Data protection

Privacy statement regarding the processing of personal data in securities markets supervision

This Privacy Statement describes, in accordance with the General Data Protection Regulation (EU) 2016/679, how the Financial Supervisory Authority (FIN-FSA) processes personal data in its supervision of securities markets, and what rights the data subjects have.

1. Purpose of the processing of the personal data and the legal basis for the processing

The data is processed so that the FIN-FSA can detect and investigate possible cases of market abuse and monitor the fair and orderly functioning of the market and the activities of investment service providers.

The legal basis for processing the personal data is the need to process the data for the performance of the statutory tasks of the FIN-FSA:

The processing of notifications of ownership and voting rights (flagging notifications) reported to the FIN-FSA is based on chapter 9, section 5 of the Securities Markets Act.
The processing of prospectuses (including basic information documents) and offer documents is based on chapters 3 and 11 of the Securities Markets Act.
The processing of notifications of the transactions with financial instruments of the management of listed companies and their related parties is based on Article 19 of the Market Abuse Regulation (EU) No 596/2014 (MAR).
The processing of short selling notifications is based on Articles 5 and 6 of Regulation (EU) 236/2012 of the European Parliament and of the Council on short selling and certain aspects of credit default swaps.
The processing of trade reporting-related data and order data is based on Articles 25 and 26 of the Markets in Financial Instruments Regulation (EU) No 600/2014 (MiFIR).
The processing of insider lists is based on Article 18 of the MAR.
Requested additional information is processed on the basis of the supervisory powers of chapter 3 of the Act on the Financial Supervisory Authority.

The personal data may also be processed for archiving purposes in the public interest.

2. Categories of data subject, the personal data processed and information sources

Categories of data subject:

Natural persons subject to flagging obligation
The persons responsible for the prospectus and advisers, the members of the issuer’s governance and supervisory bodies and senior management, other persons discharging managerial responsibilities as well as related parties, the auditor with main responsibility and the issuer’s major shareholders
The persons responsible for the offer document, advisers, the persons acting as the offeror, persons related to them pursuant to section 11 subsection 5 of the Securities Markets Act as well as the members of the governance and supervisory bodies of the company subject to the offer, other senior management, the auditor with main responsibility and the major shareholders of the company subject to the offer
Holders of short positions (if a natural person)
The clients of trade-reportable transactions, the persons who made the investment decision and the persons responsible for the implementation of the decision
Persons with access to inside information who work for the issuers or for those acting on their behalf or on their account based on an employment contract or otherwise perform tasks through which they have access to inside information, such as advisers, accountants or credit rating agencies
The clients who gave the order, the persons who made the investment decision and the persons responsible for the execution of the order
Persons suspected of offences
Persons reporting data to the FIN-FSA

The personal data processed and sources of information:

Flagging information includes personal information such as name, domicile, home state, contact details and any other information provided in the flagging notification. Information is obtained from the data subject themselves or a party acting on their behalf.
Personal information included in prospectuses such as name, position in the company, address, mutual family relationships, work address, conflicts of interest. Information is obtained from a prospectus received from the issuer or from a party acting on its behalf or from a prospectus approved by the competent authority of another EEA state and notified to the FIN-FSA by the authority that approved it.
Personal information included in the offer document, such as name, position in the company, address and domicile. Information is obtained from the offeror itself or from a party acting on its behalf.
Management transactions include personal information such as name, position and details of transactions. The information is obtained from the data subject themselves or the issuer.
Personal information such as name, address, name of contact person, telephone number, fax number, email address and information on short positions is collected from the holders of short positions. The information is obtained from or the data subject themselves or from a party acting on their behalf.
Trade-reportable information includes personal information such as name, date of birth, nationality and personal identity code as well as information about trades. Information is obtained from the investment service provider that carried out the transaction, the reporting service provider or other EU/EEA supervisors. The names, personal identity codes, dates of birth and information on roles in companies of persons entered in a trade register are also obtained from the Trade Register of the Finnish Patent and Registration Office (PRH) and information on related parties (names, dates of birth and personal identity codes) from the Digital and Population Data Services Agency (DVV).
In insider lists, processed information includes personal information such as name, personal identity code, date of birth, birth surname, telephone number, position and home address as well as insider registration information. Information is obtained from the issuer or from a party acting on its behalf or on its account when requested by the FIN-FSA.
Order information includes personal information such as name, date of birth, nationality and personal identity code as well as information about orders. Information may be obtained from the trading venue where the order was sent for execution, from an authorised service provider acting on behalf of the trading venue, from the investment service provider that submitted the order or from supervisors in other EU/EEA countries.
Information about a suspected offence and the preliminary investigation, such as the name of the suspect and processing information received from the prosecution authority. Information is obtained from the data subject, the issuer (or a party acting on its behalf), the investment firm (or a party acting on its behalf), other supervisors in other EU/EEA countries, other public authorities, other parties or public sources.
Information related to the imposition of administrative sanctions.
Possible communication with the data subject.
Name, email address and telephone number as well as identification and authorisation information of the persons reporting information to the FIN-FSA (see also Data protection statement regarding the processing of the personal data of stakeholder representatives as well as persons submitting requests for information and other requests). When using Suomi.fi identification, identification and authorisation information is obtained from the Digital and Population Data Services Agency, which also collects for itself transaction information on the use of the service. Other information is obtained from the person themselves or the company they represent.

The information is not used in automated decision-making.

3. Recipients or categories of recipients of the personal data

The FIN-FSA provides trade reports and offer book information containing personal data to the competent authorities of other EU/EEA countries.

For holders of short positions, information on those that exceed 0.5 per cent of the entire share capital is published on the FIN-FSA’s website. Information on position holders below 0.5 per cent is not published.

FIN-FSA-approved prospectuses prepared for the offering and listing of securities as well as offer documents for public purchase offers are published on the FIN-FSA’s website.

The FIN-FSA must notify the police immediately if criminal conduct is detected or suspected in the course of its supervisory activities. Administrative sanctions imposed by the FIN-FSA are reported to the European Securities Market Authority (ESMA). In addition, investigation requests and administrative sanctions within the scope of market abuse and investment services regulations are reported to ESMA in the form of aggregated information once a year.

The personal data may otherwise be disclosed in possible requests for information concerning the data insofar as the data are public on the basis of the Act on the Openness of Government Activities or the party requesting the data otherwise has the right to receive the data.

The FIN-FSA has outsourced the processing of personal data to the following service providers, who process personal data on the FIN-FSA’s behalf:

IT system and application suppliers
IT consultants
Communication service providers.

4. Information on the possible transfer of the personal data to a third country or an international organisation

The personal data are not, as a rule, transferred outside of the EU or the EEA or to international organisations. If the data are transferred outside of the EU or EEA, an adequate level of personal data protection is ensured, as required by data protection legislation.

The FIN-FSA is party to an agreement concluded on 19 June 2019 between ESMA and third country authorities pursuant to Article 46(3) of the GDPR under which the personal data may be transferred to third country authorities which are party to the agreement.

5. Period for which the personal data will be retained, or the criteria used to determine that period

The personal data will be retained for as long as necessary for the purposes of processing the personal data or to comply with statutory obligations. Insofar as the personal data are included in material that must be archived on the basis of a decision by the National Archives of Finland, the data will be retained permanently in the archives.

6. General description of technical and organisational security measures

In order to protect the personal data against unauthorised access, disclosure, destruction or other unlawful processing, the personal data are processed in systems that have been protected with appropriate technical data protection solutions, taking potential risks into consideration. Manual material is located in premises to which unauthorised persons are prevented from accessing. Only those employees who need to process the personal data in order to perform their duties have access to the personal data being processed.

7. Rights of the data subjects

The data subjects have the right:

to request from the controller access to the personal data concerning them and the right to request that such data be corrected or for processing to be restricted and
to lodge a complaint about the processing of the personal data with the supervisory authority.

Access to data concerning data subjects themselves is not granted, however, if the disclosure of such data might jeopardise the performance of the statutory tasks of the FIN-FSA or the prevention or investigation of infringements of financial market regulations or for any other reason expressly provided for by law.

