Lenders can now report second-stage loans to the register and use the loan data in consumer lending. The reporting will continue until 31 March 2026. Read more in the news article.

The e-service and credit register extracts will include loans granted to business name entrepreneurs for their business activities and loans granted to agricultral and forestry operators.

Sharing information from the Positive credit register

Version history
Date of issue
12/1/2025
Record no.
VH/5874/06.00.00/2023
Validity
12/1/2025 - Until further notice

On 1 December 2025, the instructions were updated with the changes that were previously published in the instructions on sharing information from the register in the second stage: Sharing information from the Positive credit register as of 1 April 2026:

  • chapter 3 Users of the Positive credit register data: Data permission needed to access data was transferred here and content was added, content added to Lenders’ right of access to data, content added to Credit register extract’s purposes of use
  • chapter 4 Credit register extract information: information added about up-to-datedness, information on business loans added
  • Data permission needed to access data was transferred from chapter 5 of the previous version of the instructions to chapter 3
  • new chapter 5 Data user’s responsibilities was added
  • the instructions were also clarified in other respects.

 

This document is a summary description of the data shared from the Positive credit register, data recipients, purposes of use of the data and secure processing of the data.

The present document does not give detailed instructions on how lenders can request a data permission, transact with the Incomes Register Unit or technically retrieve a credit register extract. Further, the document does not discuss private individuals’ access to their own data or what rights data subjects have under the EU General Data Protection Regulation (GDPR).

You can find information about the above matters in the following instruction documents:

It is not within the competence of the Incomes Register Unit to give instructions on how lenders that are entitled to receive information should use credit register extract data in lending.

1 Terminology of the document

Data user refers to lenders and authorities that have a legal right to receive information from the register. Data users also include credit information agencies. They can be provided with information on a person’s voluntary ban on credits if the person who set the ban gives their consent to this.

Consumer credit refers to a consumer credit or comparable loan to which the provisions of chapter 7 or 7 a of the Consumer Protection Act (38/1978) are applied.

Other than consumer credit refers to such a loan, deferred payment or other financial arrangement granted to a natural person on which interest or other expenses are collected but which is not a consumer credit referred to above.

Borrower or debtor means a natural person to whom a consumer credit or other than a consumer credit has been granted. A natural person is always human. A private business operator (business name entrepreneur) is a natural person. Instead, legal persons, such as limited liability companies and general partnerships, are not natural persons.

Loan applicant refers to a natural person applying for a consumer credit or other than a consumer credit.

Lender refers to a business operator that, by agreement, grants or promises to grant a credit to a borrower as a loan, a deferred payment or another financial arrangement on which interest or expenses are collected. Lenders also include businesses that broker a consumer credit granted by a third party to a borrower (peer-to-peer loan broker).

For the purposes of this document, lenders also include operators that have the right or obligation, in a situation other than loan granting, to assess the borrower’s creditworthiness or the obligation to check that the information on the borrower is up to date.

Lenders that are entitled to use data shared from the Positive credit register are defined in section 21 of the Act on the Positive Credit Register (739/2022).

Credit register extract refers to a credit information report under the Act on the Positive Credit Register.

2 Confidentiality and publicity of the Positive credit register's data

2.1 Confidential information and personal data

Pursuant to section 3 of the Act on the Positive Credit Register, the information recorded in the register is confidential, with the exception of the name, Finnish Business ID or foreign business ID of a party with the reporting obligation. Information recorded in the Positive credit register may be disclosed only for purposes laid down in the Act on the Positive Credit Register.

The information in the Positive credit register is personal data whose processing must comply with the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, and of the Data Protection Act (1050/2018), including sufficient information security and good data processing and data management practices. Data received from the register is subject to the obligation of secrecy and confidentiality, i.e. the data may not be disclosed or used for personal benefit or for the benefit of another (sections 22 and 23 of the Act on Openness).

2.2 Public information

The name, Finnish Business ID and foreign business ID of a party with the reporting obligation recorded in the Positive credit register are public information. Information on lenders that have been approved as notifiers and that have received decisions of approval on the opening of connections is available on the Positive credit register’s website.

Data notifiers

3 Use of the Positive credit register's data

3.1 Data permission needed to access data

As regards lenders, section 27 a of the Act on the Positive Credit Register states that a precondition for the disclosure of data from the Positive credit register is a decision issued by the Incomes Register Unit. The decision is issued in response to a lender’s application. In the application, the lender must provide a sufficient account of the company and its activities, the purpose of use of the data, and of data protection and control of data usage. Based on the lender’s application, the Incomes Register Unit issues a data permission decision granting the lender access to the data if the preconditions laid down in the act are met. Being the authority responsible for sharing data, the Incomes Register Unit must see, before sharing any data, that the party requesting data has ensured secure processing of confidential information and personal data requested from the register.

