Statements and guidelines

Data protection

Data protection means taking requirements for personal data processing into account in order to safeguard the rights of private individuals when collecting personal data and throughout the lifecycle of the data processing. Further information on data protection is available on the website of the Office of the Data Protection Ombudsman.

Name and contact details of controller and contact details of data protection officer

Financial Supervisory Authority
Business ID: 0202248-1
PO Box 103
00101 Helsinki
Email: kirjaamo(at)finanssivalvonta.fi
Tel. +358 9 183 51 (switchboard)

Contact details of the data protection officer:
Email: tietosuojavastaava@bof.fi
Tel. +358 9 1831 (switchboard)

Processing of personal data in the FIN-FSA

The FIN-FSA processes personal data, as a rule, in order to discharge its statutory official duties. When processing personal data, the FIN-FSA complies with the provisions of the EU’s General Data Protection Regulation (GDPR) and the Finnish Data Protection Act. The FIN-FSA’s privacy statements contain more detailed information on how the FIN-FSA processes personal data. The privacy statements can be found in the list below.

Privacy statements

Privacy statement regarding the processing of personal data in securities markets supervision

This Privacy Statement describes, in accordance with the General Data Protection Regulation (EU) 2016/679, how the Financial Supervisory Authority (FIN-FSA) processes personal data in its supervision of securities markets, and what rights the data subjects have.

1. Purpose of the processing of the personal data and the legal basis for the processing

The data are processed so that the FIN-FSA can detect and investigate possible cases of market abuse and monitor the fair and orderly functioning of the market and the activities of investment service providers.

The legal basis for processing the personal data is the need to process the data for the performance of the statutory tasks of the FIN-FSA:

  • The processing of notifications of ownership and voting rights (flagging notifications) reported to the FIN-FSA is based on chapter 9, section 5 of the Securities Markets Act.
  • The processing of prospectuses (including basic information documents) and offer documents is based on chapters 3 and 11 of the Securities Markets Act.
  • The processing of notifications of the transactions with financial instruments of the management of listed companies and their related parties is based on Article 19 of the Market Abuse Regulation (EU) No 596/2014 (MAR).
  • The processing of short selling notifications is based on Articles 5 and 6 of Regulation (EU) 236/2012 of the European Parliament and of the Council on short selling and certain aspects of credit default swaps.
  • The processing of trade reporting-related data and order data is based on Articles 25 and 26 of the Markets in Financial Instruments Regulation (EU) No 600/2014 (MiFIR).
  • The processing of insider lists is based on Article 18 of the MAR.
  • Requested additional information is processed on the basis of the supervisory powers of chapter 3 of the Act on the Financial Supervisory Authority.

The personal data may also be processed for archiving purposes in the public interest.

2. Categories of data subject, the personal data processed and information sources

Categories of data subject:

  • Natural persons subject to flagging obligation
  • The persons responsible for the prospectus and advisers, the members of the issuer’s governance and supervisory bodies and senior management, other persons discharging managerial responsibilities as well as related parties, the auditor with main responsibility and the issuer’s major shareholders
  • The persons responsible for the offer document, advisers, the persons acting as the offeror, persons related to them pursuant to section 11 subsection 5 of the Securities Markets Act as well as the members of the governance and supervisory bodies of the company subject to the offer, other senior management, the auditor with main responsibility and the major shareholders of the company subject to the offer
  • Holders of short positions (if a natural person)
  • The clients of trade-reportable transactions, the persons who made the investment decision and the persons responsible for the implementation of the decision
  • Persons with access to inside information who work for the issuers or for those acting on their behalf or on their account based on an employment contract or otherwise perform tasks through which they have access to inside information, such as advisers, accountants or credit rating agencies
  • The clients who gave the order, the persons who made the investment decision and the persons responsible for the execution of the order
  • Persons suspected of offences
  • Persons reporting data to the FIN-FSA

The personal data processed and sources of information:

  • Flagging information includes personal information such as name, domicile, home state, contact details and any other information provided in the flagging notification. Information is obtained from the data subject themselves or a party acting on their behalf.
  • Personal information included in prospectuses such as name, position in the company, address, mutual family relationships, work address, conflicts of interest. Information is obtained from a prospectus received from the issuer or from a party acting on its behalf or from a prospectus approved by the competent authority of another EEA state and notified to the FIN-FSA by the authority that approved it.
  • Personal information included in the offer document, such as name, position in the company, address and domicile. Information is obtained from the offeror itself or from a party acting on its behalf.
  • Management transactions include personal information such as name, position and details of transactions. The information is obtained from the data subject themselves or the issuer.
  • Personal information such as name, address, name of contact person, telephone number, fax number, email address and information on short positions is collected from the holders of short positions. The information is obtained from or the data subject themselves or from a party acting on their behalf.
  • Trade-reportable information includes personal information such as name, date of birth, nationality and personal identity code as well as information about trades. Information is obtained from the investment service provider that carried out the transaction, the reporting service provider or other EU/EEA supervisors. The names, personal identity codes, dates of birth and information on roles in companies of persons entered in a trade register are also obtained from the Trade Register of the Finnish Patent and Registration Office (PRH) and information on related parties (names, dates of birth and personal identity codes) from the Digital and Population Data Services Agency (DVV).
  • In insider lists, processed information includes personal information such as name, personal identity code, date of birth, birth surname, telephone number, position and home address as well as insider registration information. Information is obtained from the issuer or from a party acting on its behalf or on its account when requested by the FIN-FSA.
  • Order information includes personal information such as name, date of birth, nationality and personal identity code as well as information about orders. Information may be obtained from the trading venue where the order was sent for execution, from an authorised service provider acting on behalf of the trading venue, from the investment service provider that submitted the order or from supervisors in other EU/EEA countries.
  • Information about a suspected offence and the preliminary investigation, such as the name of the suspect and processing information received from the prosecution authority. Information is obtained from the data subject, the issuer (or a party acting on its behalf), the investment firm (or a party acting on its behalf), other supervisors in other EU/EEA countries, other public authorities, other parties or public sources.
  • Information related to the imposition of administrative sanctions.
  • Possible communication with the data subject.
  • Name, email address and telephone number as well as identification and authorisation information of the persons reporting information to the FIN-FSA (see also Data protection statement regarding the processing of the personal data of stakeholder representatives as well as persons submitting requests for information and other requests). When using Suomi.fi identification, identification and authorisation information is obtained from the Digital and Population Data Services Agency, which also collects for itself transaction information on the use of the service. Other information is obtained from the person themselves or the company they represent.

In market abuse surveillance, personal data may be used to profile data subjects for securities trading. No personal data are used for automated decision-making.

3. Recipients or categories of recipients of the personal data

The FIN-FSA provides trade reports and offer book information containing personal data to the competent authorities of other EU/EEA countries.

For holders of short positions, information on those that exceed 0.5 per cent of the entire share capital is published on the FIN-FSA’s website. Information on position holders below 0.5 per cent is not published.

FIN-FSA-approved prospectuses prepared for the offering and listing of securities as well as offer documents for public purchase offers are published on the FIN-FSA’s website.

