Privacy notice: Stakeholder register of Finnish Institute for Health and Welfare

Privacy notice for data subjects

1. Controller

Finnish Institute for Health and Welfare (THL)
P.O. Box 30, FI-00271 Helsinki, Finland
tel. +358 29 524 6000 (switchboard)
E-mail: kirjaamo(at)thl.fi

2. Maintenance of the register and responsibility

Controller informs the data subjects about the personal data that is collected and the contact point which the data subject can access if required.

3. Contact persons in matters concerning the register

Niina Weckström 
tel. +358 29 524 6000 (switchboard)
E-mail: firstname.lastname(at)thl.fi

4. Data Protection Officer  

Jarkko Reittu
Data Protection Officer
tel. +358 29 524 7474
E-mail: firstname.lastname(at)thl.fi

5. Purpose of personal data processing

Register of stakeholders is used to support communication and cooperation with THL’s clients. With the consent of the data subject, the data can also be used in the marketing of services provided by THL.

6. Legal basis for the processing of personal data

The processing of personal data entered in the register is based on Article 6(e) of the General Data Protection Regulation and the Data Protection Act (1050/2018): section 4 sub-section 1 section 2.

The data processing is based on the performance of a task carried out in the public interest (Article 6(e) of the EU General Data Protection Regulation).

7. Contents of personal register

The register may contain data on the first name, last name, organisation and contact information of the data subjects. The contact information includes email, phone, and address. In addition, the register may also contain data on the profession, education and training of the data subject as well as information on their cooperation relationship with THL.

8. Regular sources of data

Data for the register is also collected directly from stakeholders and individuals as well as from organisations' public web-sites.

In the future, data may also be obtained from other sources of stakeholder information that are essential to the activities of the Ministry of Social Affairs and Health's administrative sector.

9. Integration with other systems

The data is used for mass mailing carried out using mailing systems. 

10. Regular disclosure of data

The personal data is not regularly disclosed.

11. Transfer of personal data to a third country or international organisation

The technical implementation of the register has been acquired as a service provided by a national operator, and it is possible that the data is transferred outside the EEA. The adequacy of data protection in the data transfer process is based on the EU-US Privacy Shield and on the binding rules through which the company Salesforce has committed to appropriate safeguards. These appropriate safeguards can be viewed in the Trust and Compliance Documentation at Saleforce's website.
Salesforce Trust and Compliance Documentation

12. Personal data storage period or criteria for determining the storage period

The storage period is determined by the need for use and the validity of the contact information. The person and his or her contact details are removed from the register either at the request of the data subject or if emails do not reach the recipient at the address in the register. The data is also deleted if the organisation that the person represents ceases to exist or the need for the contact information ceases.

13. Is there an intention to use the data in the register for purposes other than those for which it was collected?

The data is not used for any other purpose.

14. Principles for keeping the personal register secure

A. Manual material (storage and protection)

If a manual dataset is received for the register or printed out from the register, it is stored in a locked space. Unnecessary manual material is disposed of in a secure manner.

B. Data to be processed by the IT system (principles of access and control of access to the register and physical protection of devices)

Access to personal data is restricted to persons authorised by the controller, and these are all obliged to maintain confidentiality. The data network and IT devices on which the register is located are protected by appropriate administrative, physical and technical security measures. If necessary, the visibility and use of the data to be protected is restricted by access rights.

15. Access to data and right to inspection

The data subject has the right to have access to personal data concerning him or her and to inspect his or her data in the register. The request is addressed to the Finnish Institute for Health and Welfare, it should be sent to the registry in writing to the party mentioned in section 1 or through visiting in person so that one's identity can be verified.

16. Right to rectify incorrect data

The data subject has the right to demand the rectification of incorrect data in the register concerning him or her. As above (section 15), the request should be addressed in writing to the party listed in section 1.

17. Right to remove data

The data subject has the right to have the controller remove his or her personal data without undue delay. The request should be addressed to the party listed in section 1. The right to remove data does not apply to statutory data. 

18. Right to lodge a complaint with the supervisory authority

The data subject has the right to lodge a complaint with the supervisory authority (the Office of the Data Protection Ombudsman) if he or she considers that the processing of personal data is in breach of the General Data Protection Regulation.

19. Use of cookies

The registry does not have an external network service.