Controller
Social Insurance Institution of Finland
Nordenskiöldinkatu 12, 00250 Helsinki
P.O. Box 450, 00056 Kela
tel. 020 634 11
Person responsible for register issues or contact person
Data Protection Officer for Kanta Services
kanta@kanta.fi
Name of the register
Clients using the sandbox environment for Kanta Personal Health Record.
Purpose of processing personal data / purpose of use of the register
By virtue of the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare (784/2021) and the Act on Electronic Prescriptions (61/2007), the Social Insurance Institution of Finland (hereinafter Kela) acts as the organiser of the national information system services (the Kanta Services).
According to section 4 of the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare (784/2021) (hereinafter the Client Data Act), Kela is the controller of data related to the use of wellbeing data entered in the Kanta PHR service pertaining to the national information system services (Kanta Services) and data related to the use of the service. For the maintenance of the service, Kela offers a sandbox environment for wellbeing application suppliers in support of the development of the integration of their application with the Kanta Personal Health Record service. Kela acts as controller of the client register for the sandbox environment of the Kanta Personal Health Record. The application supplier is responsible for ensuring that the data it has entered in the register is correct and up-to-date.
Client register for the sandbox environment for Kanta Personal Health Record and utilisation of the data
The application supplier saves its data in the client register for the sandbox environment of Kanta Personal Health Record when it starts to use the sandbox environment that authorises Kanta Personal Health Record and when it creates a username for itself for the sandbox environment. At the same time, the application supplier agrees that Kela can enter the data provided by the application supplier in the client register of the sandbox environment of Kanta Personal Health Record and process it for the purposes of this privacy policy in the way described in the policy. The application supplier cannot see the data entered by other application suppliers in the client register.
Kela may use the data entered in the register in order to find out the number of users of the service and, when necessary, in error investigation or maintenance situations. Kela may use the contact details entered in the register to contact the application supplier for maintenance purposes. Kela will not utilise the data entered in the register in any other ways.
Maintaining the client data
Application suppliers who have entered their data in the sandbox environment may get in touch with Kela by email if it is necessary to update or delete the data stored in the register. Kela will then update or delete the data in the register.
Storage of client data
The data is stored in the register for a maximum of 2 years from the date when the application supplier has notified Kela in writing that it will terminate the use of the sandbox environment.
Data content of the register
The register includes the following data:
- username
- password.
Regular data sources
Kela obtains the data from the application supplier using the sandbox environment that authorises the Kanta Personal Health Record. The application supplier enters the data in the client register when creating a username for the sandbox environment.
Regular disclosure of data and transfer of data outside the EU or the European Economic Area
The data shall not be transferred outside the EU or the European Economic Area.
Principles of protecting the register
Organisational principles
Kela contributes to the monitoring and supervision of the lawfulness of data processing. Kela also has an information security plan to ensure that data protection and information security are fulfilled. Kela provides written instructions on the processing of data and ensures that its staff have sufficient expertise and competence when processing the data.
Technical principles
At Kela, access to data in the client register has been restricted by only providing access rights to persons whose duties require such access.
A log is saved of the viewing and processing of data in the client register by Kela’s administrators.
Physical principles
The data entered in the client register is technically protected against editing and deleting.
Kela’s IT areas and the physical location of data are in Finland. Kela’s technical administrators have limited access to the IT areas when their duties require such access.
Access to the data
The application suppliers have the right to inspect any data concerning them that has been entered in the client register. A free-form and individualised request is sent by email to kirjaamo@kanta.fi.
Right to rectification
Application suppliers may request the rectification of data they have entered by emailing Kela at kanta@kanta.fi.
Right to lodge a complaint with the supervisory authority
If an application supplier deems that the processing of their personal data is in breach of the applicable data protection regulations (Articles 12–22 of the EU’s General Data Protection Regulation and other applicable data protection legislation), the client has the right to lodge a complaint with the competent regulatory authority.
Other rights related to the processing of personal data
Articles in the EU General Data Protection Regulation related to the rights of data subjects shall be applied to the processing of data.