As the FIN-FSA is required to process the personal data for the performance of its statutory tasks, the data subject does not have the right to erase, transfer to another system or object to the processing of the data processed in accordance with this privacy statement.

8. Statutory or contractual requirement to provide information and consequences of failure to provide such information

Based on Article 19 of the Market Abuse Regulation, persons discharging managerial responsibilities, as well as persons closely associated with them, are obliged to submit information about their transactions to the issuer and to the FIN-FSA. Failure to report transactions to the FIN-FSA is subject to a penalty payment in accordance with chapter 15, section 2 of the Securities Markets Act.

Based on Regulation (EU) 236/2012 of the European Parliament and of the Council, holders of short positions are obliged to submit information on short positions to the FIN-FSA. Failure to report positions to the FIN-FSA is subject to a penalty payment in accordance with chapter 15, section 2 of the Securities Markets Act.

Under chapter 9, sections 5, 6, 6a, 6b and 9 of the Securities Market Act, shareholders are obliged to notify the FIN-FSA of significant holdings of shares and voting rights. Failure to comply with the notification obligation is subject to a penalty payment in accordance with chapter 15, section 2 of the Securities Markets Act.

The FIN-FSA’s supervised entities, other financial market participants and persons are obliged to provide the information requested by the FIN-FSA for supervisory purposes. Under section 33a of the Act on the Financial Supervisory Authority, the FIN-FSA may, under penalty of a fine, obligate a supervised entity or other financial market participant to comply with the obligation if the failure is not negligible.

Privacy statement – Client contacts and other advisory matters

This Privacy Statement describes, in accordance with the General Data Protection Regulation (EU) 2016/679, how the Financial Supervisory Authority (FIN-FSA) processes the personal data of clients of the FIN-FSA’s supervised entities and other financial market participants as well as others requesting advice who contact the FIN-FSA, and the rights of the data subjects.

1. Purpose of the processing of the personal data and the legal basis for the processing

The personal data are processed in order to respond to contacts and to clarify matters. The processing is based on the need to process the personal data for the performance of the FIN-FSA’s supervisory and advisory tasks in the public interest. Any processing of personal data belonging to particular categories of personal data is directly related to a supervisory task laid down for the FIN-FSA in the Act on the Financial Supervisory Authority.

The personal data may also be processed for archiving purposes in the public interest.

2. Categories of data subject, the personal data processed and information sources

The data subjects are clients of the FIN-FSA’s supervised entities and other financial market participants as well as other persons requesting advice who contact the FIN-FSA.

The following data are processed by the FIN-FSA:

name and contact information of the contacting person
the content of the contact and other communication with the contacting person
information related to the matter received from the supervised entity or other financial market participant mentioned in the contact
other information concerning the processing of the matter
log data, language choices and automated messages, if the data subject uses the FIN-FSA’s e-services.
identification data, if the data subject using an e-service is identified by means of Suomi.fi identification.

The personal data are obtained from the data subject themselves and from the supervised entity or other financial market participant that the matter concerns. When using Suomi.fi identification, the FIN-FSA receives identification information from the Digital and Population Data Services Agency (DVV), which also collects for itself transaction information on the use of the service.

Personal data are not used in automated decision-making.

3. Recipients or categories of recipients of the personal data

The personal data of the client is disclosed to the supervised entity or other financial market participant that the matter concerns if the FIN-FSA considers the disclosure of the data to be necessary for the processing of the matter.

The personal data may be disclosed in possible requests for information concerning the data insofar as the data are public on the basis of the Act on the Openness of Government Activities.

The data may be disclosed to other authorities if so required by law.

The FIN-FSA has outsourced the processing of personal data to the following service providers, who process personal data on the FIN-FSA’s behalf:

IT system and application suppliers
IT consultants
Communication service providers.

4. Information on the possible transfer of the personal data to a third country or an international organisation

The personal data are not, as a rule, transferred outside of the EU or the EEA or to international organisations. If the data are transferred outside of the EU or EEA, an adequate level of personal data protection is ensured, as required by data protection legislation.

5. Period for which the personal data will be retained, or the criteria used to determine that period

The personal data will be retained for as long as necessary for the purposes of processing the personal data or to comply with statutory obligations.

6. General description of technical and organisational security measures

In order to protect personal data against unauthorised access, disclosure, destruction or other unlawful processing, personal data are processed in systems that have been protected with appropriate technical data protection solutions, taking potential risks into consideration. Manual material is located in premises to which unauthorised persons are prevented from accessing. Only those employees who need to process the personal data in order to perform their duties have access to the personal data being processed.

7. Rights of the data subjects

The data subjects have the right:

to request from the controller access to personal data concerning them and the right to request the rectification or erasure of such data or to restrict or object to processing.
to lodge a complaint about the processing of the personal data with the supervisory authority.

Statutory or contractual requirement to provide information and consequences of failure to provide such information

Failure to provide personal information may lead to the suspension of the processing of a matter pending in the FIN-FSA.

Privacy statement regarding the processing of the personal data of members of unemployment funds

This Privacy Statement describes, in accordance with the General Data Protection Regulation (EU) 2016/679, how the Financial Supervisory Authority (FIN-FSA) processes the personal data of those who have claimed benefits from unemployment funds, and the rights of the data subjects.

1. Purpose of the processing of the personal data and the legal basis for the processing

The processing of the personal data of the data subjects is based on the obligation placed upon the FIN-FSA in the Unemployment Security Act to maintain a register of beneficiaries. The register of beneficiaries serves as the national base register for benefits paid by unemployment funds.

The data collected in the register of beneficiaries is used for the following purposes:

the supervision of unemployment funds;
compiling statistics on the benefits paid by unemployment funds;
investigating abuses related to benefits paid by unemployment funds; and
preparing and monitoring legislation.

The personal data may also be processed for archiving purposes in the public interest.

2. Categories of data subject, the personal data processed and information sources

Categories of data subject:

Persons who have claimed benefits from an unemployment fund

The personal data processed:

The personal identity code as well as background information, such as postcode, tax district and occupation, of benefit claimants
Information on membership of an unemployment fund
Information on the benefits paid and their allocation over time as well as information on the factors affecting the determination of the benefits
Information on the decisions taken by unemployment funds and the processing of unemployment benefit applications

The information of data subjects is obtained from the unemployment funds.

The information is not used in automated decision-making.

3. Recipients or categories of recipients of the personal data

The personal data of the data subjects are regularly disclosed to the Ministry of Social Affairs and Health (preparation and monitoring of legislation), Statistics Finland (statutory compilation of statistics), the Social Insurance Institution (statistics cooperation), the Employment Fund (disclosure based on the Act on the Financing of Unemployment Benefits) and the Finnish Centre for Pensions (for the purpose of assessing and determining the Employment Fund’s insurance contribution and forecasting pension expenditure).

The personal data is also disclosed for research purposes.

In addition, the personal data may be disclosed in possible requests for information concerning the data insofar as the data are public on the basis of the Act on the Openness of Government Activities.

The FIN-FSA has outsourced the processing of personal data to the following service providers, who process personal data on the FIN-FSA’s behalf:

IT system and application suppliers
IT consultants
Communication service providers.

4. Information on the possible transfer of the personal data to a third country or an international organisation

The personal data are not, as a rule, transferred outside of the EU or the EEA or to international organisations. If the data are transferred outside of the EU or EEA, an adequate level of personal data protection is ensured, as required by data protection legislation.

5. Period for which the personal data will be retained, or the criteria used to determine that period

The personal data will be retained for as long as necessary for the purposes of processing the personal data. Insofar as the personal data are included in material that must be archived on the basis of a decision by the National Archives of Finland, the data will be retained permanently in the archives.

6. General description of technical and organisational security measures

In order to protect the personal data against unauthorised access, disclosure, destruction or other unlawful processing, the personal data are processed in systems that have been protected with appropriate technical data protection solutions, taking potential risks into consideration. Manual material is located in premises to which unauthorised persons are prevented from accessing. Only those employees who need to process the personal data in order to perform their duties have access to the personal data being processed.