The data permission is an administrative decision, to which the provisions of chapter 7 of the Administrative Procedure Act (434/2003) are applied and which can be appealed against under the Administrative Judicial Procedure Act (808/2019). The Incomes Register Unit is entitled to deny access to the data or cancel the data permission decision if the preconditions for the sharing of data prescribed by the Act on the Positive Credit Register or by other relevant legislation are not met.

The Act on the Positive Credit Register does not separately provide for authorities’ and credit information agencies’ data permission procedure but the procedure also applies to these data users.

A lender with a data permission can request data from the register for the purposes specified in the data permission. The lender must request changes to the data permission if the purposes of use specified in the permission need to be changed, for example because the lender’s activities change.

3.2 Lenders, and purposes of use of the credit register extract

Section 21 of the Act on the Positive Credit Register lays down provisions on lenders to which the credit register extract data referred to in section 22 can be disclosed, notwithstanding the confidentiality provisions. Further, section 21 of the act also lays down the purposes of use for which the Incomes Register Unit can disclose credit register extract data to lenders. The data may be used only for the purposes laid down in the Act on the Positive Credit Register. The lender is responsible for seeing that the information received from the Positive credit register is used according to law and in line with the data permission.

3.2.1 Use of data in lending

When granting loans according to the Consumer Protection Act, lenders are entitled to use the register’s data if they are obliged to assess the consumer’s creditworthiness in situations laid down in the said act. Starting on 1 April 2026, lenders can also use the register’s data to assess a consumer’s or other natural person’s creditworthiness for purposes laid down in section 21 of the Act on the Positive Credit Register. Further information about the allowed purposes of use of the credit register extract is given in chapter 3.2.3 of these instructions.

The Incomes Register Unit does not give advice or instructions on the assessment of creditworthiness, nor does it take a stand on when a lender must request a credit register extract or how old an extract can be used in lending. The use of a credit register extract in the assessment of creditworthiness according to the Consumer Protection Act is supervised by the Consumer Ombudsman and the Financial Supervisory Authority. The legality of the processing of personal data is supervised by the Data Protection Ombudsman.

Additional information about the use of credit register extract data and its purposes of use:

Consumer Protection Act (38/1978) (finlex.fi) (link to Finnish)
Act on Credit Institutions (610/2014) (finlex.fi) (link to Finnish)
Consumer Ombudsman's statement on the provision of consumer credits (kkv.fi) (link to Finnish)
Regulations and guidelines of the Financial Supervisory Authority 4/2018: Management of credit risks and assessment of creditworthiness by supervised entities in the financial sector (finanssivalvonta.fi)

3.2.2 Lenders’ right of access to data

In accordance with section 21 of the Act on the Positive Credit Register, data can be disclosed from the register to the following operators:

A.

A business operator that is an authorised supervised entity, an entity comparable to an authorised supervised entity or another supervised entity under section 4 of the Act on the Financial Supervisory Authority.

A lender or peer-to-peer loan broker entered in the register of lenders and peer-to-peer loan brokers.

A Finnish branch of a foreign EEA-supervised entity referred to in section 4, subsection 5 of the Act on the Financial Supervisory Authority. The branch may be a branch of a credit institution located in an EEA country or a branch of a credit institution established in an EEA country by a third country.

A foreign supervised entity providing services in Finland without a branch (section 4, subsection 5 of the Act on the Financial Supervisory Authority). Services can be provided without a branch only by such EEA-supervised entities that have an operating licence in another EEA country.

The above operators may have the right to receive data in the following situations:

  • Assessing of the consumer’s creditworthiness in situations where the lender, under the Consumer Protection Act, is obliged to test the consumer's creditworthiness before a loan contract is concluded or after the conclusion of the contract when the loan principal or credit limit is significantly increased.
  • Checking that the consumer’s data is up to date in situations where, under the Consumer Protection Act, the business operator is obliged to make sure the information on the consumer is up to date when the consumer and the lender agree on increasing the loan principal or credit limit after the loan contract has been concluded.
  • Assessing of the consumer’s creditworthiness in situations where the consumer requests a change to the terms of the loan other than raising the loan principal or credit limit and the change requires that the consumer’s creditworthiness should be assessed.
  • Providing or accepting a guarantee or third-party security if it is provided as collateral for the payment of a consumer credit recorded in the register.