The FIN-FSA must notify the police immediately if criminal conduct is detected or suspected in the course of its supervisory activities. Administrative sanctions imposed by the FIN-FSA are reported to the European Securities Market Authority (ESMA). In addition, investigation requests and administrative sanctions within the scope of market abuse and investment services regulations are reported to ESMA in the form of aggregated information once a year.

The personal data may otherwise be disclosed in possible requests for information concerning the data insofar as the data are public on the basis of the Act on the Openness of Government Activities or the party requesting the data otherwise has the right to receive the data.

The FIN-FSA has outsourced the processing of personal data to the following service providers, who process personal data on the FIN-FSA’s behalf:

  • IT system and application suppliers
  • IT consultants
  • Communication service providers.

4. Information on the possible transfer of the personal data to a third country or an international organisation

The personal data are not, as a rule, transferred outside of the EU or the EEA or to international organisations. If the data are transferred outside of the EU or EEA, an adequate level of personal data protection is ensured, as required by data protection legislation.

The FIN-FSA is party to an agreement concluded on 19 June 2019 between ESMA and third country authorities pursuant to Article 46(3) of the GDPR under which the personal data may be transferred to third country authorities which are party to the agreement.

(see Administrative arrangement for the transfer of personal data between EEA and non-EEA securities regulators - Data protection - www.finanssivalvonta.fi).

5. Period for which the personal data will be retained, or the criteria used to determine that period

The personal data will be retained for as long as necessary for the purposes of processing the personal data or to comply with statutory obligations. Insofar as the personal data are included in material that must be archived on the basis of a decision by the National Archives of Finland, the data will be retained permanently in the archives.

6. General description of technical and organisational security measures

In order to protect the personal data against unauthorised access, disclosure, destruction or other unlawful processing, the personal data are processed in systems that have been protected with appropriate technical data protection solutions, taking potential risks into consideration. Manual material is located in premises to which unauthorised persons are prevented from accessing. Only those employees who need to process the personal data in order to perform their duties have access to the personal data being processed.

7. Rights of the data subjects

The data subjects have the right:

  • to request from the controller access to the personal data concerning them and the right to request that such data be corrected or for processing to be restricted and
  • to lodge a complaint about the processing of the personal data with the supervisory authority.

Access to data concerning data subjects themselves is not granted, however, if the disclosure of such data might jeopardise the performance of the statutory tasks of the FIN-FSA or the prevention or investigation of infringements of financial market regulations or for any other reason expressly provided for by law.

As the FIN-FSA is required to process the personal data for the performance of its statutory tasks, the data subject does not have the right to erase, transfer to another system or object to the processing of the data processed in accordance with this privacy statement.

8. Statutory or contractual requirement to provide information and consequences of failure to provide such information

Based on Article 19 of the Market Abuse Regulation, persons discharging managerial responsibilities, as well as persons closely associated with them, are obliged to submit information about their transactions to the issuer and to the FIN-FSA. Failure to report transactions to the FIN-FSA is subject to a penalty payment in accordance with chapter 15, section 2 of the Securities Markets Act.

Based on Regulation (EU) 236/2012 of the European Parliament and of the Council, holders of short positions are obliged to submit information on short positions to the FIN-FSA. Failure to report positions to the FIN-FSA is subject to a penalty payment in accordance with chapter 15, section 2 of the Securities Markets Act.

Under chapter 9, sections 5, 6, 6a, 6b and 9 of the Securities Market Act, shareholders are obliged to notify the FIN-FSA of significant holdings of shares and voting rights. Failure to comply with the notification obligation is subject to a penalty payment in accordance with chapter 15, section 2 of the Securities Markets Act.

The FIN-FSA’s supervised entities, other financial market participants and persons are obliged to provide the information requested by the FIN-FSA for supervisory purposes. Under section 33a of the Act on the Financial Supervisory Authority, the FIN-FSA may, under penalty of a fine, obligate a supervised entity or other financial market participant to comply with the obligation if the failure is not negligible.

 

Privacy statement – Client contacts and other advisory matters

This Privacy Statement describes, in accordance with the General Data Protection Regulation (EU) 2016/679, how the Financial Supervisory Authority (FIN-FSA) processes the personal data of clients of the FIN-FSA’s supervised entities and other financial market participants as well as others requesting advice who contact the FIN-FSA, and the rights of the data subjects.

1. Purpose of the processing of the personal data and the legal basis for the processing

The personal data are processed in order to respond to contacts and to clarify matters. The processing is based on the need to process the personal data for the performance of the FIN-FSA’s supervisory and advisory tasks in the public interest. Any processing of personal data belonging to particular categories of personal data is directly related to a supervisory task laid down for the FIN-FSA in the Act on the Financial Supervisory Authority.

The personal data may also be processed for archiving purposes in the public interest.

2. Categories of data subject, the personal data processed and information sources

The data subjects are clients of the FIN-FSA’s supervised entities and other financial market participants as well as other persons requesting advice who contact the FIN-FSA.

The following data are processed by the FIN-FSA:

  • name and contact information of the contacting person
  • the content of the contact and other communication with the contacting person
  • information related to the matter received from the supervised entity or other financial market participant mentioned in the contact
  • other information concerning the processing of the matter
  • log data, language choices and automated messages, if the data subject uses the FIN-FSA’s e-services.
  • identification data, if the data subject using an e-service is identified by means of Suomi.fi identification.

The personal data are obtained from the data subject themselves and from the supervised entity or other financial market participant that the matter concerns. When using Suomi.fi identification, the FIN-FSA receives identification information from the Digital and Population Data Services Agency (DVV), which also collects for itself transaction information on the use of the service.

Personal data are not used in automated decision-making.

3. Recipients or categories of recipients of the personal data

The personal data of the client is disclosed to the supervised entity or other financial market participant that the matter concerns if the FIN-FSA considers the disclosure of the data to be necessary for the processing of the matter.

The personal data may be disclosed in possible requests for information concerning the data insofar as the data are public on the basis of the Act on the Openness of Government Activities.

The data may be disclosed to other authorities if so required by law.

The FIN-FSA has outsourced the processing of personal data to the following service providers, who process personal data on the FIN-FSA’s behalf:

  • IT system and application suppliers
  • IT consultants
  • Communication service providers.

4. Information on the possible transfer of the personal data to a third country or an international organisation

The personal data are not, as a rule, transferred outside of the EU or the EEA or to international organisations. If the data are transferred outside of the EU or EEA, an adequate level of personal data protection is ensured, as required by data protection legislation.

5. Period for which the personal data will be retained, or the criteria used to determine that period

The personal data will be retained for as long as necessary for the purposes of processing the personal data or to comply with statutory obligations.

6. General description of technical and organisational security measures

In order to protect personal data against unauthorised access, disclosure, destruction or other unlawful processing, personal data are processed in systems that have been protected with appropriate technical data protection solutions, taking potential risks into consideration. Manual material is located in premises to which unauthorised persons are prevented from accessing. Only those employees who need to process the personal data in order to perform their duties have access to the personal data being processed.

7. Rights of the data subjects

The data subjects have the right:

  • to request from the controller access to personal data concerning them and the right to request the rectification or erasure of such data or to restrict or object to processing.
  • to lodge a complaint about the processing of the personal data with the supervisory authority.

