This page contains information on:

General instructions and notes for using the online form

Data permit applications are submitted by completing an online form which is available at https://lupa.findata.csc.fi/ (the link opens in a new window). You can log in to the system using Suomi.fi e-Identification.

Please find the technical releases related to the Health and Social Data Permit Authority Findata’s systems, such as maintenance outages, system malfunctions and operating restrictions here: Technical releases

NB! There is a maintenance outage in the system every day from 8 am to 9 am.

Currently, the system automatically logs the applicant out after a certain time limit, and the form is not saved automatically. We advise to to save your unfinished application approximately every 15 minutes.

We have detected problems when using Internet Explorer. We recommend using other browsers.

In case of problems, you can contact our Help Desk by e-mail: info@findata.fi or by phone: 029 524 6500 (open on weekdays from 9.00 to 11.00 and from 12.00 to 16.00).

Currently, the identification and thus, submitting a data permit application, is possible for persons who have a personal identity code registered in the Finnish Population Information System. The deployment of other identification methods is underway.

Back to top

Application statistics by 26 June 2020

  • Applications received in total: 148
    • Data permits: 98
    • Data requests: 27
    • Amendment applications: 23
  • Decisions taken in total: 38
    • Positives: 14
    • Negatives: 1
    • Lapsed: 23
  • Applications under process: 45
  • Pending applications: 65

Back to top

Instructions for submitting a data permit application

A data permit application can be used for applying for personal data from Findata. For the time being, it is advisable to look for information on the data content of the registers kept by controllers under the scope of Findata’s operations at the controllers’ websites.

If you require personal data from a single controller only, you should inquire information on the matter from the controller in question.

A fee is charged for the decision on the request for data resources and for processing the data. The final price of the service is determined based on the decision fee and hourly rate of compiling and processing data laid down in the payment decree of the Ministry of Social Affairs and Health.

In addition to the fees charged by Findata, the final price is affected by the data extraction and delivery fees based on the decrees concerning the controllers.

When commencing the processing of a data permit application, Findata requests the controllers to provide a price estimate for the extraction of the required data and conveys the information to the applicant who can either accept or reject the price estimate. The final price of the data resource is confirmed after disclosing the data. A separate processing fee is charged for any expired and negative decisions.

Read more: Pricing

Back to top

Information requested in the data permit application

PLEASE NOTE: This is a general description on the content of the application, and the details may be subject to changes. All applications are submitted via the online application system as of 1 April 2020.

  • Application type
    • The questions verify that the application falls within the scope of Findata’s operation.
  • Applicant information
    • Are you applying for a permit on behalf of a third party?
      • If yes, the names of all parties must be provided, a representative of the party in question must be appointed as an applicant and documentation on the assignment must be attached to the application.
    • Basic details of the applicant (private individual or organisation)
      • Details of the contact person
  • Details of the controller (if not the applicant)
  • Billing details
  • Purpose of data use
    • Purpose of use as per the Act on the Secondary Use of Health and Social Data (552/2019)
      • If the purpose is scientific research, attach the research plan.
    • Is this a thesis?
      • If yes, provide further information on the thesis.
    • Name of the project (optional)
    • A brief description of the intended use of the data (max. 500 characters)
  • Data utilisation plan
    • List the people who will process the data
    • The legal basis for the processing of the personal data (data from Findata)
    • Are you applying for access to special personal data? (Special or sensitive personal data covers topics such as ethnic origin, sexual orientation or behaviour, health data, biometric data and genetic data)
      • If yes, provide the legal basis for the processing.
    • Do you intend to combine other data with the data received from Findata?
      • If yes, list the other data resources to be used and their sources. (PLEASE NOTE: The data is delivered to Findata separately in compliance with separate instructions. Please do not append your data to the application.)
      • The basis for processing your own data
      • If data or research permits or ethics statements have been issued for your own data, provide information on the permits or statements (please do not append the actual documents).
      • Have you applied or will you apply for other corresponding permits?
        • If yes, provide further information.
  • Project funders/clients
    • Does the project involve a decision for restricting the rights of data subjects?
      • If yes, append the impact assessment as per the Data Protection Act (1050/2018).
  • Data processing
    • In which file format will the data be delivered to the remote access environment?
    • The project’s (estimated) total duration?
    • Data permit validity, i.e. the period of use for the data in the user environment (max. 5 years at a time)
    • In which countries is the data processed?
      • If other than EU or EEA countries: specify the transfer criteria as per the General Data Protection Regulation.
  • Extraction method
    • Extract all persons that fulfil the extraction criteria
    • Extract a random sample of persons that fulfil the extraction criteria
      • Size of the random sample
    • Stratified sample
      • Attach stratification table
    • Additional questions on the details of the extraction concerning each of the aforementioned options
  • The permit applicant submits the personal identity codes of the target group to Findata.
    • From which register or other source was the target group obtained?
    • Provide the legal basis for the processing.
  • Definition of conditions for the extraction of controls
    • Are controls to be extracted for the target group?
      • Which register will the controls be extracted from?
      • Extraction conditions
    • Will relatives be extracted for the target group?
      • Which register will the relatives be extracted from?
      • Extraction conditions
  • Data to be disclosed about the individuals
    • From which registers will the data be extracted?
    • Data to be extracted for the target set
      • Provide the following information for each register: controller, register, data to be extracted, time period of the extracted data
    • Data extracted from control persons (e.g. controls and relatives)
      • Provide the following information for each register: controller, register, data to be extracted, time period of the extracted data
  • Additional information and attachments

