Controller
Kela (Kansaneläkelaitos) - Social Insurance Institution of Finland
Nordenskiöldinkatu 12, FI-00250 Helsinki
PO Box 450, FI-00056 Kela
Tel. 020 634 11
Contact person for data file issues
For data file issues regarding patient data to be shared with a wellbeing application, clients can contact Kanta Services’ Customer Support at asiakaspalvelu@kanta.fi.
In matters concerning the rights of a data subject, please email enquiries to the Kanta Services’ Data Protection Officer at tietosuoja@kanta.fi.
Name of data file
Log data file of patient data to be shared with a wellbeing application
Purpose of and grounds for personal data processing / purpose of the data file
The processing of personal data is based on Section 74(2) of the Act on the Processing of Client Data in Healthcare and Social Welfare (703/2023), according to which it is possible to show or provide information stored about a person in national information systems services to that person through a national user interface or wellbeing application, except for information that the client is not entitled to receive according to Section 11(2) of the Act on the Openness of Government Activities, Section 34 of the Data Protection Act, or other legislation. In order to upload data to a wellbeing application, the client must take the wellbeing app into use and consent to data sharing. In addition, sharing and usage log data concerning the processing of the individual’s personal data, except for the recipient’s personal data, may be shown to the individual via the user interface.
The information in the log data file is used to verify that Kela processes patient data stored in the Kanta Services in accordance with the law. Kela also uses log data for troubleshooting.
Period for which the personal data are stored
Log data are retained for 12 years after their generation, after which the data will be deleted.
Kela does not have the right to process log data stored in the Kanta Services more extensively than is necessary to perform tasks related to the maintenance of the Kanta Services. Kela processes personal data in accordance with the EU General Data Protection Regulation and other laws regulating the processing of personal data.
Content of the data file
The log data file of patient data to be shared with a wellbeing application records an event number, information on how the event ended, and messages from wellbeing applications.
The log data file contains the following information:
- granted and removed access rights to wellbeing apps
- information that the user has received the Sharing of patient data with a wellbeing application information and the date when the user was informed.
- the wellbeing applications with which data have been shared and when
- what patient data have been shared.
The above data are recorded when wellbeing applications receive patient data. The log data file does not contain any document content or personal data.
Information on the patient data that have been shared is stored in the Patient Data Repository (processing log).
For clarity, let it be known that when sharing patient data with a wellbeing application, the information about users described below will be stored in the Kanta Services when the user takes the service into use and whenever the user grants access rights to applications or receives information about a change in the sharing of patient data with a wellbeing application.
- user’s personal identity code
- information about access rights granted to wellbeing applications or denied by the user
- information that the user has received the Sharing patient data with a wellbeing application information and the date when the user was informed.
Regular sources of data
The service gathers data from patient data disclosed from the Patient Data Repository and from access rights in the authorisation service.
Regular disclosure and transfer of data outside the EU or the European Economic Area
Notwithstanding the confidentiality provisions and other provisions concerning the use of data, Kela may share data with another authority if the authority requesting the data has a statutory right to the data in question and the legal requirements for the disclosure are met.
No data will be transferred outside the EU or the European Economic Area.
A commitment has been made with wellbeing application suppliers to disclose personal data between the data controllers.
Principles of data file security
Organisational principles of protection
Kela shall have a data security plan in place to ensure data protection and data security. Kela shall have a named data protection officer.
Kela provides written instructions on the processing of client data and the procedures to be followed, and it ensures that personnel have sufficient expertise and capabilities to process client data as part of their operations.
Principles of technical protection
Viewing or other processing of the log data stored in the log data file of patient data to be shared with a wellbeing application requires strong identification of the processor and the management of system-related access rights. The Digital and Population Data Services Agency is responsible for identification and certificate services.
Principles of physical protection
The data stored in the log data file of patient data that is to be shared with a wellbeing application is protected against alteration and deletion using technical means. Kela’s data centres and the physical locations where data are held are in Finland. Access to the data centres is restricted to Kela’s technical maintenance personnel as required by their duties.
Right of access to your own information
In accordance with Article 15 of the EU’s General Data Protection Regulation (2016/679), the data subject has the right to access their own data that has been stored in the log data file of patient data that is to be shared with a wellbeing application. The data subject has the right to request processing log data from Kela.
A person may act on behalf of an adult by power of attorney or as a legal representative, and may request access to the data in the log data file for patient data to be shared with the wellbeing application. A request for information made by a representative requires that the representative has the right to represent their client in the case in question. Kela will verify the person’s right to receive the data. The disclosure of data may be refused on legal grounds.
Requests for data should be directed to Kela (Registry, P.O. Box 450, FI-00056 Kela). Please refer to other rights related to the processing of personal data.
Right to lodge a complaint with a supervisory authority
If a client finds that their personal data have been processed in breach of the applicable data protection regulations, the client is entitled under Article 77 of the EU’s General Data Protection Regulation and Section 21 of the Data Protection Act to lodge a complaint with the competent supervisory authority. In Finland, the supervisory authority is the Data Protection Ombudsman.
Other rights related to the processing of personal data
The data subject has the right to request that Kela provide the log data for patient data to be shared with a wellbeing application. The data subject can submit a request for log data to Kela.
A person may act on behalf of an adult by power of attorney or as a legal representative, and may request information on the wellbeing applications with which data have been shared on the basis of consent by submitting a request for log data to Kela. Kela will verify the person’s right to receive the data. The disclosure of data may be refused on legal grounds.
A guardian has the right to request information on the wellbeing application with which data have been shared on the basis of a minor’s consent by submitting a request for log data to Kela. Kela will verify the validity of the custody upon a guardian’s request to access a minor's data. The disclosure of data may be refused on legal grounds.
Log data requests can be submitted using the log data request form, which is available from social welfare and health care service providers that have joined the Kanta Services, from pharmacies, and from Kela’s customer service points, plus the www.kanta.fi website. It is also possible to request log data by phone or email. Please direct requests to Kela Registry (kirjaamo@kela.fi) or Kela Registry, P.O. Box 450, FI-00056 Kela.
Access to log data dating further back than two years will not be granted without a special reason. The client may not use or disclose the log data received for any other purpose.
The client has the right to receive the same data again if there is a legitimate reason to do so in order to safeguard the client’s interests and rights. Kela has the right to charge a fee to cover the costs of providing data that have already been provided.
Kela’s operations and maintenance of the Kanta Services are based on national legislation. For these reasons, the right of the data subject under Article 17 of the EU General Data Protection Regulation to erasure and the right of the data subject under Article 20 to data portability between systems do not apply to the data stored in the log data file for patient data to be shared with a wellbeing application. National legislation regulates the retention period of log data stored in the log data file for patient data to be shared with a wellbeing application, after which the data will be destroyed.