Statutory or contractual requirement to provide information and consequences of failure to provide such information

Failure to provide personal information may lead to the suspension of the processing of a matter pending in the FIN-FSA.

Privacy statement regarding the processing of the personal data of members of unemployment funds

This Privacy Statement describes, in accordance with the General Data Protection Regulation (EU) 2016/679, how the Financial Supervisory Authority (FIN-FSA) processes the personal data of those who have claimed benefits from unemployment funds, and the rights of the data subjects.

1. Purpose of the processing of the personal data and the legal basis for the processing

The processing of the personal data of the data subjects is based on the obligation placed upon the FIN-FSA in the Unemployment Security Act to maintain a register of beneficiaries. The register of beneficiaries serves as the national base register for benefits paid by unemployment funds.

The data collected in the register of beneficiaries is used for the following purposes:

  • the supervision of unemployment funds;
  • compiling statistics on the benefits paid by unemployment funds;
  • investigating abuses related to benefits paid by unemployment funds; and
  • preparing and monitoring legislation.

The personal data may also be processed for archiving purposes in the public interest.

2. Categories of data subject, the personal data processed and information sources

Categories of data subject:

  • Persons who have claimed benefits from an unemployment fund

The personal data processed:

  • The personal identity code as well as background information, such as postcode, tax district and occupation, of benefit claimants
  • Information on membership of an unemployment fund
  • Information on the benefits paid and their allocation over time as well as information on the factors affecting the determination of the benefits
  • Information on the decisions taken by unemployment funds and the processing of unemployment benefit applications

The information of data subjects is obtained from the unemployment funds.

The information is not used in automated decision-making.

3. Recipients or categories of recipients of the personal data

The personal data of the data subjects are regularly disclosed to the Ministry of Social Affairs and Health (preparation and monitoring of legislation), Statistics Finland (statutory compilation of statistics), the Social Insurance Institution (statistics cooperation), the Employment Fund (disclosure based on the Act on the Financing of Unemployment Benefits) and the Finnish Centre for Pensions (for the purpose of assessing and determining the Employment Fund’s insurance contribution and forecasting pension expenditure).

The personal data is also disclosed for research purposes.

In addition, the personal data may be disclosed in possible requests for information concerning the data insofar as the data are public on the basis of the Act on the Openness of Government Activities.

The FIN-FSA has outsourced the processing of personal data to the following service providers, who process personal data on the FIN-FSA’s behalf:

  • IT system and application suppliers
  • IT consultants
  • Communication service providers.

4. Information on the possible transfer of the personal data to a third country or an international organisation

The personal data are not, as a rule, transferred outside of the EU or the EEA or to international organisations. If the data are transferred outside of the EU or EEA, an adequate level of personal data protection is ensured, as required by data protection legislation.

5. Period for which the personal data will be retained, or the criteria used to determine that period

The personal data will be retained for as long as necessary for the purposes of processing the personal data. Insofar as the personal data are included in material that must be archived on the basis of a decision by the National Archives of Finland, the data will be retained permanently in the archives.

6. General description of technical and organisational security measures

In order to protect the personal data against unauthorised access, disclosure, destruction or other unlawful processing, the personal data are processed in systems that have been protected with appropriate technical data protection solutions, taking potential risks into consideration. Manual material is located in premises to which unauthorised persons are prevented from accessing. Only those employees who need to process the personal data in order to perform their duties have access to the personal data being processed.

7. Rights of the data subjects

The data subjects have the right:

  • to request from the controller access to the personal data concerning them and the right to request that such data be corrected or for processing to be restricted
  • to lodge a complaint about the processing of the personal data with the supervisory authority.

 

Privacy statement reagrding Fit & Proper assessments

This Privacy Statement describes, in accordance with the General Data Protection Regulation (EU) 2016/679, how the Financial Supervisory Authority (FIN-FSA) processes the personal data of the management and significant shareholders of supervised entities and other financial market participants, of persons involved in insurance distribution and of private entrepreneurs registered in the FIN-FSA’s registers for the purpose of carrying out of Fit & Proper assessments and owner control, and the rights of the data subjects.

1. Purpose of the processing of the personal data and the legal basis for the processing

The FIN-FSA processes the personal data of the management and significant shareholders of supervised entities for the purpose of carrying out  Fit & Proper assessments and owner control.

The purpose of Fit & Proper assessments is to assess the fitness and propriety of members of the management bodies, the executive management and key function holders as well as the significant shareholders and founders of the FIN-FSA’s supervised entities and other financial market participants. Fit & Proper assessments are related to authorisation and registration requirements, owner control and the ongoing supervision of supervised entities and other financial market participants.

Fit & Proper assessments are made on the basis of EU and national legislation, such as

  • The Act on Credit Institutions
  • The Insurance Companies Act
  • Commission Delegated Regulation (EU) 2015/35 (Solvency II)
  • The Pension Insurance Companies Act
  • The Public Insurance Funds Act
  • The Act on Company Pension Funds and Industry-wide Pension Funds
  • The Act on Company Supplementary Pension Funds and Industry-wide Supplementary Pension Funds
  • The Farmers' Pension Act
  • The Seafarers’ Pension Act
  • The Unemployment Funds Act
  • The Local Mutual Insurance Associations Act
  • The Act on Investment Services
  • The Act on Common Funds
  • The Act on Alternative Investment Fund Managers
  • The Crowdfunding Regulation (EU) 2020/1503
  • The Act on Bondholder Representatives
  • The Payment Institutions Act
  • The Act on Insurance Distribution
  • The Act on Intermediaries of Consumer Credits Related to Residential Immovable Property
  • The Central Securities Depositories Regulation (EU) 909/2014
  • The Act on Trading in Financial Instruments
  • The Act on Virtual Currency Providers and
  • The Act on the Registration of Certain Credit Providers and Credit Intermediaries.

2. Categories of data subject, the personal data processed and information sources

Categories of data subjects:

  • Management personnel of the FIN-FSA’s supervised entities and other financial market participants (e.g. members of the board of directors and members of any supervisory board, and their deputies, the CEO and deputy CEO, the executive management and key function holders, for example the heads of internal audit, compliance and risk management.
  • Significant shareholders and founders of the FIN-FSA’s supervised entities and other financial market participants insofar as legislation requires the assessment of the fitness and propriety of shareholders
  • Natural persons and private entrepreneurs who are supervised entities of the FIN-FSA, or other financial market participants
  • Persons involved in insurance distribution.

The personal data processed are (there are some entity-specific differences in the personal data):

  • The person’s basic information (e.g. name, personnel identity code or date of birth, nationality, address and other contact information, information on previous work experience and education)
  • A statement on the person’s position and use of time related to their position
  • A statement that the person is not bankrupt and that they have full legal capacity; information from the Register of Guardianship Affairs; information from the Legal Register Centre’s Debt Restructuring Register and the Business Prohibition Register; information from the Register of Bankruptcies and Reorganisations; the person’s payment default information and information on enforcement; information on a possible controlled undertakings and information on other close links; an obligation compliance report; information from criminal and fine records; information on sanctions and public warnings issued by the FIN-FSA; any information obtainable from an authority of another state
  • Other information provided by the person themselves
  • Other information concerning the processing of a matter.

