Data Protection

The information that we handle may include the following personal data:

• name and personal ID number of the registered individual,
• basic information (incl. address and other contact information, nationality, native language)
• family relations (data on children/dependants and parents)
• data on payment transactions
• employment and earnings data
• business data (incl. trade register data)
• earnings-related pension data (claim and decision data)
• data on other benefits and compensations (Kela pensions and other benefits, compensations from Motor Liability and Worker’s Compensation insurance)
• foreign insurance and employment data
• tax data
• data and documents pertaining to the handling of cases
• protection data (for example, orders of non-disclosure)
• notes on the release of data and
• log data.

The Finnish Centre for Pensions handles sensitive data as referred to in EU’s General Data Protection Regulation (GDPR) and related special legislation when handling its statutory or related tasks. For the main part, the sensitive data includes information on the health of the registered individuals. The earnings-related data acts require data on health as the basis for decisions issued on disability pensions and rehabilitation. The right to use sensitive personal data is issued only to the users who need the data in order to carry out their work tasks.

We can release sensitive data only in situations in which the law specifically states of the right or obligations to release them to certain parties despite secrecy regulations.

We do not handle or store in our registers address and domicile data that are subject to an order of non-concealment.

The Finnish Centre for Pensions grants access authorities only to the extent necessary for employees to perform their work tasks. Access authorities are not granted based on position.

If the access authority permits that personal data is handled, the user must have an individualised user name.

We monitor the use of register data that includes personal data daily based on log data produced by the systems.

To perform its tasks, the Finnish Centre for Pensions has a statutory right to get data from the following parties:

• employers or other parties paying compensation for work,
• insurance and pensions insurance institutions that implement statutory pension insurance,
• authorities and other parties subject to the Openness Act,
• professional health care personnel referred to in the Act on Health Care Professionals,
• health care units such as referred to in the Act on the Status and Rights of Patients,
• parties implementing rehabilitation and other health care units, and
• social service producers or nursing institutions.

We release personal data only based on legislated rights to receive data and duties or rights to release data.

The following parties, among others, have the right to gain access to information from us for settling a matter or the implementation of statutory tasks:

• earnings-related pension providers,
• pension providers in EU and EEA countries and Switzerland,
• the authorities of countries with which Finland has a social security agreement,
• Kela (the Social Insurance Institution of Finland),
• Tax Administration,
• unemployment funds,
• social authorities,
• employment authorities,
• accident insurance companies, and
• the Pension Appeal Court and the Insurance Court.

The Finnish Centre for Pensions has a statutory duty to store personal data for the implementation of earnings-related pensions and for its other statutory tasks. As for the time limits for storing data, we follow the regulations of the earnings-related pension acts (Chapter 128 of the Employees Pensions Act and Chapter 160 of the Self-employed Persons’ Pensions Act) and the Archives Act.

The data can be stored only for as long as it is necessary based on its purpose of use.

Data is transferred from the registers of the Finnish Centre for Pensions outside the EU area or the EEA according to the social security agreements between Finland and the concerned states.

In some cases we have to transfer data for testing purposes outside the aforementioned areas. In such cases, we process the data in such a way that the personal data cannot be linked to a certain registered individual without additional information. In addition, the protection of personal data transfers are secured with agreements under EU’s template clauses.

The Finnish Centre for Pensions has partly automated its process of granting A1 certificates for workers going to work abroad. We do not issue automated decisions or make automated profiling based on registered personal data in any other situations.