7. Rights of the data subjects

The data subjects have the right:

to request from the controller access to the personal data concerning them and the right to request that such data be corrected or for processing to be restricted
to lodge a complaint about the processing of the personal data with the supervisory authority.

Privacy statement reagrding Fit & Proper assessments

This Privacy Statement describes, in accordance with the General Data Protection Regulation (EU) 2016/679, how the Financial Supervisory Authority (FIN-FSA) processes the personal data of the management and significant shareholders of supervised entities and other financial market participants, of persons involved in insurance distribution and of private entrepreneurs registered in the FIN-FSA’s registers for the purpose of carrying out of Fit & Proper assessments and owner control, and the rights of the data subjects.

1. Purpose of the processing of the personal data and the legal basis for the processing

The FIN-FSA processes the personal data of the management and significant shareholders of supervised entities for the purpose of carrying out Fit & Proper assessments and owner control.

The purpose of Fit & Proper assessments is to assess the fitness and propriety of members of the management bodies, the executive management and key function holders as well as the significant shareholders and founders of the FIN-FSA’s supervised entities and other financial market participants. Fit & Proper assessments are related to authorisation and registration requirements, owner control and the ongoing supervision of supervised entities and other financial market participants.

Fit & Proper assessments are made on the basis of EU and national legislation, such as

The Act on Credit Institutions
The Insurance Companies Act
Commission Delegated Regulation (EU) 2015/35 (Solvency II)
The Pension Insurance Companies Act
The Public Insurance Funds Act
The Act on Company Pension Funds and Industry-wide Pension Funds
The Act on Company Supplementary Pension Funds and Industry-wide Supplementary Pension Funds
The Farmers' Pension Act
The Seafarers’ Pension Act
The Unemployment Funds Act
The Local Mutual Insurance Associations Act
The Act on Investment Services
The Act on Common Funds
The Act on Alternative Investment Fund Managers
The Crowdfunding Regulation (EU) 2020/1503
The Act on Bondholder Representatives
The Payment Institutions Act
The Act on Insurance Distribution
The Act on Intermediaries of Consumer Credits Related to Residential Immovable Property
The Central Securities Depositories Regulation (EU) 909/2014
The Act on Trading in Financial Instruments
The Act on Virtual Currency Providers and
The Act on the Registration of Certain Credit Providers and Credit Intermediaries.

2. Categories of data subject, the personal data processed and information sources

Categories of data subjects:

Management personnel of the FIN-FSA’s supervised entities and other financial market participants (e.g. members of the board of directors and members of any supervisory board, and their deputies, the CEO and deputy CEO, the executive management and key function holders, for example the heads of internal audit, compliance and risk management.
Significant shareholders and founders of the FIN-FSA’s supervised entities and other financial market participants insofar as legislation requires the assessment of the fitness and propriety of shareholders
Natural persons and private entrepreneurs who are supervised entities of the FIN-FSA, or other financial market participants
Persons involved in insurance distribution.

The personal data processed are (there are some entity-specific differences in the personal data):

The person’s basic information (e.g. name, personnel identity code or date of birth, nationality, address and other contact information, information on previous work experience and education)
A statement on the person’s position and use of time related to their position
A statement that the person is not bankrupt and that they have full legal capacity; information from the Register of Guardianship Affairs; information from the Legal Register Centre’s Debt Restructuring Register and the Business Prohibition Register; information from the Register of Bankruptcies and Reorganisations; the person’s payment default information and information on enforcement; information on a possible controlled undertakings and information on other close links; an obligation compliance report; information from criminal and fine records; information on sanctions and public warnings issued by the FIN-FSA; any information obtainable from an authority of another state
Other information provided by the person themselves
Other information concerning the processing of a matter.

As a rule, the information of data subjects is obtained

From the data subjects themselves
From a supervised entity of the FIN-FSA or other financial market participant
From public registers and information services and other public sources (e.g. judicial administration registers, media)
From the registers of other authorities (e.g. the registers of the Finnish authorities, the registers of other countries’ authorities, and the registers of the European Central Bank (ECB) and the European Supervisory Authorities).

The information is not used in automated decision-making.

4. Recipients or categories of recipients of the personal data

The FIN-FSA discloses personal data related to the Fit & Proper assessments of members of the management of significant supervised entities (SIs) to the ECB for the purpose of assessing their fitness and propriety. The ECB follows its own data protection and information security practices when processing personal data related to Fit & Proper assessments in its own systems (see Privacy statement on the processing of personal data in the context of prudential supervision under the Single Supervisory Mechanism (europa.eu)).

The FIN-FSA may disclose Fit & Proper assessment data to authorities in other countries, the ECB and the European Supervisory Authorities.

The personal data may otherwise be disclosed in possible requests for information concerning the data insofar as the data are public on the basis of the Act on the Openness of Government Activities.

The FIN-FSA has outsourced the processing of personal data to the following service providers, who process personal data on the FIN-FSA’s behalf:

IT system and application suppliers
IT consultants
Communication service providers.

4. Information on the possible transfer of the personal data to a third country or an international organisation

The personal data are not, as a rule, transferred outside of the EU or the EEA or to international organisations. If the data are transferred outside of the EU or EEA, an adequate level of personal data protection is ensured, as required by data protection legislation.

The FIN-FSA is party to an agreement concluded on 19 June 2019 between ESMA and third country authorities pursuant to Article 46(3) of the GDPR under which the personal data may be transferred to third country authorities which are party to the agreement.

5. Period for which the personal data will be retained, or the criteria used to determine that period

The data will be retained until the actions required by the Fit & Proper assessment and any related follow-up processes have been taken.

6. General description of technical and organisational security measures

In order to protect the personal data against unauthorised access, disclosure, destruction or other unlawful processing, the personal data are processed in systems that have been protected with appropriate technical data protection solutions, taking potential risks into consideration. Manual material is located in premises to which unauthorised persons are prevented from accessing. Only those employees who need to process the personal data in order to perform their duties have access to the personal data being processed.

7. Rights of the data subjects

The data subjects have the right:

to request from the controller access to the personal data concerning them and the right to request that such data be corrected or for processing to be restricted and
to lodge a complaint about the processing of the personal data with the supervisory authority.

Access to data concerning data subjects themselves is not granted, however, if the disclosure of such data might jeopardise the performance of the statutory tasks of the FIN-FSA or the prevention or investigation of infringements of financial market regulations.

8. Statutory or contractual requirement to provide information and consequences of failure to provide such information

Failure to provide personal information may lead to the suspension of a matter (e.g. a notification or an application) pending before the Financial Supervisory Authority or to an negative decision.

Data protection statement regarding the processing of the personal data of stakeholder representatives as well as persons submitting requests for information and other requests

This Privacy Statement describes, in accordance with the General Data Protection Regulation (EU) 2016/679, how the Financial Supervisory Authority (FIN-FSA) processes the personal data of stakeholder representatives as well as persons submitting requests for information and other requests, and the rights of the data subjects.

1. Purpose of the processing of the personal data and the legal basis for the processing

The FIN-FSA processes the personal data of representatives of stakeholders, such as authorities, organisations and companies, in order to facilitate the FIN-FSA’s stakeholder work. The FIN-FSA processes the data of persons submitting requests for information and other requests in order to respond to the requests.

Stakeholder work includes, for example, events, bulletins, newsletters, responding to feedback providers, communication on social media, providing online services, stakeholder research and other surveys, and cooperation with authorities, international bodies and organisations.

The data of those who have been invited to, who have registered for and who have attended events are processed in order to manage the events and meetings.

The data of subscribers to bulletins and newsletters are processed for the purpose of sending the bulletins and newsletters.

The data of feedback providers are processed in order to respond to feedback.

The data of visitors to the FIN-FSA’s website are collected using cookies in order to compile statistics on visitors and to execute the functionalities of the website. In social media, personal data are processed to monitor the visibility of the FIN-FSA and to participate in discussion.

The personal data of representatives of authorities, international institutions and organisations are processed for the purpose of cooperation.