Starting on 1 April 2026, the above operators may also have the right to receive data in the following situations:

  • Testing of the debtor’s creditworthiness in order to make a loan contract or increase the loan principal or credit limit if the loan is to be granted to a natural person other than a consumer. Enters into force on 1 April 2026.
  • Testing of the creditworthiness of a debtor who requests a change to the terms of the loan other than raising the loan principal or credit limit, when the borrower is a natural person other than a consumer and when making the change requires that the debtor’s creditworthiness should be tested.Providing or accepting a guarantee or a third-party security if the guarantee or security is provided as collateral for the payment of a loan granted to a natural person other than a consumer and the loan is recorded in the register. Enters into force on 1 April 2026.

B.

A business operator other than those mentioned in item A that professionally grants loans to natural persons other than consumers to gain income or other financial benefit, except if the operator grants loans in Finland only occasionally or only to offer financing for the purchase of goods or services it sells.

Finnvera, a specialised financing company under the Act on the State-Owned Specialised Financing Company (443/1998).

Starting on 1 April 2026, the above operators may also have the right to receive data in the following situations:

  • Testing of the debtor’s creditworthiness in order to make a loan contract or increase the loan principal or credit limit if the loan is to be granted to a natural person other than a consumer. Enters into force on 1 April 2026.
  • Testing of the creditworthiness of a debtor who requests a change to the terms of the loan other than raising the loan principal or credit limit, if the loan is to be granted to a natural person other than a consumer. Enters into force on 1 April 2026.
  • Providing or accepting a guarantee or a third-party security if the guarantee or security is provided as collateral for the payment of a loan granted to a natural person other than a consumer and the loan is recorded in the register. Enters into force on 1 April 2026.

C.

Lenders other than those referred to in items A and B may have the right to receive data in the following situations:

  • Assessing of the consumer’s creditworthiness in situations where the lender, under the Consumer Protection Act, is obliged to test the consumer's creditworthiness before a loan contract is concluded or after the conclusion of the contract when the loan principal or credit limit is significantly increased.
  • Checking that the consumer’s data is up to date in situations where, under the Consumer Protection Act, the business operator is obliged to verify the information on the consumer is up to date when the consumer and the lender agree on increasing the loan principal or credit limit after the loan contract has been concluded.

3.2.3 Credit register extract’s purposes of use

A lender requesting a credit register extract from the register must specify the purpose of use of the credit register extract. The reported purpose of use must be the actual purpose of use of the extract and it must be in line with the data permission granted to the lender. In the request, the lender must state all the purposes of use for which the credit register extract about a person’s data will be used. Allowed purposed of use include

  • new consumer credit contract
  • increase of consumer credit principal or credit limit
  • change to terms of consumer credit
  • guarantee or third-party security for consumer credit
  • new loan contract for a person other than a consumer (as of 1 April 2026)
  • increase of the loan principal or credit limit of a loan granted to a person other than a consumer (as of 1 April 2026)
  • change to the terms of a loan granted to a person other than a consumer (as of 1 April 2026)
  • guarantee or third-party security for a loan granted to a person other than a consumer (as of 1 April 2026).

The first four purposes of use apply to consumer credits and loans comparable to them. The last four purposes apply to credits granted to natural persons other than consumers, and they are introduced on 1 April 2026.

New consumer credit contract is reported as the purpose of use when the lender is obliged to test the consumer's creditworthiness before concluding a new loan contract with the consumer.

Increase of consumer credit principal or credit limit is reported as the purpose of use when the loan principal or credit limit is raised in proportion to the original loan principal, i.e. the lender needs to reassess the consumer's creditworthiness or verify that the information on the consumer is up to date.

Change to terms of consumer credit is reported as the purpose of use of the extract when the debtor requests a change to the terms of a consumer credit that does not concern an increase of the loan principal or credit limit but requires that the debtor’s creditworthiness should be tested. Such changes include deferments of amortizations, extension of the loan period, changes to instalments and other similar changes to a payment plan, change of collateral, and changes to the reference rate, interest type or margin interest rate.

The change to the terms of the loan must be relevant to the assessment of the consumer's ability to manage their loans. The lender is not entitled to use the Positive credit register’s data when the change is irrelevant or insignificant to the debtor's ability to manage the loan, for example if the due date of a regular instalment is changed. Another precondition is that the debtor themself must apply for a change to the terms of the loan. The lender is thus not allowed to use the Positive credit register’s data on its own initiative: the debtor must have informed the lender that they will seek changes to the loan contract.

