Data protection, government’s joint data

The personal data of central government personnel is processed in statutory analysis and reporting services produced for the Government and central government organisations. The information provided by the government’s corporate services providers is utilised in the activities. The data can also be utilised in research.

The lawfulness of data processing in analysis and reporting service tasks is based pursuant to Article 6 (1)(c) of the General Data Protection Regulation on the controller’s statutory obligation, which is laid down in the Act on the State Treasury (1991/305 section 2 c) and the Act on the Finnish Government Shared Services Centre for Finance and HR (179/2019 Section 1 b).

Data from the Government’s shared corporate service providers’ data registers is utilised in analysis and reporting service activities, and they may contain personal data of central government personnel as well as, in some cases, personal data on procurement suppliers. Other unidentifiable data and other public information necessary for the implementation of analysis and reporting services may also be used in the activities.

We process personal data in accordance with legislation and good governance. As a rule, personal data is stored on the data platform only for the time and to the extent that is necessary for analysis assignments and reporting. Personal data will be stored for no longer than one year after the end of analysis or reporting if no further requirements are identified on the same topic.

Explore the government’s shared data areas for analysis and reporting activities with the PowerBI Navigator (in Finnish) >

PLEASE NOTE: The Data Content Navigator is updated as data areas are defined.

  • Processing of personal data in the State Treasury's analysis and reporting services

    1. Controller

    Name: State Treasury
    Address: Sörnäisten rantatie 13, P.O. Box 14, FI-00054 State Treasury
    Exchange: +358 (0) 295 50 2000
    E-mail: kirjaamo(at)valtiokonttori.fi

    2. Contact person in register-related matters

    Name: Henje Kasslin
    E-mail: henje.kasslin(at)valtiokonttori.fi
    tel. +358 295 50 2102

    Matters relating to the rights of the data subject, Data Protection Officer:
    Name: Heikki Kangas
    E-mail: tietosuojavastaava(at)valtiokonttori.fi
    tel. +358 295 50 2156

    3. Legal basis and purpose for processing of the personal data

    1. Production of analysis and reporting services: We process personal data as a part of our statutory analysis and reporting service tasks produced for the Government. Data from the central government’s shared corporate service providers is utilised in the activities, including personnel data. This data is used to produce analysis and reporting services to support the Government’s preparatory work and decision-making. Said data can also be utilised in research.

      The lawfulness of the processing of the data is based on the controller’s legal obligation in accordance with Article 6(1)(c) of the General Data Protection Regulation. Provisions on the analysis and reporting service task have been laid down in the Act on the State Treasury (305/1991, section 2, subsection 1, paragraph 5 and section 2 c).

     

    1. Maintenance of the customer register: We store the names of the customer’s contact persons in our customer register. The data will be used only to for purposes related to implementing the assignment and maintaining the customer relationship. The customer gives their consent by submitting the assignment to the analysis services.

     

    1. Collection of customer feedback (feedback form): The customer can provide their contact details on the feedback form. Providing the contact details is voluntary. The contact details provided by the customer are used only for responding to the feedback or for communicating about the further assignment requested by the customer. The customer gives their consent by writing their contact details on the feedback form.

    4. Personal data groups subject to processing

    1. Production of analysis and reporting services: Data from the data registers of the producers of joint corporate services for government is utilised in the production of the analysis and reporting services. In addition, these registers also contain personal data of central government personnel as well as, in some cases, personal data on procurement suppliers. The processed data may be combined with other necessary and available data to the extent that the prerequisites of processing are met.

      The analysis and reporting service activities do not involve processing the special categories of personal data referred to in article 9 of the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of the European Union on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC. An exception to this is that information on the duration of absence caused by an illness, occupational disease or occupational accident may be processed if this is necessary for the performance of the task. This matter is separately provided for in the Act on the State Treasury (305/1991, section 2 c, subsection 2).

