Data protection
On this page you can find information about the processing of personal data by the Finnish Institute for Health and Welfare (THL) and about citizens’ rights to their own data.
The duties of THL are defined in the Act on the National Institute for Health and Welfare (668/2008). According to section 2 of the Act, the statutory duties of THL include:
- monitoring and promoting the well-being and health of the population and the factors affecting these areas
- monitoring, developing and guiding social welfare and health care activities
- engaging in research activities related to social welfare and health care
- maintaining social welfare and health care registers and
- utilising data in the social and health care sector and engaging in international co-operation.
THL offers various statutory services and services that support statutory activities. These relate to areas such as patient and client work, decision-making and research. In addition, THL has a centralised system of special social welfare and health care services, including prisoners' health care, state mental hospitals, forensic medicine and forensic psychiatric services, the organisation and coordination of mediation services in criminal and civil cases, and state reform schools.
Our services
The range of services also includes websites, newsletters and different kinds of events.
THL maintains several national statistics databases, registers and other data collections that describe the Finnish social and health care service system. Data is produced on areas such as primary health care and specialised medical care, social services for children, working-age people and the elderly, and infectious diseases.
THL has collected a number of datasets for use in its research activities. Some of these cover the entire population (population surveys) while others cover just a subset. The data collected by THL mainly include the social and health data of citizens, which is why THL’s data resources are sensitive and confidential.
THL collects register data and statistical data from wellbeing services counties, municipalities, private social welfare and health care actors, Statistics Finland, the Social Insurance Institution of Finland and the Finnish Supervisory Agency. As part of the services of THL, data can also be collected from other authorities or from citizens themselves. In scientific studies conducted by THL, data is collected from subjects who have given their consent to participate in the study. Studies may also utilise information obtained from other sources relevant for the research topic.
THL also uses a stakeholder register, the data of which is collected from various sources including selected registers and stakeholders.
If you subscribe to THL newsletters or order publications, your customer data will be stored in the customer register of that service.
More detailed information on how THL processes personal data can be found in the privacy notices.
Privacy notices
THL uses the register-based, statistical and research data that it collects to carry out its statutory tasks, which include monitoring and promoting the well-being and health of the population and factors affecting these areas, monitoring, developing and directing social welfare and health care activities, and conducting research activities related to social welfare and health care.
Who does THL disclose data to?
The Act on the Secondary Use of Health and Social Data (Secondary Use Act, 552/2019) lays down the purposes for which data collected by THL may be used. According to section 2 of the Act, data may be disclosed for the following reasons in addition to its primary purpose: compilation of statistics, scientific research, development and innovation activities, education, knowledge management, steering and supervision of social welfare and health care by the authorities and planning and reporting duties of a government authority.
In addition to the collected data being used internally by THL, the Health and Social Data Permit Authority (Findata) may also grant permits for the use of THL data for external actors. However, such authorisation is only granted for the purposes laid down in the aforementioned Secondary Use Act. For more information on Findata’s activities, visit the Findata website.
Findata
In addition, data from THL’s national registers may be disclosed for clinical research under the Act on THL. For clinical drug trials, Fimea makes the decision in the matter.
To whom does THL not disclose data?
THL does not disclose data, for example, to insurance companies for consideration in individual insurance decisions or to the Social Insurance Institution of Finland (Kela) for consideration in benefit decisions. In addition, the data is not disclosed for marketing or for specifying personal commercial services.
A data controller refers to an entity that determines the purposes and means of processing personal data. THL acts as the controller for the information it collects and is responsible for ensuring that the processing of personal data complies with the law. The processing of personal data requires that the controller has a legal basis for such processing.
The legal basis for the processing of personal data by THL depends on which of its activities the data processing is part of. For example, when collecting and maintaining statutory registers or processing personal data within THL’s special social welfare and health care services, the basis for processing the data is:
- Article 6(1)(a) of the EU General Data Protection Regulation (data subject has given consent to the processing of his or her personal data); or
- Article 6(1)(c) of the EU General Data Protection Regulation (processing is necessary for compliance with a legal obligation to which the controller is subject).
In statistics, archiving and scientific research, on the other hand, the basis for processing is usually Article 6(1)(e) of the EU General Data Protection Regulation (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller).
When THL processes special categories of personal data (sensitive data), such as a person’s health data, the processing takes place on the basis of both one of the above-mentioned criteria and one of the following:
- Article 9(2)(a) (explicit consent),
- Article 9(2)(g) (processing is necessary for reasons of substantial public interest),
- Article 9(2)(i) (processing is necessary for reasons of public interest in the area of public health); or
- Article 9(2)(j) (archiving purposes in the public interest, scientific or historical research purposes or statistical purposes).
More detailed, function-specific criteria for the processing of personal data can be found in the THL privacy notices.
Privacy notices
Under the EU General Data Protection Regulation (2016/679), a data subject has the right to obtain information about the processing of his or her personal data, to access the data including obtaining a copy of their own data, to rectify inaccurate data, to have the data erased and to be forgotten, to restrict the processing of data, to transfer the data from one system to another, to object to the processing of data and not to be subject to automated decision-making, as well as the right to receive compensation for data protection violations and to bring the matter before the Data Protection Ombudsman.
THL may only implement the rights of data subjects in respect of personal data for which THL is the controller. If you wish to exercise your rights in relation to the registers of bodies such as hospitals, health centres, social welfare authorities, the Social Insurance Institution of Finland or Statistics Finland, contact these organisations directly.