In addition, the data of stakeholders is processed for the purpose of planning and developing the activities of the FIN-FSA.

The basis for processing the personal data is the need to process data for the controller’s performance of tasks in the public interest. However, the basis for processing is consent when the data subject is a subscriber of a newsletter or bulletin or the processed data are non-essential cookie data. The personal data may also be processed for archiving purposes in the public interest.

2. Categories of data subject, the personal data processed and information sources

The data subjects are persons submitting requests for information and other requests as well as representatives of the FIN-FSA’s stakeholders, such as:

Representatives of authorities and international bodies
Representatives of organisations
The FIN-FSA’s supervised entities and other financial market participants and their representatives
Representatives of listed companies
Representatives of audit firms
Media representatives
Persons who have been invited to/who have registered for/who have attended FIN-FSA events and meetings
Former employees of the FIN-FSA
Subscribers to the FIN-FSA’s newsletters
Visitors to the FIN-FSA’s website and providers of feedback
Followers of and commenters on the FIN-FSA’s social media.

The personal data processed are

Name, title or position of the data subject and, if necessary, additional information related to these, organisation
End date of employment relationship, position and department or unit of former employees
The contact information of the data subject (email address, telephone number and possible other contact information) and possible communication bans
Communication with the data subject (e.g. email correspondence, online feedback form, responses to stakeholder research or other surveys, request for information or other requests, the response to a request, possible decision on a matter, information on the processing of a request).
Photographs and video recordings of events and meetings (participants are informed separately about possible video recording and photography)
Meeting information and information on invitations to, registrations for and participation in events
If necessary, special diets
Data collected by cookies (for more information on the use of cookies, see Cookies policy - Statements and guidelines - www.finanssivalvonta.fi).
Information on the following of the FIN-FSA’s social media channels, sharing and commenting on the FIN-FSA’s publications and sharing and commenting on other publications concerning the FIN-FSA.

The information of data subjects is, as a rule, obtained from the data subjects themselves and from organisations represented by the data subjects. The FIN-FSA also collects information from public sources such as organisations’ websites. Information about former employees is obtained from the Bank of Finland.

The information of stakeholder representatives and persons submitting requests for information and other requests is not used in automated decision-making.

3. Recipients or categories of recipients of the personal data

The personal data may be disclosed in possible requests for information concerning the data insofar as the data are public on the basis of the Act on the Openness of Government Activities or the party requesting the data otherwise has the right to receive the data.

Photographs and video recordings of events and meetings may be published on the FIN-FSA’s website and in social media channels, provided that consent to publish the photographs or video recordings has been obtained from the persons clearly identifiable from the images. Photographs may also be released to the press for news coverage and non-commercial purposes.

The FIN-FSA discloses the personal data of those who have registered for and have participated in events to the Bank of Finland or to another organising party if the event in question is arranged as a joint event. If there is catering at the event, data may be disclosed to the organiser of the catering insofar as this is necessary.

The FIN-FSA has outsourced the processing of personal data to the following service providers, who process personal data on the FIN-FSA’s behalf:

IT system and application suppliers
IT consultants
Communication service providers.

4. Information on the possible transfer of the personal data to a third country or an international organisation

Data are not transferred outside the EU or the EEA or to international organisations.

5. Period for which the personal data will be retained, or the criteria used to determine that period

The personal data will be retained for as long as necessary for the purposes of processing the personal data or to comply with statutory obligations. Insofar as the personal data are included in material that must be archived on the basis of a decision by the National Archives of Finland, the data will be retained permanently in the archives.

6. General description of technical and organisational security measures

In order to protect personal data against unauthorised access, disclosure, destruction or other unlawful processing, personal data are processed in systems that have been protected with appropriate technical data protection solutions, taking potential risks into consideration. Manual material is located in premises to which unauthorised persons are prevented from accessing. Only those employees who need to process personal data in order to perform their duties have access to the personal data being processed.

7. Rights of the data subjects

The data subjects have the right:

To request from the controller access to personal data concerning them and the right to request that such data be corrected or erased or for processing to be restricted or to object to the processing of their personal data.
Insofar as processing of personal data is based on consent, to withdraw consent at any time, without affecting the lawfulness of processing based on consent prior to its withdrawal, as well as the right to transfer the data from the system to another. A newsletter subscriber may cancel the newsletter subscription at any time via a link in the newsletter.
To lodge a complaint about the processing of personal data with the supervisory authority.

8. Statutory or contractual requirement to provide information and consequences of failure to provide such information

If a stakeholder does not provide their contact information or it cannot be found publicly, the FIN-FSA is unable to target that person in its stakeholder work.

If a person who has provided feedback via an online service wishes a response to the feedback, they must provide their email address on the feedback form.

If a subscriber of a newsletter or bulletin does not provide their email address, the newsletter or bulletin cannot be sent.

Requests for information directed at a public document do not have to be justified and the person making the request does not need to provide personal information. However, if the request concerns a confidential document or information that can only be disclosed under certain conditions, the data subject must provide the necessary information to the FIN-FSA.

If a person submitting a request other than a request for information does not provide the information necessary to process the request (e.g. the information necessary to identify the said person), the request cannot be processed.

Privacy statement regarding the processing of personal data of representatives of contractual partners and potential contractual partners

This Privacy Statement describes, in accordance with the General Data Protection Regulation (EU) 2016/679, how the Financial Supervisory Authority (FIN-FSA) processes the personal data of contractual partners and potential contractual partners and of their responsible personnel, representatives, owners and beneficial owners, and the rights of the data subjects.

1. Purpose of the processing of the personal data and the legal basis for the processing

The FIN-FSA processes the personal data

to plan and implement procurement
to prepare and enforce contracts, and
for planning and developing the activities of the FIN-FSA.

The basis for the processing of the personal data is compliance with the legal obligations of the FIN-FSA, when the data are processed

to fulfil the obligations laid down under the Act on Public Procurement and Concession Contracts, the Act on Public Procurement in the Fields of Defence and Security or the Act on the Contractor’s Obligations and Liability
to comply with international sanctions regulations
to fulfil obligations related to accounting, financial statements preparation and auditing, or
to fulfil the obligations set out in the Act on Information Management in Public Administration.

In other processing, the basis for the processing of the personal data is the FIN-FSA’s performance of tasks in the public interest, the preparation and enforcement of contracts, or consent.

The personal data may also be processed for archiving purposes in the public interest.

2. Categories of data subject, the personal data processed and information sources

Categories of data subject:

Members of the governance, management and supervisory bodies, employees, owners, beneficial owners, representatives and persons registered in the Trade Register, or an equivalent foreign company register, of candidates and tenderers participating in procurement procedures and of potential subcontractors.
Reference contact persons indicated by candidates and tenderers participating in procurement procedures.
Representatives of candidates and other potential contractual or cooperation partners invited to market surveys.
Members of the governance, management and supervisory bodies, employees, owners, beneficial owners, representatives and persons registered in the Trade Register, or an equivalent foreign company register, of contractual partners and potential subcontractors.
Candidates and tenderers participating in procurement procedures, as well as contractual partners and their subcontractors, who are natural persons or private entrepreneurs.

The personal data processed are

Name, represented organisation, and position in the organisation, including signing rights
Contact information
Personal data contained in the register extracts of the represented organisation
Date of birth
Information about sanctions (management, owners and beneficial owners of tenderers and contractual partners to the extent required by sanctions regulations)
Criminal records and business links (candidates and tenderers participating in procurement procedures and members of their governance, management or supervisory bodies or those exercising powers of representation, decision-making or control: no criminal record information is retained, only information on whose criminal record information has been checked and when the information was checked is retained)
The data subject’s consent to the performance of personal security clearance vetting and the information required for this as well as the results of the vetting (if security clearance vetting is performed)
Information possibly obtained through facility security clearance vetting
Applications to the Defence Forces for exemption of key personnel from military service and the decisions on exemptions if the data subject carries out a task for which an exemption application is justified
Personal interviews and personal assessments
Information on the education and professional qualifications as well as the experience and other relevant skills with regard to the procurement object (those participating in tender evaluation, personal interviews and personal assessments).
Possible contracts with the data subject and the commitments of the data subject
Invoicing information
Information regarding the processing of contractual matters and the negotiation and fulfilment of the contract
Information obtained in connection with monitoring the financial situation and risks of the contractual parties selected through the procurement procedure (e.g. tax debt certificates).
Visiting information
Communication with the data subject

Information is mainly obtained from the data subjects themselves or from the organisation they represent. The FIN-FSA also obtains information from public sources such as the Trade Register maintained by the Finnish Patent and Registration Office, the Reliable Partner service maintained by Vastuu Group Oy, Rakentamisen Laatu RALA ry’s business search service and qualification register, Suomen Asiakastieto Oy’s business credit information registers, and the websites of organisations. Information may also be obtained from the public tender documents of other procurement units. Contact information may also be obtained from joint procurement units used by the FIN-FSA. The results of security clearance vetting are obtained from the Finnish Security and Intelligence Service (SUPO).