    2. Customer register: The names of contact persons are stored in the customer register.

     

    1. Feedback form: The customer can provide their name and e-mail address on the feedback form.

    5. Regular data sources

    Data from the central government’s shared corporate service providers’ data registers is utilised in the analysis and reporting service activities. The registers contain data on planning and monitoring of operations, financial and human resources management, common basic information technology, procurement management, facility management, centralised training services, project management and organisational structure related to Government agencies and institutions. The central government’s shared corporate service providers include the Finnish Government Shared Services Centre for Finance and HR Palkeet, the Government ICT Centre Valtori, the Digital and Population Data Services Agency, Senate Properties, Hansel Oy, HAUS kehittämiskeskus Oy and the State Treasury.

    The above-mentioned registers contain personal data of central government personnel and of suppliers related to procurement. Other data disclosed by the customer and other public information necessary for the implementation of the analysis and reporting service may also be used in the activities.

    6. Transfer or disclosure of personal data

    As a rule, personal data is not disclosed outside the State Treasury. In assignments supporting employer activities, the final results of analyses can be processed at the personal level if the client has a statutory right to the processing of personal data.

    At the State Treasury, the data is only processed by the officials or persons acting on behalf of the State Treasury who need it in their duties. Access to data systems is restricted by access rights. Personal data is processed by trained data analysts and data engineers, who have been subject to a security clearance.

    7. Transfer and disclosure of data outside the EU or EEA.

    As a rule, the State Treasury does not transfer personal data outside the EEA. However, our processor (Microsoft Ireland Operations Limited) may transfer data that is being processed by it to its sub-processor (Microsoft Corporation). A limited amount of personal data may therefore be transferred to the United States in the data transfers between the processor and the sub-processor.

    The grounds for the transfer are the model contract clauses approved by the European Commission.

    8. Profiling and automatic decision-making

    The State Treasury does not carry out automated decision-making or profiling of persons based on the personal data utilised in the analysis and reporting service activities.

    9. Retention of personal data

    Production of analysis and reporting services: Data is processed in compliance with the Act on the State Treasury and appropriate safeguards. Before transferring data for analysis, it is protected by pseudonymisation. The results of the analysis and reporting service activities are anonymised through aggregation or other methods in such a way that an individual cannot be identified unless the analysis or report is produced for a party who has the right to process the personal data disclosed.

    As a rule, personal data is stored on the data platform only for the time and to the extent that is necessary for the assignments. Personal data will be stored for no longer than one year after the end of the assignment if no further requirements are identified on the same topic.

    Customer register and feedback form: The personal data in the customer register and the feedback form is stored until the relationship between the controller and the customer can be considered to have ended. The ending time is determined on the basis of the end date of the assignment or the date on which the feedback was submitted, plus five years.

    10. Data subject rights in analysis and reporting services

    The data subject has the right to ask the State Treasury for access to data concerning them and to request that the data be corrected.

    As the processing of personal data is based on the performance of a statutory task under article 6(1)(c) of the GDPR, the data subject does not have the right to object to the processing of personal data under article 21 of the GDPR.

    11. Right to lodge a complaint with a supervisory authority

    As a data subject, you have the right to submit the legality of the State Treasury’s activities for assessment by the Data Protection Ombudsman.

    Contact information:
    Office of the Data Protection Ombudsman
    Visiting address: Ratapihantie 9, 6th floor, 00520 Helsinki
    Postal address: P.O. Box 800, 00521 Helsinki
    Switchboard: +358 (0)29 56 66700
    Fax: +358 (0)295 56 66735
    E-mail: tietosuoja(at)om.fi

  • Processing of personal data in the Palkeet analysis and reporting services

    1. Controller

    Name: Finnish Government Shared Services Centre for Finance and HR
    Address: Kauppakatu 40, 80100 Joensuu, Finland
    Switchboard: +358 (0)2955 62000
    E-mail: kirjaamo(at)palkeet.fi

    Representative of the controller:
    Heikki Asikainen, heikki.asikainen(at)palkeet.fi

    Data protection officer:
    Sami Nikula, tietosuojavastaava(at)palkeet.fi

    2. Purpose of the processing of personal data in analysis services

    In the statutory analysis and reporting services provided by the Finnish Government Shared Services Centre for Finance and HR (hereinafter ‘Palkeet’), personal data is processed for the purpose of analysis if necessary with consideration to the subject of analysis. Data is produced for the management needs of customer agencies as well as for the development of the operations of the entire public administration.

