethics Committee.

8 Transfer of data outside the EU or EEA

None.

9 Retention period for personal data

The statement requests are stored permanently.

10 Principles of register security

Kela exercises due care in all its operations and ensures a high level of data protection and data security.

All Kela staff members who handle personal data sign a confidentiality agreement. The register data may be used only by authorised persons who need them to perform their official duties.

11 Right of access to data

According to Article 15 of EU Regulation 2016/679, data subjects have the right to access personal data concerning them, i.e., to you can check the data concerning their person.

Those who wish to check their data must submit a request to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

12 Right of correction

According to Article 16 of EU Regulation 2016/679, the data subject has the right to request the correction of inaccurate personal data.

The request for correction must be submitted to Kela.

The request must specify the following:

the specific information which is incorrect
the reason why it is incorrect
how it should be amended.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

13 Right of erasure

Under Article 17 of the General Data Protection Regulation, data subjects have the right to request the erasure of their personal data.

This right does not concern personal data that Kela needs to carry out its statutory du-ties.

The request to erase personal data must be made to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

14 Right to file a complaint with a supervisory authority

According to Article 77 of EU Regulation 2016/679, the data subject has the right to lodge a complaint with the Data Protection Ombudsman, if the data subject considers that the processing of Kela personal data relating to him or her infringes this Regulation.

Privacy statement for video surveillance recordings

Kela uses video surveillance to protect the life, health, property and information of its customers and staff members.

Privacy statement for video surveillance recordings

1 Data controller

The Social Insurance Institution of Finland (Kela)
PL 450, 00056 KELA or Nordenskiöldinkatu 12, 00250 Helsinki
020 634 11 http://www.kela.fi/administration

2 Contact person for register-related matters

Anssi Suominen
anssi.am.suominen@kela.fi
Tel. 020 634 11 (exchange)

3 Name of register

Video surveillance recordings

4 Purpose and basis for the handling of personal data

Kela uses video surveillance to protect the life, health, property and information of its customers and staff members.

Personal data obtained through video surveillance is processed to protect the essential interests of Kela’s customers and staff and for the purpose of exercising official authority and performing tasks in the public interest. The use of video surveillance is based on chapter 5, section 16 of the Act on the Protection of Privacy in Working Life (13.8.2004/759).

5 Data content of the register

Video surveillance systems are used to collect and store video material about all individuals entering Kela premises where video surveillance is used. The individuals are identifiable either directly or indirectly based on their appearance. The video surveillance also involves processing information on the individuals’ presence and conduct on the premises.

6 Regular sources of data

Information is collected automatically by means of cameras connected to the surveillance system. The storage of data is based on motion detection.

7 Regular disclosure of data

In situations where a crime is suspected, data can be disclosed to government authorities in accordance with Finnish legislation. Data can be disclosed internally within Kela’s organisation for the purpose of investigating crimes and security incidents.

Data are not released outside the EU or for direct marketing purposes.

8 Transfer of data outside the EU or EEA

Data are not transferred outside the EU or the EEA.

9 Retention period for personal data

Video surveillance footage is stored for 30 days. The purpose of storing footage for this duration is to secure sufficient time to detect and investigate any security incidents recorded. The video surveillance system automatically deletes recordings at the end of the retention period.

Recordings used in the investigation of security incidents or in criminal investigations as defined in the Criminal Investigation Act are retained for the duration of the investigation and any subsequent legal proceedings. The duration of legal proceedings includes the applicable appeal periods.

10 Principles of register security

Kela exercises due care in all its operations and ensures appropriate data protection and data security.

All Kela staff members who handle personal data sign a confidentiality agreement. The register data may be used only by authorised persons who need them to perform their official duties. Workplace units have designated personnel authorised to watch recordings.

11 Right of access

Under Article 15 of the EU General Data Protection Regulation (EU 2016/679), data subjects have the right to access personal data concerning them. This means that persons included in the register have the right to check data concerning themselves.

Those who wish to check their data must submit a request to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration-contact-us.

Alternatively, the request can be made by phone or by visiting a Kela customer service point. It can also be transmitted in a message via Kela's OmaKela e-service at www.kela.fi/omakela (in Finnish) or www.fpa.fi/mittfpa (in Swedish).

12 Right to rectification

Under Article 16 of the General Data Protection Regulation, the data subject has the right to request the correction of inaccurate personal data. The data consists of camera recordings that usually do not contain errors or inaccuracies.

A data subject who wishes to request correction of inaccurate data must submit a request to Kela.

The request must specify the following:
the specific information which is incorrect
the reason why it is incorrect
how it should be amended.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration-contact-us.

Alternatively, the request can be made by phone or by visiting a Kela customer service point. It can also be transmitted in a message via Kela's OmaKela e-service at www.kela.fi/omakela (in Finnish) or www.fpa.fi/mittfpa (in Swedish).

13 Right of erasure

Under Article 17 of the General Data Protection Regulation, data subjects have the right to request the erasure of their personal data.

There is no right of erasure if the processing of the data is necessary for compliance with legal obligations or if the data are processed in order to perform a task that is in the public interest or to carry out official authority vested in the data controller.

A data subject who wishes to request erasure of inaccurate data must submit a request to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration-contact-us.

The request can also be transmitted in a message via Kela's OmaKela e-service at www.kela.fi/omakela (in Finnish) or www.fpa.fi/mittfpa (in Swedish).Alternatively, the request can be made by phone or by visiting a Kela customer service point.

