Privacy policy for the MyKanta log data

Privacy policy for the MyKanta log data

This is the valid privacy policy for the MyKanta log data. The policy was updated on 4 Jan 2024.

Controller

Kela (Kansaneläkelaitos) - Social Insurance Institution of Finland

Nordenskiöldinkatu 12, 00250 Helsinki
PO Box 450, 00056
Tel. 020 634 11

Contact person for data file-related issues

Kanta Services customer service asiakaspalvelu@kanta.fi

You can send enquiries to the Kanta Services’ data protection officer by e-mail: tietosuoja@kanta.fi.

Name of data file

MyKanta log data

Purpose of processing personal data / purpose of the data file

The Social Insurance Institution of Finland (hereinafter ‘Kela’) processes personal data in accordance with the EU's General Data Protection Regulation and other laws regulating the processing of personal data.

Under section 65 of the Act on the Client Data in Healthcare and Social Welfare (Client Data Act, 703/2023), Kela is responsible for the technical provision and maintenance of the citizens’ user interface (hereinafter referred to as MyKanta).

Kela acts as the controller of the MyKanta log register pursuant to section 70 of the Client Data Act (703/2023).

Logging in to MyKanta requires strong individual identification on the Suomi.fi site using online banking codes, a certificate card or a mobile certificate. The Digital and Population Data Services Agency is responsible for the joint Suomi.fi identification service for public administration e-services.

Information on identification and acting on behalf of another person in MyKanta is stored in the log data file.

The log data are used to verify identifications and transactions carried out on behalf of another person. The data makes it possible to, upon request, ascertain who has logged in to MyKanta and used functions for acting on behalf of another person, when, from which IP address, and on whose behalf.

Log data are also used to compile user statistics and to resolve problem situations (e.g. security-related problems, in which case Kela must verify the user data for the service).

Content of the data file

The data file contains the following data:

  • the logged in user’s personal identity code
  • time of login
  • IP address
  • timestamp
  • the personal identity code of the person acting on behalf of another person
  • the time at which the user acted on behalf of another person
  • the grounds for acting on behalf of another person (custody, right of access or authorisation)
  • name of the person who acted on behalf of other (from 10.10.2023)
  • right to act on behalf of another person (information on whether acting on behalf of another person is permitted).
  • data retrieved from the Population Information System (storage 5 years)
    • record of death (this information is no longer available from 14 September 2023)
    • date of death
    • domicile (permanent place of residence)
    • name

Regular sources of data

Log data are recorded when a citizen logs in to MyKanta. The citizen themselves selects an identification method / certification service provider and agrees to provide a personal identity code to the service provider in the identification. 

The record of death, the date of death, the name, domicile and the personal data of minor dependants are transmitted by the Population Information System of the Digital and Population Data Services Agency. 

The right to act on behalf of another person is provided by the Suomi.fi e-Authorizations service.

Regular disclosure and transfer of data outside the EU or the European Economic Area

No regular disclosure. The data will not be transferred outside the EU or the European Economic Area. 

Period for which the personal data are stored

In accordance with the retention time appendix to the Client Data Act, the retention period for log data shall be 12 years from when they are generated.

The data retrieved from the Population Information System contained in the log data are stored for five years, after which the data are destroyed (section 20 of the Act on the Population Information System and the Certificate Services of the Digital and Population Data Services Agency 661/2009).

Principles of data file security

Organisational measures

Kela has a data security plan in place to ensure data protection and data security. Kela has a named data protection officer. Kela provides written instructions on the processing of client data and the procedures to be followed, and it ensures that personnel have sufficient expertise and capabilities to process client data as part of their own operations. 

Technical protection

The information stored in the MyKanta log data file is technically protected from alteration and erasure. Only designated Kela employees have individually restricted access to the MyKanta log data file in order to carry out statutory vital maintenance tasks. Kela is responsible for managing user rights. 

Physical protection of locations and devices

Kela's data centres and the physical locations where data are held are in Finland. Access to the data centres is restricted to Kela's technical maintenance personnel as required by their duties.

Right to lodge a complaint with a supervisory authority

If a client finds that their personal data has been processed in breach of the applicable data protection regulations, the client is entitled under Article 77 of the EU’s General Data Protection Regulation and section 21 of the Data Protection Act to lodge a complaint with the competent supervisory authority. In Finland, the supervisory authority is the Data Protection Ombudsman. 

Other rights related to the processing of personal data

The client is entitled to request their MyKanta log data from Kela.  

The client may act using a power of attorney or as a legal representative on behalf of an adult and request the right to access their MyKanta log data. Kela will verify the person's right to receive the data. The disclosure of data may be refused on legal grounds.

A guardian may request the right to access information on a minor stored in the MyKanta log data. Kela will verify the validity of the custody upon a guardian’s request to access a minor's data. The disclosure of data may be refused on legal grounds.

The log data request can be made using the log data request form, which is available from social welfare and health care service providers, pharmacies and Kela customer service points that have joined the Kanta service. Requests for log data should be directed to Kela (Registry, P.O. Box 450, 00056 Kela). A request for log data may also be made by contacting Kela's Registry by phone or email (kirjaamo@kela.fi). 

Access to log data dating further back than two years will not be granted without a legitimate reason. The client may not use or disclose the log data received for any other purpose.

The client has the right to receive the same data again if there is a legitimate reason to do so in order to safeguard the client's interests and rights. Kela has the right to charge a fee to cover the costs of providing data that have already been provided.

Last updated 18.1.2024