Privacy statement for the Certificate management system

Certificate management system

Digital and Population Data Services Agency
Lintulahdenkuja 2, FI-00530 Helsinki
Telephone (switchboard) +358 2 9553 6000, email kirjaamo(at)dvv.fi

Contact person for matters concerning the register
Development Manager Teemu Tukiainen
Lintulahdenkuja 2, FI-00530 Helsinki
Telephone: (switchboard) +358 2 9553 6000, email: kirjaamo(at)dvv.fi

Telephone (switchboard) +358 2 9553 6000, tietosuoja(a)dvv.fi

The Digital and Population Data Services Agency maintains a certificate register on the personal certificates it has granted; provisions on these are laid down in Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (Regulation).

Work to archive certificates must apply what is provided on archiving in legislation on electronic services (section 24 of the Act on Strong Electronic Identification and Electronic Trust Services (617/2009)). Certificate register data will be kept on file for at least 5 years after certificate expiry.

Personal data contained in the certificate information system is processed as provided in section 6 of the Act on Strong Electronic Identification and Electronic Trust Services (617/2009) and section 6 of the Act on the Digital and Population Data Services Agency (661/2009). Personal data is processed for the production, distribution and administration of certificates and certificate cards (Act 661/2009; section 61). The Digital and Population Data Services Agency is tasked with providing national certified electronic services and output. Services and outputs are produced to facilitate, implement and ensure society’s functions and information services, and the rights and obligations of members of society.

• Personal identity code, names and home address of the certificate holder/applicant
• Personal data on system users as follows: name, personal identity code, email
• The certificate holder’s unique identifier and registration number
• Certificate holder’s unique identifier
• Certificate serial number
• Purpose of the certificate
• Other necessary technical data related to the use of the certificate
• Certificate period of validity
• Information on the calculation method used in the creation of the public key for the certificate holder
• Name of the person who granted the certificate
• Revocation list, directory, data on registration forms, personal and contact information on customer contracts

• Certificate applicant (themselves)
• System users themselves
• Population Information System (consent required)
• Central register of healthcare professionals (consent required)
• With regard to organisation cards, the information supplied by customer organisations
• The Digital and Population Data Services Agency’s certificate service (own technical data from the certificate service)
• Certificate card producers provide card data (e.g. serial number for the certificate)

Certificate card producers are provided the information needed for producing cards once a day.

No personal data is transferred to areas outside the EU or EEA.

The public information on certificates contained in the certificate information system’s certificate directory is published on the internet in the Digital and Population Data Services Agency’s certificate directory.

The data is protected by means of access control. Manual material is located in locked facilities protected by access control.

Manual material

The certificate information system’s manual material is protected as required by legislation paying close attention to information security. A log is collected at a user level for online manual maintenance

Information processed electronically

The information in the certificate information system is protected as required by the legislation paying special attention to information security. Electronic information transfer is carried out via an encrypted connection. With regard to electronic notifications, the log is collected at the organisation level.

No automated decision-making or profiling is performed on the basis of the data from the personal data file.

Right of inspection

The data subject has the right to request that the controller provides them with access to their personal data (so that the data subject can check the information that is saved on them in the personal data file). The request can be submitted in writing to the contact person mentioned in section 3 of the privacy statement or in the electronic service, which will be launched in summer 2018. The data subject must be able to prove their identity at the time of the access request. A person can prove their identity by showing a valid ID when visiting an authority’s office or via electronic identification when accessing data in the electronic service.

The controller must respond to the request by the data subject without delay, and, as a rule, access will be given within a month of the time the request was registered. However, the aforementioned one-month timeline can be extended by at most two months, if the correction requested by the data subject so requires. The controller will notify the data subject of any possible extension to the correction period and the reasons for the extension.

Right to demand data correction

The data subject has the right to request that their personal data should be corrected. The request must be made in writing and the contact details are given in section 3 of this statement. The request can also be submitted via the electronic service which is to be launched in the upcoming future. The data subject must be able to prove their identity at the time of a correction request. A person can prove their identity by showing a valid ID when visiting an authority’s office or via electronic identification when requesting the correction of data in the electronic service.

The data subject must give a detailed description of what information must be corrected, the reason why the correction is needed, what they feel is the correct information and how the correction should be made. The controller must respond to the request by the data subject without delay, and, as a rule, the information will be corrected within a month of the time the request was registered. However, the aforementioned one-month timeline can be extended by at most two months, if the correction requested by the data subject so requires. The controller will notify the data subject of any possible extension to the correction period and the reasons for the extension.

If the Population Information System has been the source for personal data and the data in question is incorrect, the request for the correction of personal data must be submitted to the Population Information System.

Cancelling data subject’s consent

Processing of personal data is not based on consent.

Other rights of the data subject related to personal data processing

The data subject does not have the right to request the deletion of their data, as the data processing is based on the law. For this reason, the data subject does not have the right to object to the processing of their personal data or the right to have their data transferred to another system. The data subject does not have the right to request that processing of their personal data be limited.

The data subject has the right to lodge a complaint to the supervisory authority on the processing of their personal data.