It is worth remembering that although the Health and Social Data Permit Authority Findata and Health Care Services for Prisoners operate under THL, they act as independent units and as the controllers of their own data. If you wish to inspect personal data that is held by Findata or Health Care Services for Prisoners, contact these organisations directly.
The data subject has the following rights to THL data:
- Right of access to one’s personal data (Article 15)
- Right to rectify one’s data (Article 16)
- Right to erasure (Article 17)
- Right to restrict the processing of one’s data (Article 18)
- Right to object to the processing of one’s data (Article 21)
- Right not to be subject to automated decision‑making (Article 22).
However, the aforementioned rights under Articles 15–21 do not apply to data in which the person cannot be identified. By law, the statutory registers collected by THL may not be used for decision‑making concerning an individual person, which also applies to automated decision‑making as referred to in Article 22. The data subject’s register-specific rights depend on the basis for processing of personal data. THL has prepared forms to facilitate easier exercise of rights. THL records in the register all requests to exercise a data subject’s rights.
If you wish to exercise your rights as the data subject, you can find the instructions on this page under "How do I exercise my rights?"
Since THL has a statutory obligation within its field to collect, maintain and utilise data resources and registers in order to promote well-being and health, THL also has the right to collect and retain the data obtained for as long as this is needed for the performance of its duties. For this reason, the data subject’s information cannot, for example, be erased from statutory registers even if the data subject requests it (Article 17), nor can the processing be opposed (Article 21).
THL will retain the data it has obtained for as long as is necessary for the performance of its duties. After this, the data is removed in an appropriate manner. However, if the data in the personal data file has been collected with the consent of the data subject, the data subject always has the right to withdraw their consent to the use of personal data. At THL, personal data collected on the basis of consent may, for example, be included in research datasets, but if consent is withdrawn at a late stage of the study, the data can no longer be removed from results that have already been completed.
The right to restrict the processing of personal data (Article 18) is applicable in certain situations and may already be implemented directly as a result of other requests. For example, THL restricts the processing of personal data for the period of processing a request for the rectification of personal data (Article 16). The right to restrict the processing of data is also valid in situations where the data subject requires their personal data in order to prepare, present or defend a legal claim. The right to object under Article 21 may be restricted if the processing is necessary for the performance of a task carried out in the public interest, such as scientific research.
You can exercise your rights under the General Data Protection Regulation (GDPR) by submitting a written request to THL. The request may be freely worded, but you also have the option of using the Finnish or Swedish request forms.
The request should indicate which right you wish to exercise and which data the request concerns. In addition, the request must include contact details with which the applicant can be identified in the register and through which the applicant can be contacted if necessary for the processing of the request.
If a guardian wishes to exercise the rights provided by the GDPR on behalf of a minor, children over the age of 10 must, as a rule, also express their own consent, for example by signing a written request together with the guardian/guardians. It is recommended that the guardians discuss the request with the child and hear the child's opinion on the matter before making the request, even if the child is not yet able to make a decision on the matter. If, taking into account their age and level of development, the child is able to understand the matter and its significance, then they can decide on the exercise of their rights.
In order to implement the data subject’s rights, THL must verify their identity. This is important so that we can be sure that we are performing the measures on the data of the correct person. For this reason, we ask that requests be sent wherever possible via the Suomi.fi service.
A guardian can submit a request for a minor via the Suomi.fi service by registering for services provided on behalf of a minor. For instructions on how to act on behalf of a minor, see the link below ‘Instructions for starting to use Suomi.fi Messages’. A minor can also use Suomi.fi Messages themselves if they have personal means of strong identification.
Do this
- Log in to the Suomi.fi service with your personal online banking codes, a certificate card or a mobile certificate.
- Go to "Compose a message".
- Select "National Institute for Health and Welfare" as the recipient of the message.
- Select "Registry" as the recipient’s service or issue.
- Enter "THL: data subject rights" as the subject.
- List the rights you wish to exercise in the message field.
- Attach any form(s) by clicking "Add the attachments here".
- Finally, click the "Send the message" button.
The message will be delivered to the THL Registry, from where it will be forwarded on for further processing. We seek to process requests within one month of receiving them. If the processing of the request is complex or involves several registers, we may extend the processing time to three months. In this case, we will provide a more detailed reason for the extension of the processing time.
We will send a reply to the data subject on the implementation of the request / resolving the matter as a Suomi.fi message.
If you wish to cancel your request, send a message concerning the request to THL via the Suomi.fi service.
It is possible to exercise your rights even if you are unable for some reason to use the Suomi.fi service. In such cases, you will need to personally visit the THL reception in Helsinki or Kuopio. Bring with you a written request and an official ID, such as a passport or an ID card issued by the police.
If you have any further questions about the implementation of your rights, please contact our Data Protection Officer.
The lawfulness of THL’s processing of personal data is supervised by the THL Data Protection Officer and the Data Protection Ombudsman. In addition, the lawfulness of actions taken by authorities is supervised by the Parliamentary Ombudsman and the Chancellor of Justice.
The Finnish Supervisory Agency (LVV) supervises THL’s secure data‑processing environments. The Finnish Transport and Communications Agency Traficom’s National Cyber Security Centre supervises THL’s compliance with cyber‑security risk‑management obligations. LVV and Traficom also monitor compliance with AI legislation within their respective areas of responsibility.
Further data can also be found on the website of the Office of the Data Protection Ombudsman.
Office of the Data Protection Ombudsman