As a rule, the information of data subjects is obtained

  • From the data subjects themselves
  • From a supervised entity of the FIN-FSA or other financial market participant
  • From public registers and information services and other public sources (e.g. judicial administration registers, media)
  • From the registers of other authorities (e.g. the registers of the Finnish authorities, the registers of other countries’ authorities, and the registers of the European Central Bank (ECB) and the European Supervisory Authorities).

The information is not used in automated decision-making.

4. Recipients or categories of recipients of the personal data

The FIN-FSA discloses personal data related to the Fit & Proper assessments of members of the management of significant supervised entities (SIs) to the ECB for the purpose of assessing their fitness and propriety. The ECB follows its own data protection and information security practices when processing personal data related to Fit & Proper assessments in its own systems (see Privacy statement on the processing of personal data in the context of prudential supervision under the Single Supervisory Mechanism (europa.eu)).

The FIN-FSA may disclose Fit & Proper assessment data to authorities in other countries, the ECB and the European Supervisory Authorities.

The personal data may otherwise be disclosed in possible requests for information concerning the data insofar as the data are public on the basis of the Act on the Openness of Government Activities.

The FIN-FSA has outsourced the processing of personal data to the following service providers, who process personal data on the FIN-FSA’s behalf:

  • IT system and application suppliers
  • IT consultants
  • Communication service providers.

4. Information on the possible transfer of the personal data to a third country or an international organisation

The personal data are not, as a rule, transferred outside of the EU or the EEA or to international organisations. If the data are transferred outside of the EU or EEA, an adequate level of personal data protection is ensured, as required by data protection legislation.

The FIN-FSA is party to an agreement concluded on 19 June 2019 between ESMA and third country authorities pursuant to Article 46(3) of the GDPR under which the personal data may be transferred to third country authorities which are party to the agreement.

5. Period for which the personal data will be retained, or the criteria used to determine that period

The data will be retained until the actions required by the Fit & Proper assessment and any related follow-up processes have been taken.

6. General description of technical and organisational security measures

In order to protect the personal data against unauthorised access, disclosure, destruction or other unlawful processing, the personal data are processed in systems that have been protected with appropriate technical data protection solutions, taking potential risks into consideration. Manual material is located in premises to which unauthorised persons are prevented from accessing. Only those employees who need to process the personal data in order to perform their duties have access to the personal data being processed.

7. Rights of the data subjects

The data subjects have the right:

  • to request from the controller access to the personal data concerning them and the right to request that such data be corrected or for processing to be restricted and
  • to lodge a complaint about the processing of the personal data with the supervisory authority.

Access to data concerning data subjects themselves is not granted, however, if the disclosure of such data might jeopardise the performance of the statutory tasks of the FIN-FSA or the prevention or investigation of infringements of financial market regulations.

8. Statutory or contractual requirement to provide information and consequences of failure to provide such information

Failure to provide personal information may lead to the suspension of a matter (e.g. a notification or an application) pending before the Financial Supervisory Authority or to an negative decision.

Data protection statement regarding the processing of the personal data of stakeholder representatives as well as persons submitting requests for information and other requests

This Privacy Statement describes, in accordance with the General Data Protection Regulation (EU) 2016/679, how the Financial Supervisory Authority (FIN-FSA) processes the personal data of stakeholder representatives as well as persons submitting requests for information and other requests, and the rights of the data subjects.

1. Purpose of the processing of the personal data and the legal basis for the processing

The FIN-FSA processes the personal data of representatives of stakeholders, such as authorities, organisations and companies, in order to facilitate the FIN-FSA’s stakeholder work. The FIN-FSA processes the data of persons submitting requests for information and other requests in order to respond to the requests.

Stakeholder work includes, for example, events, bulletins, newsletters, responding to feedback providers, communication on social media, providing online services, stakeholder research and other surveys, and cooperation with authorities, international bodies and organisations.

The data of those who have been invited to, who have registered for and who have attended events are processed in order to manage the events and meetings.

The data of subscribers to bulletins and newsletters are processed for the purpose of sending the bulletins and newsletters.

The data of feedback providers are processed in order to respond to feedback.

The data of visitors to the FIN-FSA’s website are collected using cookies in order to compile statistics on visitors and to execute the functionalities of the website.

When using the social media channels, the FIN-FSA processes information of their social media users, which also includes personal data. The personal data of social media users are processed to analyse the FIN-FSA’s visibility on social media, the success of social media posts, the penetration of the FIN-FSA’s main messages and the volume, tone and level of social media conversations about the FIN-FSA. The analyses are used in communications to create a snapshot of the situation, develop communications and support action recommendations/decision-making for management and departments. The basis for processing the personal data of social media users for the aforementioned purposes is that communications on social media and evaluation of communications is necessary for the FIN-FSA’s performance of tasks in the public interest.

The personal data of representatives of authorities, international institutions and organisations are processed for the purpose of cooperation.

In addition, the data of stakeholders is processed for the purpose of planning and developing the activities of the FIN-FSA.

The basis for processing the personal data is the need to process data for the controller’s performance of tasks in the public interest. However, the basis for processing is consent when the data subject is a subscriber of a newsletter or bulletin or the processed data are non-essential cookie data. The personal data may also be processed for archiving purposes in the public interest.

2. Categories of data subject, the personal data processed and information sources

The data subjects are persons submitting requests for information and other requests as well as representatives of the FIN-FSA’s stakeholders, such as:

  • Representatives of authorities and international bodies
  • Representatives of organisations
  • The FIN-FSA’s supervised entities and other financial market participants and their representatives
  • Representatives of listed companies
  • Representatives of audit firms
  • Media representatives
  • Persons who have been invited to/who have registered for/who have attended FIN-FSA events and meetings
  • Former employees of the FIN-FSA
  • Subscribers to the FIN-FSA’s newsletters
  • Visitors to the FIN-FSA’s website and providers of feedback
  • Followers of the FIN-FSA’s social media accounts and users who share and comment posts of the FIN-FSA and users who tag the FIN-FSA in their social media posts or use subject tags monitored by the FIN-FSA.

The personal data processed are

  • Name, title or position of the data subject and, if necessary, additional information related to these, organisation
  • End date of employment relationship, position and department or unit of former employees
  • The contact information of the data subject (email address, telephone number and possible other contact information) and possible communication bans
  • Communication with the data subject (e.g. email correspondence, online feedback form, responses to stakeholder research or other surveys, request for information or other requests, the response to a request, possible decision on a matter, information on the processing of a request).
  • Photographs and video recordings of events and meetings (participants are informed separately about possible video recording and photography)
  • Meeting information and information on invitations to, registrations for and participation in events
  • If necessary, special diets
  • Data collected by cookies (for more information on the use of cookies, see Cookies policy - Statements and guidelines - www.finanssivalvonta.fi).
  • Information on the following of the FIN-FSA’s social media channels, sharing and commenting on the FIN-FSA’s publications and sharing and commenting on other publications concerning the FIN-FSA and publications mentioning the FIN-FSA’s subject tags. 

The information of data subjects is, as a rule, obtained from the data subjects themselves and from organisations represented by the data subjects. The FIN-FSA also collects information from public sources such as organisations’ websites. Information about former employees is obtained from the Bank of Finland. The information of media representatives is also obtained from the directory of the association of economic journalists Taloustoimittajat ry and the media register of the press release distribution service STT Info.

