Privacy statement for national contact point disclosure log

Privacy statement for national contact point disclosure log

This is a valid Privacy statement for national contact point disclosure log. The policy was updated on 1 January 2024.

Controller

Social Insurance Institution of Finland (Kela), P.O. Box 450, FI-00056 Kela

Nordenskiöldinkatu 12, 00250 Helsinki
Postal address PO Box 450
Postal code 00056
Phone number 020 634 11

Contact person for data file-related issues

Client enquiries about national contact point data-file related issues can be addressed to Kanta Services customer support at asiakaspalvelu@kanta.fi.

In matters concerning the rights of a data subject, please email enquiries to the Kanta Services’ Data Protection Officer at tietosuoja@kanta.fi.

Name of register

National contact point disclosure log

Purpose of data processing and grounds for processing personal data

Kela has a statutory obligation to maintain the national contact point. The content of these services is determined based on valid legislation (Section 23a of the Act on Electronic Prescriptions (61/2007), and Sections 60 and 71 of the Act on the Processing of Client Data in Healthcare and Social Welfare (703/2023).

Electronic prescriptions stored in the Prescription Centre can be delivered from any pharmacy that has introduced electronic prescriptions and from pharmacies in European countries referred to in Section 23a of the Act on Electronic Prescriptions.

The patient data summary includes medication information and key patient data that can be transferred to another European country for health care purposes with the patient’s consent.

The national contact point stores a disclosure log of the delivery of a cross-border prescription or patient data summary to another European country.

A patient data summary data may be disclosed from Finland on the basis of the client’s consent. The client’s consent and denial of consent are recorded in the system for issuing declarations of intent maintained by the Kanta Services. A disclosure log is recorded when a patient data summary is disclosed to another European country on the basis of consent.

Content of the data file of cross-border prescriptions

  • Personal ID code
  • Name information (first name, middle name, last name)
  • Contents of prescriptions and dispensations

Content of the data file of patient data summaries

  • Personal ID code
  • General information about the person (first name, middle name, last name, address)
  • Medication information and key health data (summary provided by the Information Management System)

Regular sources of data

In Finland, Kela acts as the national technical electronic contact point between the Kanta Services and the national contact point of another EU country.

The information in the patient data summary is compiled from prescription data and key patient data from the Information Management System. Key health data are compiled into the Patient Data Repository from patient documents stored by health care service providers. Prescription data are obtained from the Prescription Centre, which is a data repository consisting of electronic prescriptions stored by prescribers and prescriptions stored by pharmacies.

Regular disclosure of data and transfer of data outside of the EU or the European Economic Area

Notwithstanding secrecy provisions and other provisions concerning the use of data, Kela may disclose information to another authority if the authority requesting the information has a statutory right to the information in question and the statutory requirements for disclosing the information are met.

The data will not be transferred outside of the EU or the European Economic Area.

Period for which personal data are stored

The disclosure log is stored for 12 years from the date of the log transaction.

Principles of data file security

Organisational principles of protection

Kela has an information security plan in place to ensure data protection and data security. Kela must have a designated data protection officer.

Kela provides written instructions on the processing of client data and the procedures to be followed, and it ensures that personnel have sufficient expertise and capabilities to process client data as part of their own operations.

Technical protection principles

The viewing of log data recorded in the usage log data file of a national contact point, or any other processing of data, requires strong identification of the processor and access rights management related to the system. The Digital and Population Data Services Agency is responsible for identification and certificate services. Social welfare and health care service providers and pharmacies are responsible for managing relevant access rights. The European Commission is responsible for the certification services of the national contact points.

Log data on the viewing, processing, and disclosure of data in social welfare and health care services is stored in the national contact point’s usage log.

Kela is obligated to carry out statutory tasks and required maintenance tasks, which is why Kela’s technical administrator is required to have limited access rights to the national contact point’s usage log data file. Kela is responsible for managing access rights to the national contact point’s usage log data file.

Physical protection principles

Data stored in the national contact point’s usage log data file is safeguarded by technical means against modification and deletion. Kela’s data centres and the physical locations where data are held are in Finland. Access to the data centres is restricted to Kela’s technical maintenance personnel as required by their duties.

Data subject’s right of access to their data

In accordance with Article 15 of the EU General Data Protection Regulation (2016/679), data subjects have the right to access the data stored about them on the national contact point’s disclosure log. The data subject has the right to request disclosure log data from Kela.

