Purpose of processing data
We process personal data to identify natural persons, to allocate the data reported by lenders to the correct individual, and to send a notification to the data subject through Suomi.fi Messages when a credit register extract is requested about their data.
The purpose of the processing is to ensure that the data in the Positive credit register is correct, to help the data subject to monitor the use of their data, and to perform the other tasks of the Tax Administration’s Incomes Register Unit laid down in the Act on the Positive Credit Register.
What data do we process?
In our customer relationship management system, we process the following identifying and contact information about people entered into the Population Information System and having a Finnish personal identity code:
- name
- identifying information, such as personal identity code
- addresses
- non-disclosure for personal safety
- mother tongue and contact language.
In our customer relationship management system, we process the following identifying and contact information about small businesses contained in the Business Information System.
- identifying information (Business ID and personal identity code)
- addresses
- contact language.
Where does the data come from?
We have received the data from the Incomes Register, which shares data with the Positive credit register by virtue of the act on the Incomes Information System (Laki tulotietojärjestelmästä 53/2018). The data has been stored in the Incomes Register from the Population Information System and the Business Information System.
Under the Act on the Positive Credit Register, the Incomes Register Unit has the right to update their data from the Population Information System and check a natural person’s personal data in order to verify its accuracy. The Incomes Register Unit has the right to update and check the Positive credit register’s data on a natural person’s business activities from the Trade Register and the Business Information System.
On what basis do we process data?
We process personal data to comply with the Incomes Register Unit’s statutory obligation (General Data Protection Regulation (EU 2016/679), Article 6 (1) (c)). The processing is provided for in the Act on the Positive Credit Register (739/2022).The personal identity code is processed so that a notification can be sent to the data subject through Suomi.fi Messages when a credit register extract about their data is requested from the register. The personal identity code is also processed to provide a service in the public interest (in accordance with Article 6 (1) (e) of the General Data Protection Regulation (EU 2016/679) and section 4, subsection 1, paragraph 2 of the Data Protection Act (1050/2018)).
Disclosure of data
Lenders and other businesses with the right of access to data specify the personal identity code of the target person when they request a credit register extract. We respond to the request by sending a credit register extract containing the personal identity code specified in the request and any registered data allocated to the personal identity code in question.
If the data subject has activated Suomi.fi Messages, they will receive a notification through Suomi.fi Messages if a lender requests a credit register extract about their data. The personal identity codes of the data subjects about whose data lenders request credit register extracts are therefore shared with the Digital and Population Data Services Agency, which uses the personal identity code to check whether the person in question has activated Suomi.fi Messages and then send a Suomi.fi message to notify the data subject that a credit register extract has been requested. The personal identity code is not shared with the Digital and Population Data Services Agency if the data subject has disabled notifications in the Positive credit register’s e-service. The controller of the Suomi.fi Messages service is the Digital and Population Data Services Agency.
We do not disclose other customer details on a regular basis.
Processors
The operational services of our customer relationship management system are provided by Tietoevry Corporation. The Positive credit register has been implemented on the Microsoft Azure cloud service platform. We use the following service providers for application management services, such as troubleshooting: Innofactor Platforms Ltd, Gofore Plc, Gofore Verify Ltd, Fujitsu Finland Ltd, Advania Finland Ltd, Futurice Ltd and Siili Solutions Plc. When processing personal data, application management uses a service management system provided by ServiceNow.
Transfer of personal data to third countries
In principle, we do not disclose data to countries outside the EU/EEA. However, in exceptional individual cases, Microsoft may have access to personal data during support and maintenance activities. In data transfer, the transfer basis under the General Data Protection Regulation is the European Commission's decision on the adequacy of data protection under Article 45(1) (Adequacy decision for the EU-US Data Privacy Framework, C(2023) 4745 final) or, where necessary, standard contractual clauses published by the European Commission.
Retention of data
With regard to data retention, we comply with the Tax Administration's information management plan. We retain the data only for as long as necessary for the performance of the Incomes Register Unit's statutory task.
The identifying and contact information of natural persons is deleted no later than 10 years after the end of the year in which the natural person died or was declared dead.
The identifying information submitted to the Digital and Population Data Services Agency about credit register extracts and the data on the sending of notifications through Suomi.fi Messages will be removed after 3 years.