14 Right to restrict of processing

Under Article 18 of the General Data Protection Regulation, data subjects have, in certain situations, the right to request that the processing of their personal data be restricted. The data may still be stored but not otherwise processed without the consent of the data subject except for purposes specifically defined by legislation such as to establish a legal claim.

Data subjects who wish to restrict the processing of data must submit a request in their own words to Kela. The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration-contact-us.

15 Right to object

Under Article 21 of the General Data Protection Regulation, data subjects have, in certain situations, the right to object to the processing of their personal data when it is done for the performance of a task that is in the public interest or to exercise public authority vested in the data controller and where there are grounds relating to their personal situation to deny the processing of the data.

The processing must be terminated except if the data controller can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

A data subject who objects to the processing of data must submit a request in their own words to Kela. The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration-contact-us.

16 Right to lodge a complaint with the supervisory authority

According to Article 77 of EU Regulation 2016/679, the data subject has the right to lodge a complaint with the Data Protection Ombudsman, if the data subject considers that the processing of Kela personal data relating to him or her infringes this Regulation.

Privacy statement for the register of applications for research funding

Processing of applications for research funding.

Privacy statement for the register of applications for research funding

1 Data controller
The Social Insurance Institution of Finland (Kela)
PL 450, 00056 Helsinki or Nordenskiöldinkatu 12, 00250 Helsinki
020 634 11, http://www.kela.fi/administration

2 Contact person for register-related matters

Sari Miettinen
Tel. 020 634 11 (exchange)

3 Name of register

Register of applications for research funding under section 12 of the KKRL (Kela Rehabilitation) Act.

4 Purpose and basis for the handling of personal data

Processing of applications for research funding. The processing of the data is part of Kela’s statutory responsibilities.

5 Data content of the register

The register of research funding contains the following information:

name of the person signing the research contract;
name, professional title, educational background, organisation, address, email address and phone number of the principal investigator;
names, professional titles and organisations of other researchers listed in the application
CV and publication list for the principal investigator and any other members of the research team.

6 Regular sources of data

The personal data are obtained from the applicants themselves.

7 Regular disclosure of data

No personal data are disclosed.

8 Transfer of data outside the EU or EEA

None.

9 Retention period for personal data

Documents are retained either permanently or for a specific period of time according to the filing plan. The retention periods for personal data are also defined in the filing plan.

10 Principles of register security

Kela exercises due care in all its operations and ensures a high level of data protection and data security.

All Kela staff members who handle personal data sign a confidentiality agreement. The register data may be used only by authorised persons who need them to perform their official duties.

11 Right of access to data

According to Article 15 of EU Regulation 2016/679, data subjects have the right to access personal data concerning them, i.e., to check the data concerning their person.

Those who wish to check their data must submit a request to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

12 Right of correction

According to Article 16 of EU Regulation 2016/679, the data subject has the right to request the correction of inaccurate personal data.

The request for correction must be submitted to Kela.

The request must specify the following:

the specific information which is incorrect
the reason why it is incorrect
how it should be amended.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

13 Right of erasure

Under Article 17 of the General Data Protection Regulation, data subjects have the right to request the erasure of their personal data.

This right does not extend to personal data that Kela needs to carry out its statutory duties.

The request to erase personal data must be made to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

14 Right to file a complaint with a supervisory authority

According to Article 77 of EU Regulation 2016/679, the data subject has the right to lodge a complaint with the Data Protection Ombudsman, if the data subject considers that the processing of Kela personal data relating to him or her infringes this Regulation.

Privacy statement for distribution addresses for Kela's research publications

The register is used when sending Kela’s printed research publications to organisations or persons that have subscribed to a printed publication and reported their address for this purpose to the contact person who maintains a list of the distribution addresses for Kela’s research publications.

Privacy statement for distribution addresses for Kela's research publications

1 Data controller

The Social Insurance Institution of Finland (Kela)
PL 450, 00056 KELA or Nordenskiöldinkatu 12, 00250 Helsinki
020 634 11, http://www.kela.fi/administration

2 Contact person for register-related matters

Tarja Hyvärinen
Tel. 020 634 11 (exchange)

3 Name of register

Distribution addresses for research publications

4 Purpose and basis for the handling of personal data

The register is used when sending Kela’s printed research publications to organisations or persons that have subscribed to a printed publication and reported their address for this purpose to the contact person who maintains a list of the distribution addresses for Kela’s research publications.

The publications are sent by the printing house Punamusta. Kela has an agreement with the printing house Punamusta on appropriate processing of the distribution addresses for research publications. Neither Punamusta nor Kela releases addresses for marketing purposes. The processing of the data is based on the consent of the registered persons.

5 Data content of the register

Name and postal address of the customer

6 Regular sources of data

The addresses in the register are obtained from the customers themselves.

7 Regular disclosure of data

None.

8 Transfer of data outside the EU or EEA

None.

9 Retention period for personal data

The personal data are stored as long as the publication subscription is valid. The data are erased when the customer cancels the subscription.

10 Principles of register security

Kela exercises due care in all its operations and ensures a high level of data protection and data security.

All Kela staff members who handle personal data sign a confidentiality agreement. The register data may be used only by authorised persons who need them to perform their official duties.

11 Right of access to data

Under Article 15 of the EU General Data Protection Regulation (EU 2016/679), data subjects have the right to access personal data concerning them. This means that persons included in the register have the right to check data concerning themselves.