Guarantee or third-party security for consumer credit is reported as the purpose of use of the extract when a guarantee or third-party security is provided or accepted as collateral for the payment of a consumer credit recorded in the register. The lender is thus allowed to use the information of the credit register extract about the guarantor and the provider of a third-party security (pledger) when assessing the acceptability of the proposed collateral and the position of the collateral provider. Lenders may not use the credit register extract data for this purpose if a guarantee or a third-party security is deposited as collateral for a loan granted to a non-consumer.

New loan contract for a person other than a consumer is reported as the purpose of use when the customer’s creditworthiness is tested before the lender concludes a new contract on a loan other than a consumer credit with the debtor. This can be reported as a purpose of use starting on 1 April 2026.

Increase of the loan principal or credit limit of a loan granted to a person other than a consumer is reported as the purpose of use when the loan principal or credit limit of other than a consumer credit is raised, i.e. the lender needs to reassess the debtor's financial standing. This can be reported as a purpose of use starting on 1 April 2026.

Change to the terms of a loan granted to a person other than a consumer is reported as the purpose of use when the debtor requests a change to the terms of the loan that does not concern an increase of the loan principal or credit limit but requires that the debtor’s creditworthiness should be tested. Such changes include deferments of amortizations, extension of the loan period, changes to instalments and other similar changes to the payment plan, change of collateral, and changes to the reference rate, interest type or margin interest rate.

The change to the terms of the loan must be relevant to the assessment of the debtor's ability to manage their loans. The lender is not entitled to use the Positive credit register’s data when the change is irrelevant or insignificant to the debtor's ability to manage the loan, for example if the due date of a regular instalment is changed. Another precondition is that the debtor themself must apply for a change to the terms of the loan. The lender is thus not allowed to use the Positive credit register’s data on its own initiative: the debtor must have informed the lender that they will seek changes to the loan contract. This can be reported as a purpose of use starting on 1 April 2026.

Guarantee or third-party security for a loan granted to a person other than a consumer is reported as the purpose of use when a guarantee or third-party security is provided or accepted as collateral for the payment of a loan other than a consumer credit recorded in the register. The lender is thus allowed to use the credit register extract data on the guarantor and the provider of a third-party security (pledger) when assessing whether the proposed collateral or collateral provider is acceptable. Lenders may not use the credit register extract data if a guarantee or a third-party security is deposited as collateral for a loan granted to a borrower other than a natural person, such as a limited liability company. If a guarantee or third-party security is provided as collateral for the payment of a consumer credit recorded in the register, the purpose of use to be used is ‘Guarantee or third-party security for consumer credit’. This can be reported as a purpose of use starting on 1 April 2026.

3.2.4 Other allowed purposes of use of the credit register extract

Data received from the Positive credit register may be used only for the purpose for which it was shared from the register. In addition, however, data disclosed from the register at an earlier date may also be used for the purposes specified below.

  • Sharing data with the State Treasury

The lender may share data they have received from the Positive credit register with the State Treasury when applying for compensation under the Act on State Guarantees for Owner-Occupied Housing Loans (204/1996). Starting on 1 June 2026, the acts applicable instead of the above are the act on the first-home saver scheme (Laki asuntosäästöjärjestelmästä 339/2025) and the act on state guarantees for home loans (Laki asuntolainan valtiontakauksesta 340/2025). (Section 21, subsection 3 of the Act on the Positive Credit Register.)

  • Sharing data with the guarantor and the third-party security provider

The lender may share data it has received from the Positive credit register with the guarantor and the pledger when carrying out its duty to inform under sections 12 and 14 of the Act on Guaranties and Third-Party Pledges (361/1999, hereafter: Act on Guaranties) or if the person concerned has given their consent that the data may be shared with the guarantor or the pledger.

According to section 12 of the Act on Guaranties, the lender must inform the guarantor, before the guarantee is provided, of such issues relating to the principal debt covered by the guarantee that have a material impact on the guarantor's position, as well as the debtor's obligations and other circumstances relating to the debtor's ability to pay that can be deemed to be of interest to the guarantor.

According to section 14 of the Act on Guaranties, the guarantor has the right, during the period of validity of the guarantee, to ask the lender for information on the debtor's obligations and other circumstances relating to their ability to pay that can be deemed to be of interest to the guarantor. On the guarantor’s request, the lender can thus also share data received from the Positive credit register. However, the duty to inform under section 14 of the Act on Guaranties applies only to information that the lender knows of and that the lender can share with the guarantor without taking any separate action.

