Privacy statement for Katso service
The Katso service was intended for organizations for identification and authorization in e-services. The Katso ID was a free electronic identifier for organizations.
The Katso service has ceased and has been replaced with Suomi.fi e-Identification and Suomi.fi e-Authorizations.
Katso identification and e-authorisation service
Digital and Population Data Services Agency
Lintulahdenkuja 2, 00530 Helsinki
PL 123, 00531 Helsinki
Telephone (switchboard) 02 9553 6000, email kirjaamo(a)dvv.fi
Contact person in register-related matters
System Specialist Vesa Vanhalakka
Lintulahdenkuja 2, 00530 Helsinki
Telephone (switchboard) 02 9553 6000, email kirjaamo(a)dvv.fi
The Katso service is produced by the Digital and Population Data Services Agency. The purpose of the Katso service register is to hold data about users of Katso, e-authorisations and events. The register contains data about natural persons who have identified themselves in order to use the Katso service (users), the organisations they represent, the e-authorisations and electronic mandates they have been given using the service, the officials who register customers, and event data related to the use of the service. Creating an ID for the Katso service requires strong identification of the user using Suomi.fi e-Identification.
The data stored in the register is used to identify the Katso service's user organisations and the users who represent them, and to manage the e-authorisations given in the service.
The data entered in the register is also used for developing the Katso service and for follow-up and monitoring, fault investigation and the investigation of any abuses and data security violations, as well as for statistical needs. The Digital and Population Data Services Agency produces the Katso service in accordance with section 3 subsection 1 paragraph 5 of the Act on Common Administrative E-Service Support Services (571/2016). Personal data is processed with respect to the statutory tasks of the Digital and Population Data Services Agency.
The Digital and Population Data Services Agency’s service provider, CGI, takes care of the provision of the Katso service and acts as the processor of personal data on behalf of the Digital and Population Data Services Agency.
The Tax Administration stores the manual material related to the provision of the Katso service.
The Controller retains the information about the holders of Katso IDs and the organisations they represent, the authorisations and electronic mandates they have been given using the service as well as event data for five (5) years from the resolution of the Katso service, which will occur by the end of year 2020.
The Digital and Population Data Services Agency has estimated that with regard to event data, a five-year (5) retention period is necessary, when taking into consideration the limitation periods for the most common offences related to the processing of personal data and financial offences and the limitation period for offences in office, which is five years.
The following data about holders of Katso IDs is stored in the register:
- Personal identity code or other identifying data
- Name
- Identification data (user ID) and encrypted permanent password and single use passwords
- Language: Finnish/Swedish/English
- Mobile phone number (if the user has given it)
The following data about the organisation that the user represents is stored:
- Name
- Business ID
- Address and street address
- Country
The following data about the registration official is stored:
- User ID
- Name
E-authorisation data:
- E-authorisation granted by (organisation representative)
- E-authorisation granted to (organisation or one/several representatives of an organisation)
- E-service provider whose roles the e-authorisation encompasses
- Roles/role group (scope of e-authorisation)
- Date created
- End date
- Status
Data about electronic mandates:
- Organisation as Assignor:
  - Organisation’s name, business ID or foreign business registration number, address and street address, country.
  - Name of the representative, identifier and type of identifier (Finnish or foreign personal identity code or foreign passport number), language (Finnish/Swedish/English) and email address.
  - The name, mobile phone number and email address of the representative of the agent organisation and a free-form covering letter to be sent to the representative.
- For an Assignor who is a private individual:
  - Name of the Assignor, personal identity code, address and street address, country, language (Finnish/Swedish/English), email address and information as to whether the mandate is approved by a representative.
  - Name, personal identity code, language (Finnish/Swedish/English) and email address of the representative of the Assignor, if any.
  - The name, mobile phone number and email address of the representative of the agent organisation and a free-form covering letter to be sent to the representative.