Those who wish to check their data must submit a request to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

12 Right of correction

Under Article 16 of the General Data Protection Regulation, the data subject has the right to request the correction of inaccurate personal data.

The request for correction must be submitted to Kela.

The request must specify the following:

the specific information which is incorrect
the reason why it is incorrect
how it should be amended.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

13 Right of erasure

Under Article 17 of the General Data Protection Regulation, data subjects have the right to request the erasure of their personal data.

This right does not extend to personal data that Kela needs to carry out its statutory duties.

The request to erase personal data must be made to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

14 Right to file a complaint with a supervisory authority

Under Article 77 of the General Data Protection Regulation, the data subject has the right to lodge a complaint with the Data Protection Ombudsman, if the data subject considers that the processing of Kela personal data relating to him or her infringes this Regulation.

Privacy statement for the system used to process orders for Kela’s research and statistical publications

The register is used to send print research and statistical publications to individuals and entities who have either an email subscription or are subscribed through the University of Helsinki Helda digital archive.

Privacy statement for the system used to process orders for Kela’s research and statistical publications

1 Data controller

The Social Insurance Institution of Finland (Kela)
PO Box 450, 00056 Kela
020 634 11 http://www.kela.fi/administration

2 Contact person for register-related matters

Research and Statistical Publications, julkaisut@kela.fi
Tel. 020 634 11 (exchange)

3 Name of register

Subscriber register for Kela’s research and statistical publications

4 Purpose and basis for the handling of personal data

The register is used to send print research and statistical publications to individuals and entities who have either an email subscription or are subscribed through the University of Helsinki Helda digital archive. The address data are also used for invoicing. No address data are released to outside parties or used for marketing purposes.

5 Data content of the register

Customer's name, postal address and email address

6 Regular sources of data

The addresses in the register are obtained from the customers themselves.

7 Regular disclosure of data

None.

8 Transfer of data outside the EU or EEA

None.

9 Retention period for personal data

The data are deleted once the subscription has been delivered or has ended.

10 Principles of register security

Kela exercises due care in all its operations and ensures a high level of data protection and data security.

All Kela staff members who handle personal data sign a confidentiality agreement. The register data may be used only by authorised persons who need them to perform their official duties.

11 Right of access to data

Under Article 15 of the EU General Data Protection Regulation (EU 2016/679), data subjects have the right to access personal data concerning them. This means that persons included in the register have the right to check data concerning themselves.

Those who wish to check their data must submit a request to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

12 Right of correction

According to Article 16 of EU Regulation 2016679, the data subject has the right to request the correction of inaccurate personal data.

The request for correction must be submitted to Kela.

The request must specify the following:

the specific information which is incorrect
the reason why it is incorrect
how it should be amended.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

13 Right of erasure

Under Article 17 of the General Data Protection Regulation, data subjects have the right to request the erasure of their personal data.

This right does not extend to personal data that Kela needs to carry out its statutory duties.

The request to erase personal data must be made to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

14 Right to file a complaint with a supervisory authority

According to Article 77 of EU Regulation 2016/679, the data subject has the right to lodge a complaint with the Data Protection Ombudsman, if the data subject considers that the processing of Kela personal data relating to him or her infringes this Regulation.

Register of monitoring the prescribing of medicines

The personal data are used for the purpose of monitoring compliance with the statutory obligations applicable to the prescribing of the least expensive biological medicine or biosimilar.

Privacy statement for the register used in the context of monitoring the prescribing of biological medicines and biosimilars

1 Data controller

The Social Insurance Institution of Finland (Kela)
PL 450, 00056 KELA or Nordenskiöldinkatu 12, 00250 Helsinki
020 634 11 www.kela.fi/administration

2 Contact person for register-related matters

Monika Fuss
laakevalvonta@kela.fi

3 Name of register

Register used in the context of monitoring the prescribing of biological medicines and biosimilars.

4 Purpose and basis for the handling of personal data

The personal data are used for the purpose of monitoring compliance with the statutory obligations applicable to the prescribing of the least expensive biological medicine or biosimilar. To achieve this purpose, Kela monitors the prescriptions issued via the Prescription Centre for biological medicines and biosimilars. Kela is authorised to obtain and process any data stored in the Prescription Centre that are necessary to carry out the monitoring. Kela is authorised to record data in a separate register whose data controller it is.

Compliance with the data controller’s legal obligations is the basis for the processing of the personal data. The obligations are based on the following legal provisions:

Act on Electronic Prescriptions 61/2007:

Section 5 a Prescribing of biological medicines
Section 24 b Prescribing of biological medicines: Guidance and monitoring
Section 26 a Consequences of non-compliance with section 5 a
Section 15 Release of data to government authorities and for scientific research

5 Data content of the register

Data used to carry out the monitoring mandate:

data on electronic prescriptions obtained from the Prescription Centre
data obtained from the prescriber, such as statements, messages and contact information, and including health and diagnostic data contained in the patient records of persons using biological medicines or biosimilars
name, identifier and residential address of the prescriber, obtained from Valvira, the National Supervisory Authority for Welfare and Health
data related to monitoring as specified in section 26 a of the Act on Electronic Prescriptions, such as requests for further information, notifications, orders and court documents
documents related to the conditional imposition of a fine
data on self-employed prescribers using an information system that does not meet the requirements set out in section 5 b of the Act on Electronic Prescriptions.

