Controller and registers
The Tax Administration's Incomes Register Unit is a controller for the Incomes Information System as referred to in the European Union’s General Data Protection Regulation (EU 679/2016).
The Incomes Register Unit maintains the Incomes Information System and is responsible for the functioning and information security of the Incomes Information System together with the Tax Administration.
The Incomes Register Unit is also the controller of the Positive credit register.
The Incomes Information System
The Incomes Information System consists of two parts:
- the Incomes Register, which contains information submitted to meet the statutory reporting and disclosure obligation and information disclosed in compliance with the data access right, as well as
- a register containing identifying and contact information used for data verification and validation purposes.
In everyday language, the term "Incomes Register" is often used instead of "Incomes Information System."
The Incomes Information System is used to receive and store data reported by employers and other parties referred to in the Act and forward the data to authorities and other parties entitled to such data in order to fulfil the payers’ statutory reporting and disclosure obligation as well as to implement data access rights.
Read more about how we process data in the Incomes Information System:
Purpose of processing data
The Incomes Information System is used to store the identifying and contact information of natural persons. The information is processed in a customer relationship management (CRM) system. We process personal data to identify natural persons and to assign information reported by payers to the correct individual.
The purpose of processing is to ensure the accuracy of data in the Incomes Register, as well as to perform other tasks of the Tax Administration’s Incomes Register Unit laid down in the Act on the Incomes Information System.
What data do we process?
In our CRM system, we process the following identifying and contact information obtained from the Population Information System:
- name
- identifying information, such as personal identity code
- addresses
- home municipality
- mother tongue and contact language
- death information
- non-disclosure for personal safety
- access-restricted data that is subject to non-disclosure for personal safety.
In our CRM system, we also process the following identifying and contact information concerning private traders or self-employed individuals obtained from the Business Information System:
- identifying information (Business ID and personal identity code)
- addresses
- company form
- line of business
- contact language.
For identified customers, memo and/or service request data may also be processed if the data is necessary for purposes such as giving advice to the customer.
Data that is subject to non-disclosure for personal safety reasons is only processed by staff members with separate access rights.
Where does the data come from?
The data has been stored in the Incomes Information System from the Population Information System and the Business Information System.
On what basis do we process data?
We process personal data to comply with the Incomes Register Unit’s statutory obligation (General Data Protection Regulation (EU 2016/679), Article 6 (1) (c)). The processing is provided for in the Act on the Incomes Information System (53/2018).
Disclosure of data
Identifying and contact information is not regularly disclosed from the CRM system.
Data users search for data from the Incomes Register on the basis of their statutory data access right. The search is done with the income earner’s personal identity code or some other unique identifier. In response, we return the identifier used in the order and the register data allocated to the identifier.
Processors
We use the following service providers for application management services, such as troubleshooting:
- Knowit Oy
- Gofore Oyj
- Gofore Verify Oy
- Tietoevry Oyj
- Digia Oyj
- Nortal Oy
- Consultor Finland Oy
- Twoday Oy
- Advania Finland Oy.
When processing personal data, application management uses a service management system provided by ServiceNow. Digia Oyj handles the on-call service regarding disruptions of the Incomes Information System.
Transfer of personal data to third countries
In principle, we do not disclose data to countries outside the EU/EEA.
Retention of data
With regard to data retention, we comply with the Tax Administration's information management plan. We retain the data only for as long as necessary for the performance of the Incomes Register Unit's statutory task.
The identifying and contact information of natural persons is deleted no later than 10 years after the end of the year in which the natural person died or was declared dead. However, the data will only be deleted ten years from the end of the year during which the last data concerning income received or paid by the deceased or the estate was saved in the Incomes Register.
Purpose of processing data
The Incomes Register stores the wage, pension, and benefit data reported by payers. Earnings payment data is available in the Incomes Register from 2019 and pensions and benefits payment data from 2021.
The Incomes Information System is used to receive and store data reported by employers and other parties referred to in the Act and forward the data to authorities and other parties entitled to such data in order to fulfil the payers’ statutory reporting and disclosure obligation as well as to implement data access rights.
The Incomes Register forwards and discloses the data as it was saved in the Incomes Register. It does not modify or combine the data.
Whose data do we process?
We process the data of everyone with a Finnish personal identity code.
In addition, we process the data of foreign persons if the payer is required to submit a report to the Incomes Register. The reporting requirement is based on the obligation to provide information to a data user of the Incomes Register in both domestic and international situations.