A person may, acting by means of a power of attorney or as a legal representative on behalf of another adult, request the right to access the authorising person’s data stored in the national contact point’s disclosure log. A request for information made by a representative requires that the representative has the right to represent their client in the case in question. Kela will verify the person's right to receive the data. The disclosure of data may be refused on legal grounds.

A guardian may request access to their minor’s data in the national contact point disclosure log data file. Kela will verify the validity of guardianship when a guardian requests access to a minor’s data. The disclosure of data may be refused on legal grounds.

Requests for data should be directed to Kela (Registry, P.O. Box 450, FI-00056 Kela). Please see: Other rights related to the processing of personal data.

Right to request the rectification of inaccurate data

According to Article 16 of the EU General Data Protection Regulation (2016/679), the data subject has the right to obtain the rectification of inaccurate personal data concerning them.

A person may act using a power of attorney or as a legal representative on behalf of an adult and request the rectification of inaccurate personal data. A guardian may request the rectification of inaccurate personal data on behalf of a minor. Inaccurate prescription or patient data is rectified at the health care unit, social welfare services provider, or pharmacy where the inaccurate records were created. Service providers and pharmacies are always responsible for the content and accuracy of the data they record. Requests for the rectification of inaccurate information can be addressed to the data protection officer of the health care and social services provider or pharmacy.

If the request for rectification cannot be granted, the client will be issued a certificate of refusal. The certificate of refusal states the reasons why the client’s or legal representative’s claim was refused. After receiving a certificate of refusal, the client may refer the matter to the competent supervisory authority.

Right to lodge a complaint with a supervisory authority

If a client finds that their personal data have been processed in breach of the applicable data protection regulations, the client is entitled under Article 77 of the EU General Data Protection Regulation and Section 21 of the Data Protection Act to lodge a complaint with the competent supervisory authority. In Finland, the supervisory authority is the Data Protection Ombudsman.

Other rights related to the processing of personal data

In the MyKanta service, clients can view the social welfare and health care service providers or pharmacies to whom data has been disclosed.

Data subjects have the right to request disclosure log data for a patient data summary from Kela. The data subject has the right to know how Finnish pharmacies have processed the data subject’s prescription data obtained from abroad. The data subject may address a log data request to Kela.

A person acting by means of a power of attorney or as a legal representative on behalf of another adult may submit a request for information concerning the operators to whom patient data summaries have

been disclosed on the basis of consent by submitting a log data request to Kela. Kela will verify the person’s right to receive the data. The disclosure of data may be refused on legal grounds.

A guardian has the right to request information on the operators to whom patient data summaries have been disclosed with the minor’s consent by submitting a log data request to Kela. The disclosure of data may be refused on legal grounds.

The log data request can be made using the log data request form, which is available from social welfare and health care service providers, pharmacies and Kela customer service points that have joined the Kanta service, or at www.kanta.fi. Requests for log data should be directed to Kela (Registry, P.O. Box 450, FI-00056 Kela). A request for log data may also be made by contacting Kela’s Registry by phone or email (kirjaamo@kela.fi).

Access to log data dating further back than two years will not be granted without a special reason. The client may not use or disclose the log data received for any other purpose.

If, on the basis of log data, the client considers that their data have been processed inappropriately, they can request a report on the matter from the relevant social welfare and health care service provider or pharmacy. Upon request, Kela can provide the client with a report on the grounds for the use and sharing of their data.

If the client requires an explanation of the grounds for processing their data in the case of a pharmacy or a health care service provider in another European country, the request for clarification can be addressed to Kela (kirjaamo@kela.fi).

The client has the right to receive the same data again if there is a legitimate reason to do so in order to safeguard the client’s interests and rights. Kela has the right to charge a fee to cover the costs of providing data that have already been provided.

Kela’s operations and the maintenance of the Kanta Services are based on national legislation. For these reasons, the data subject’s right to erasure pursuant to Article 17 of the EU General Data Protection Regulation and the data subject’s right to data portability pursuant to Article 20 of the EU General Data Protection Regulation do not apply to data stored in the national contact point usage log data file. National legislation shall stipulate the retention period for the log data stored in the national contact point usage log data file, after which the data shall be destroyed.

Last updated 7.6.2024