6 Regular sources of data

Data stored in the register are obtained from the Prescription Centre, from prescribers, from Valvira and from the Legal Register Centre.

7 Regular disclosure of data

Kela can disclose data stored in the register to a prescriber who is party to a matter that involves monitoring and to the Legal Register Centre for the purpose of the conditional imposition of a fine.

If Kela finds, in its role as monitor, that a self-employed prescriber is using an information system that does not meet the requirements set out in section 5 b of the Act on Electronic Prescriptions, Kela can report the matter to the competent Regional State Administrative Agency (section 24 b of the Act on Electronic Prescriptions).

8 Transfer of data outside the EU or EEA

None.

9 Retention period for personal data

Documents sent to or received from prescribers, appeal documents, and documents relating to the conditional imposition of a fine are retained for 70 years starting from when the document was created or arrived at Kela.

Data on self-employed prescribers using an information system that does not meet the requirements set out in section 5 b of the Act on Electronic Prescriptions are retained for a period of one year starting from when they were reported to the Regional State Administrative Agency.

10 Principles of register security

Kela exercises due care in all its operations and ensures a high level of data protection and data security.
All Kela staff members who handle personal data sign a confidentiality agreement. The register data may be used only by authorised persons who need them to perform their official duties.

11 Right of access to data

Under Article 15 of the EU General Data Protection Regulation (EU 2016/679), data subjects have the right to access personal data concerning them. This means that persons included in the register have the right to are authorised under the law to inspect data concerning themselves.

Those who wish to check their data must submit a request to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

12 Right of correction

According to Article 16 of EU Regulation 2016/679, the data subject has the right to request the correction of inaccurate personal data.
The request for correction must be submitted to Kela.

The request must specify the following:

the specific information which is incorrect
the reason why it is incorrect
how it should be amended.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

13 Right of erasure

Under Article 17 of the General Data Protection Regulation, data subjects have the right to request the erasure of their personal data.
This right does not extend to personal data that Kela needs to carry out its statutory duties.
The request to erase personal data must be made to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration.

Alternatively, the request can be made by phone or by visiting a Kela customer service point or by sending a message on the OmaKela e-service (in Finnish) or MittFPA e-service (in Swedish).

14 Right to file a complaint with a supervisory authority

According to Article 77 of EU Regulation 2016/679, the data subject has the right to lodge a complaint with the Data Protection Ombudsman, if the data subject considers that the processing of Kela personal data relating to him or her infringes this Regulation.

The use of Teams with partners

Microsoft Teams is a communication app for teamwork: meetings, instant messaging and file sharing. Teams is part of Microsoft’s range of cloud services. Kela uses Teams for video meetings and for cooperation with persons outside Kela.

The data controllers are Kela and Microsoft. We process personal data to enable the use of our services and to investigate possible malfunctions and errors. Additionally, we use anonymized data on Teams use to analyse and develop the services. By using Teams for cooperation and communication with Kela, you consent to the processing of your personal data in the service.

More information on the processing of personal data by Microsoft is available here: Microsoft Privacy Statement – Privacy at Microsoft

Personal data

The following user data are stored in the service: names, email addresses, profile pictures and IP addresses. Additionally, files stored in Teams or written information in Teams chats may contain personal data.

Personal data recorded during a meeting are video, if your camera is switched on, and audio, if your microphone is switched on. Additionally, conversations during meetings may contain personal data. The person organising a meeting can record the meeting if there is a specific reason for doing so, for example a need to watch the meeting afterwards. At the start of the meeting, the organiser will say if the meeting is being recorded and give the reason for and purpose of the recording. Not all meetings are recorded.

We store documents that may contain personal data for a maximum of six years in Teams. Recordings of meetings are stored for three years by default.

Persons outside Kela who use Teams for their teamwork with Kela must renew their user rights every 120 days.

Disclosure of data

Under normal circumstances, data will not be disclosed outside the EU or EEA. In some cases personal data concerning the use of Teams may be transferred outside the EA or EEA.

Do not process confidential data in Teams

Do not process (discuss, write, present or save) any confidential data in Teams. Confidential data includes details about Kela’s customers or security arrangements.

Reviewing, rectifying and erasing data

The request can be addressed to Kela’s Registry at kirjaamo@kela.fi

More information on the processing of personal data by Microsoft is available here: Microsoft Privacy Statement – Privacy at Microsoft

Address register maintained by the supplier of Kela’s brochures, benefit guides and forms

Kela orders brochures and forms for partner organisations through a contract supplier’s online store. The contract supplier receives address data in connection with the order, which results in the forming of an address register. In addition, some of the form orders by partner organisations require the checking of a doctor's license to practise. The licenses are checked by Kela, and no mention of it will remain in the contract supplier’s register.

1 Data controller

The Social Insurance Institution of Finland (Kela)

PL 450, 00056 KELA or Nordenskiöldinkatu 12, 00250 Helsinki

020 634 11 http://www.kela.fi/administration

2 Contact person for registerrelated matters

Maarit Heikkinen

Tel. 020 634 11 (exchange)

3 Name of register

Address register maintained by the supplier of Kela’s brochures, benefit guides and forms

4 Purpose and basis for the handling of personal data

Personal data is processed only for the purposes of delivering brochures, benefit guides and forms. The processing of personal data is based on the fulfilment of Kela’s statutory duties (section 2 of the Act on the Social Insurance Institution).