- E-service provider whose roles the mandate encompasses
- Roles/role group (scope of authorisation)
- Identifier of e-authorisation or electronic mandate
- Date created
- End date
- Status
Event data related to the creation and management of Katso IDs:
- Event data related to the creation of a Katso ID:
  - Procedures for the user
    - Application status
    - Katso sub-ID established
    - Katso sub-ID confirmed
    - Initialized Katso ID activated
  - Procedures for the registration official
    - Name and log-in ID of registration official
    - Specific log-in identifier
    - Administrator's ID activated
- Log data related to management of Katso IDs:
  - Data about user log-ins to Katso service
  - Time stamps for procedures if there is an event data entry for the procedure
  - Technical error notification if a procedure is interrupted because of an error
Event data related to Katso log-ins:
- Data about the e-service that has been accessed using a Katso ID, if the transaction service uses a Katso log-in directly (not via Suomi.fi e-Identification)
- Specific log-in identifier
- Time stamps related to log-in events
- Data about unsuccessful log-in attempts
- User's Katso ID
Event data related to issuing of e-authorisations and electronic mandates:
- Event data related to issuing of e-authorisations and electronic mandates:
- Start and end dates of validity of e-authorisations and electronic mandates
- Procedures undertaken by the user (creation, confirmation or termination of e-authorisation or electronic mandates)
- Identifier of e-authorisation or electronic mandate
- Identifier of issuer of e-authorisation or electronic mandate
- Identifier of recipient of e-authorisation or electronic mandate
- Contents of e-authorisation or electronic mandate (roles).
- Time stamps for procedures if there is an event data entry for the procedure
- Technical error notification if a procedure is interrupted because of an error.
Personal data is obtained from the customers of the service themselves, as well as from the population register system, the trade register, register of associations and the trusts register by virtue of Section 9 of the Act on Common Administrative e-Service Support Services.
The controller discloses the user’s personal identity code or other data used when logging on to the Katso service and/or the identifier data of the identification (user ID) to utilisers of the Katso service, i.e. authorities or other organisations that manage public services.
In addition, by virtue of Section 14 of the Act on Common Administrative e-Service Support Services, the controller may disclose register data to utilisers of the Katso service, i.e. authorities or other organisations managing public services, whose data is stored during the use of e-services or other transactions, if such organisation needs the data:
- to ensure and improve the functioning of its e-services
- for usage reporting of their e-service
- to ensure the data security of its e-services or to investigate disturbances in its data security
- to demonstrate that data is processed in the correct manner or to otherwise examine problems related to the use of e-services.
On request, the controller may also disclose event data kept in the register to a user of the Katso service if the data concerns the user in question. The controller may also disclose data in the service to
- police, criminal investigation and prosecuting authorities as well as a court of law for the purposes of preventing and investigating a crime
- the Data Protection Ombudsman for the purpose of supervising data security.
Information may also be disclosed as statistics or in other formats so that individuals cannot be identified. E-service providers who use Katso identification are automatically supplied with monthly usage statistics for the Katso service. In other cases, data is disclosed on a case-by-case basis at the Controller’s discretion.
Information may also be disclosed for other purposes laid down in the law.
No personal data is transferred outside the EU or the EEA.
The Katso service telecommunication network and equipment where the register is located are protected by a firewall and other technical measures. Communications involving personal data are encrypted. Register data is protected against unauthorised access, modification and deletion. The protection is based on physical access control, personal user identification and limits to access. Rights to access and modify data are restricted to personnel according to their jobs, and records are kept of access to data as well as to modifications made to it.
Rights to data are ensured through computerised and manual controls in the data system at various stages of data processing. Back-up copies are made to ensure data is not destroyed and physical security measures are also in place. Hard copies of data related to the register are protected using access control and locked archives.
No automated decision-making or profiling is performed on the basis of the data.
Right of inspection
You and your organisation have the right to request that the controller provides you with access to the data on you, so that you can check the information that is kept on you. The request must be submitted in writing to the Digital and Population Data Services Agency’s registry office. Be prepared to prove your identity. You will receive the information you need within a month of the time your request was registered. However, for justified reasons the Digital and Population Data Services Agency can extend the aforementioned one-month timeline by two months at the most. In this case you will receive a notification.
Right to demand data correction
You have the right to demand that data stored on you is corrected. Submit your request in writing to the contact person of the register (see contact information in section 2 above). Give a detailed description of what information must be corrected and how the correction should be made or how your data should be complemented. Be prepared to prove your identity.
Limitations to the rights of the data subject with regard to the processing of personal data
The data subject does not have the right to request the deletion of their data, as the data processing is based on the law. For the same reason, the data subject does not have the right to object to the processing of their personal data or the right to have their data transferred to another system.
In certain cases, the data subject has the right to have the processing of personal data restricted based on Article 18 of the EU’s General Data Protection Regulation.
The data subject has the right to lodge a complaint to the supervisory authority on the processing of their personal data.
Additional information by the Office of the Data Protection Ombudsman.