The information of data subjects is not used in automated decision-making.

3. Recipients or categories of recipients of the personal data

The FIN-FSA may disclose personal data to the Bank of Finland or another party if the procurement object will also be used by the Bank of Finland or the other party or if the Bank of Finland or the other party has an option to join the end result of the procurement.

The FIN-FSA does not otherwise regularly disclose personal data.

Personal data may, however, be disclosed in possible requests for information concerning the data insofar as the data public on the basis of the Act on the Openness of Government Activities or the party requesting the data otherwise has the right to receive the data (e.g. to the Finnish Competition and Consumer Authority for the purposes of its supervisory tasks.

In a possible dispute or in procurement-related appeal proceedings, the data may be disclosed to the court considering with the matter.

The data may also be made available to auditors to the extent that they consider it necessary to carry out an audit.

The FIN-FSA has outsourced the processing of personal data to the following service providers, who process personal data on the FIN-FSA’s behalf:

IT system and application suppliers
IT consultants
communication service providers
providers of financial management services
the supplier of the Handi invoicing and ordering system
external consultants used in procurement procedures
tender services providers used in procurement procedures

4. Information on the possible transfer of the personal data to a third country or an international organisation

The personal data are not, as a rule, transferred outside of the EU or the EEA. If the data are transferred outside of the EU or the EEA, an adequate level of protection of the personal data is ensured as required by data protection legislation, for example using standard contractual clauses approved by the European Commission, and such that processing of the personal data takes place in accordance with this privacy statement.

If a candidate or tenderer eligible for participation from outside the EU/EEA region participates in the procurement procedure, personal data may have to be provided to such a tenderer in notifications, decisions and justifications for decisions related to the procurement procedure, in requests for information, and in possible appeal and rectification request processes.

5. Period for which the personal data will be retained, or the criteria used to determine that period

The personal data will be retained for as long as necessary for the purposes of processing the personal data or to comply with statutory obligations. Insofar as the personal data are included in material that must be archived on the basis of a decision by the National Archives of Finland, the data will be retained permanently in the archives.

6. General description of technical and organisational security measures

In order to protect the personal data against unauthorised access, disclosure, destruction or other unlawful processing, the personal data are processed in systems that have been protected with appropriate technical data protection solutions, taking potential risks into consideration. Manual material is located in premises to which unauthorised persons are prevented from accessing. Only those employees who need to process the personal data in order to perform their duties have access to the personal data being processed.

7. Rights of the data subjects

The data subjects have the right:

to request from the controller access to the personal data concerning them as well as the right to request the correction or erasure of such data or a restriction of processing or to object to processing as well as the right to transfer data from one system to another.
insofar as processing of the personal data is based on consent, to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
to lodge a complaint about the processing of the personal data with the supervisory authority.

8. Statutory or contractual requirement to provide information and consequences of failure to provide such information

If a data subject does not provide the necessary information, the contract or planned cooperation cannot be entered into and any contract or cooperation already entered into or initiated might have to be terminated.

Privacy statement regarding personal data processed by the Financial Supervisory Authority in connection with its supervisory and inspection activities

This Privacy Statement describes, in accordance with the General Data Protection Regulation (EU) 2016/679, how the Financial Supervisory Authority (FIN-FSA) processes personal data in connection with the fulfilment of the FIN-FSA’s statutory duties and the exercise of its powers, and the rights of the data subjects.

1. Purpose of the processing of the personal data and the legal basis for the processing

The personal data are processed in the performance of the FIN-FSA’s statutory tasks, including in connection with the ongoing supervision of supervised entities, other financial market participants and auditors as well as audit activities and reporting obligations.

The processing of the data is based on the Act on the Financial Supervisory Authority and general financial sector and sector-specific EU and national legislation applicable to the FIN-FSA’s supervised entities and other financial market participants. The entities supervised by the FIN-FSA include banks, insurance and pension companies as well as other companies operating in the insurance sector, investment firms, fund management companies and the Helsinki Stock Exchange. More detailed information on sector-specific regulation is available at: Regulation by sectors - Regulation - www.finanssivalvonta.fi.

The personal data may also be processed for archiving purposes in the public interest.

2. Categories of data subject, the personal data processed and information sources

Categories of data subject:

Supervised entities and other financial market participants’
personnel (including management and members of governance bodies)
related parties
clients
guarantors, collateral providers
auditors
partners (e.g. consultants, bonding agents, outsourced services providers)
counterparties
beneficial owners
Other persons subject to the exercise of supervisory powers.

The personal data processed may include:

Name, position, organisation
Client relationship information (e.g. account and transaction information, credit information, income and asset information, information on investment experience, knowledge and objectives) to the extent that it is contained in individual supervisory or inspection material or in information regularly reported to the FIN-FSA. More detail on the information that the FIN-FSA’s supervised authorities must report regularly to the FIN-FSA is available at Reporting - www.finanssivalvonta.fi
Loans and other financing comparable to loans granted to related parties of credit institutions
Information on contracts between supervised entities/other financial market participants and their clients, counterparties and service providers to the extent that such contracts are contained in individual supervisory or inspection material. Counterparty information is also included in regular reporting, on which more detail is available at Reporting - www.finanssivalvonta.fi
Personal data contained in minutes of meetings and other documents of supervised entities
Communication between the supervised entity and the client (e.g. email correspondence)
Administrative sanctions
Reports of suspected abuse
Information about a suspected offence and the preliminary investigation, such as the name of the suspect as well as processing information received from the prosecution authority
Other information concerning the processing of matters.

When direct identification information such as name, date of birth or personal identity code is not required in inspection and supervisory activities, the supervised entity or other financial market participant is requested to provide the material without this information.

The information of data subjects is obtained

From the FIN-FSA’s supervised entities or other financial market participants
From other entities and persons (e.g. auditors and other parties subject to the exercise of supervisory powers)
Public registers and information services and other public sources (e.g. judicial administration registers, media, websites)
From the authorities of Finland and other countries, particularly from the ECB, the European Supervisory Authorities and European national supervisory authorities
Information may also be obtained from the data subjects themselves.

The information of data subjects is not used in automated decision-making.

3. Recipients or categories of recipients of the personal data

In EU legislation, the ECB has been assigned tasks related to supervising the stability of banks, which the FIN-FSA carries out together with the ECB, the European Supervisory Authorities and European national supervisory authorities.

The FIN-FSA carries out supervisory cooperation with the ECB, the European Supervisory Authorities, European national supervisory authorities and authorities of other countries, and discloses personal data for the purposes of this supervisory cooperation.

The FIN-FSA is obliged to disclose information to the Ministry of Finance, the Bank of Finland and the Financial Stability Authority for the performance of their statutory tasks. The information disclosed may also include personal data.

The FIN-FSA may disclose information to the prosecution and pre-trial investigation authority and Financial Intelligence Unit for the purposes of preventing, combating and investigating crimes.

Personal data may also be disclosed in possible requests for information concerning the data insofar as the data are public on the basis of the Act on the Openness of Government Activities or the party requesting the data otherwise has the right to receive the data.

Personal data contained in administrative sanctions and other decisions may be published on the FIN-FSA’s website.