Kela’s partner organisations (the Client or Clients) are entitled to order paper forms, brochures and benefit guides issued by Kela. Kela forwards all orders made by the Clients to the supplier of Kela’s printed products (the Supplier), which then delivers the ordered brochures, benefit guides and forms to the relevant Client.

4.1 Processing of orders concerning forms

When a Client orders forms, the Client submits their order via email to lomakevarasto@kela.fi. Kela fills in the name, address and contact information of the Client as well as the details of the Client’s order in the Supplier’s online store. Some healthcare-related forms cannot be supplied to a Client who does not have a medical license. Where necessary, Kela will ascertain whether the Client has a medical license by performing a query to look up healthcare professionals.

4.2 Processing of orders concerning brochures and benefit guides

Clients order brochures and benefit guides intended for Kela’s partner organisations by filling out the online order form available on Kela’s website. The Client enters their name, address and contact information as well as the details of their order in the online order form. This data is then transferred electronically to the Supplier.

5 The register’s data content

The register contains the following identifying details:

name of the company/the Client
address
phone number (for deliveries).

In addition, the register contains other information concerning each order as detailed below:

form ID or name
the number of forms ordered by the Client
the names of the brochures or benefit guides ordered by the Client
the number of brochures or benefit guides ordered by the Client.

6 Regular sources of data

All personal data is obtained from the data subjects themselves.

7, Regular disclosure of data

Kela discloses the Client’s name, address and contact information as well as the details of their order to the Supplier based on the Client’s consent. Kela obtains the data it discloses to the Supplier from the online order form filled out by the Client on Kela’s website or from the email message sent by the Client to lomakevarasto@kela.fi.

8 Transfer of data outside the EU or EEA

No data is transferred to countries outside the EU or the EEA.

9 Retention period for personal data

Order data is retained by Kela for a period of six (6) years in accordance with the Accounting Act.

10 Data security principles that apply to the register

Kela exercises due care in all of its operations and ensures a high level of data protection and data security.

All Kela employees who handle personal data sign a confidentiality agreement. The data stored in the register may be used only by authorised persons who need access to the data to perform their official duties.

11 Right of access

Under Article 15 of the EU General Data Protection Regulation (EU 2016/679), data subjects have the right to access personal data concerning them. This means that persons included in the register have the right to check what data concerning themselves is stored in the register.

Those who wish to check their data must submit a request to Kela.

The request can be addressed to Kela’s Registry at kirjaamo@kela.fi.

The request can also be made by phone, by visiting a Kela service point, or by sending a message in the OmaKela e-service.

12 Right of correction

Pursuant to Article 16 of the General Data Protection Regulation, data subjects have the right to request the correction of any inaccurate personal data stored in the register.

The request for correction must be submitted to Kela.

The request must specify the following:

the specific information that is incorrect
the reason why it is incorrect
how it should be amended.

The request can be addressed to Kela’s Registry at kirjaamo@kela.fi.

The request can also be made by phone, by visiting a Kela service point, or by sending a message in the OmaKela e-service.

13 Right of erasure

Under Article 17 of the General Data Protection Regulation, data subjects have the right to request the erasure of their personal data.

This right does not extend to personal data that Kela needs to carry out its statutory duties.

The request to erase personal data must be made to Kela.

The request can be addressed to Kela’s Registry at kirjaamo@kela.fi.

The request can also be made by phone, by visiting a Kela service point, or by sending a message in the OmaKela e-service.

14 Right to lodge a complaint with a supervisory authority

Pursuant to Article 77 of the General Data Protection Regulation, data subjects have the right to lodge a complaint with the Data Protection Ombudsman if the data subject is of the opinion that Kela infringes the General Data Protection Regulation when processing personal data.

Privacy statement for Kela’s Customer Community

1. Data controller

The Social Insurance Institution of Finland (hereinafter referred to as "Kela")
Address: Nordenskiöldinkatu 12, 00250 Helsinki
Business ID: 0246246-0

Contact information: 
Mailing address: PL 450, 00056 Kela
Telephone exchange: 020 634 11

Kela’s Data Protection Officer: tietosuoja@kela.fi

2. Name of register

Register of Kela's Customer Community.

3. Use of personal data

The data collected in the register are used in implementing research aimed at developing further Kela’s services. Kela uses the research findings exclusively for the purpose of developing its services and communications. The legal basis for processing personal data is the performance of a task in the public interest.

The register data are not combined with data concerning a person’s interactions with Kela as a customer, and participation or non-participation in the Customer Community has no effect on any customer relationship that a person may have with Kela or the benefits or services he or she may receive.

The replies/comments of Community members are processed confidentially, and the members’ contact information is not disclosed to third parties.

4. Types of personal data

The following types of data may be processed about a member:

a) Basic customer data
Email address (the only personal information all new members are asked upon registration)
Confirmation that a new member is 16 years of age or older.

b) Research findings
Members’ replies and comments submitted during research targeted at Community members

Depending on the goals and topic areas of specific research projects, members may also be asked for certain information classified as personal information. Such information (concerning, for instance, a person’s age or gender) will be anonymised immediately when the research data are analysed. This information is not inherently a part of the register of personal data, but a part of the research data, which is not stored separately anywhere.

5. Typical sources of personal data and the disclosure of personal data

Personal data are collected from the members themselves as they join and participate in the Community. Personal data can be made available to contracted entities that process it in accordance with Kela’s instructions. They are:

Pentagon Insight Oy
Bilendi Oy
LeanLab

6. Data security

Systems containing personal data are only accessible by staff with permission to process personal data. Such approved staff need a personal user ID and password to access personal data. Members’ personal data are stored on cloud servers and/or in databases, all of which are protected by passwords and firewalls.