The guarantor can ask the lender to share only such information received from the Positive credit register that the lender is entitled to receive from the register. The lender may disclose to the guarantor information it has received from the register during the credit relationship in situations related to the issuing of a loan or changing of a loan contract. The lender does not have the right to acquire information from the Positive credit register separately on the guarantor’s request, because such a purpose of use is not laid down in law.

According to section 41 of the Act on Guaranties, the lender’s duty to inform mentioned above also concerns providers of third-party security, so the lender has similar obligations towards security providers.

  • Meeting the obligations related to credit risk management

The lender may use the information on loan applicants received from the Positive credit register for purposes of testing creditworthiness to meet its obligations. These obligations are laid down in law and relate to the management of credit risks. However, such use of data concerns only lenders that are subject to credit risk management obligations laid down elsewhere in law.

Further information on other purposes of use

Act on State Guarantees for Owner-Occupied Housing Loans (204/1996) (finlex.fi) (link to Finnish)

Act on first-home saver scheme (339/2025) (finlex.fi) (link to Finnish) Effective as of 1 April 2026.

Act on state guarantees for home loans (340/2025) (finlex.fi) (link to Finnish) Effective as of 1 April 2026.

Act on Guaranties and Third-Party Pledges (361/1999) (finlex.fi) (link to Finnish)

3.2.5 Lender’s obligations to identify and provide information

Before requesting data, a lender using the Positive credit register’s data must identify the person in question and, if necessary, verify their identity.

A lender using the Positive credit register’s data must ensure that a natural person can receive information in advance on the use of their data and on the register from which the data is acquired.

If the lender rejects the applicant's credit application on account of the information received from the Positive credit register, it must inform the applicant immediately after the decision that the applicant’s loan information was used in decision-making and also specify the register from which the information was received.

3.2.6 Fees charged for the disclosure of data

Credit register extracts provided for lenders are subject to a charge. Chargeability is based on the Act and the Decree on Criteria for Charges Payable to the State (150/1992 and 211/1992, respectively), and on the Ministry of Finance's decree on charges payable for data shared from the Positive credit register (1108/2023). The Ministry of Finance's decree that is in force when a credit register extract is disclosed defines the charge payable for the extract. The decree is in force for a fixed term, and it will be renewed annually.

3.3 Authorities

The Positive credit register can share information with the following authorities for purposes of the authorities’ statutory tasks: the Bank of Finland, the Financial Stability Authority, the Financial Supervisory Authority, the Consumer Ombudsman, the Finnish Competition and Consumer Authority, and Statistics Finland. The authorities use the data, for example, to supervise and monitor the stability of the financial markets, to support and monitor the credit markets, and to support decision-making and compile statistics.

The information that the register shares with authorities differs from the data shared with lenders in credit register extracts. The information that the Positive credit register shares with authorities has been defined in accordance with each authority’s needs and purposes of use such that only information that is necessary for the statutory tasks of the authority in question is shared.

However, authorities are not charged for the data shared with them.

3.4 Sharing information on a voluntary ban on credits with credit information agencies

The register can share a voluntary ban on credits set by a private individual with credit information agencies. A natural person can set a voluntary ban on credits for themself in the Positive credit register’s e-service. The credit ban can be set for a fixed term or for an indefinite period. The person must also select a reason for the credit ban: a risk of identity theft, control of personal finances or other reason. If the loan applicant has a voluntary ban on credits, it is disclosed to the lender so that the lender knows to consider the lending with special caution and care.

The person can give their voluntary and specific consent that information about their voluntary ban on credits can be shared with credit information agencies. If the person gives their consent, information about the credit ban can be shared with all credit reference agencies. Currently, there are two agencies in Finland that conduct credit information business and process people's credit information: Dun & Bradstreet Finland Oy and Suomen Asiakastieto Oy. The Positive credit register refers to these agencies as ‘credit information agencies’.

Information on a voluntary ban on credits is not automatically transmitted from the Positive credit register to credit information registers referred to in the act on credit information (Luottotietolaki 527/2007): in order that the information could be shared, the natural person must take active action. The person can withdraw their consent at any time. Credit information agencies can record the information in a register referred to in the act on credit information and pass it on for purposes provided for in section 19 of the said act. Such purposes include, for example, lending of property, apartment rental, debtor's payment behaviour survey, inquiry for purposes of recovery, employment, and company assessment.

However, credit information agencies are not charged for the data shared with them.