The information of stakeholder representatives and persons submitting requests for information and other requests is not used in automated decision-making.

3. Joint controllers

The FIN-FSA is a joint controller with LinkedIn Ireland Unlimited Company (“LinkedIn”) with regard to the LinkedIn community page. When a LinkedIn user visits, follows, comments or otherwise reacts on the FIN-FSA’s LinkedIn page, the FIN-FSA and LinkedIn process the personal data together in order to develop the LinkedIn page and services. An Addendum (LinkedIn Pages Joint Controller Addendum), which specifies the responsibilities of the FIN-FSA and LinkedIn for complying with their obligations under data protection regulations, has been prepared for the joint register. In the Addendum, it has been agreed that LinkedIn is responsible for complying with obligations under EU data protection regulations, including informing LinkedIn users and enabling data subjects to exercise their rights. More information about the use of LinkedIn personal data and ways for data subjects to exercise their rights is available at: https://www.linkedin.com/legal/privacy-policy.

4. Recipients or categories of recipients of the personal data

The personal data may be disclosed in possible requests for information concerning the data insofar as the data are public on the basis of the Act on the Openness of Government Activities or the party requesting the data otherwise has the right to receive the data.

Photographs and video recordings of events and meetings may be published on the FIN-FSA’s website and in social media channels, provided that consent to publish the photographs or video recordings has been obtained from the persons clearly identifiable from the images. Photographs may also be released to the press for news coverage and non-commercial purposes.

The FIN-FSA discloses the personal data of those who have registered for and have participated in events to the Bank of Finland or to another organising party if the event in question is arranged as a joint event. If there is catering at the event, data may be disclosed to the organiser of the catering insofar as this is necessary.

The FIN-FSA has outsourced the processing of personal data to the following service providers, who process personal data on the FIN-FSA’s behalf:

  • IT system and application suppliers
  • IT consultants
  • Communication service providers.

5. Information on the possible transfer of the personal data to a third country or an international organisation

Data are not transferred outside the EU or the EEA or to international organisations.

6. Period for which the personal data will be retained, or the criteria used to determine that period

The personal data will be retained for as long as necessary for the purposes of processing the personal data or to comply with statutory obligations. Insofar as the personal data are included in material that must be archived on the basis of a decision by the National Archives of Finland, the data will be retained permanently in the archives.

7. General description of technical and organisational security measures

In order to protect personal data against unauthorised access, disclosure, destruction or other unlawful processing, personal data are processed in systems that have been protected with appropriate technical data protection solutions, taking potential risks into consideration. Manual material is located in premises to which unauthorised persons are prevented from accessing. Only those employees who need to process personal data in order to perform their duties have access to the personal data being processed.

8. Rights of the data subjects

The data subjects have the right:

  • To request from the controller access to personal data concerning them and the right to request that such data be corrected or erased or for processing to be restricted or to object to the processing of their personal data.
  • Insofar as processing of personal data is based on consent, to withdraw consent at any time, without affecting the lawfulness of processing based on consent prior to its withdrawal, as well as the right to transfer the data from the system to another. A newsletter subscriber may cancel the newsletter subscription at any time via a link in the newsletter.
  • To lodge a complaint about the processing of personal data with the supervisory authority.

9. Statutory or contractual requirement to provide information and consequences of failure to provide such information

If a stakeholder does not provide their contact information or it cannot be found publicly, the FIN-FSA is unable to target that person in its stakeholder work.

If a person who has provided feedback via an online service wishes a response to the feedback, they must provide their email address on the feedback form.

If a subscriber of a newsletter or bulletin does not provide their email address, the newsletter or bulletin cannot be sent.

Requests for information directed at a public document do not have to be justified and the person making the request does not need to provide personal information. However, if the request concerns a confidential document or information that can only be disclosed under certain conditions, the data subject must provide the necessary information to the FIN-FSA.

Privacy statement regarding the processing of personal data of representatives of contractual partners and potential contractual partners

This Privacy Statement describes, in accordance with the General Data Protection Regulation (EU) 2016/679, how the Financial Supervisory Authority (FIN-FSA) processes the personal data of contractual partners and potential contractual partners and of their responsible personnel, representatives, owners and beneficial owners, and the rights of the data subjects.

1. Purpose of the processing of the personal data and the legal basis for the processing

The FIN-FSA processes the personal data

  • to plan and implement procurement
  • to prepare and enforce contracts, and
  • for planning and developing the activities of the FIN-FSA.

The basis for the processing of the personal data is compliance with the legal obligations of the FIN-FSA, when the data are processed

  • to fulfil the obligations laid down under the Act on Public Procurement and Concession Contracts, the Act on Public Procurement in the Fields of Defence and Security or the Act on the Contractor’s Obligations and Liability
  • to comply with international sanctions regulations
  • to fulfil obligations related to accounting, financial statements preparation and auditing, or
  • to fulfil the obligations set out in the Act on Information Management in Public Administration.

In other processing, the basis for the processing of the personal data is the FIN-FSA’s performance of tasks in the public interest, the preparation and enforcement of contracts, or consent.

The personal data may also be processed for archiving purposes in the public interest.

2. Categories of data subject, the personal data processed and information sources

Categories of data subject:

  • Members of the governance, management and supervisory bodies, employees, owners, beneficial owners, representatives and persons registered in the Trade Register, or an equivalent foreign company register, of candidates and tenderers participating in procurement procedures and of potential subcontractors.
  • Reference contact persons indicated by candidates and tenderers participating in procurement procedures.
  • Representatives of candidates and other potential contractual or cooperation partners invited to market surveys.
  • Members of the governance, management and supervisory bodies, employees, owners, beneficial owners, representatives and persons registered in the Trade Register, or an equivalent foreign company register, of contractual partners and potential subcontractors.
  • Candidates and tenderers participating in procurement procedures, as well as contractual partners and their subcontractors, who are natural persons or private entrepreneurs.

The personal data processed are

  • Name, represented organisation, and position in the organisation, including signing rights
  • Contact information
  • Personal data contained in the register extracts of the represented organisation
  • Date of birth
  • Information about sanctions (management, owners and beneficial owners of tenderers and contractual partners to the extent required by sanctions regulations)
  • Criminal records and business links (candidates and tenderers participating in procurement procedures and members of their governance, management or supervisory bodies or those exercising powers of representation, decision-making or control: no criminal record information is retained, only information on whose criminal record information has been checked and when the information was checked is retained)
  • The data subject’s consent to the performance of personal security clearance vetting and the information required for this as well as the results of the vetting (if security clearance vetting is performed)
  • Information possibly obtained through facility security clearance vetting
  • Applications to the Defence Forces for exemption of key personnel from military service and the decisions on exemptions if the data subject carries out a task for which an exemption application is justified
  • Personal interviews and personal assessments
  • Information on the education and professional qualifications as well as the experience and other relevant skills with regard to the procurement object (those participating in tender evaluation, personal interviews and personal assessments).
  • Possible contracts with the data subject and the commitments of the data subject
  • Invoicing information
  • Information regarding the processing of contractual matters and the negotiation and fulfilment of the contract
  • Information obtained in connection with monitoring the financial situation and risks of the contractual parties selected through the procurement procedure (e.g. tax debt certificates).
  • Visiting information
  • Communication with the data subject

Information is mainly obtained from the data subjects themselves or from the organisation they represent. The FIN-FSA also obtains information from public sources such as the Trade Register maintained by the Finnish Patent and Registration Office, the Reliable Partner service maintained by Vastuu Group Oy, Rakentamisen Laatu RALA ry’s business search service and qualification register, Suomen Asiakastieto Oy’s business credit information registers, and the websites of organisations. Information may also be obtained from the public tender documents of other procurement units. Contact information may also be obtained from joint procurement units used by the FIN-FSA. The results of security clearance vetting are obtained from the Finnish Security and Intelligence Service (SUPO).

