Certificate information system

Digital and Population Data Services Agency 

Lintulahdenkuja 2, 00530 Helsinki 

PO Box 123, 00531 Helsinki, Finland

Telephone (switchboard) +358 (0)2 9553 6000,

Email [email protected]

 

Contact person in register-related matters

Jaripekka Turtiainen, Business Owner, Senior Advisor

Lintulahdenkuja 2, 00530 Helsinki 

Telephone (switchboard) +358 (0)2 9553 6000,

Email [email protected]
 

Telephone (switchboard) +358 2 9553 6000, tietosuoja(a)dvv.fi

The Digital and Population Data Services Agency provides nationwide certified electronic services and performances. The services and performances are intended to enable, implement and safeguard the functions and information management of society and the rights and obligations of its members. Personal data is processed to produce, distribute and manage certificates and certificate cards, to validate the electronic signatures contained in the documents sent to the validation service and to seal the documents sent to the seal service.

The personal data contained in the Certificate Information System are processed on the basis of Article 6 of the EU General Data Protection Regulation. Personal data is processed as part of the provision of statutory services by the Digital and Population Data Services Agency. The certificate information system is also used to process personal data under Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, under Regulation (EU) 2024/1183 of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing the European Digital Identity Framework, under section 6 of the Act on Strong Electronic Identification and Electronic Trust Services (617/2009), and under section 6 of the Act on the Population Information System and Certificate Services provided by the Digital and Population Data Services Agency (661/2009).

The Digital and Population Data Services Agency maintains a certificate register on the personal certificates it has granted. Certificate register data will be kept on file for 5 years after certificate expiry.

Following information is saved in the register:

• Personal identity code, names and home address of the certificate holder/applicant

• Name of organisation applying for seal certificate

• Personal data on system users as follows: name, personal identity code, email

• The certificate holder’s unique identifier and registration number

• Certificate holder’s unique identifier

• Certificate serial number

• Purpose of the certificate

• Other necessary technical data related to the use of the certificate

• Certificate period of validity

• Information on the calculation method used in the creation of the public key for the certificate holder

• Name of the person who granted the certificate

• Revocation list, certificate directory, data contained on the registration forms, facial image of the applicant, personal and contact details given on the client contracts

Information is obtained from the following sources:

• Certificate applicants 
• System users 
• Population Information System 
• Central registers of social welfare and healthcare professionals 
• Client organisations for organisation cards and seal service
• Certificate services of the Digital and Population Data Services Agency 
• Certificate card producers 

Certificate card producers are provided with the information needed for producing cards once a day. As a rule, no information is disclosed to third parties.

The public information on the certificates contained in the certificate information system’s certificate directory is published on the internet in the public certificate directory of the Digital and Population Data Services Agency.

No data is transferred outside the European Union or the European Economic Area.

The data is protected by means of access control and can only be accessed from within the government network. Personal data is also protected by physical access control, access control and guidelines for the processing of personal data. The data is protected in the register by commonly used methods (e.g. passwords, firewall, regular updates of the server).

Decisions on applications submitted in the electronic OmaKortti service (renewals of organisation certificates and social welfare and healthcare professional certificates) are made on an automated basis. Automated decision-making is based on chapter 8b of the Administrative Procedure Act (434/2003). If the decision on your application is made on an automated basis, this is stated in the decision or client information made available to you (if the decision has been made available to your employer organisation). More information on the option of automated decision-making is also available in the electronic OmaKortti service and on the website of the Digital and Population Data Services Agency (The information is in Finnish).

If you submit your application outside the electronic OmaKortti service, the decision on your application will not be made on an automated basis. 

The Digital and Population Data Services Agency grants the citizen certificate for a personal identity card issued by the police or a Finnish mission abroad. The application for a personal identity card must be submitted in the police e-service, police licence services or in a Finnish mission abroad (diplomatic and consular missions). The application for the citizen certificate granted by the Digital and Population Data Services Agency must be submitted in connection with the application for the personal identity card. The Digital and Population Data Services Agency processes the applications for citizen certificates on an automated basis. Automated decision-making is based on chapter 8b of the Administrative Procedure Act (434/2003). No administrative decision is issued in connection with the issuing of the personal identity card containing a citizen certificate. Details of the automated decision concerning your citizen certificate application are provided in the client information sent to you. More information on the option of automated decision-making is also available on the website of the Digital and Population Data Services Agency (The information is in Finnish).
 

Right of inspection

You have the right to request that the controller provides you with access to your personal data The request can be submitted in writing to Digital and Population Data Services. registry office. Please be ready to prove your identity. The data stored in the register (organisational and social and healthcare certificate holders' data) can also be checked in an electronic service (OmaKortti, https://omakortti.dvv.fi/?culture=fi-FI), which is accessed by logging in with the help of Suomi.fi-identification.
You will receive the information you need within one month. If, for justified reasons, it is not possible to provide the information within this period, the Digital and Population Da-ta Services Agency may extend the deadline by up to 2 months. In this case, you will be notified.

Right to demand data correction

You have the right to request for your personal data to be corrected. Make the request in writing to the contact person of the register (please see section Controller and contact persons). In the correction request, you must indicate the information to be corrected and the exact change or information to be added to the record. Your identity will be verified at the time of the request.
If the Population Information System has been the source for personal data and the data in question is incorrect, the request for the correction of personal data must be submitted to the Population Information System.

Restrictions to the data subject’s rights in relation to personal data processing

Most of the services provided by the Digital and Population Data Services Agency are based on compliance with the controller’s statutory obligation, on the performance of a duty of public interest or the exercise of public authority. In such cases, you do not have the right to request the deletion of your data or its transfer to another system, and , as a rule, you cannot object to the processing of your personal data.

Consent-based processing of personal data

Processing of personal data is based on consent to the extent that it involves the publication of the certificate data in the public certificate directory of the Digital and Population Data Services Agency. Publication of the data with the consent of the data subject is based on Article 24(2)(f) of the eIDAS directive (910/2014): A qualified trust service provider providing qualified trust services shall use trustworthy systems to store data provided to it, in a verifiable form so that they are publicly available for retrieval only where the consent of the person to whom the data relates has been obtained. The data subject is requested to give their consent in connection with the certificate application.

If you think that your personal data is processed unlawfully, you can submit a complaint to the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman

Street address Lintulahdenkuja 4, 00530 Helsinki
Postal address PO Box 800, 00531 Helsinki, Finland
Email tietosuoja(at)om.fi
Telephone (switchboard) +358 (0)29 566 6700
Registry +358 (0)29 566 6768

For more information on submitting a complaint, see the website of the Office of the Data Protection Ombudsman at https://tietosuoja.fi/.