Where does the data come from?
We receive the information from the payer of the wages or benefit income. The payer can be a company, other corporate entity or a household. We record the data in the Incomes Information System on the basis of the Act on the Incomes Information System (53/2018).
What data do we process?
The Incomes Register is used to record the mandatory data reported by employers and other payers and any voluntary additional information.
The detailed content of the stored data is described on the Documentation page in the following documents:
- Application instructions on the data contents of an earnings payment report
- Application instructions on the data contents of a benefits payment report
On what basis do we process data?
We process personal data to comply with the Incomes Register Unit’s statutory obligation (General Data Protection Regulation (EU 2016/679), Article 6 (1) (c)). The processing is provided for in the Act on the Incomes Information System (53/2018).
Disclosure of data
According to the Incomes Information System Act, the income data stored in the register is confidential. We only disclose data from the Incomes Register to public authorities and other organisations performing public tasks for the purposes laid down in the Act.
Disclosure of data from the Incomes Register
The disclosure of data is based on the Incomes Information System Act, which specifies the tasks for which we disclose data.
After disclosure, the data users process the data as independent controllers. You can also find more information on the processing of personal data on the data users’ websites.
Disclosure of data by virtue of the Act on Openness
According to the Act on the Incomes Information System, we can also disclose information for the following purposes laid down in the Act on the Openness of Government Activities (621/1999, Act on Openness):
- right of access to data of the party concerned
- right of access to a document pertaining to the party concerned
- provision of executive assistance
- processing of advance information, a preliminary ruling or a complaint.
Processors
We use the following service providers for application management services, such as troubleshooting:
- Knowit Oy
- Gofore Oyj
- Gofore Verify Oy
- Tietoevry Oyj
- Digia Oyj
- Nortal Oy
- Consultor Finland Oy
- Twoday Oy
- Advania Finland Oy.
When processing personal data, application management uses a service management system provided by ServiceNow. Digia Oyj handles the on-call service regarding disruptions of the Incomes Information System.
Transfer of personal data to third countries
In principle, we do not disclose data to countries outside the EU/EEA.
Retention of data
Data retention periods are defined in the Act on the Incomes Information System. Data saved in the Incomes Register will be deleted after ten years from the beginning of the year following the year the data was saved.
With regard to data retention, we comply with the Tax Administration's information management plan. After the end of the retention period, data is either destroyed or archived in accordance with the Archives Act (Arkistolaki 831/1994).
Data security principles
As a government authority, the Tax Administration is obliged to comply with good data processing practices, an increased level of information security as provided in the Government Decree on information security in central government and, as a controller, the protection measures specified in Article 32 of the General Data Protection Regulation. The security of the Tax Administration's information systems is audited.
The data is protected against unauthorised viewing, modification and destruction. Such protection is based on access control, personal user identifiers and restriction of user rights.
The viewing and modification of data are restricted in accordance with staff duties, and any viewing and modification is logged.
The accuracy of the data is ensured through automated and manual computerised controls at different stages of data processing.
Backup copying and physical security procedures ensure the conservation of data. Data on paper, related to the register, is protected through access control and locked archives.
Confidentiality and public disclosure of data
Income and other payments recorded in the Incomes Register, and data on the income recipient and payer, are confidential. Data may only be disclosed for purposes laid down in law.
Recipients of personal data
Personal data is only disclosed from the Incomes Information System to the data users laid down in law. The intended uses and data access rights are provided for in law.
Source of data
The Incomes Register Unit obtains the income data saved in the Incomes Register from employers and other payers, and the identifying and contact information that is used for data verification and validation purposes from the Population Information System and Business Information System.
Payers have a statutory obligation to report data on wages, pensions, and benefits paid to the Incomes Register.
Correcting data
Payers are responsible for the accuracy of the data they have reported to the Incomes Register, and for correcting any errors in the data without undue delay.
If an income earner requests that data reported by a payer be corrected, the correction request must be submitted to the payer.
If technical errors are detected in the data, the Incomes Register Unit can request the payer to check the accuracy of the data it has reported to the Incomes Register.
Income earners and payers can submit and correct the contact information they have provided to the Incomes Information System via the e-service.
Data Protection Officer
The Data Protection Officer of the Tax Administration is Senior Specialist Noora Kontro, and the deputy is Senior Specialist Taito von Konow.
Customer service
Incomes Register customer service contact information, service hours, and call rates