Controller and registers
The Tax Administration's Incomes Register Unit is a controller for the Incomes Information System as referred to in the European Union’s General Data Protection Regulation (EU 679/2016).
The Incomes Register Unit maintains the Incomes Information System and is responsible for the functioning and information security of the Incomes Information System together with the Tax Administration.
The Incomes Register Unit is also the controller of the Positive credit register
The Incomes Information System
The Incomes Information System consists of two parts
- the Incomes Register, which contains information submitted to meet the statutory reporting and disclosure obligation and information disclosed in compliance with the data access right, as well as
- a register containing identifying and contact information used for data verification and validation purposes.
In everyday language, the term "Incomes Register" is often used instead of "Incomes Information System."
The Incomes Information System is used to receive and store data reported by employers and other parties referred to in the Act and forward the data to authorities and other parties entitled to such data in order to fulfil the payers’ statutory reporting and disclosure obligation as well as to implement data access rights.
Read more about how we process information in the Incomes Information System:
Purpose of processing data
The purpose of processing is to ensure the accuracy of data in the Incomes Register, as well as to perform other tasks of the Tax Administration’s Incomes Register Unit laid down in the Act on the Incomes Information System.
What data do we process?
In our customer relationship management system, we process the following identifying and contact information obtained from the Population Information System:
- name
- identifying information, such as personal identity code
- addresses
- home municipality
- mother tongue and contact language
- non-disclosure for personal safety
- data that is subject to non-disclosure for personal safety.
In our customer relationship management system, we process also the following identifying and contact information about small businesses obtained from the Business Information System:
- identifying information (Business ID and personal identity code)
- addresses
- contact language.
Where does the data come from?
The data has been stored in the Incomes Information System from the Population Information System and the Business Information System.
On what basis do we process data?
We process personal data to comply with the Incomes Register Unit’s statutory obligation (General Data Protection Regulation (EU 2016/679), Article 6 (1) (c)). The processing is provided for in the Act on the Incomes Information System (53/2018).
Disclosure of data
We do not disclose identifying and contact information from the the Incomes Information System on a regular basis.
Data may only be disclosed by the data users for purposes laid down in law.
Processors
We use the following service providers for application management services, such as troubleshooting:
- Knowit Oy
- Gofore Oyj
- Gofore Verify Oy
- Tietoevry Oyj
- Digia Oyj
- Nortal Oy
- Consultor Finland Oy
- Twoday Oy
- Advania Finland Oy.
When processing personal data, application management uses a service management system provided by ServiceNow. Digia Oyj handles the on-call service regarding disruptions of the Incomes Information System.
Transfer of personal data to third countries
In principle, we do not disclose data to countries outside the EU/EEA.
Retention of data
With regard to data retention, we comply with the Tax Administration's information management plan. We retain the data only for as long as necessary for the performance of the Incomes Register Unit's statutory task.
The identifying and contact information of natural persons is deleted no later than 10 years after the end of the year in which the natural person died or was declared dead. However, the data will only be deleted ten years from the end of the year during which the last data concerning income received or paid by the deceased or the estate was saved in the Incomes Register.
Purpose of processing data
The Incomes Register stores the wage, pension, and benefit data reported by payers. Earnings payment data is available in the Incomes Register from 2019 and pensions and benefits payment data from 2021.
The Incomes Information System is used to receive and store data reported by employers and other parties referred to in the Act and forward the data to authorities and other parties entitled to such data in order to fulfil the payers’ statutory reporting and disclosure obligation as well as to implement data access rights.
The Incomes Register forwards and discloses the data as it was saved in the Incomes Register. It does not modify or combine the data.
Whose data do we process?
We process the data of all individuals who have a Finnish personal identity code.
What data do we process?
The Incomes Information System is used to store income data reported by payers.
Detailed information about the data is available on the ‘Documentation’ page in following documents:
- Application instructions on the data contents of an earnings payment report
- Application instructions on the data contents of a benefits payment report
On what basis do we process data?
We process personal data to comply with the Incomes Register Unit’s statutory obligation (General Data Protection Regulation (EU 2016/679), Article 6 (1) (c)). The processing is provided for in the Act on the Incomes Information System (53/2018).
Disclosure of data
Income and other payments recorded in the Incomes Register, and data on the income recipient and payer, are confidential. Data may only be disclosed for purposes laid down in law.
Disclosure of data by virtue of the Act on Openness
According to the Act on the Incomes Information System, we can also disclose information for the following purposes laid down in the Act on the Openness of Government Activities (621/1999, Act on Openness):
- right of access to data of the party concerned
- right of access to a document pertaining to the party concerned
- provision of executive assistance
- processing of advance information, a preliminary ruling or a complaint.
Processors
We use the following service providers for application management services, such as troubleshooting:
- Knowit Oy
- Gofore Oyj
- Gofore Verify Oy
- Tietoevry Oyj
- Digia Oyj
- Nortal Oy
- Consultor Finland Oy
- Twoday Oy
- Advania Finland Oy.
When processing personal data, application management uses a service management system provided by ServiceNow. Digia Oyj handles the on-call service regarding disruptions of the Incomes Information System.
Transfer of personal data to third countries
In principle, we do not disclose data to countries outside the EU/EEA.
Retention of data
Data retention periods are defined in the Act on the Incomes Information System. Data saved in the Incomes Register will be deleted after ten years from the beginning of the year following the year the data was saved.
With regard to data retention, we comply with the Tax Administration's information management plan. After the end of the retention period, data is either destroyed or archived in accordance with the archives act (Arkistolaki 831/1994).
Data security principles
As a government authority, the Tax Administration is obliged to comply with good data processing practices, an increased level of information security as provided in the Government Decree on information security in central government and, as a controller, the protection measures specified in Article 32 of the General Data Protection Regulation. The security of the Tax Administration's information systems is audited.
The data is protected against unauthorised viewing, modification and destruction. Such protection is based on access control, personal user identifiers and restriction of user rights.
The viewing and modification of data are restricted in accordance with staff duties, and any viewing and modification is logged.
The accuracy of the data is ensured through automated and manual computerised controls at different stages of data processing.
Backup copying and physical security procedures ensure the conservation of data. Data on paper, related to the register, is protected through access control and locked archives.
Confidentiality and public disclosure of data
Income and other payments recorded in the Incomes Register, and data on the income recipient and payer, are confidential. Data may only be disclosed for purposes laid down in law.
Recipients of personal data
Personal data is only disclosed from the Incomes Information System to the data users laid down in law. The intended uses and data access rights are provided for in law.
Source of data
The Incomes Register Unit obtains the income data saved in the Incomes Register from employers and other payers, and the identifying and contact information that is used for data verification and validation purposes from the Population Information System and Business Information System.
Payers have a statutory obligation to report data on wages, pensions, and benefits paid to the Incomes Register.
Correcting data
Payers are responsible for the accuracy of the data they have reported to the Incomes Register, and for correcting any errors in the data without undue delay.
If an income earner requests that data reported by a payer be corrected, the correction request must be submitted to the payer.
If technical errors are detected in the data, the Incomes Register Unit can request the payer to check the accuracy of the data it has reported to the Incomes Register.
Income earners and payers can submit and correct the contact information they have provided to the Incomes Information System via the e-service.
Data Protection Officer
The Data Protection Officer of the Tax Administration is Senior Specialist Noora Kontro, and the deputy is Senior Specialist Taito von Konow.
Customer service
Incomes Register customer service contact information, service hours, and call rates