The information of data subjects is not used in automated decision-making.

3. Recipients or categories of recipients of the personal data

The FIN-FSA may disclose personal data to the Bank of Finland or another party if the procurement object will also be used by the Bank of Finland or the other party or if the Bank of Finland or the other party has an option to join the end result of the procurement.

The FIN-FSA does not otherwise regularly disclose personal data.

Personal data may, however, be disclosed in possible requests for information concerning the data insofar as the data public on the basis of the Act on the Openness of Government Activities or the party requesting the data otherwise has the right to receive the data (e.g. to the Finnish Competition and Consumer Authority for the purposes of its supervisory tasks.

In a possible dispute or in procurement-related appeal proceedings, the data may be disclosed to the court considering with the matter.

The data may also be made available to auditors to the extent that they consider it necessary to carry out an audit.

The FIN-FSA has outsourced the processing of personal data to the following service providers, who process personal data on the FIN-FSA’s behalf:

  • IT system and application suppliers
  • IT consultants
  • communication service providers
  • providers of financial management services
  • the supplier of the Handi invoicing and ordering system
  • external consultants used in procurement procedures
  • tender services providers used in procurement procedures

4. Information on the possible transfer of the personal data to a third country or an international organisation

The personal data are not, as a rule, transferred outside of the EU or the EEA. If the data are transferred outside of the EU or the EEA, an adequate level of protection of the personal data is ensured as required by data protection legislation, for example using standard contractual clauses approved by the European Commission, and such that processing of the personal data takes place in accordance with this privacy statement.

If a candidate or tenderer eligible for participation from outside the EU/EEA region participates in the procurement procedure, personal data may have to be provided to such a tenderer in notifications, decisions and justifications for decisions related to the procurement procedure, in requests for information, and in possible appeal and rectification request processes.

5. Period for which the personal data will be retained, or the criteria used to determine that period

The personal data will be retained for as long as necessary for the purposes of processing the personal data or to comply with statutory obligations. Insofar as the personal data are included in material that must be archived on the basis of a decision by the National Archives of Finland, the data will be retained permanently in the archives.

6. General description of technical and organisational security measures

In order to protect the personal data against unauthorised access, disclosure, destruction or other unlawful processing, the personal data are processed in systems that have been protected with appropriate technical data protection solutions, taking potential risks into consideration. Manual material is located in premises to which unauthorised persons are prevented from accessing. Only those employees who need to process the personal data in order to perform their duties have access to the personal data being processed.

7. Rights of the data subjects

The data subjects have the right:

  • to request from the controller access to the personal data concerning them as well as the right to request the correction or erasure of such data or a restriction of processing or to object to processing as well as the right to transfer data from one system to another.
  • insofar as processing of the personal data is based on consent, to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
  • to lodge a complaint about the processing of the personal data with the supervisory authority.

8. Statutory or contractual requirement to provide information and consequences of failure to provide such information

If a data subject does not provide the necessary information, the contract or planned cooperation cannot be entered into and any contract or cooperation already entered into or initiated might have to be terminated.

Privacy statement regarding personal data processed by the Financial Supervisory Authority in connection with its supervisory and inspection activities

This Privacy Statement describes, in accordance with the General Data Protection Regulation (EU) 2016/679, how the Financial Supervisory Authority (FIN-FSA) processes personal data in connection with the fulfilment of the FIN-FSA’s statutory duties and the exercise of its powers, and the rights of the data subjects.

1. Purpose of the processing of the personal data and the legal basis for the processing

The personal data are processed in the performance of the FIN-FSA’s statutory tasks, including in connection with the ongoing supervision of supervised entities, other financial market participants and auditors as well as audit activities and reporting obligations.

The processing of the data is based on the Act on the Financial Supervisory Authority and general financial sector and sector-specific EU and national legislation applicable to the FIN-FSA’s supervised entities and other financial market participants. The entities supervised by the FIN-FSA include banks, insurance and pension companies as well as other companies operating in the insurance sector, investment firms, fund management companies and the Helsinki Stock Exchange. More detailed information on sector-specific regulation is available att: Regulation by sectors - Regulation - www.finanssivalvonta.fi.

The personal data may also be processed for archiving purposes in the public interest.

2. Categories of data subject, the personal data processed and information sources

Categories of data subject:

  • Supervised entities and other financial market participants’
    • personnel (including management and members of governance bodies)
    • related parties
    • clients
    • guarantors, collateral providers
    • auditors
    • partners (e.g. consultants, bonding agents, outsourced services providers)
    • counterparties
    • beneficial owners
  • Other persons subject to the exercise of supervisory powers.

The personal data processed may include:

  • Name, position, organisation
  • Client relationship information (e.g. account and transaction information, credit information, income and asset information, information on investment experience, knowledge and objectives) to the extent that it is contained in individual supervisory or inspection material or in information regularly reported to the FIN-FSA. More detail on the information that the FIN-FSA’s supervised authorities must report regularly to the FIN-FSA is available at Reporting - www.finanssivalvonta.fi
  • Loans and other financing comparable to loans granted to related parties of credit institutions
  • Information on contracts between supervised entities/other financial market participants and their clients, counterparties and service providers to the extent that such contracts are contained in individual supervisory or inspection material. Counterparty information is also included in regular reporting, on which more detail is available at Reporting - www.finanssivalvonta.fi
  • Personal data contained in minutes of meetings and other documents of supervised entities
  • Communication between the supervised entity and the client (e.g. email correspondence)
  • Administrative sanctions
  • Reports of suspected abuse
  • Information about a suspected offence and the preliminary investigation, such as the name of the suspect as well as processing information received from the prosecution authority
  • Information relating to customer due diligence and to reports of suspicious transactions
  • Other information concerning the processing of matters.

When direct identification information such as name, date of birth or personal identity code is not required in inspection and supervisory activities, the supervised entity or other financial market participant is requested to provide the material without this information.

The information of data subjects is obtained

  • From the FIN-FSA’s supervised entities or other financial market participants
  • From other entities and persons (e.g. auditors and other parties subject to the exercise of supervisory powers)
  • Public registers and information services and other public sources (e.g. judicial administration registers, media, websites)
  • From the authorities of Finland and other countries, particularly from the ECB, the European Supervisory Authorities and European national supervisory authorities
  • Information may also be obtained from the data subjects themselves.

The information of data subjects is not used in automated decision-making.