The FIN-FSA has outsourced the processing of personal data to the following service providers, who process personal data on the FIN-FSA’s behalf:

IT system and application suppliers
IT consultants
Communication service providers.

4. Information on the possible transfer of the personal data to a third country or an international organisation

The personal data are not, as a rule, transferred outside of the EU or the EEA or to international organisations. If the data are transferred outside of the EU or EEA, an adequate level of personal data protection is ensured, as required by data protection legislation.

The FIN-FSA is party to an agreement concluded on 19 June 2019 between ESMA and third country authorities pursuant to Article 46(3) of the GDPR under which the personal data may be transferred to third country authorities which are party to the agreement.

5. Period for which the personal data will be retained, or the criteria used to determine that period

The personal data will be retained for as long as necessary for the purposes of processing the personal data or to comply with statutory obligations. Insofar as the personal data are included in material that must be archived on the basis of a decision by the National Archives of Finland, the data will be retained permanently in the archives.

6. General description of technical and organisational security measures

In order to protect the personal data against unauthorised access, disclosure, destruction or other unlawful processing, the personal data are processed in systems that have been protected with appropriate technical data protection solutions, taking potential risks into consideration. Manual material is located in premises to which unauthorised persons are prevented from accessing. Only those employees who need to process the personal data in order to perform their duties have access to the personal data being processed.

7. Rights of the data subjects

The data subjects have the right:

to request from the controller access to the personal data concerning them and the right to request that such data be corrected or for processing to be restricted and
to lodge a complaint about the processing of the personal data with the supervisory authority.

Access to data concerning data subjects themselves is not granted, however, if the disclosure of such data might jeopardise the performance of the statutory tasks of the FIN-FSA or the prevention or investigation of infringements of financial market regulations or for any other reason expressly provided for by law.

Privacy statement regarding the processing of the personal data of management, owners and contact persons of supervised entities and other financial market participants

This Privacy Statement describes, in accordance with the General Data Protection Regulation (EU) 2016/679, how the Financial Supervisory Authority (FIN-FSA) processes the personal data of management, key function holders, owners and contact persons of supervised entities and other financial market participants, and the rights of the data subjects.

1. Purpose of the processing of the personal data and the legal basis for the processing

The personal data are processed in the performance of the FIN-FSA’s statutory tasks, including in connection with the ongoing supervision of supervised entities and other financial market participants as well as audit activities and reporting obligations.

The processing of the data is based on the Act on the Financial Supervisory Authority and sector-specific EU and national legislation applicable to the FIN-FSA’s supervised entities and other financial market participants. The entities supervised by the FIN-FSA include banks, insurance and pension companies as well as other companies operating in the insurance sector, investment firms, fund management companies and the Helsinki Stock Exchange. More detailed information on sector-specific regulation is available at: Regulation by sectors - Regulation - www.finanssivalvonta.fi.

The processing is based on the need to process the personal data for the performance of the FIN-FSA’s tasks in the public interest.

The personal data may also be processed for archiving purposes in the public interest.

The personal data of management, owners and contact persons of the FIN-FSA’s supervised entities and other financial market participants is also processed in security market supervision, stakeholder work, inspections and supervision as well as in making Fit & Proper assessments, if legislation requires Fit & Proper assessments to be made. Information on the processing of personal data for these purposes is available in the FIN-FSA’s privacy statements on the processing of personal data in securities market supervision, the processing of the personal data of stakeholder representatives as well as persons submitting requests for information and other requests, the processing of personal data by the FIN-FSA in connection with its supervisory and inspection activities, as well as Fit & Proper assessments.

2. Categories of data subject, the personal data processed and information sources

With regard to the FIN-FSA’s supervised entities and other financial market participants, the data subjects are

the members of the governance bodies and the management (e.g. members of the board of directors and members of any supervisory board and their deputies, CEO and deputy CEO, members of the management body and key function holders, auditors)
significant owners and founders
reporters and
other contact persons.

In addition, the data subjects also include private traders operating in the financial market.

The personal data processed:

Name, telephone number, email address, entity, role/responsibility of the person and start and end date, any other information received from the data subject or the organisation they represent, authorisations to act on behalf of the represented organisation
With regard to the members of the governance bodies and the management of supervised entities and other financial market participants as well as private traders, the following information may also be processed: personal identity code or date of birth, place of residence or address, nationality, service language
Identification and log data, possible usernames and passwords, language choices and automated messages when the data subject uses electronic services (e.g. an e-service or reporting system)
With regard to those who have the downloaded the FIN-FSA’s applications, information on accepted licence agreements and installation packages for the applications and the login credentials of reporters who report via the applications are also processed
Information on the processing of applications and notifications
Communication with the data subject and any passwords used in communication
Information related to the invoicing of supervision and processing fees.

Information is obtained from the data subjects themselves or from the FIN-FSA’s supervised entities or other financial market participants. However, when using Suomi.fi identification, identification and authorisation information is obtained from the Digital and Population Data Services Agency, which also collects for itself transaction information on the use of the service.

The information is not used in automated decision-making.

3. Recipients or categories of recipients of the personal data

A list of supervised entities, a register of insurance intermediaries and a register of tied agents are available on the FIN-FSA’s website. With regard to mortgage brokers, crowdfunding intermediaries, bondholder representatives, virtual currency providers and insurance intermediaries, the names and positions of responsible persons are also available in the list of supervised entities or in the register of insurance intermediaries.

Everyone has the right to receive a register extract of the entries made in the register of pension funds and insurance funds and the register of unemployment funds.

The Bank of Finland is provided with information entered in the base register of entities maintained by the FIN-FSA and with information necessary for the invoicing of supervision and processing fees.

The FIN-FSA may also disclose information to the Financial Stability Authority to carry out its tasks in the fields of resolution, security of supply and the deposit guarantee.

Personal data may otherwise be disclosed in possible requests for information concerning the data insofar as the data are public on the basis of the Act on the Openness of Government Activities or the party requesting the data otherwise has the right to receive the data.

The FIN-FSA has outsourced the processing of personal data to the following service providers, who process personal data on the FIN-FSA’s behalf:

IT system and application suppliers
IT consultants
Financial management services providers
Communication service providers.

4. Information on the possible transfer of the personal data to a third country or an international organisation

The personal data are not, as a rule, transferred outside of the EU or the EEA or to international organisations. If the data are transferred outside of the EU or EEA, an adequate level of personal data protection is ensured, as required by data protection legislation.

5. Period for which the personal data will be retained, or the criteria used to determine that period

The personal data will be retained for as long as necessary for the purposes of processing the personal data or to comply with statutory obligations. Insofar as the personal data are included in material that must be archived on the basis of a decision by the National Archives of Finland, the data will be retained permanently in the archives.

6. General description of technical and organisational security measures

In order to protect personal data against unauthorised access, disclosure, destruction or other unlawful processing, personal data are processed in systems that have been protected with appropriate technical data protection solutions, taking potential risks into consideration. Manual material is located in premises to which unauthorised persons are prevented from accessing. Only those employees who need to process personal data in order to perform their duties have access to the personal data being processed.

7. Rights of the data subjects

The data subjects have the right:

to request from the controller access to personal data concerning them and the right to request the correction or erasure of such data or to restrict or object to processing.
to lodge a complaint about the processing of personal data with the supervisory authority.

8. Statutory or contractual requirement to provide information and consequences of failure to provide such information

An authorisation cannot be granted and a registration in a register of the FIN-FSA cannot be made if the information required by law about an applicant natural person or private trader or an applicant entity’s members of governance bodies and management as well as key function holders is not provided to the FIN-FSA.

The FIN-FSA’s electronic services, reporting systems and other applications cannot be used if the data subject does not provide the information necessary for logging in.

Privacy statement regarding reports of suspected breaches

This Privacy Statement describes, in accordance with the General Data Protection Regulation (EU) 2016/679, how the Financial Supervisory Authority (FIN-FSA) processes personal data in connection with reports of suspected breaches, as referred to in section 71a of the Act on the Financial Supervisory Authority, in chapter 7, section 9 of the Act on the Prevention of Money Laundering and Terrorist Financing and in the Act on the protection of persons reporting violations of European Union and national law (Whistleblower Protection Act), and what rights the data subjects have.