    The personal data processed in the analysis services provided by the Finnish Government Shared Services Centre for Finance and HR (Palkeet) is not subject to automated decision-making or profiling.

    3. Legal basis of the processing of personal data

    In the analysis services provided by Palkeet, the lawfulness of the processing of personal data is based on the controller’s statutory obligation in accordance with Subsection c of Section 1 of Article 6 of the General Data Protection Regulation (Act on the Finnish Government Shared Services Centre for Finance and HR, 8 February 2019/179, Subsection 3 of Section 1, according to which Palkeet is tasked with providing analysis and reporting services to its customers in order to support preparation and decision-making).

    4. Personal data processed

    The data used in the analysis services provided by Palkeet originates from registers maintained by Palkeet, its customer agency or another group operator. The personal data processed contains the personal data of government personnel. In some cases, the personal data processed may contain the personal data of suppliers of requisitions.

    The analysis and reporting service operations do not involve processing of special categories of personal data within the meaning of Article 9 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). However, there is an exception to this, as information on the duration of an absence caused by illness, occupational disease or accident at work is processed. This is specifically provided in the Act on the Finnish Government Shared Services Centre for Finance and HR (8 February 2019/179, Subsection 2 of Section 1 b).

    Prior to the transfer of the data for analysis, direct personal data is rendered unidentifiable through the pseudonymisation of the data. The results produced for publication in the analysis and reporting operations are anonymised or aggregated in such a way that no individual can be identified from the data, unless the analysis is implemented as a targeted service for a party that is entitled to process the personal data disclosed to it.

    5. Sources of personal data

    The analysis and reporting services utilise registers maintained by providers of the government’s joint group services that contain data concerning government agencies and departments regarding the planning and monitoring of operations, financial and HR management, common basic information technology, management of requisitions, premises management, centralised training services, project management, and organisational structure.  Providers of the government’s joint group services include the Finnish Government Shared Services Centre for Finance and HR (Palkeet), the Government ICT Centre (Valtori), the Digital and Population Data Services Agency, Senate Properties, Hansel Ltd and HAUS Finnish Institute of Public Management Ltd.

    The aforementioned registers contain the personal data of government personnel as well as the personal data of suppliers related to requisitions. Other anonymised information necessary for the implementation of analysis and reporting services, as well as other public information, may also be used in the operations.

    6. Transfer or disclosure of personal data

    In analysis services provided by Palkeet, personal data is not disclosed to third parties. The personal data processed is not transferred outside the EU or EEA.

    7. Technical and organisational security measures in the processing of personal data

    In the analysis services provided by Palkeet, personal data is only processed by analysts in an environment corresponding to the security level of the data, and at least a basic security check has been carried out by the Finnish Security and Intelligence Service regarding all persons who participate in the processing of the data. The data is protected against unauthorised viewing, alterations and erasure. The protection measures include user authorisation control, technical protection of databases and servers, physical protection of the facilities, access control, protection of telecommunications, and backup copies of the data. A right to access and process the data is granted if required by a work role, and the access to the systems is based on personal user IDs. The physical location of the data centres and data is within the EU or EEA. Furthermore, administrative controls are used in order to ensure that the operations are carried out appropriately.

    8. Retention of personal data

    As a general rule, the personal data processed in the analysis services provided by Palkeet is retained only for as long as and to the extent necessary for the implementation of the analysis. In the case of customer commissions, the data is retained for a maximum of one year from the end of the commission if no further needs arise for the same customer regarding the same subject.

    9. Rights of the data subjects

    According to the General Data Protection Regulation, the rights of the data subjects vary based on the grounds for the processing of personal data. As the legal basis for the processing of personal data in the analysis services provided by Palkeet is statutory, the rights of the data subjects are described according to the legal basis in question in this privacy policy.

