Privacy statement for revocation service and recordings of the revocation service’s telephone calls

Revocation service and recordings of the revocation service’s telephone calls

Digital and Population Data Services Agency

Lintulahdenkuja 2, FI-00530 Helsinki 

Telephone (switchboard) +358 2 9553 6000, email kirjaamo(at)dvv.fi

Contact person for matters concerning the register:

Development Manager Teemu Tukiainen

Lintulahdenkuja 2, FI-00530 Helsinki 

Telephone: (switchboard) +358 2 9553 6000, email: kirjaamo(at)dvv.fi

Telephone (switchboard) +358 29 553 6000, tietosuoja(a)dvv.fi

The archiving of certificates must comply with what is laid down on archiving in legislation on electronic services (section 24 of the Act on Strong Electronic Identification and Electronic Trust Services (617/2009)). Certificate register data will be kept on file for at least 5 years after certificate expiry.

Personal data is processed in the revocation system in pursuant to what is specified in the Act on Strong Electronic Identification and Electronic Trust Services (617/2009) and the Act on the Digital and Population Data Services (661/2009) provided by the Digital and Population Data Services Agency on the reception of certificate revocation requests and the transfer of revocation events to the certificate system. Section 25 of the he Act on Strong Electronic Identification and Electronic Trust Services (617/2009) and section 61 of the Act on Digital and Population Data Services Agency (661/2009) contain provisions of the revocation service. In addition to this, the Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (Regulation) contains provisions on the provision of the revocation service. Telephone calls to the revocation system are recorded. The purpose of the recordings is to ensure the legal protection of the customer and the Digital and Population Data Services Agency as well as to take security aspects into account, to improve the quality of the service and to monitor the quality of the service. The Digital and Population Data Services Agency can separately request the recording for a single telephone call from the Supplier’s (Nets Oy) contact person when required by an error investigation or other reason.

The revocation service is notified of the service certificates that the certificate holder or the certification authority wishes to revoke before their stipulated expiry date. The following data is stored in the register:

• The name or ID code of the Nets Oy customer service employee, who answered the phone call.
• The start time and end time of the call
• The reason for the revocation request

Organisation certificate:

• When calling the revocation service, the request maker gives the identification code that gives them the right to submit a revocation request, if the customer has been given such a code.
• The contact information and name of the request maker and the name, the name of the organisation, the unique 9-character code for the certificate holder, the organisation unit, the time at which the card was issued and email address.

Citizen certificate:

• The request maker will be asked for information that will make it possible to identify them, and this information will be checked from the Population Information System. In practice, this means a personal identity code, which will be used to look up the party’s electronic customer service code in the Population Information System.

• The holder of an identity card granted by the police 'themselves / another person on behalf of the identity card holder (e.g. a guardian may cancel a minor’s card)
• The police at the time the card holder reports the card is lost
• A representative / employee of an organisation
• Digital and Population Data Services Agency
• The card factory has the possibility of reporting the revocation of a certification, but this is very exceptional
• The person who submits a revocation request must always be reliably identified at the time a revocation request is submitted.

Telephone calls made to the revocation service are recorded on tape.

Revocation requests are submitted once a month by Nets Oy to the Digital and Population Data Services Agency.

The can separately request the Digital and Population Data Services Agency the recording for a single telephone call from Nets Oy when required by an error investigation or other reason.

The publishes a revocation Digital and Population Data Services Agency list for the certifi-cates it has granted as part of its directory service. E-service providers must always check the validity of a user’s certificate when they sign into the system. Revocation lists are published in the Fineid directory. An updated revocation list is published every hour. Everyone has free and open access to revocations lists. Anyone can access revocation lists with a LDAP or widget and further process them, where necessary, with the tools that come with open SSL.

Certificate revocation lists (CRLs) electronically signed by the Certification Authority (CA) contain the serial numbers of the revoked certificates for the relevant certificate types and the date and time after which transactions made with the certificates in question can no longer be authorised. In addition to the serial number, the list may cite the reason code for the revocation of the certificate. The revocation lists do not contain personal data or card serial numbers.

Keeping the revocation list’s data public and the disclosure of data is based on the Act on the Digital and Population Data Services Agency (661/2009) and specifically section 61 of said act, as well as on the Act on Strong Electronic Identification and Electronic Trust Services (617/2009) and specifically section 25 of this act.

Additionally, the provision of the revocation service is provided on in Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (Regulation).

No personal data is transferred to areas outside the EU or EEA.

The data is protected by means of access control. Manual material is located in locked facili-ties protected by access control.

Manual material

The material recorded from the revocation telephone service is manual and will be retained for a period of 6 months. Requests by email are archived by the in paper format and processed by persons, whose job description includes the processing of these materials. The rev-ocation service’s manual material is protected as required by legislation paying close attention to information security. The manual material related to revocation is location in an area protected by access control.

Information processed electronically

The server on which recordings are retained is located in an area protected by access control. Personal data may only be processed by persons whose job description include the processing of recordings. The data contained in the revocation service is protected as required by legislation paying special attention to information security.

No automated decision-making or profiling is performed on the basis of the data from the personal data file.

Right of inspection

The data subject has the right to request that the controller provides them with access to their personal data (so that the data subject can check the information that is saved on them in the personal data file). The request can be submitted in writing to the contact person mentioned in section Controller and contact person of the privacy statement. The data subject must be able to prove their identity at the time of the access request. They can prove their identity by showing a valid ID when visiting an authority’s office. The controller must respond to the request by the data subject without delay, and, as a rule, access will be given within a month of the time the request was registered. However, the aforementioned one-month timeline can be extended by at most two months, if the correc-tion requested by the data subject so requires. The controller will notify the data subject of any possible extension to the correction period and the reasons for the extension.

Right to demand data correction

The data subject has the right to request that their personal data should be corrected. The request must be made in writing and the contact details are given in section Controller and contact person of this statement. The data subject must be able to prove their identity at the time of a correction request. They can prove their identity by showing a valid ID when visiting an authority’s office. The data subject must give a detailed description of what information must be corrected, the reason why the correction is needed, what they feel is the correct information and how the correction should be made. The controller must respond to the request by the data subject without delay, and, as a rule, the information will be corrected within a month of the time the request was registered. However, the aforementioned one-month timeline can be extended by at most two months, if the correction requested by the data subject so requires. The controller will notify the data subject of any possible extension to the correction period and the reasons for the extension.

Cancelling data subject’s consent

Processing of personal data is not based on consent.

Other rights of the data subject related to personal data processing

The data subject does not have the right to request the deletion of their data, as the data processing is based on the law. For this reason, the data subject does not have the right to object to the processing of their personal data or the right to have their data transferred to another system. The data subject does not have the right to request that processing of their personal data be limited.

The data subject has the right to lodge a complaint to the supervisory authority on the processing of their personal data.