7. Rights of data subjects

Each member has the right to access their personal data. Members can ask that errors in their personal data are corrected.

Each member has the right at any time to ask that their personal data are deleted, and Kela has an obligation to delete the data provided that a legal basis for processing them no longer exists. Members’ data are also deleted should they leave the Community.

Each member of the Community has the right to object to the processing of their personal data, to ask that the processing be restricted, and to file a complaint with a data protection authority (in Finland, the data protection ombudsman) in accordance with the General Data Protection Regulation.

Requests pertaining to the exercise of the rights of data subjects may be made by sending a written, signed request to the address provided in section 1.

Privacy statement for the peer review practice of Kela’s editorial staff committee for research publications

1. Data controller

The Social Insurance Institution of Finland (Kela)
PL 450, 00056 KELA or Nordenskiöldinkatu 12, 00250 Helsinki
020 634 11 http://www.kela.fi/administration

2. Contact person for register-related matters

Tarja Hyvärinen
tutkimusjulkaisut@kela.fi
Tel. 020 634 11 (exchange)

3. Name of register

Peer review practice of Kela’s editorial staff committee for research publications

4. Purpose and basis for the handling of personal data

Personal data are used in the peer review process for research publications and in the payment of referee fees.

The handling of personal data is based on the fulfilment of Kela’s statutory responsibilities (see section 2 of the Act on the Social Insurance Institution 731/200), the requirements of the Finnish Federation of Learned Societies concerning the regular documentation of the peer-review process, and the guidelines on good scientific practice of the Finnish National Board on Research Integrity.

The data are not used in automatic decision-making or profiling.

5. Data content of the register

The following data are stored for both accepted and rejected manuscripts: date the manuscript was received and the date the decision was sent out, the authors’ suggestion for publication, the names of the authors and the title of the manuscript, the names of the referees and their comments, and the decisions sent by the editorial staff committee to the authors concerning the publication.

The following personal data are handled for the purpose of paying the referee fee: name, personal identity code, bank details and mailing address.

6. Regular sources of data

Data are obtained from the data subjects themselves.

7. Regular disclosure of data

None.

When compliance with the standards of good scientific practice in peer review is evaluated, the controller makes the necessary data available to the persons in charge of good scientific practice at the organisation carrying out the evaluation.

8. Transfer of data outside the EU or EEA

None.

9. Retention period for personal data

Documents relating to the payment of fees are retained for 11 years. The retention period is based on the Accounting Act (1336/1997)

Other retention periods for personal data have been set in accordance with the guidelines issued by the National Archives of Finland and the applicable laws and decrees. The data are retained in accordance with the filing plan approved by the National Archives of Finland for either 2 years, 10 years, or permanently.

After the period of active use, data conforming to the filing plan are archived in the public interest or for purposes of scientific and historical study. In order to ensure compliance with good scientific practice, data concerning the peer review process cannot, as a general rule, be deleted.

The stored data are not public and are only handled by members of the executive committee of Kela’s editorial staff for research publications, all of whom are employees of Kela.

10. Principles of register security

Kela exercises due care in all its operations and ensures a high level of data protection and data security.

All Kela staff members who handle personal data sign a confidentiality agreement. The register data may be used only by authorised persons who need them to perform their official duties.

11. Right of access to data

Under Article 15 of the EU General Data Protection Regulation (EU 2016/679), data subjects have the right to access personal data concerning them. This means that persons included in the register have the right to check data concerning themselves.

Data subjects who wishes to check their personal data must submit a request to Kela.

The request can be sent to Kela’s Registry at kirjaamo@kela.fi.

It can also be made by phone, by visiting a Kela customer service point, or by sending a message on the OmaKela e-service.

12. Right of correction

According to Article 16 of the General Data Protection Regulation, the data subject has the right to request the correction of inaccurate personal data.

The request for correction must be submitted to Kela.

The request must specify the following:

the specific information which is incorrect
the reason why it is incorrect
how it should be amended.

The request can be sent to Kela’s Registry at kirjaamo@kela.fi.

It can also be made by phone, by visiting a Kela customer service point, or by sending a message on the OmaKela e-service.

13. Right of erasure

Under Article 17 of the General Data Protection Regulation, data subjects have the right to request the erasure of their personal data.

This right does not extend to personal data that Kela needs to carry out its statutory duties.

The request to erase personal data must be made to Kela.

The request can be sent to Kela’s Registry at kirjaamo@kela.fi.

It can also be made by phone, by visiting a Kela customer service point, or by sending a message on the OmaKela e-service.

14. Right to file a complaint with a supervisory authority

According to Article 77 of EU Regulation 2016/679, the data subject has the right to lodge a complaint with the Data Protection Ombudsman, if the data subject considers that the processing of Kela personal data relating to him or her infringes this Regulation.

1. Joint controller

The Social Insurance Institution of Finland (Kela)
PL 450, 00056 KELA or Nordenskiöldinkatu 12, 00250 Helsinki
020 634 11 http://www.kela.fi/administration

2. Contact person for register-related matters

Archival service for the patient and client records of defunct private social and healthcare service providers toimintansa.lopettaneet@kela.fi.
Tel. 020 634 11 (exchange)

3. Name of register

Archival service for the patient and client records of defunct private social and healthcare service providers.