    9.1 Right to be informed of the processing of personal data

    According to Article 12 of the General Data Protection Regulation, the processing of personal data must be transparent, and the data subjects have the right to receive information about the processing of their personal data. For the analysis services provided by Palkeet, this right is implemented through documentation pertaining to data protection. The data protection practices followed in all service provision of Palkeet are described in the appendix to the service agreement as well as in more detail in this privacy policy with regard to the analysis services.

    9.2 Right to access data (Data subject’s right to check what data is saved about them)

    According to Article 15 of the General Data Protection Regulation, data subjects have the right to access their own personal data. In the analysis services provided by Palkeet, data subjects are entitled to receive from Palkeet, i.e. the controller, within a reasonable time a confirmation on whether their personal data is processed, and, if the data is processed, to access their personal data.

    If a data subject is unable to personally check the personal data processed about them, they can submit an inspection request to the representative of the controller (see section 1 of this privacy policy). If less than one year has passed since the data subject last used their right of inspection, Palkeet may, as the controller, charge a fee based on the administrative costs of disclosing this information, in accordance with Article 12(5).

    9.3 Right to rectification

    In the analysis services provided by Palkeet, data subjects have the right to request Palkeet to rectify any inaccurate personal data kept about the data subjects without undue delay in accordance with Article 16 of the General Data Protection Regulation. Depending on the data and the limitations on the right of access, the data may also be rectified by the data subjects themselves, their supervisor by request of the data subject, or an HR management representative of the data subject’s employer agency based on a written personal data notification submitted by the data subject.

    9.4 Right to restrict processing

    According to Article 18 of the General Data Protection Regulation, data subjects have the right to request the controller, i.e. Palkeet in the case of the analysis services it provides, to restrict processing if:

    • the data subject denies the accuracy of their personal data, in which case its processing will be restricted until Palkeet, as the controller, has verified the accuracy of the data;
    • the processing violates legislation, and the data subject objects to the erasure of their personal data and instead demands that the use of the data be restricted;
    • Palkeet, as the controller, no longer requires said personal data for processing purposes, but the data subject needs the data to establish, file or defend a legal claim.

    If a data subject denies the accuracy of their personal data, the processing of said data will be restricted until Palkeet, as the controller, is able to verify its accuracy. The data subject must submit a request, accompanied by the grounds based on which the request is made, to the controller’s representative (see section 1 of this privacy policy), after which Palkeet, as the controller, will restrict the processing of the personal data in question within the information system. The processing is restricted by limiting access to the data, in order to prevent its use.

    9.5 Notification obligation regarding rectification or erasure of personal data or restriction of processing

    According to Article 19 of the General Data Protection Regulation, the controller, i.e. Palkeet in the case of the analysis services it provides, is obligated to communicate any rectification or erasure of personal data and restriction of processing carried out in accordance with Articles 16 and 18 to each recipient to whom personal data has been disclosed, unless this proves to be impossible or involves disproportionate effort. As the controller, Palkeet must inform the data subject about these recipients if the data subject requests it. If a data subject requests information about the recipients, they must submit this request to the controller’s representative (see section 1 of this privacy policy).

    9.6 Right to not be subject to automated decision-making

    According to Article 22 of the General Data Protection Regulation, data subjects have the right to not be subject to automated decision-making. In the case of the analysis services provided by Palkeet, this right of the data subjects is implemented as a general rule, as no automated decision-making or profiling is applied to the personal data processed.

    9.7 Right to file a complaint with a supervisory authority

    Data subjects always have the right to submit the lawfulness of the processing of their personal data to the Data Protection Ombudsman for evaluation.

    Contact information:
    Office of the Data Protection Ombudsman
    Visiting address: Ratapihantie 9, 6th floor, 00520 Helsinki
    Postal address: PO Box 800, 00521 Helsinki
    Switchboard: +358 (0)2956 66700
    Fax: +358 (0)2956 66735
    E-mail: tietosuoja(at)om.fi