Data Protection
Contact information
Data Protection Officer
Data Protection Officer Lassi Kauttonen
The Ministry of Social Affairs and Health, Department for Communities and Functional Capacity
tietosuojavastaava.stm(at)gov.fi
Controller
The Ministry of Social Affairs and Health, PO 33, FI-00023 Government
Registry: kirjaamo.stm(at)gov.fi and tel. +358 295 63100
Digital security at the Ministry of Social Affairs and Health
The premise of the Ministry of Social Affairs and Health is that everyone must be able to carry out their work in a safe environment. In addition, all citizens must be able to use electronic services securely and be informed that their personal data is carefully protected with appropriate data protection measures. As most of the work and services nowadays take place in an electronic environment or at least with ICT devices, the safety of the electronic environment is vitally important for the Ministry of Social Affairs and Health.
Information security is promoted, for example, as part of the steering of digitalisation in the healthcare and social welfare sector, various law drafting groups, advisory boards and information work, and by guiding the administrative branch. The Ministry is active in cross-administrative expert groups that are related to information security in different ministries. It also issues statements and participates in international information security networks.
The legislative drafting and advisory boards take into account the information security of the digitalisation of the healthcare and social welfare sector and its special features and requirements and, in a similar way, information steering supports the implementation of information security in the healthcare and social welfare sector.
In addition to preparing for various cyber-security situations and making risk-based information security plans, the Ministry manages continuity and preparedness in accordance with national guidelines and policies, such as national cyber security exercises and risk management.
While ensuring the information security of its own systems, the Ministry promotes the information security of the Government's shared systems and works in close cooperation with government experts.
The Ministry has appointed an information security manager and two other highly experienced information security experts.
Processing of personal data
Personal data is only stored for justified reasons. As a rule, the data is needed to implement services and for communication. The use of the services is voluntary, and the personal data provided is not processed for any purposes other than those indicated.
The data is processed by the persons maintaining the contents of the service in the ministries, as well as by cooperation partners and their subcontractors who produce the service. The Ministry has agreed on the processing of personal data with these bodies in accordance with the requirements of the General Data Protection Regulation.
As a user of services, you have the right to know what data we store about you and who processes your data. You can also check the data we have collected about you and update it, if necessary.
User's rights and requests for personal data
If you need more information concerning the processing of your personal data at the Ministry, please contact the Ministry's Data Protection Officer.
The data stored
The data collected varies depending on the case. When registering for an event, participants are typically requested to provide their name and email address. Depending on the event, other personal data may also be requested.
When you are in contact with us, we also collect the following information:
- Data that you have given to us when you have participated in events.
- Feedback and letters you have sent, requests for documents or information, and any other contacts you have made.
Disclosure of data
We may disclose data on a case-by-case basis to parties involved with the surveys, such as the security control personnel of ministries. Our subcontractors process personal data in their role as service providers.
The Gateway to Information on Government Projects is a joint public online service for managing and publishing information about projects carried out by the Government and its ministries.
The service contains personal data that the Prime Minister's Office handles for tasks carried out in the public interest, in accordance with Article 86 of the General Data Protection Regulation, taking into account the principle of public access to official documents. The personal data contained in the service has been obtained from Government employees who have entered information about projects into the system.
The data stored
The service contains such information as the names, email addresses and phone numbers of project coordinators, contact persons and members of working groups.
Disclosure of data
No personal data contained in the service is transferred outside the European Union or the European Economic Area.
Period for which the personal data is stored
After the completion of a project, the personal data of all the participants is automatically deleted from the webpages (except for the data relating to the contact person). After this, however, personal data can still be accessed through the interface to the service used by public officials within the Government. The data needs to be retained in the interface used by public officials for the compilation of reports on project participants and other tasks.
Kampus is the Government’s common virtual desktop, where each public official has access to an individual desktop customised to their work profile. Kampus supports the user’s own work, the work of the Government as a whole, as well as networking within the Government. Kampus contains an electronic workspace called Tiimeri. Access rights to Tiimeri can also be granted to persons outside the Government. Tiimeri is a service environment for e-working and networking. It enables cooperation across organisations.
The ministry handles personal data in Kampus in compliance with the statutory duties of the data controller as laid down in Article 6, paragraph 1, point (c) of the General Data Protection Regulation. The Prime Minister's Office is responsible for the common administrative and service tasks of the Government and its ministries.
