Privacy policy statement of the Kanta Services client register

Privacy policy statement of the Kanta Services client register

This is the valid privacy policy for the Kanta Services client register, which was updated on 01.01.2024.

Controller

The Social Insurance Institution of Finland

Nordenskiöldinkatu 12, 00250 Helsinki
Postal address PO Box 450
Postal code 00056
Phone number 020 634 11

Person responsible for register-related issues or contact person

Clients can direct enquiries about the Kanta Services client register to Kanta Services’ customer support at kanta@kanta.fi.

In matters concerning the rights of a data subject, please email enquiries to the Kanta Services’ Data Protection Officer at tietosuoja@kanta.fi.

Name of register

Kanta Services client register.

Purpose of processing personal data / purpose of use of the register

By virtue of the Act on the Processing of Client Data in Healthcare and Social Welfare (703/2023) and the Act on Electronic Prescriptions (61/2007), the Social Insurance Institution of Finland (hereinafter Kela) acts as the administrator of the national information system services (the Kanta services). In addition, Kela maintains the Pharmaceutical Database service and the Kanta client test service, and it coordinates the joint testing of systems.

In order to carry out its statutory duties, Kela needs the information of persons responsible and contact persons related to the use of services.

Clients of the Kanta Services

In this privacy policy, a client refers to:

  • social welfare and health care service providers and pharmacies that sign an undertaking on the use of Kanta Services
  • doctors or dentists with the right to practise health care professionally, who register as users of the Kelain service
  • information system providers who deploy the Kanta client test service and/or participate in the joint testing of information systems
  • application providers who integrate the application into the Kanta PHR
  • Kanta providers
  • Pharmaceutical Database intermediaries
  • other cooperation bodies who receive fault notifications or other communications (for example, invitations to meetings).

Client register of Kanta services and utilisation of the data

The client register of the Kanta Services is a client-specific dataset that is used for customer service, invoicing, and contacts between Kela and the client. The data are utilised, for example, to provide information to clients and to send fault notifications concerning the Kanta Services, Kela’s reception service for the purchasing and settlement of medicines, and the query service for direct reimbursement details. It is also possible to send queries to the contact persons/points given by the client in order to collect information from the client with regard to matters that are essential for Kela’s tasks. The collected data are used for the development of operations. Invoicing-related data (contact persons and addresses for invoicing) is used to invoice the user fees for Kanta Services.

Maintaining the client data

Social welfare and health care service providers and pharmacists using the Prescription service, the Patient Data Repository, the Archive of Imaging Data, or the Client Data Archive for Social Welfare Services record and update information and contact information related to their client account using the Kanta Extranet service on the Kanta Services client register.

Clients deploying other Kanta Services shall provide the client data on a service-specific contact form in connection with service deployment, whereupon the information will be manually recorded on the Kanta Services client register.

Doctors or dentists with the right to practise a social welfare or health care profession who use the Kelain service will record and update information and contact details related to their client accounts in the client register of Kanta Services using the Kelain service.

Other clients shall notify the client data either by telephone, post or email, in which case the Kanta services will manually record and update the data in the client register of Kanta services.

The roles of contact persons and contact points in the client register

On the client register, the contact persons and contact points of the client who is deploying the Kanta Services are connected to the client with roles that are used to create distribution lists by target group. The distribution lists are used in press releases, queries and other contacts. Depending on the Kanta Service to be deployed, the client shall provide Kela with contact details in relation to the following roles:

  • administrative contact person
  • technical contact person or organisation
  • Data Protection Officer
  • archivist of the Patient Data Repository
  • archivist of the client data archive in social welfare services
  • contact person for invoicing
  • recipient of fault notifications
  • Technical contact point for the Archive of Imaging Data.

The information system provider to be certified to use the Kanta Services shall notify Kela of the contact persons related to the development and maintenance of the system and joint testing. The Kanta agent shall report to Kela the contact persons related to the maintenance of the access point. All clients can report to Kela their contact person for fault notifications and the contact details for communications.

Retention of data

Applications signed by the client to become a client of the service, an undertaking for the client account in the Kanta Services, and approvals of the service description are all documents that are permanently stored in accordance with Kela’s information management plan. The client register of the Kanta Services retains information on when clients start and stop using the Kanta Services.

Information on the contact person or contact point, address information, and technical connection information given and maintained by a client who has taken the Kanta Services into use shall be deleted from the client register 10 years after the termination of the client account.