4. Purpose and basis for the handling of personal data

The handling of the data is based on the fulfilment of Kela’s statutory responsibilities.

Under section 16 of the Act on the Electronic Processing of Client Data in Social and Health Care Services (703/2023) (“Client Data Act”), Kela is the joint controller for the client records of defunct service providers. Kela shares the joint controllership with the wellbeing services county in whose area the service provider in question had its place of business. The City of Helsinki is in this privacy statement equated with the wellbeing services counties. As a joint controller, Kela is, in accordance with the Client Data Act, responsible for ensuring the security of the data and their storage and erasure. Further, Kela serves as the contact point referred to in article 26 of the General Data Protection Regulation to which citizens can submit their data requests. Each wellbeing services county carries out the other controller responsibilities specified in the Regulation.

The data are also used for purposes outlined in the Act on the Secondary Use of Health and Social Data.

5. Data content of the register

The register contains data on defunct private service providers that have, in accordance with the Client Data Act, handed over their client records to Kela for storage as well as data on the service providers’ clients. The register contains the following data on defunct private service providers:

name
personal identity code
business ID
name of company
contract reference number
contact person for the entity transferring the material
mode of operation and sector of service
type of material and date received
professional practice right and area of specialisation
start year and end year of the material
place of business.

Additionally, the following data are retained on the clients of defunct private service providers:

name
personal identity code
date of birth
date of death
social and health data
log data from the service provider
log data from Kela’s archival service

6. Regular sources of data

Data are obtained from defunct private service providers that, having ceased their operations, hand over their records to Kela for storage in accordance with the Client Data Act. Additional data are obtained from the registers listed below. The data are used to verify that the criteria for using the service are met and to update personal data:

Digital and Population Data Services Agency (population data system)
National Supervisory Authority for Welfare and Health (the Soteri service provider register)
Finnish Institute for Health and Welfare (The SOTE register of organisations)
Finnish Patent and Registration Office and Finnish Tax Administration (the Business Information System)

7. Regular disclosure of data

Under section 16 of the Client Data Act, Kela is responsible as joint controller for ensuring data security, storage and erasure. In its capacity as a contact point within the meaning of section 16 of the Client Data Act, Kela will only release data from the register to the wellbeing services county that carries out, as joint controller, the other responsibilities set out in the General Data Protection Regulation, such as the release of data.

Kela will only release data directly to the data subject if the data in question are log data created in the course of the operations of Kela's own archival service for the patient and client records of private social and healthcare service providers.

8. Transfer of data outside the EU or EEA

Data are not transferred outside the EU or the EEA.

9. Retention period for personal data

Stored social and healthcare data are retained for the period defined in the appendix to the Client Data Act. The regulations of the State Archive, the National Board of Antiquities and the National Archives of Finland concerning the archival of records are also applied.

10. Principles of register security

Kela exercises due care in all its operations and ensures a high level of data protection and data security.

All Kela staff members who handle personal data sign a confidentiality agreement. The register data may be used only by authorised persons who need them to perform their official duties.

11. Right of access to data

Under Article 15 of the EU General Data Protection Regulation (EU 2016/679), data subjects have the right to access personal data concerning them. This means that persons included in the register have the right to check data concerning themselves.

In accordance with the Client Data Act, Kela is responsible for the security, storage and erasure of data created in the course of the operations of private service providers. Other controller responsibilities defined in the General Data Protection Regulation, including concerning the right of access of data subjects to personal data, are carried out by the wellbeing services counties. Data subjects who wish to check their personal data can contact Kela. In its capacity as joint controller, Kela serves as the contact point for data subjects. Kela receives requests for access to data and forwards them to the relevant wellbeing services county according to the service provider’s registered place of business.

Log data created in the course of the operations of Kela’s archival service for private social and healthcare service providers are released directly to the data subject. Requests for log data can be submitted on a dedicated form.

The forms used to submit requests are found on Kela’s website (in Finnish) at www.kela.fi/yhteistyokumppanit-potilas-ja-asiakasasiakirjojen-arkistointipalvelu. Requests can be emailed to Kela’s archival service for private social and healthcare service providers at toimintansa.lopettaneet@kela.fi.

12. Right of correction

According to Article 16 of the General Data Protection Regulation, the data subject has the right to request the correction of inaccurate personal data.

In accordance with the Client Data Act, Kela is responsible for the security, storage and erasure of data created in the course of the operations of service providers. Other controller responsibilities defined in the General Data Protection Regulation, including concerning the correction of data, are carried out by the wellbeing services counties. Data subjects who wish to make corrections to the data concerning their person can contact Kela. In its capacity as joint controller, Kela serves as the contact point for data subjects. Kela receives requests for the correction of data and forwards them to the relevant wellbeing services county according to the service provider’s registered place of business.

The request must specify the following:

the specific information which is incorrect
the reason why it is incorrect
how it should be amended.

Requests can be emailed to Kela’s archival service for private patient and client records at toimintansa.lopettaneet@kela.fi.

13. Right of erasure

Under Article 17 of the General Data Protection Regulation, data subjects have the right to request the erasure of their personal data.

This right does not extend to personal data that Kela needs to carry out its statutory duties. Patient and client data or log data stored in the register cannot be erased because the obligation to retain patient and client data and their retention period are specified in the Client Data Act. Where retention periods are based on mandatory provisions of law, data subjects do not have a right to have records concerning their person, the data such records contain or the relevant log data erased until the retention period specified by law has ended.