The data stored
The Kampus register contains data provided by the users of Kampus, data obtained through the active directory user data service (AD), and usage data collected by the system. The data supplied by the AD includes the following compulsory information: name, work phone number, department, title, supervisor, work email address, office, organisation, unit, Kieku number and organisation chart. Public officials also have the option of adding a photo or home phone number to their profile.
The following compulsory basic user information is recorded in Tiimeri: work email address, name and employer. Users can, if they wish, add other additional information to their profile.
Disclosure of data
Data stored in Kampus and Tiimeri is not disclosed. The data in these registers is not transferred or disclosed to countries outside the European Union and the European Economic Area.
Period for which the personal data is stored
The data is stored in the service throughout its life cycle.
The ministry has a case management system, which is an electronic case register and a document management system. We receive letters, feedback, inquiries and information requests that private individuals, representatives of interest groups, and journalists send to ministers and ministries. All letters from citizens and other calls and comments containing contact information are registered in the case management system, which creates a register number for the material to indicate processing.
We process personal data in accordance with Article 6, paragraph 1, point (e) of the General Data Protection Regulation. The processing is necessary for the performance of a task carried out in the public interest.
Registration indicates the arrival of a document, enables the different processing phases of cases to be monitored, contributes to the fulfillment of the publicity principle of documents, and generates case directories, reports and statistics.
The data stored
The names of people are needed to identify the initiator of a case (if a private individual), the public official handling the case and possibly the case itself.
Disclosure of data
Clients can request an extract from the register.
The data is not transferred outside the European Union or the European Economic Area. The data is retained in accordance with regulations concerning the authorities and the decisions on retention periods made by the National Archives of Finland.
Period for which the personal data is stored
We retain the data in accordance with the data control plan of the ministry. What this means in practice is that the letters from citizens that we answer are retained permanently. By contrast, letters that do not lead to any measures being taken are retained for two (2) years after the end of the government’s term of office. Information requests and document requests are retained for ten (10) years. Brief information requests from journalists and other interest groups, which have been answered directly by email, are retained for one (1) year.
Data can be transferred to countries outside the EU or the EEA in conformity with the requirements of the General Data Protection Regulation of the EU. More detailed information is provided in the data protection record of the register.
Read the data protection record: stm.fi/tietosuojaselosteet
We collect the personal data needed to conduct surveys and register participants for events.
We process personal data in accordance with Article 6, paragraph 1, point (e) of the General Data Protection Regulation. The processing is necessary for the performance of a task carried out in the public interest.
The data stored
The data collected varies depending on the case. When registering for an event, participants are typically requested to provide their name and email address. Depending on the event, other personal data may also be requested.
Disclosure of data
We may disclose data on a case-by-case basis to parties involved with the surveys, such as the security control personnel of ministries. Our subcontractors process personal data in their role as service providers.
Period for which the personal data is stored
For surveys, the appropriate storage period varies depending on the case.
In the case of registrations, the storage period is the time required for arranging the event and carrying out follow-up activities, except in certain cases where more time is required for financial administration, archiving, or the retention of technical backup copies.
Whistleblower protection allows people to safely report breaches. A report can be submitted using an internal or external whistleblowing channel. The internal whistleblowing channel of the Ministry of Social Affairs and Health is only available to people employed by the Government. Others, such as retired public officials or people employed by partners, may submit a report regarding the activities of the Ministry that they have observed in their work and that fall within the scope of the Whistleblower Act to the central external whistleblowing channel of the Office of the Chancellor of Justice.
Purpose of and grounds for the processing of personal data
Personal data is processed in connection with the tasks laid down in the Act on the Protection of Persons Reporting Infringements of European Union and National Law (1171/2022, the Whistleblower Act). Under section 30 of the Whistleblower Act, the controller may process data belonging to certain special categories of personal data and data related to criminal convictions and offences only if the processing is necessary for the purpose of the Act.
Personal data is processed in accordance with Article 6, paragraph 1, point (c) of the General Data Protection Regulation (processing is necessary for compliance with a legal obligation to which the controller is subject).
Processed data
Reports processed in matters concerning whistleblower protection may contain any personal data that the whistleblower has appended to the report.
In matters concerning whistleblower protection, the personal data of the whistleblower is not stored in the contact information for the matter or document as the initiator of the matter, nor is the personal data of the reported person stored in the contact information for the matter or document. However, the personal data of the whistleblower and the reported person are processed in the documents concerning the report, such as the report itself.
The personal data of the whistleblower and the reported person under the Whistleblower Act are always treated as non-disclosable in their entirety.