The contact details and addresses for invoicing provided by the client will be transferred to Kela’s client data register for sales invoices. Data retention is described in the privacy policy “Privacy statement for the supplier and customer register”.

If the client’s application to join is left incomplete or cancelled after submission, the data in the application to join will be deleted. This will be done six months after the application was left incomplete or cancelled.

Information about contact persons and contact points submitted by a client who has not taken the Kanta services into use will be deleted from the client register when the client so requests.

A client’s contact details may also be deleted from the client register if it is discovered that they are no longer valid (e.g. an e-mail address is no longer used).

Information content of the register

The following information about clients who have joined as a user of the Kanta Services will be recorded on the register:

  • information about the Kanta Services used by the client
  • administrative address and invoicing address
  • information about the client’s contact persons/points (name, phone number, email, contact person role, certificate card number)
  • information about the client’s technical accession (access point and system data used by the client).

The following information about health care professionals who have taken Kelain into use is recorded on the register:

  • name
  • certificate card number
  • telephone number
  • email address
  • information about the deployment of the Kelain service.

Regular information sources of data

Basic data about social welfare and health care service providers, pharmacies, and pharmacists who deploy the Kanta Services are imported into the Kanta service from the National Code Service Valvira – Self-employed health care professionals code, the SOTE organisation register and the Pharmacy Register. In addition, the party deploying the Kanta Services shall provide information and contact details relating to the use of the services when joining as a user of the service. The client can edit the information as the client relationship continues.

Other clients can maintain their client data stored in the Kanta Services in a manner agreed upon separately.

Regular disclosure of data and transfer of data outside the EU or the European Economic Area

The contact person information and addresses for invoicing provided by the client are transferred to Kela’s client data register for sales invoices for the purpose of invoicing Kanta Services user fees.

The data shall not be transferred outside the EU or the European Economic Area.

Principles of protection of the register

Organisational protection principles

Kela has an information security plan in place to ensure data protection and data security. Kela must have a designated data protection officer.

Kela provides written instructions on the processing of client data and the procedures to be followed, and ensures that personnel have sufficient skills and expertise to process client data as part of their operations.

Kela must take the necessary measures on their own initiative if someone has unlawfully viewed, used or disclosed information stored on the client register.

Technical protection principles

Clients using the Kanta Services primarily manage their client data through the Kanta Extranet. Users log in to the Kanta Extranet using Suomi.fi identification and authorisations.

Clients who use Kelain manage their data through Kelain.

The processing of data on the client register by the client requires strong authentication and access rights to the Kanta Extranet or Kelain service.

Log data on the viewing and processing of client register data is stored in the client register log.

Kela is obligated to carry out statutory tasks and necessary maintenance tasks, the implementation of which requires that Kela’s technical administrator has limited access rights to the client register. Kela is responsible for managing user rights to the client register.

Physical protection principles

The data recorded in the client register is technically protected to prevent editing and deleting.

Kela’s IT areas and the physical location of data are in Finland. Kela’s technical maintenance staff have limited access to the IT areas when the management of their duties requires such access.

Right of access to your data

In accordance with Article 15 of the EU General Data Protection Regulation (2016/679), data subjects have the right to access the data stored about them on the client register.

The representative of the client organisation is entitled to check the data recorded of themselves in the client register. A free-form and individualised request is sent by email to kirjaamo@kela.fi.

Right to request rectification of inaccurate data

According to Article 16 of the EU General Data Protection Regulation (2016/679), the data subject has the right to obtain the rectification of inaccurate personal data concerning them.

A client using the Kanta service may correct their contact details related to their client account in the Kanta Ekstranet service or request correction via the Kanta service customer service kanta@kanta.fi.

Right to lodge a complaint to the regulatory authority

If a client finds that their personal data have been processed in breach of the applicable data protection regulations, the client is entitled under Article 77 of the EU General Data Protection Regulation and section 21 of the Data Protection Act to lodge a complaint with the competent supervisory authority. In Finland, the supervisory authority is the Data Protection Ombudsman.

Other rights related to the processing of personal data

The client register of the Kanta services is a service implemented and maintained by Kela. Kela’s operations are based on the national legislation. As a result of this, the data subject's right to erasure of data by virtue of Article 17 of the EU's General Data Protection Regulation and the data subject’s right to transmit the data from one system to another by virtue of Article 20 of the regulation shall not be applied to data recorded in the Kanta client register. The client data recorded in the client register will be destroyed after the retention period.

Last updated 15.2.2024