Further information about credit information agencies:

Act on credit information (Luottotietolaki 527/2007) (finlex.fi) (link to Finnish)
Dun & Bradstreet Finland Oy (dnb.com)
Suomen Asiakastieto Oy (asiakastieto.fi)

4 Credit register extract data

Data included in a credit information report according to section 22 of the Act on the Positive Credit Register is shared from the register with lenders. The Positive credit register uses the term ‘credit register extract’ for the credit information report referred to in the act.

The credit register extract is a summary of the information on a private individual saved in the Positive credit register. The information to be included in the credit register extract is defined in section 22 of the Act on the Positive Credit Register and listed in this chapter. Only information provided for in the act can be included in the credit register extract. Data on loans that have ended is not included in the extracts. Further, the credit register extract does not contain any history information about transactions related to current loans, such as information on deferments of amortizations, previous delayed amounts related to the loan or a private individual’s debt arrangement related to the loan. The information content of the extract is the same for all lenders that have the right to receive information from the register. The extract sent to a lender contains the most recent information on the individual’s loans that has been submitted to the register.

The credit register extract contains information on a private individual’s loans and income. If the person has set a voluntary ban on credits, this is also indicated in the extract. Income data means information on a person’s wages, pensions and benefits, and it is divided into wage data and benefits payment data in the extract. The income data is shown as monthly income for the past 12 full months. The income data is retrieved from the Incomes Register, to which only part of a natural person’s income is reported. The Incomes Register’s income data does not contain data on business name entrepreneurs’ private withdrawals or capital income, for example. More information about the income data contained in the extract is provided in chapter 4.2 of these instructions.

According to Article 18 (1)(a) of the General Data Protection Regulation, a data subject can request restriction of the processing of their data if they deny the accuracy of the data. Despite a request to restrict processing, data can be disclosed in credit register extracts and shared with the authorities specified in section 24 of the Act on the Positive Credit Register. The request to restrict processing is stated in the credit register extract. The statement tells the lender that they should consider some data included in the extract with extra caution and care and also use other sources, for example ask the person whose credit register extract it is. This statement is shown in the extract until the Incomes Register Unit has verified the accuracy of the data.

4.1 Up-to-dateness of the data

The data in the credit register extract does not necessarily show a person’s actual loan or income data in real time. This is because the data is shown both in the Positive credit register and in the Incomes Register with a certain delay. The delay is due to the reporting deadlines defined by law.

The lenders’ deadlines for reporting loan data to the register are the following:

  • information on new loan contracts: no later than on the calendar day following the date of contract conclusion.
  • loan transactions and changes to loan contract data: within two business days.
    • This information includes, for example, amortizations, delayed amounts related to the loan, and end of the loan contract.

Income data for the credit register extract is retrieved from the Incomes Register. Payers must report data on wages and benefits to the Incomes Register within five calendar days of the date of payment. An exception to this is payers reporting data on paper instead of using the electronic reporting channel. For them, the deadline for reporting is eight instead of five calendar days from the date of payment.

4.2 Data included in the credit register extract

Identifying data

  • personal identity code of the individual whose data the register extract contains
  • identifier of the organisation that requested the extract.

Voluntary ban on credits

  • If the person has a voluntary ban on credits in effect, the ban and the reason for it are indicated in the extract.

Summary of loan information

  • number of lenders and peer-to-peer loan brokers that have issued or brokered loans to the person
  • number of loan contracts that the person has
  • most recent loan-related payments in total, itemised by currency (each loan’s most recent amortization, interest payment or expense amount added together)
  • total monthly payments related to leasing contracts, itemised by currency (including interest and expenses)
  • number of loans where the person is a guarantor.

Loan details

  • loan type: lump-sum loan, running-account loan, guarantee receivable for a student loan or leasing
  • date of conclusion
  • number of debtors
  • loan currency
  • information whether collateral is included in the loan contract; if yes, the type of collateral
    • residential property, other immovable property, hire-purchased item, other movable property, other collateral, personal guarantee, government guarantee or other guarantee
  • the start and end dates of current and future deferment periods
  • due dates of instalments that are at least 60 days late, and unpaid instalment amounts
  • information about loan acceleration
  • information that the borrower has denied the accuracy of loan information
  • information that the loan issued to the borrower is included in a payment plan in a debt arrangement
  • information that the loan issued to the borrower is included in a business restructuring program
  • if a loan has been granted for business activities and a Business ID has been reported for the loan:
    • the borrower’s Business ID
    • the borrower’s business name
  • if the loan type is leasing:
    • start date of the leasing contract if the date is not the same as the date of conclusion
    • transaction price if redemption is required by the contract
  • if the loan type is lump-sum loan or guarantee receivable for a student loan:
    • loan’s purpose of use
      • home loan, home loan for first home, home loan for leisure house, home loan for investment purposes, student loan, consumer credit for the purchase of a vehicle or craft, other consumer credit, other loan, loan for operation of business, or guarantee receivable for a student loan
    • final due date of the payment plan
    • amount issued and amount paid
    • loan balance
    • amortization frequency (given in months, e.g. 1, 3 or 6)
    • payment method if the loan is to be paid as a lump sum (bullet) or if the last instalment is notably larger than the regular instalments (balloon)
  • if the loan type is running-account loan:
    • credit limit
    • amount of loan balance and the value date when the loan balance was checked.