Situations in which information on the identity of the whistleblower can be disclosed to another authority or to the reported person
Notwithstanding the non-disclosure obligation laid down in the Whistleblower Act, the person responsible for processing the report may disclose the identity of the whistleblower and other persons mentioned in the report, as well as any other information directly or indirectly indicating the identity of the persons, to a person appointed to verify the accuracy of the report, if this disclosure is necessary to verify the accuracy of the report.
In addition, notwithstanding non-disclosure provisions, the person responsible for processing the report may provide information on the identity of the whistleblower, the reported person and other persons mentioned in the report, as well as other information directly or indirectly indicating their identity, if it is necessary to provide this information:
- to the competent authority for the purpose of verifying the accuracy of the report;
- to the criminal investigation authorities for the purpose of preventing, detecting, investigating and considering prosecution of criminal offences;
- to public prosecutors for the purpose of performing the official functions prescribed in section 9 of the Act on the National Prosecution Authority (32/2019);
- to the reported person for the purpose of establishing, presenting or defending a legal claim in a court hearing or in out-of-court judicial or administrative proceedings.
Separate provisions on the right of a party to access non-disclosable information are laid down elsewhere in law.
The reported person has the right to disclose the identity of the whistleblower and to obtain information on the identity of the whistleblower from the authorities if this is necessary for establishing, presenting or defending a legal claim in judicial proceedings.
The person responsible for processing the report shall inform the whistleblower in advance of the disclosure of their identity, unless such information would jeopardise the verification of the accuracy of the report or a criminal investigation or trial related to the matter. The competent authority shall also provide the whistleblower with a written explanation of the grounds for the disclosure of non-disclosable information.
Processing of data is limited within the organisation and time-limited
In matters concerning whistleblower protection, personal data may only be processed by persons designated for the task in the ministry in question as referred to in the Whistleblower Act.
Documents submitted to and prepared by the ministry and the personal data contained therein shall be stored in accordance with the document storage periods specified in the information management plan. The provisions of section 29, subsection 2 of the Whistleblower Act have been taken into account when determining the storage periods.
Data stored in the case management system shall not be transferred to third countries or international organisations.
Rights of data subjects
The right of a data subject to restrict the processing of their data does not apply to matters of whistleblower protection, and the right of a data subject to access their data may be restricted if this is necessary and proportionate with respect to ensuring the accuracy of the report or in order to protect the identity of the whistleblower. If only a part of the data on a data subject is such that it falls within the restriction on the right of access, the data subject shall have the right to access the remainder of the data. The data subject has the right to be informed of the reasons for the restriction and to request that this information be provided to the Data Protection Ombudsman in accordance with section 34, subsections 3 and 4 of the Data Protection Act (1050/2018).
Any requests for information concerning personal data, requests to rectify or supplement personal data and requests to restrict the processing of personal data shall be addressed to the controller.
The Government media service is meant for media representatives only and requires users to register to use the online service.
The media accreditation register contains information on media representatives who have been granted annual access (accreditation) to events organised on Government premises, with the exception of high-security events. The register is created annually based on the information provided by the media regarding the individuals who need accreditation.
We collect this data to ensure that those applying for membership of the media service and accreditation are representatives of the media and, thus, are entitled to use the service.
We process personal data in accordance with Article 6, paragraph 1, point (e) of the General Data Protection Regulation. The processing is necessary for the performance of a task carried out in the public interest.
The data stored
Persons registering for the media service are requested to provide their first name, last name, nationality, date of birth, email address, mobile phone number, address, organisation information, position or title and, in the case of freelancers, more specific details.
In the case of the media accreditation register, we request the organisation information, first and last name of the media representative, date of birth, position or title, email address, mobile phone number and photo. We also require the delivery address and name of the contact person for the purpose of delivering the access control card.
Disclosure of data
We do not transfer personal data outside the European Union or the European Economic Area. We also do not disclose personal data for purposes such as direct marketing, market surveys and opinion polls, yearbooks or genealogical studies.
Period for which the personal data is stored
We retain the data regarding Government media service membership until the media representative indicates that they no longer require the user ID.
The media accreditation register is renewed annually based on the previous year’s information. We retain the previous year’s information for no longer than one year.
The data stored
Name of traveller, email address, postal address, personal identity code, bank account, cost pool, the individual’s travel, cost and driving data, data on the individual’s charge card and travel account purchases.