3. Joint controllers

The FIN-FSA is a contracting party to the joint controllership arrangement established under Article 9a of Regulation (EU) No 1093/2010 of the European Parliament and of the Council between the European Banking Authority (EBA) and the European national supervisory authorities, on the basis of which personal data may be transferred to a common database of authorities (the so-called EuReCa database).

European national financial supervisory authorities shall report to the EuReCa database their findings on material deficiencies and serious risks in the systems, processes and administrative arrangements for the prevention of money laundering and terrorist financing of individual financial institutions. In addition, national supervisors will report to the scheme on the measures they have required financial institutions to take to address weaknesses.

The Parties to the joint arrangement must provide each other with reasonable assistance in complying with any data subject requests relating to personal data processed through EuReCA. Where a Party other than the EBA receives such a data subject request, it shall forward the request (or the part of the request that concerns the personal data processed through EuReCA) promptly to the following EBA mailbox eureca@eba.europa.eu. Where a data subject request is received by the EBA, the EBA is responsible for processing such requests with the help of the reporting authority that reported the personal data, and for informing the other Parties of the decision. The Party that received the request would be responsible for replying to it on the basis of the information communicated by the EBA. The Parties must also cooperate in the event of any data breach affecting EuReCA and notify the EBA and the relevant data protection authorities and data subjects where required.

More information on the EuReCa database: EuReCA The EBA’s AML/CFT Database (europa.eu) and the EuReCa database privacy policy: Data protection notice for EuReCA

4. Recipients or categories of recipients of the personal data

In EU legislation, the ECB has been assigned tasks related to supervising the stability of banks, which the FIN-FSA carries out together with the ECB, the European Supervisory Authorities and European national supervisory authorities.

The FIN-FSA carries out supervisory cooperation with the ECB, the European Supervisory Authorities, European national supervisory authorities and authorities of other countries, and discloses personal data for the purposes of this supervisory cooperation. For example, in connection with the joint controllership arrangement mentioned in section 3 above, the Financial Supervisory Authority may disclose information to the EBA in the authorities' joint EuReCa database.

The FIN-FSA is obliged to disclose information to the Ministry of Finance, the Bank of Finland and the Financial Stability Authority for the performance of their statutory tasks. The information disclosed may also include personal data.

The FIN-FSA may disclose information to the prosecution and pre-trial investigation authority and Financial Intelligence Unit for the purposes of preventing, combating and investigating crimes.

Personal data may also be disclosed in possible requests for information concerning the data insofar as the data are public on the basis of the Act on the Openness of Government Activities or the party requesting the data otherwise has the right to receive the data.

Personal data contained in administrative sanctions and other decisions may be published on the FIN-FSA’s website.

The FIN-FSA has outsourced the processing of personal data to the following service providers, who process personal data on the FIN-FSA’s behalf:

  • IT system and application suppliers
  • IT consultants
  • Communication service providers.

5. Information on the possible transfer of the personal data to a third country or an international organisation

The personal data are not, as a rule, transferred outside of the EU or the EEA or to international organisations. If the data are transferred outside of the EU or EEA, an adequate level of personal data protection is ensured, as required by data protection legislation.

The FIN-FSA is party to an agreement concluded on 19 June 2019 between ESMA and third country authorities pursuant to Article 46(3) of the GDPR under which the personal data may be transferred to third country authorities which are party to the agreement (see Administrative arrangement for the transfer of personal data between EEA and non-EEA securities regulators - Data protection - www.finanssivalvonta.fi).

6. Period for which the personal data will be retained, or the criteria used to determine that period

The personal data will be retained for as long as necessary for the purposes of processing the personal data or to comply with statutory obligations. Insofar as the personal data are included in material that must be archived on the basis of a decision by the National Archives of Finland, the data will be retained permanently in the archives.

7. General description of technical and organisational security measures

In order to protect the personal data against unauthorised access, disclosure, destruction or other unlawful processing, the personal data are processed in systems that have been protected with appropriate technical data protection solutions, taking potential risks into consideration. Manual material is located in premises to which unauthorised persons are prevented from accessing. Only those employees who need to process the personal data in order to perform their duties have access to the personal data being processed.

8. Rights of the data subjects

The data subjects have the right:

  • to request from the controller access to the personal data concerning them and the right to request that such data be corrected or for processing to be restricted and
  • to lodge a complaint about the processing of the personal data with the supervisory authority.

Access to data concerning data subjects themselves is not granted, however, if the disclosure of such data might jeopardise the performance of the statutory tasks of the FIN-FSA or the prevention or investigation of infringements of financial market regulations or for any other reason expressly provided for by law.

Privacy statement regarding the processing of the personal data of management, owners and contact persons of supervised entities and other financial market participants

This Privacy Statement describes, in accordance with the General Data Protection Regulation (EU) 2016/679, how the Financial Supervisory Authority (FIN-FSA) processes the personal data of management, key function holders, owners and contact persons of supervised entities and other financial market participants, and the rights of the data subjects.

1. Purpose of the processing of the personal data and the legal basis for the processing

The personal data are processed in the performance of the FIN-FSA’s statutory tasks, including in connection with the ongoing supervision of supervised entities and other financial market participants as well as audit activities and reporting obligations.

The processing of the data is based on the Act on the Financial Supervisory Authority and sector-specific EU and national legislation applicable to the FIN-FSA’s supervised entities and other financial market participants. The entities supervised by the FIN-FSA include banks, insurance and pension companies as well as other companies operating in the insurance sector, investment firms, fund management companies and the Helsinki Stock Exchange. More detailed information on sector-specific regulation is available at: Regulation by sectors - Regulation - www.finanssivalvonta.fi.

The processing is based on the need to process the personal data for the performance of the FIN-FSA’s tasks in the public interest.

The personal data may also be processed for archiving purposes in the public interest.

The personal data of management, owners and contact persons of the FIN-FSA’s supervised entities and other financial market participants is also processed in security market supervision, stakeholder work, inspections and supervision as well as in making Fit & Proper assessments, if legislation requires Fit & Proper assessments to be made. Information on the processing of personal data for these purposes is available in the FIN-FSA’s privacy statements on the processing of personal data in securities market supervision, the processing of the personal data of stakeholder representatives as well as persons submitting requests for information and other requests, the processing of personal data by the FIN-FSA in connection with its supervisory and inspection activities, as well as Fit & Proper assessments.

2. Categories of data subject, the personal data processed and information sources

With regard to the FIN-FSA’s supervised entities and other financial market participants, the data subjects are

  • the members of the governance bodies and the management (e.g. members of the board of directors and members of any supervisory board and their deputies, CEO and deputy CEO, members of the management body and key function holders, auditors)
  • significant owners and founders
  • reporters and
  • other contact persons.

In addition, the data subjects also include private traders operating in the financial market.

The personal data processed:

  • Name, telephone number, email address, entity, role/responsibility of the person and start and end date, any other information received from the data subject or the organisation they represent, authorisations to act on behalf of the represented organisation
  • With regard to the members of the governance bodies and the management of supervised entities and other financial market participants as well as private traders, the following information may also be processed: personal identity code or date of birth, place of residence or address, nationality, service language
  • Identification and log data, possible usernames and passwords, language choices and automated messages when the data subject uses electronic services (e.g. an e-service or reporting system)
  • With regard to those who have the downloaded the FIN-FSA’s applications, information on accepted licence agreements and installation packages for the applications and the login credentials of reporters who report via the applications are also processed
  • Information on the processing of applications and notifications
  • Communication with the data subject and any passwords used in communication
  • Information related to the invoicing of supervision and processing fees.

