Data protection when handling personal data
When carrying out our tasks, we handle the personal data of persons insured for earnings-related pensions and other customers, our personnel and interest groups. In all our operations, we value the protection of the insured persons’ privacy and other basic rights.
When handling personal data, we comply with the law and observe diligence and good data protection practices. Persons processing data are subject to statutory secrecy and have signed a pledge of secrecy.
Personal data refers to all notes that describe a natural person or their attributes or living conditions through which they or their family, or any other person living in the same household, can be identified.
Handled personal data
The information that we handle may include the following personal data:
- name and personal ID number of the registered individual,
- basic information (incl. address and other contact information, nationality, native language),
- family relations (data on children/dependants and parents),
- data on payment transactions,
- employment and earnings data,
- business data (incl. trade register data),
- earnings-related pension data (application and decision data),
- data on other benefits and compensations (Kela pensions and other benefits, compensations from Motor Liability and Worker’s Compensation insurance),
- foreign insurance and employment data,
- tax data,
- data and documents pertaining to the handling of cases,
- protection data (for example, orders of non-disclosure),
- notes on the release of data, and
- log data.
Sensitive data and orders of non-disclosure
The Finnish Centre for Pensions handles sensitive data (e.g. health information) as referred to in the EU’s General Data Protection Regulation (GDPR) when handling its statutory or related tasks.
We can release sensitive data only in situations in which the law specifically provides for the right or obligation to release it to certain parties despite secrecy regulations.
We do not handle or store in our registers address and domicile data that are subject to an order of non-concealment.
Access authority and operation control of personal data
The Finnish Centre for Pensions grants access authorities only to the extent necessary for employees to perform their work tasks. Access authorities are not granted based on position.
If the access authority permits the handling of personal data, the user must have an individualised user name.
We monitor the use of register data that includes personal data daily based on log data produced by the systems.
Accessing and releasing data
To perform its tasks, the Finnish Centre for Pensions has a statutory right to get data from the following parties:
- employers or other parties paying compensation for work,
- insurance and pensions insurance institutions that implement statutory pension insurance,
- authorities and other parties subject to the Openness Act,
- professional health care personnel referred to in the Act on Health Care Professionals,
- health care units as referred to in the Act on the Status and Rights of Patients,
- parties implementing rehabilitation and other health care units, and
- social service producers or nursing institutions.
We release personal data only based on legislated rights to receive data and duties or rights to release data.
The following parties, among others, have the right to gain access to information from us for settling a matter or the implementation of statutory tasks:
- earnings-related pension providers,
- pension providers in EU and EEA countries and Switzerland,
- the authorities of countries with which Finland has a social security agreement,
- Kela (the Social Insurance Institution of Finland),
- Tax Administration,
- unemployment funds,
- social authorities,
- employment authorities,
- execution authorities,
- accident insurance companies, and
- the Pension Appeal Court and the Insurance Court.
Time limits for storing data
The Finnish Centre for Pensions has a statutory duty to store personal data for the implementation of earnings-related pensions and for its other statutory tasks. As for the time limits for storing data, we follow the regulations of the earnings-related pension acts (Chapter 128 of the Employees Pensions Act and Chapter 160 of the Self-employed Persons’ Pensions Act) and the Archives Act.
The data can be stored only for as long as it is necessary based on its purpose of use.
Transferring data outside the EU area or the EEA
Data is transferred from the registers of the Finnish Centre for Pensions outside the EU area or the EEA according to the social security agreements between Finland and the concerned states.
In some cases, we have to transfer data for testing purposes outside the aforementioned areas. In such cases, we process the data in such a way that the personal data cannot be linked to a certain registered individual without additional information. In addition, the protection of personal data transfers is secured with agreements under the EU’s template clauses.
Automated decisions and profiling
The Finnish Centre for Pensions has partly automated its process of granting A1 certificates for workers going to work abroad. We do not issue automated decisions or carry out automated profiling based on registered personal data in any other situations.
Rights of the registered and requests concerning the rights
The registered parties have rights that relate to viewing, processing and correcting their data. The following specifies what this means in terms of the registers of the Finnish Centre for Pensions.
Right to check your own data
Regardless of the regulations on secrecy, you have the right to know what information has been stored in the personal registers of the Finnish Centre for Pensions, or that no information on you has been stored in our registers.
Right to demand that data be corrected or supplemented
If your data has been registered, you have the right to request the Finnish Centre for Pensions to correct information that is incorrect or unspecific in terms of the handling of your case.
Right to forbid or limit processing of data
In cases involving statutory pensions and its statutory tasks, the Finnish Centre for Pensions is under obligation to process personal data. As the registered party, you cannot forbid the processing of the data. The right to demand a limited processing of the data, as referred to in the General Data Protection Regulation (GDPR) of the EU, does not apply in statutory operations.
Right to transfer data
The right of a registered party to demand that the personal data be transferred to another system, as referred to in the General Data Protection Regulation (GDPR) of the EU, does not apply to statutory tasks. That means that it is not possible to transfer the data to another system.
Right to remove data
A registered person’s right to demand that personal data be removed, as referred to in the General Data Protection Regulation (GDPR) of the EU, does not apply to the processing of data in relation to the statutory tasks of the Finnish Centre for Pensions. In other words, this type of data cannot be removed on demand for as long as it is necessary for the handling of statutory duties.
Right to appeal to authorities
If the Finnish Centre for Pensions does not carry out the request of the registered individual, it has to notify the registered individual why the request has not been carried out. The Finnish Centre for Pensions must send the notification as soon as possible, but no later than within one month from the date on which it received the request. At the same time, it has to inform the registered individual of their possibility to make an appeal to the supervising authority.
Requests concerning the rights of the registered individuals are to be addressed to the Data Protection Officer. Guardians of children under the age of 18 can make the request on behalf of the child. The Finnish Centre for Pensions recommends that no personal data is sent unencrypted if sent by e-mail. The requests can be submitted:
- in a letter or document that is signed by the person making the request,
- via the online service that requires identification, or
- in person (not via an agent) at the Customer Service Desk at the Finnish Centre for Pensions.
The Data Protection Officer of the Finnish Centre for Pensions ensures and supervises that data protection is implemented at the Finnish Centre for Pensions. The Data Protection Officer
- participates in the compiling of data protection and data security,
- educates on data protection, and
- functions as the contact person for the registered individuals in matters relating to data protection.
The Data Protection Officer at the Finnish Centre for Pensions is Marita Silmunmaa, marita.silmunmaa(at)etk.fi.