1. Purpose of the processing of the personal data and the legal basis for the processing

The FIN-FSA processes the personal data referred to in this privacy statement in connection with reports of suspected breaches received by the FIN-FSA pursuant to section 71a of the Act on the Financial Supervisory Authority, chapter 7, section 9 of the Act on the Prevention of Money Laundering and Terrorist Financing, and the Whistleblower Protection Act. The legal basis for the processing is compliance with a statutory obligation.

2. Categories of data subject, the personal data processed and information sources

Categories of data subject:

Persons making a report
Individuals who are the subject of a report or persons employed by the company which is the subject of a report (e.g. management personnel of the said company)
Other persons who may be mentioned in reports of suspected abuse.

The personal data processed:

Name of the data subject, organisation (no data will be processed with regard to the whistleblower if the report is made anonymously)
Contact information of the data subject (email address, telephone number and possible other contact information)
Information contained in the report, clarifications resulting from the report and information on the processing of the matter
Communication with the data subject (e.g. email correspondence)

As a rule, the information of data subjects is obtained from:

the person making a report
the parties to whom the report relates
public sources
other authorities.

The information is not used in automated decision-making.

3. Recipients or categories of recipients of the personal data

The personal data of the person making the report and the personal data of the subject of the notification are confidential.

The FIN-FSA may, however, disclose information to the prosecution and pre-trial investigation authority and Financial Intelligence Unit for the purposes of preventing and investigating crimes.

The FIN-FSA has outsourced the processing of personal data to the following service providers, who process personal data on the FIN-FSA’s behalf:

IT system and application suppliers
IT consultants
Communication service providers.

4. Information on the possible transfer of the personal data to a third country or an international organisation

The personal data are not, as a rule, transferred outside of the EU or the EEA or to international organisations.

The data may, however, be disclosed to a supervisory authority of another country if the suspected abuse is linked to another country.

If the data are transferred outside of the EU or EEA, an adequate level of personal data protection is ensured, as required by data protection legislation.

5. Period for which the personal data will be retained, or the criteria used to determine that period

The personal data will be retained for 5 years from the making of the report. The data will be deleted when their retention period has ended, unless their retention is necessary to safeguard the investigation of a crime, pending trials, official investigations or the rights of the whistleblower or the person who is the subject to a report.

6. General description of technical and organisational security measures

In order to protect personal data against unauthorised access, disclosure, destruction or other unlawful processing, personal data are processed in systems that have been protected with appropriate technical data protection solutions, taking potential risks into consideration. Manual material is located in premises to which unauthorised persons are prevented from accessing. Only those employees who need to process personal data in order to perform their duties have access to the personal data being processed.

7. Rights of the data subjects

The data subjects have the right:

to access the personal data concerning themselves and to request that such data be corrected or for processing to be restricted and
to lodge a complaint about the processing of personal data with the supervisory authority.

Data subjects have no right of access to the data, however, if

disclosure of the data could impede the investigation of suspected violations; or
restricting right of access is necessary and proportionate in order to safeguard the investigation of the accuracy of the report or to protect the identity of the whistleblower.

8. Statutory or contractual requirement to provide information and consequences of failure to provide such information

A report of suspected abuse may also be anonymous. An anonymous report may, however, adversely affect investigation of the suspected abuse if additional information cannot be requested from the whistleblower. An anonymous report may, however, contain sufficient information for the investigation of the matter.

Life insurance mortality research

Privacy Statement – Life insurance mortality research 2024

This Privacy Statement describes, in accordance with the General Data Protection Regulation (EU) 2016/679, how the Financial Supervisory Authority (FIN-FSA) processes personal data in life insurance mortality research, and the rights of the data subjects.

1. Purpose of the processing of the personal data and the legal basis for the processing

When calculating the technical provisions of life insurance companies, it is essential that the assumptions used regarding mortality are of high quality. Personal data collected in the connection with life insurance mortality research are processed in order to produce information on the mortality trends of life insured persons, i.e. aggregated mortality time series. The FIN-FSA uses mortality time series in its own supervisory work, for example when assessing the mortality assumptions of life insurance companies and forecasting life insurance mortality trends.

The processing is necessary for the performance of the FIN-FSA’s tasks in the public interest. The tasks of the FIN-FSA are based on the Act on the Financial Supervisory Authority, the Insurance Companies Act and Commission Delegated Regulation (EU) 2015/35 (Solvency II).

2. Categories of data subject, the personal data processed and information sources

The data subjects are persons insured by Finnish life insurance companies with regard to business in Finland.

The personal data processed include:

Date of birth and possible date of death of the insured person
Gender of the insured person
Customer number or other identifier (but not the personal identification number or name) of the insured person
Date of entry into force of the insurance and possible date of termination of the insurance
Insurance product category and tariff (normal or increased tariff)

The information of the data subjects is obtained from the life insurance companies.

The information of data subjects is not used in automated decision-making.

3. Recipients or categories of recipients of the personal data

The personal data are not disclosed to other parties.

The FIN-FSA has outsourced the processing of the personal data to the following service providers, who process the personal data on the FIN-FSA’s behalf:

IT system and application suppliers
IT consultants
Communication service providers.

4. Information on the possible transfer of personal data to a third country or an international organisation

The personal data are not transferred outside of the EU or the EEA or to international organisations.

5. Period for which the personal data will be stored, or the criteria used to determine that period

The personal data will be stored for as long as necessary for the purposes of processing the personal data, but for no longer than two years.

6. General description of technical and organisational security measures

In order to protect the personal data against unauthorised access, disclosure, destruction or other unlawful processing, the personal data are processed in systems that have been protected with appropriate technical data protection solutions, taking potential risks into consideration. Manual material is located in premises to which unauthorised persons are prevented from accessing. Only those employees who need to process the personal data in order to perform their duties have access to the personal data being processed.

7. Rights of the data subjects

The data subjects have the right:

to request from the controller access to personal data concerning them, the right to request the rectification of such data or the restriction of the processing of such data, and the right to object to the processing of their personal data, and
to lodge a complaint about the processing of the personal data with the supervisory authority.

Data in the Positive Credit Register

Privacy Statement – Data in the Positive Credit Register

This Privacy Statement describes, in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR), how the Finnish Financial Supervisory Authority processes the personal data of debtors and guarantors registered in the Positive Credit Register maintained by the Tax Administration, and the rights of the data subjects.

1. Purpose of the processing of the personal data and the legal basis for the processing

The Financial Supervisory Authority (FIN-FSA) processes data in the Positive Credit Register in order to perform the following tasks laid down for it in the Act on the Financial Supervisory Authority:

supervise the activities of financial market participants as well as foster compliance with good practice in financial markets and public awareness of financial markets
grant authorisation to financial market participants, register financial market participants and confirm rules concerning their activities
monitor that financial market participants comply with the financial market provisions applicable to them, the regulations issued thereunder, the terms of their authorisation and the rules concerning their activities
issue regulations necessary for the application of the Act
monitor and evaluate developments in financial markets and the rest of the operating environment for financial market participants, and the evolution of other general operating conditions
make initiatives for the development of financial market legislation and other requisite measures, and participate in the preparation of legislation
foster the reliability of the corporate governance systems of financial market participants whose financial position the FIN-FSA monitors
collect and periodically publish comparable data on financial market participants’ financial position and otherwise foster access to information on financial services and financial market activity
participate in European Union cooperation within the framework of the European System of Financial Supervision (ESFS) and in other international supervisory cooperation
participate in the activities of the Single Supervisory Mechanism (SSM) and assist the European Central Bank (ECB) in the Single Supervisory Mechanism
prepare, together with the Ministry of Finance and the Bank of Finland, measures necessary to ensure the stability of the financial system as a whole and decide on such measures as separately provided for by law.

In addition, the FIN-FSA processes data in the Positive Credit Register for its supervisory task regarding the disclosure obligation laid down in section 28 of the Act on the Positive Credit Register.

