Change of controller

A change of controller is planned and carried out in cooperation with the service providers, the information system providers and Kela. The administrative responsibility for the change lies with the service provider.

Patient, client and prescription data stored in the Kanta Services must have an active data controller who is responsible for the maintenance, storage and management of the data in their register. If there are changes to the organisation, for example, due to a company acquisition or a change in the company’s legal framework, the data controller information must also be updated. The service providers affected by the change will plan the change of controller together and agree who will be responsible for the required actions.

A change of controller occurs when the new controller continues to operate and use the data for client and patient work. The extent to which the data will be transferred to the new register is agreed between the new and the previous controller. 

In the change, the management of the data and access to the data it contains will be transferred to another service provider. The new controller can retrieve data from the register in question from Kanta, just as it can with any other piece of its data. 

Key concepts in the change of controller

A service provider is an operator who organises or provides social welfare services, healthcare services or joint social welfare and healthcare services. In public social welfare and healthcare services, service providers include, for example, wellbeing services counties. In private social welfare and healthcare services, the service provider can be a company, an independent healthcare professional or an association. 

If the service provider is responsible for providing a social welfare or healthcare service, it is also the controller of data generated in its activities.

The controller is the social welfare and healthcare service provider who is responsible for processing the personal data in the register. 

The controller is responsible for ensuring that

  • data are stored securely
  • data are correct
  • data are processed in accordance with the law
  • clients can check their data.

In public social welfare and healthcare services, the controller is the public authority that organises the services. For example, it could be a wellbeing services county.

In private social welfare and healthcare services, the service provider with whom the client has concluded a contract for the provision of the service is the controller of client data. 

If the social welfare or healthcare service is provided on behalf of another service provider (for example, as an outsourced service), the data is stored in the data file of the service provider who is responsible for organising the service. 

In occupational healthcare services, the controller is either the service provider with whom the employer has made a contract to provide occupational healthcare services or the employer who organises occupational healthcare services for its personnel itself.

A register is a data set containing structured personal data from which information is available on a specific basis. In this context, a register refers to registers of social welfare and healthcare client data.

A social welfare and healthcare service provider records the client data generated in its activities in the following registers:

  • to the patient data register, in the case of patient data
  • to the social welfare service client data register, in the case of social welfare service client data
  • in the occupational healthcare data register if the service provider organises the occupational healthcare services of its staff itself.

How to carry out a change of controller

The extent to which the operations are transferred to the new controller and what data will be transferred to the new data file is agreed between the new and the previous controller.

Contact your system providers and also agree with them on the change of controller and its schedule. If the data file contains imaging data, you should also plan the transfer of this data to the new data file with the system providers. 

If you wish, you can test the update of the controller information in the client test environment of the Kanta Services together with your system provider before the actual change of controller. For testing instructions, please email kanta@kanta.fi

Private service providers send word of a change in the service provider's information to the Soteri register of service providers (valvira.fi)(opens new window). The information is updated from Soteri to the Code Service maintained by THL. 

Public service providers will update the information themselves in the SOTE organisation register if there are changes to their service units. 

In addition, the information of public healthcare service providers must be valid in the data controller register of THL’s Code Service. Please send word of any changes by email to koodistopalvelu@thl.fi.

Read THL’s guidelines on checking and maintaining data in the SOTE organisation register in the public sector (yhteistyotilat.fi, in Finnish)(opens new window)

Kela is prepared to make changes of controller at the following times.

Dates for changes of controller in 2025: 

  • 30 January 2025
  • 27 February 2025
  • 31 March 2025
  • 29 April 2025
  • 22 May 2025
  • 30 June 2025
  • 28 August 2025
  • 30 September 2025
  • 30 October 2025
  • 27 November 2025

Dates for changes of controller in 2026: 

  • 29 January 2026
  • 26 February 2026
  • 31 March 2026
  • 29 April 2026
  • 28 May 2026
  • 30 June 2026
  • 31 August 2026
  • 30 September 2026
  • 29 October 2026
  • 30 November 2026

Notify Kela of a change of controller by sending a change notification form by email to kanta@kanta.fi. Fill in the form carefully.

Change notification form for change of controller (pdf, in Finnish)(opens new window)

Kela will send you confirmation of the date of the change of controller by email.

The service providers are responsible for ensuring that the change in the data controller information is made in both service providers' information systems and in Kela at the same time. This prevents errors and ensures that the information in the data file can be corrected later.

Kela will inform the contact persons indicated on the change notification form when it has logged the change of controller.

After termination, the service provider will no longer be charged for the user fees of the Kanta Services.
For instructions on how to terminate your client account, refer to the page Termination of client account in the Kanta Services.

After the change of controller, make sure you at least check the following with your information system provider:

  • documents are available in real time in the Kanta Services
  • all internal registers (health care, occupational healthcare and social welfare services) are operational 
  • management of data sharing is functional and denials of consent to data sharing made by clients work correctly
  • personnel’s access rights to the register and to outsourced service providers are set correctly
  • corrections and cancellations of documents can be made in the information system and in the Kanta Archivist’s User Interface.

Clients need to be informed, for example:

  • to whose register the data will be transferred 
  • whom they need to contact in the future about their data
  • that their consent to sharing their data and any denials of consent to share their data issued to the previous controller will remain valid even if the documents are transferred to the register
  • if the client is transferred as a client of the new controller, they can choose to give new denials of consent if they wish to deny sharing of their data in the future.

The obligation to inform clients of the change lies with the organisation responsible for processing personal data after the change is made (eur-lex.europa.eu)(opens new window).