Social Insurance Institution of Finland
Nordenskiöldinkatu 12, 00250 Helsinki
P.O. Box 450, 00056 Kela
tel. 020 634 11
Person responsible for register issues or contact person
Data Protection Officer for Kanta Services
Name of the register
Clients using the sandbox environment for Kanta Personal Health Record.
Purpose of processing personal data / purpose of use of the register
By virtue of the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare (784/2021) and the Act on Electronic Prescriptions (61/2007), the Social Insurance Institution of Finland (hereinafter Kela) acts as the organiser of the national information system services (the Kanta Services).
According to section 4 of the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare (784/2021) (hereinafter the Client Data Act), Kela is the controller of data related to the use of wellbeing data entered in the Kanta PHR service pertaining to the national information system services (Kanta Services) and data related to the use of the service. For the maintenance of the service, Kela offers a sandbox environment for wellbeing application suppliers in support of the development of the integration of their application with the Kanta Personal Health Record service. Kela acts as controller of the client register for the sandbox environment of the Kanta Personal Health Record. The application supplier is responsible for ensuring that the data it has entered in the register is correct and up-to-date.
Client register for the sandbox environment for Kanta Personal Health Record and utilisation of the data
Kela may use the data entered in the register in order to find out the number of users of the service and, when necessary, in error investigation or maintenance situations. Kela may use the contact details entered in the register to contact the application supplier for maintenance purposes. Kela will not utilise the data entered in the register in any other ways.
Maintaining the client data
Application suppliers who have entered their data in the sandbox environment may get in touch with Kela by email if it is necessary to update or delete the data stored in the register. Kela will then update or delete the data in the register.
Storage of client data
The data is stored in the register for a maximum of 2 years from the date when the application supplier has notified Kela in writing that it will terminate the use of the sandbox environment.
Data content of the register
The register includes the following data:
Regular data sources
Kela obtains the data from the application supplier using the sandbox environment that authorises the Kanta Personal Health Record. The application supplier enters the data in the client register when creating a username for the sandbox environment.
Regular disclosure of data and transfer of data outside the EU or the European Economic Area
The data shall not be transferred outside the EU or the European Economic Area.
Principles of protecting the register
Kela contributes to the monitoring and supervising of the lawfulness of data processing. Kela also has an information security plan to ensure that data protection and information security are fulfilled. Kela provides written instructions on the processing of data and takes care of sufficient expertise and competence of its staff when processing the data.
At Kela, access to data in the client register has been restricted by only providing access rights to persons whose duties require such access.
A log is saved of the viewing and processing of data in the client register by Kela’s administrators.
The data entered in the client register is technically protected against editing and deleting.
Kela’s IT areas and the physical location of data are in Finland. Kela’s technical administrators have limited access to the IT areas when the management of their duties requires such access.
Access to the data
The application suppliers have the right to inspect any data concerning them that has been entered in the client register. A free-form and individualised request is sent by email to firstname.lastname@example.org.
Right to rectification
Application suppliers may request the rectification of data they have entered by emailing Kela to email@example.com.
Right to lodge a complaint before the supervisory authority
If an application supplier deems that the processing of their personal data is in breach of the applicable data protection regulations (Articles 12–22 of the EU’s General Data Protection Regulation and other applicable data protection legislation), the client has the right to lodge a complaint before the competent regulatory authority.
Other rights related to the processing of personal data
Articles in the EU General Data Protection Regulation related to the rights of data subjects shall be applied to the processing of data.