Back to top

Processing of amendment applications

As of 1 April 2020, Findata will process amendment applications whenever the change concerns the data of multiple different controllers or private service providers. If an amendment application concerns the data of only one public controller, the controller that granted the permit will process the amendment application as before.

The decree of public charges issued by the Ministry of Social Affairs and Health specifies when an application to Findata counts as an amendment application and when a new data permit application is in fact being submitted. According to this decree, amendment applications are those which extend the period of validity of the permit and/or add to the number of persons entitled to process the data disclosed under the data permit.

If the amendment concerns the data itself, this is from the perspective of Findata a new data permit application

Back to top

Data transfer to third countries (outside the EU/EEA)

The processing of personal data abroad is counted as a transfer of personal data even if the data is in a remote access environment.

Under the EU’s Data Protection Regulation, data can be transferred within the European Economic Area (EU countries and Norway, Liechtenstein and Iceland) on the same grounds as within Finland.

If data is to be transferred or processed outside the aforementioned countries, i.e. in so-called third countries, there must be a legal basis for this in keeping with Chapter V of the GDPR.

The acceptable legal bases are listed below. It is sufficient that just one of these bases for data transfer is met.

1) decision of the European Commission on adequacy of data protection pursuant to Article 45, updated information available on the EU ‘s website https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_fi (opens in a new window)

  • At present (31 March 2020), the EU has assessed as adequate the data protection provided in the following countries: Andorra, Argentina, the Faroe Islands, Guernsey, Israel, Japan, Jersey, Canada (partial decision: commercial organisations), the Isle of Man, Switzerland, Uruguay, New Zealand, and the United States (partial decision under Privacy Shield framework). Negotiations are under way with South Korea.
  • If the requirements for the transfer are met on this basis, no other measures are required, and the data permit authority takes this criterion into account as a factor justifying the transfer in its data permit decision. This ‘safe country’ principal is the primary basis for data transfer.
  • For more information, see the website of the Data Protection Ombudsman: https://tietosuoja.fi/siirto-tietosuojan-riittavyytta-koskevan-paatoksen-perusteella (opens in a new window)

2) Standard contractual clauses on data protection pursuant to Article 46(2)

  • Standard contractual clauses (SCC) are standard contractual clauses approved by the European Commission that can be used in contracts between two controllers or between a controller and a processor.
  • These standard clauses can be viewed on the website of the Data Protection Ombudsman: https://tietosuoja.fi/komission-hyvaksymat-vakiolausekkeet (opens in a new window)
  • If this is given as the basis for data transfer, the data permit authority takes this criterion into account in the data permit decision. The data permit authority will make the data available outside the EU/EEA subject to this condition and only after the applicant / permit holder has submitted to the data permit authority the signed standard contractual clauses. Please note that standard contractual clauses may not be modified or added to, but must be approved as they are.

3) Binding corporate rules pursuant to Article 47

  • Binding corporate rules (BCR) refer to shared, binding rules for the transfer of personal data to third countries within a corporate group or group of companies engaged in joint economic operations.
  • For more information, see the website of the Data Protection Ombudsman: https://tietosuoja.fi/yritysta-koskevat-sitovat-saannot
  • If this is given as the basis for data transfer, the data permit authority will take this into account in the data permit decision. The data permit authority will make the data available outside the EU/EEA area subject to this condition and only after the applicant / permit holder has notified the data permit authority of the code of conduct in question, which must have been appropriately approved by a data protection ombudsman of an EU Member State.

4) Exceptions and safeguards under Article 49, such as the explicit consent of the subject to the proposed transfer after being informed of the risks associated with the transfer. This basis for transfer can only be used in exceptional cases.

Further information on the transfer of data to the United Kingdom following Brexit can be found on the website of the Data Protection Ombudsman: https://tietosuoja.fi/brexit (opens in a new window)

Back to top