If the loan is included in a payment plan in a debt arrangement or in a business restructuring program, this will have an effect on what information is shown in the credit register extract. The loan amounts, number of lenders and amounts of guaranteed loans are included in the summary, but amortizations are not included in the sum total of the most recent payments. Other loan data is not shown in the register extract. The above, more limited information is also shown in the extract if the loan has several co-debtors and one of them is in a payment plan in a debt arrangement or in a business restructuring program.

The loan data in the extract also shows if the borrower has denied the accuracy of the data.

Income information

  • The credit register extract shows the person’s income reported to the Incomes Register for the past 12 calendar months.
    • Only information on full calendar months is shown, i.e. the ongoing month’s information is not included.
  • The income data can only include income that has been reported to the Incomes Register.
    • For example, income, grants and most capital income received by a business name entrepreneur are not reported to the register. Further, the entrepreneur’s income from employment is not reported if they are insured under the Self-Employed Persons’ Pensions Act or Farmers’ Pensions Act.
    • If no income has been reported to the Incomes Register for a person, the credit register extract shows that their income is €0 a month.
    • Read more on the Incomes Register's website about what income data and what benefits payment data payers must report to the Incomes Register.
  • In the credit register extract, the income is separated into wages and benefits and further into gross and net income by month. Income or benefit payers are not shown.
    • Wages are considered to include other income types reported to the Incomes Register except tax-exempt kilometre allowances, meal allowances and daily allowances.
    • Benefits are considered to include almost all benefits reported to the Incomes Register. The benefits are not itemised but all benefit amounts are added together.

Read more: Calculation of income data (xlsx)

If a person is added to the loan as a borrower after the loan has been reported to the register, it will affect what information is shown in the credit register extract: only the loan information valid when the person is a party to the loan is shown in the extract.

The following information is not shown in the extract at all:

  • the deferments of amortization that are no longer valid or that end on the same day as the person is added to the loan
  • the start date of a deferment period if the person has been added to the loan only after the period has started
  • the date of conclusion if the person has been added to the loan only after the contract conclusion
  • the amount issued and the amount paid if they did not change when the person was added to the loan and have not changed after that, either
  • the amount drawn against a running account and the value date if they did not change when the person was added to the loan and have not changed after that, either
  • the start date of a leasing contract if the person was added to the loan after that date.

Payment transactions are also not included in the sum total of the latest payments if their date of payment is earlier than or the same as the date when the person was added to the loan.

If a person does not have any active loans, i.e. loans reported to the Positive credit register but not reported as ended, the number of loans and the number of lenders that have issued loans are both 0. In addition, the extract shows the number of loans guaranteed by the person, the person’s income data and any voluntary ban on credits.

If the person has died, the lender that requested the credit register extract will only be notified that the person had died and given the date of death.

5 Data user's responsibilites

5.1 Processing of confidential personal data

A data user receiving data from the Positive credit register is the data’s controller, and they see to it that the personal data received is processed in compliance with law.

Data disclosed from the Positive credit register is personal data that must be processed in compliance with the provisions of the General Data Protection Regulation and the Data Protection Act (1050/2018).

According to section 23 a of the Act on the Positive Credit Register, a data user using a natural person’s data must identify the person in question and, if necessary, verify their identity before requesting data.

The data user must ensure, by technical and organisational measures, the appropriate security of data disclosed from the Positive credit register, including protection against unauthorised and unlawful processing. Personal data may be stored in an identifiable form only for as long as is necessary for the purposes of data processing (Article 5 of the General Data Protection Regulation. Further, the data disclosed must be destroyed in a secure manner when it is no longer needed for the purpose for which it was disclosed.