14. Right to file a complaint with a supervisory authority

According to Article 77 of the General Data Protection Regulation, the data subject has the right to lodge a complaint with the Data Protection Ombudsman, if the data subject considers that the processing of Kela personal data relating to him or her infringes this Regulation.

Register of contact information and price notifications

1. Data controller

The Social Insurance Institution of Finland (Kela)
PL 450, 00056 KELA or Nordenskiöldinkatu 12, 00250 Helsinki
Tel. 020 634 11, http://www.kela.fi/administration-contact-us

2. Contact person for register-related matters

laakevaihto@kela.fi
Tel. 020 634 11 (exchange)

3. Name of register

E-service for pharmaceutical companies: Register of contact information and price notifications

4. Purpose and basis for the handling of personal data

A person authorised by a pharmaceutical company can use the e-service to file price notifications for medicinal products.

The processing of data is based on the fulfilment of Kela’s statutory responsibilities (section 1 of the Ministry of Social Affairs and Health decree on generic substitution).

The data are not used for commercial marketing purposes.

5. Data content of the register

The register contains the following data about the person authorised by a pharmaceutical company:

Name
E-mail address
Address, phone number and fax number of the pharmaceutical company

6. Regular sources of data

The person authorised by a pharmaceutical company either submits the data to Kela, or Kela has a contractual arrangement to obtain the data from a source to whom the authorised person has submitted price notifications.

7. Regular disclosure of data

Kela releases data on price notifications (including the name and email address of the contact person) to the Pharmaceuticals Pricing Board (chapter 6, section 20 of the Health Insurance Act). Personal data is only released to entities with the right to access it.

8. Transfer of data outside the EU or EEA

None.

9. Retention period for personal data

The personal data contained in price notifications is retained for a period of one year from the receipt of the notification.

10. Principles of register security

Kela exercises due care in all its operations and ensures a high level of data protection and data security.

All Kela staff members who handle personal data sign a confidentiality agreement. The register data may be used only by authorised persons who need them to perform their official duties.

11. Right of access to data

Under Article 15 of the EU General Data Protection Regulation (EU 2016/679), data subjects have the right to access personal data concerning them. This means that persons included in the register have the right to check data concerning themselves.

Data subjects who wish to check their personal data must submit a request to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration-contact-us

The request can also be made by phone or by visiting a Kela service point, or by sending a message on Kela’s e-service at www.kela.fi/asiointi.

12. Right of correction

According to Article 16 of EU Regulation 2016/679, the data subject has the right to request the correction of inaccurate personal data.

A data subject who wishes to request correction of inaccurate data must submit a request to Kela.

The request must specify the following:

the specific information which is incorrect
the reason why it is incorrect
how it should be amended.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration-contact-us

The request can also be made by phone or by visiting a Kela service point, or by sending a message on Kela’s e-service at www.kela.fi/asiointi.

13. Right of erasure

Under Article 17 of the General Data Protection Regulation, data subjects have the right to request the erasure of their personal data.

This right does not extend to personal data that Kela needs to carry out its statutory duties.

The request to erase personal data must be made to Kela.

The request can be addressed to Kela's Registry. The contact information of the Registry can be found on Kela’s website at www.kela.fi/administration-contact-us

The request can also be transmitted as a message via Kela's e-service (www.kela.fi/asiointi). Alternatively, the request can be made by phone or by visiting a Kela customer service point.

14. Right to file a complaint with a supervisory authority

According to Article 77 of EU Regulation 2016/679, the data subject has the right to lodge a complaint with the Data Protection Ombudsman, if the data subject considers that the processing of Kela personal data relating to him or her infringes this Regulation.

Kela’s other privacy policy statements

Management system for administrative documents

Privacy statement for the procurement register

Privacy statement for the supplier and customer register

Privacy statement for Kela’s press release distribution system

Privacy statement for the Elämässä.fi website

Privacy statement for Kela’s Research Ethics Committee

Privacy statement for video surveillance recordings

Privacy statement for the register of applications for research funding

Privacy statement for distribution addresses for Kela's research publications

Privacy statement for the system used to process orders for Kela’s research and statistical publications

Privacy statement for the register used in the context of monitoring the prescribing of biological medicines and biosimilars

The use of Teams with partners

Personal data

Disclosure of data

Do not process confidential data in Teams

Reviewing, rectifying and erasing data

What do you think of this page?

Visitor statistics for Kela’s website

Do you consent to the collection of visitor statistics?

Kela’s other privacy policy statements

Management system for administrative documents

Privacy statement for the procurement register

Privacy statement for the supplier and customer register

Privacy statement for Kela’s newsletter subscriber address register

Privacy statement for Kela’s press release distribution system

Privacy statement for the Elämässä.fi website

Cookie policy for www.sosiaalivakuutus.fi

Privacy statement for Kela’s Research Ethics Committee

Privacy statement for video surveillance recordings

Privacy statement for the register of applications for research funding

Privacy statement for distribution addresses for Kela's research publications

Privacy statement for the system used to process orders for Kela’s research and statistical publications

Privacy statement for the register used in the context of monitoring the prescribing of biological medicines and biosimilars

The use of Teams with partners

Personal data

Disclosure of data

Do not process confidential data in Teams

Reviewing, rectifying and erasing data

What do you think of this page?