In accordance with the General Data Protection Regulation (GDPR), the basis for processing the data is, therefore, that the processing of the personal data is necessary for the FIN-FSA’s performance of its tasks in the public interest.

2. Categories of data subjects, the personal data processed and information sources

Categories of data subjects:

Debtors registered in the Positive Credit Register
Guarantors registered in the Positive Credit Register

The personal data processed are:

basic information on the debtor’s consumer credits, leases comparable to consumer credits and loans brokered to the debtor by a peer-to-peer loan broker (including information on lenders, loan identification numbers, numbers of debtors, dates of conclusion of loan contracts, types of loans, loan currencies, one-time expenses paid as the loan contract is concluded, amounts of lump sum loans, purposes of use of loans and payment plans and credit limits of running-account loans as well as start dates, instalments and transaction prices of leases)
information on Kela guarantee receivables for student loans
interest information (including total interest rates, marginal interest rates, types of interest, effective interest rate on date of conclusion, upper and lower limits of any interest rate corridors, any interest rate caps, and the end dates of any interest rate restrictions)
information on collateral (types of any collateral, identifiers of guarantors)
information on amortisations and deferments of amortisations (including amortisations paid, interest and other loan expenses, payment dates, remaining balances of lump sum loans and amounts of running-account loan balances)
information on delayed amounts and on accelerations of loans (unpaid amount, original due date and date of acceleration)
information on debt arrangements and business restructurings
income information (gross and net income established during lending process and according to Income Register)
information on end and transfer of loans

The information is obtained from the Positive Credit Register maintained by the Tax Administration in pseudonymised form, i.e. without names, contact details, personal identification numbers or loan numbers that would enable the FIN-FSA to identify individual debtors and guarantors. More information about the Positive Credit Register is available at: Positive Credit Register - Information for private individuals (vero.fi)

3. Recipients or categories of recipients of the personal data

The FIN-FSA does not disclose the personal data to third parties.

The following processors are used in the processing of the personal data

IT service providers
communications service providers

4. Information on the possible transfer of personal data to a third country or an international organisation

The personal data are not, as a rule, transferred outside of the EU or the EEA. In individual cases, however, processors of the personal data may have access to personal data from outside the EU or EEA in connection with support and maintenance activities. If data are transferred outside of the EU or the EEA, an adequate level of protection of personal data is ensured as required by data protection legislation, for example by transferring data to a country where, by decision of the European Commission, an adequate level of data protection is ensured or using standard contractual clauses approved by the European Commission.

5. Period for which the personal data will be stored, or the criteria used to determine that period

The FIN-FSA has set the storage period for data in the Positive Credit Register at 40 years, because typically, instead of a single loan, households have several long repayment period loans over their lifetime, in which case the natural review period is the lifetime of the household instead of the longest possible repayment period.

In addition, the length of the storage period is influenced by the fact that the FIN-FSA carries out macroprudential work covering the entire financial sector in close cooperation with the Bank of Finland and, in order to ensure effective cooperation between the authorities, it is justified that the Bank of Finland and the FIN-FSA have the same storage periods.

6. General description of technical and organisational security measures

In order to protect the personal data against unauthorised access, disclosure, destruction or other unlawful processing, the personal data are processed in systems that have been protected with appropriate technical data protection solutions, taking potential risks into consideration. Only those employees who need to process the personal data in order to perform their duties have access to the personal data being processed.

7. Rights of the data subjects

The data subjects have the right:

to request from the controller access to personal data concerning them and the right to request the correction of such data or to restrict or object to processing, and
to lodge a complaint about the processing of the personal data with the supervisory authority.

Data protection

Name and contact details of controller and contact details of data protection officer

Processing of personal data in the FIN-FSA

Privacy statements

Privacy statement regarding the processing of personal data in securities markets supervision

1. Purpose of the processing of the personal data and the legal basis for the processing

2. Categories of data subject, the personal data processed and information sources

3. Recipients or categories of recipients of the personal data

4. Information on the possible transfer of the personal data to a third country or an international organisation

5. Period for which the personal data will be retained, or the criteria used to determine that period

6. General description of technical and organisational security measures

7. Rights of the data subjects

8. Statutory or contractual requirement to provide information and consequences of failure to provide such information

Privacy statement – Client contacts and other advisory matters

1. Purpose of the processing of the personal data and the legal basis for the processing

2. Categories of data subject, the personal data processed and information sources

3. Recipients or categories of recipients of the personal data

4. Information on the possible transfer of the personal data to a third country or an international organisation

5. Period for which the personal data will be retained, or the criteria used to determine that period

6. General description of technical and organisational security measures

7. Rights of the data subjects

Statutory or contractual requirement to provide information and consequences of failure to provide such information

Privacy statement regarding the processing of the personal data of members of unemployment funds

1. Purpose of the processing of the personal data and the legal basis for the processing

2. Categories of data subject, the personal data processed and information sources

3. Recipients or categories of recipients of the personal data

4. Information on the possible transfer of the personal data to a third country or an international organisation

5. Period for which the personal data will be retained, or the criteria used to determine that period

6. General description of technical and organisational security measures

7. Rights of the data subjects

Privacy statement reagrding Fit & Proper assessments

1. Purpose of the processing of the personal data and the legal basis for the processing

2. Categories of data subject, the personal data processed and information sources

4. Recipients or categories of recipients of the personal data

4. Information on the possible transfer of the personal data to a third country or an international organisation

5. Period for which the personal data will be retained, or the criteria used to determine that period

6. General description of technical and organisational security measures

7. Rights of the data subjects

8. Statutory or contractual requirement to provide information and consequences of failure to provide such information

Data protection statement regarding the processing of the personal data of stakeholder representatives as well as persons submitting requests for information and other requests

1. Purpose of the processing of the personal data and the legal basis for the processing

2. Categories of data subject, the personal data processed and information sources

3. Recipients or categories of recipients of the personal data

4. Information on the possible transfer of the personal data to a third country or an international organisation

5. Period for which the personal data will be retained, or the criteria used to determine that period

6. General description of technical and organisational security measures

7. Rights of the data subjects

8. Statutory or contractual requirement to provide information and consequences of failure to provide such information

Privacy statement regarding the processing of personal data of representatives of contractual partners and potential contractual partners

1. Purpose of the processing of the personal data and the legal basis for the processing

2. Categories of data subject, the personal data processed and information sources

3. Recipients or categories of recipients of the personal data

4. Information on the possible transfer of the personal data to a third country or an international organisation

5. Period for which the personal data will be retained, or the criteria used to determine that period

6. General description of technical and organisational security measures

7. Rights of the data subjects

8. Statutory or contractual requirement to provide information and consequences of failure to provide such information

Privacy statement regarding personal data processed by the Financial Supervisory Authority in connection with its supervisory and inspection activities

1. Purpose of the processing of the personal data and the legal basis for the processing

2. Categories of data subject, the personal data processed and information sources

3. Recipients or categories of recipients of the personal data

4. Information on the possible transfer of the personal data to a third country or an international organisation

5. Period for which the personal data will be retained, or the criteria used to determine that period

6. General description of technical and organisational security measures

7. Rights of the data subjects

Privacy statement regarding the processing of the personal data of management, owners and contact persons of supervised entities and other financial market participants

1. Purpose of the processing of the personal data and the legal basis for the processing

2. Categories of data subject, the personal data processed and information sources

3. Recipients or categories of recipients of the personal data

4. Information on the possible transfer of the personal data to a third country or an international organisation

5. Period for which the personal data will be retained, or the criteria used to determine that period

6. General description of technical and organisational security measures

7. Rights of the data subjects

8. Statutory or contractual requirement to provide information and consequences of failure to provide such information

Privacy statement regarding reports of suspected breaches

1. Purpose of the processing of the personal data and the legal basis for the processing

2. Categories of data subject, the personal data processed and information sources

3. Recipients or categories of recipients of the personal data

4. Information on the possible transfer of the personal data to a third country or an international organisation

5. Period for which the personal data will be retained, or the criteria used to determine that period