Job vacancies are published in the Valtiolle.fi (state recruitment portal) service, which is also the main channel for submitting applications for employment.
In the Valtiolle.fi service, we collect data which is essential for the selection process and which applicants themselves provide when submitting an application. At the end of the application process, we compile a memo in which we compare the applicants’ merits in accordance with the Public Servants Act and the instructions and recommendations issued by the Office for the Government as Employer. A list of applicants and a summary of merits are appended to the memorandum.
We process the data of applicants in accordance with Article 6, paragraph 1, point (c) of the General Data Protection Regulation, as well as with the Public Servants Act (750/1994), the Decree on Public Servants (971/1994) and the Act on the Protection of Privacy in Working Life (759/2004).
The security clearance data of the appointed person is processed in accordance with sections 45 and 58–59 of the Security Clearance Act.
Systems
- Applications are submitted and processed in the valtiolle.fi service provided by Palkeet, the Finnish Government Shared Services Centre for Finance and HR.
- We conduct video interviews using the Recright video interview tool.
- Applications, proposals for appointments and decisions on appointments are archived in the Government’s VAHVA case management system.
- Appointment-related matters decided on in the government plenary session and the presidential presentation are processed using the electronic decision support system.
The data stored
We collect the following personal data: identification data (name, gender, address, phone number, email address, and other contact information); personal information that the applicant has included in their application, such as education and work experience; other information supplied by the applicant in support of their application, such as a personal record or CV, school and study certificates, certificates of employment and testimonials, and references supplied by the applicant, video material recorded during the application process; as well as other necessary information relating to the application for employment and the filling of the position.
Other information stored
Descriptions of the positions/tasks to be applied for
Disclosure of data
As a rule, we do not disclose the data. However, we disclose personal data, upon request, in accordance with the Act on the Openness of Government Activities. The data and documents are public, unless special provisions on their secrecy have been laid down by law. We do not disclose data to countries outside the European Union or the European Economic Area.
Period for which the personal data is stored
Applications for vacancies are removed from the profile created by the applicant in the valtiolle.fi system twelve (12) months after the end of the recruitment process. Applications are removed from the section of the valtiolle.fi service visible to the employer three (3) months after the end of the recruitment process.
In the ministry, the storage periods for data related to the recruitment process are determined specifically in accordance with the Archives Act (831/1994), the regulation of the National Archives (AL 16465/07.01.01.03.02/2016) and the office’s data management plan. The general retention period for recruitment documents (application documents) is two (2) years, unless otherwise provided. The general retention period is based on the Non-Discrimination Act (1325/2014) and the Act on Equality between Women and Men (609/1986). We provide more detailed information about processing times upon request.
Newsletters and other material on current issues can be ordered via our website. Personal data given when ordering are processed by the ministry's staff and our service provider Emaileri, with whom we have agreed on how personal data is to be processed.
We process your personal data to comply with the statutory obligation of the ministry (Article 6(1)(c) of the General Data Protection Regulation and section 20 of the Act on the Openness of Government Activities) and based on your consent.
The data stored
In the subscription service for newsletters and material on current issues, we store the email address provided when ordering.
Disclosure of data
We transfer no personal data outside the EU or the EEA except for the email addresses of subscribers to the internal EU Presidency newsletter. We also do not disclose personal data for purposes such as direct marketing, market surveys and opinion polls, yearbooks or genealogical studies.
Period for which the personal data is stored
Data are stored in the subscription service for material on current issues and subscription system for the newsletter until the subscriber terminates the subscription or the material is no longer published.
Data submitted via a feedback form are removed one year after the feedback was submitted.
The website feedback form can be used to submit questions and feedback.
We process personal data in accordance with Article 6, paragraph 1, point (e) of the General Data Protection Regulation. The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
The data stored
When submitting feedback via the feedback form, users are requested to provide their name. If the person submitting the feedback wishes to receive an answer to their question, we will require an email address. Users have the option to provide the name of their organisation, if they wish.
Disclosure of data
We do not transfer personal data outside the European Union or the European Economic Area. We also do not disclose personal data for purposes such as direct marketing, market surveys and opinion polls, yearbooks or genealogical studies.
Period for which the personal data is stored
Information submitted via a feedback form is removed one year after the feedback was submitted.
Further information
Lassi Kauttonen, Senior Ministerial Adviser
Ministry of Social Affairs and Health, Department for Communities and Functional Capacity / YTO, Shared Services Unit / YPA
Telephone: 0295163577
Email Address: [email protected]