Privacy statement for customers of the sandbox environment of wellbeing data stored in Kanta Services

Privacy statement for customers of the sandbox environment of wellbeing data stored in Kanta Services

This is the current version of the privacy statement for customers of the sandbox environment of wellbeing data stored in Kanta Services. The statement was last updated on 12 February 2024.

Controller

Kela (Kansaneläkelaitos) - Social Insurance Institution of Finland

Nordenskiöldinkatu 12, 00250 Helsinki PO Box 450, FI-00056 Kela Tel. 020 634 11

Controller's contact person

In matters related to the sandbox environment of wellbeing data stored in Kanta Services and other service-related questions, the application provider may contact Kanta Services by email at kanta@kanta.fi.

In matters concerning the rights of a data subject, please email enquiries to the Kanta Services’ Data Protection Officer at tietosuoja@kanta.fi.

Name of data file

Client data file of the sandbox environment of wellbeing data stored in Kanta Services (Kanta PHR).

Purpose of processing personal data / purpose of the data file

Under the Act on the Processing of Client Data in Healthcare and Social Welfare (703/2023, 'Client Data Act') and the Act on Electronic Prescriptions (61/2007), the Social Insurance Institution of Finland (hereinafter 'Kela') acts as the organiser of national information system services (Kanta Services).

According to section 73 of the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare (703/2023), Kela is the data controller for the wellbeing data and service usage data stored in the Kanta PHR service, which is part of the national information system services in health care, the Kanta Services. For the purposes of maintaining the service, Kela offers wellbeing application providers a sandbox environment to support the integration of applications in the Kanta PHR service. Kela is the controller of the data file of customers of the sandbox environment of wellbeing data stored in the

Kanta Services (Kanta PHR). Application providers are responsible for ensuring that the data they store in the data file is accurate and up-to-date.

Client data file of the sandbox environment of wellbeing data stored in Kanta Services and use of the data

In the client data file of the sandbox environment of wellbeing data stored in Kanta Services, the application provider stores its data once the provider begins using the authorising sandbox environment of the Kanta PHR and creates a user account in the sandbox environment. At the same time, the application provider agrees that Kela may store the data entered by the application provider in the client data file of the sandbox environment of wellbeing data stored in Kanta Services and process them for the purposes and in the manner described in this privacy statement. Application providers cannot access data entered in the client data file by other application providers.

Kela may use the data entered in the data file to determine the number of users of the service and, if necessary, for troubleshooting or maintenance purposes. Kela may use the contact information entered in the data file to contact application providers only for maintenance purposes. Kela does not process data entered in the data file for other purposes.

Maintenance of client data

An application provider that has stored its data in the sandbox environment may contact Kela by email if the stored data needs to be updated or removed from the data file. In this case, Kela will update or delete the data concerned.

Retention of client data

Data is stored in the data file for a maximum of two (2) years after the application provider has notified Kela in writing regarding its intention to stop using the sandbox environment.

Content of the data file

The data file contains the following data:

  • username
  • password.

Regular sources of data

Kela receives the data from the application provider that uses the authorising sandbox environment of the PHR. The application provider stores the data in the client data file when it creates a user account in the sandbox environment.

Regular disclosure and transfer of data outside the EU or the European Economic Area

The data will not be transferred outside the EU or the European Economic Area.

Principles of data file security

Organisational safeguards

Kela has a data security plan covering data security, privacy protection and information system use. Kela has a designated Data Protection Officer. Kela issues written instructions on data processing and ensures that personnel have sufficient expertise and competence for the processing.

Technical safeguards

At Kela, access to client data is restricted with access rights only to those employees whose duties require access.

A log is kept of all instances of accessing and processing client data by Kela's administrators.

Physical safeguards

Data stored in the client data file is safeguarded by technical means against modification and deletion.

Kela's data centres and the physical locations where data are held are in Finland. Access to the data centres is restricted to Kela's technical maintenance personnel as required by their duties.

Access to personal data

The application provider has the right to access its data stored in the client data file. The request can be free-form and should specify the data to be accessed. Requests can be made by email to kirjaamo@kela.fi.

Right to rectify data

The application provider may request the correction of its data by contacting Kela by email at kanta@kanta.fi.

Right to lodge a complaint with a supervisory authority

If the application provider considers that the processing of its personal data concerning violates applicable data protection regulations (EU General Data Protection Regulation, Articles 12–22 and other applicable data protection legislation), the client has the right to lodge a complaint with the competent supervisory authority.

Other rights related to the processing of personal data

The provisions of the EU General Data Protection Regulation on the rights of data subjects apply to the processing of data.

Last updated 16.2.2024