The data user must ensure the confidentiality of the received data in an appropriate manner. Confidential data is covered by the obligation of secrecy. (Act on the Openness of Government Activities (621/1999), sections 22 and 23.) The data user may not disclose confidential data received from the Positive credit register. Further, they may not use the data to the benefit of themself or others, nor to the detriment of others. Confidential data disclosed from the Positive credit register may be used and processed only in the purpose for which it was disclosed, unless otherwise prescribed by law. Confidential data disclosed from the Positive credit register may not be shared with a third party without legal grounds. More information about confidential data is provided in chapter 2.1.

5.2 Use of processors

‘Processor’ here is a processor according to the EU General Data Protection Regulation. It is a person or an organisation processing personal data on behalf of the data user (controller). However, ‘processor’ does not refer to employees working for the data user and processing personal data as part of their work. Read more about processors on the website of the Office of the Data Protection Ombudsman (tietosuoja.fi).

In order that the processing of personal data would fulfil the requirements of the General Data Protection Regulation, the data user may employ only such processors to process personal data that provide a sufficient guarantee for the use of approporiate technical and organisational measures. The data user is also responsible for the actions of the processors acting on their behalf and for the lawfulness of the processing.

The data user and processor must conclude a contract or other legal act in accordance with Article 28 of the EU General Data Protection Regulation on the processing of personal data. Further information about processors and the content of the data processing contract can be found on the website of the Office of the Data Protection Ombudsman (tietosuoja.fi) and on the website of the European Data Protection Board (edpb.europa.eu).

5.3 Ensuring of information security

The data user is responsible for seeing that the data received from the Positive credit register is appropriately protected and processed in a secure manner. Data users must see to the information security of workstations, servers and the information network, the safety of the facilities and the encryption of data so as to make sure that persons or organisations that are not authorised to process data disclosed from the Positive credit register cannot access the data. Data communications containing the Positive credit register’s confidential data must also be encrypted or otherwise protected.

The data user’s systems where data received from the Positive credit register is processed must have secure access management. Data access rights granted to persons employed by the data user must be defined based on the data they need to perform their work tasks. The access rights must be kept up to date. The data user must keep a log to monitor the use of data and to ease troubleshooting in case of technical problems. Vulnerability management processes must be in place. Further, sufficient guidance and training must be provided for employees processing the Positive credit register’s data to make sure the actions they take are in compliance with law.

Data can be disclosed from the Positive credit register only if the entity requesting an extract has a statutory right to do so and if the data user’s information system ensures, case by case, that the entity requesting data is handling a matter for which a credit register extract is needed.

5.4 Certificate

The data user receives a certificate issued by the Tax Administration for the use of an API for requesting credit register extracts. The certificate identifies the data user requesting data. Further information about certificates is available in the instructions on the use of certificates.

‘Certificate key pair’ refers to a pair of keys used in public key methods. The key pair consists of a public key and a private key. The private key is created by the user and it is known only to the user. The private key may never be handed over to anyone, not even to the Tax Administration.

The data user agrees to keep the certificate safe, ensuring it is available only to individuals who are entitled to use it. The data user is responsible for all the operations performed in the API, such as requesting and retrieving data, until the certificate is revoked. The data user is responsible for seeing that the party requesting data through the API has a legal right to process the data.

If the private key of the data user is lost or falls into the wrong hands or if the data user suspects that their certificate’s private key has been compromised, they must inform the Tax Administration immediately (see Revoking a certificate). In this way, unauthorised use of the API service can be prevented. Further, if the certificate is not needed, it must be revoked.

The certificate is specific to the organisation, so the data user and a processor acting on the data user’s behalf cannot use the same certificate. An additional certificate must be requested for the party acting on the data user’s behalf. If the certificate is used by an entity acting on the data user’s behalf, the data user must report the name and Business ID of the processor to the Incomes Register Unit. The data user is responsible for seeing that the certificate holder and the party using the certificate to request data have a legal right to process the data and to use the certificate in the API.

5.5 Reporting changes to activities

The data user must notify the Incomes Register Unit of any such changes in their activities that may have an effect on the data user’s right to receive information or on other preconditions for the disclosure of data. An example is a case where the purpose of use specified in the Incomes Register Unit's decision on the disclosure of data changes, or if changes take place in the information that was reported when the permission was applied for. The changes may relate to the nature of the data user’s activities, for example, or to matters related to the processing of personal data, such as data protection or the processors.

The data user must also keep the contact person information provided in the application up to date.

The Incomes Register Unit is entitled to deny access to data or cancel a decision made if the conditions for the disclosure of data prescribed in the Act on the Positive Credit Register or elsewhere in legislation are not met (section 27 a, subsection 2, Act on the Positive Credit Register).

Page last updated 12/1/2025