Information is obtained from the data subjects themselves or from the FIN-FSA’s supervised entities or other financial market participants. However, when using Suomi.fi identification, identification and authorisation information is obtained from the Digital and Population Data Services Agency, which also collects for itself transaction information on the use of the service.

The information is not used in automated decision-making.

3. Recipients or categories of recipients of the personal data

A list of supervised entities, a register of insurance intermediaries and a register of tied agents are available on the FIN-FSA’s website. With regard to mortgage brokers, crowdfunding intermediaries, bondholder representatives, virtual currency providers and insurance intermediaries, the names and positions of responsible persons are also available in the list of supervised entities or in the register of insurance intermediaries.

Everyone has the right to receive a register extract of the entries made in the register of pension funds and insurance funds and the register of unemployment funds.

The Bank of Finland is provided with information entered in the base register of entities maintained by the FIN-FSA and with information necessary for the invoicing of supervision and processing fees.

The FIN-FSA may also disclose information to the Financial Stability Authority to carry out its tasks in the fields of resolution, security of supply and the deposit guarantee.

Personal data may otherwise be disclosed in possible requests for information concerning the data insofar as the data are public on the basis of the Act on the Openness of Government Activities or the party requesting the data otherwise has the right to receive the data.

The FIN-FSA has outsourced the processing of personal data to the following service providers, who process personal data on the FIN-FSA’s behalf:

  • IT system and application suppliers
  • IT consultants
  • Financial management services providers
  • Communication service providers.

4. Information on the possible transfer of the personal data to a third country or an international organisation

The personal data are not, as a rule, transferred outside of the EU or the EEA or to international organisations. If the data are transferred outside of the EU or EEA, an adequate level of personal data protection is ensured, as required by data protection legislation.

5. Period for which the personal data will be retained, or the criteria used to determine that period

The personal data will be retained for as long as necessary for the purposes of processing the personal data or to comply with statutory obligations. Insofar as the personal data are included in material that must be archived on the basis of a decision by the National Archives of Finland, the data will be retained permanently in the archives.

6. General description of technical and organisational security measures

In order to protect personal data against unauthorised access, disclosure, destruction or other unlawful processing, personal data are processed in systems that have been protected with appropriate technical data protection solutions, taking potential risks into consideration. Manual material is located in premises to which unauthorised persons are prevented from accessing. Only those employees who need to process personal data in order to perform their duties have access to the personal data being processed.

7. Rights of the data subjects

The data subjects have the right:

  • to request from the controller access to personal data concerning them and the right to request the correction or erasure of such data or to restrict or object to processing.
  • to lodge a complaint about the processing of personal data with the supervisory authority.

8. Statutory or contractual requirement to provide information and consequences of failure to provide such information

An authorisation cannot be granted and a registration in a register of the FIN-FSA cannot be made if the information required by law about an applicant natural person or private trader or an applicant entity’s members of governance bodies and management as well as key function holders is not provided to the FIN-FSA.

The FIN-FSA’s electronic services, reporting systems and other applications cannot be used if the data subject does not provide the information necessary for logging in.

Privacy statement regarding reports of suspected breaches

This Privacy Statement describes, in accordance with the General Data Protection Regulation (EU) 2016/679, how the Financial Supervisory Authority (FIN-FSA) processes personal data in connection with reports of suspected breaches, as referred to in section 71a of the Act on the Financial Supervisory Authority, in chapter 7, section 9 of the Act on the Prevention of Money Laundering and Terrorist Financing and in the Act on the protection of persons reporting violations of European Union and national law (Whistleblower Protection Act), and what rights the data subjects have.

1. Purpose of the processing of the personal data and the legal basis for the processing

The FIN-FSA processes the personal data referred to in this privacy statement in connection with reports of suspected breaches received by the FIN-FSA pursuant to section 71a of the Act on the Financial Supervisory Authority, chapter 7, section 9 of the Act on the Prevention of Money Laundering and Terrorist Financing, and the Whistleblower Protection Act. The legal basis for the processing is compliance with a statutory obligation.

2. Categories of data subject, the personal data processed and information sources

Categories of data subject:

  • Persons making a report
  • Individuals who are the subject of a report or persons employed by the company which is the subject of a report (e.g. management personnel of the said company)
  • Other persons who may be mentioned in reports of suspected abuse.

The personal data processed:

  • Name of the data subject, organisation (no data will be processed with regard to the whistleblower if the report is made anonymously)
  • Contact information of the data subject (email address, telephone number and possible other contact information)
  • Information contained in the report, clarifications resulting from the report and information on the processing of the matter
  • Communication with the data subject (e.g. email correspondence)

As a rule, the information of data subjects is obtained from:

  • the person making a report
  • the parties to whom the report relates
  • public sources
  • other authorities.

The information is not used in automated decision-making.

3. Recipients or categories of recipients of the personal data

The personal data of the person making the report and the personal data of the subject of the notification are confidential.

The FIN-FSA may, however, disclose information to the prosecution and pre-trial investigation authority and Financial Intelligence Unit for the purposes of preventing and investigating crimes.

The FIN-FSA has outsourced the processing of personal data to the following service providers, who process personal data on the FIN-FSA’s behalf:

  • IT system and application suppliers
  • IT consultants
  • Communication service providers.

4. Information on the possible transfer of the personal data to a third country or an international organisation

The personal data are not, as a rule, transferred outside of the EU or the EEA or to international organisations.

The data may, however, be disclosed to a supervisory authority of another country if the suspected abuse is linked to another country.

If the data are transferred outside of the EU or EEA, an adequate level of personal data protection is ensured, as required by data protection legislation.

5. Period for which the personal data will be retained, or the criteria used to determine that period

The personal data will be retained for 5 years from the making of the report. The data will be deleted when their retention period has ended, unless their retention is necessary to safeguard the investigation of a crime, pending trials, official investigations or the rights of the whistleblower or the person who is the subject to a report.

6. General description of technical and organisational security measures

In order to protect personal data against unauthorised access, disclosure, destruction or other unlawful processing, personal data are processed in systems that have been protected with appropriate technical data protection solutions, taking potential risks into consideration. Manual material is located in premises to which unauthorised persons are prevented from accessing. Only those employees who need to process personal data in order to perform their duties have access to the personal data being processed.

7. Rights of the data subjects

The data subjects have the right:

  • to access the personal data concerning themselves and to request that such data be corrected or for processing to be restricted and
  • to lodge a complaint about the processing of personal data with the supervisory authority.

Data subjects have no right of access to the data, however, if

  • disclosure of the data could impede the investigation of suspected violations; or
  • restricting right of access is necessary and proportionate in order to safeguard the investigation of the accuracy of the report or to protect the identity of the whistleblower.

8. Statutory or contractual requirement to provide information and consequences of failure to provide such information

A report of suspected abuse may also be anonymous. An anonymous report may, however, adversely affect investigation of the suspected abuse if additional information cannot be requested from the whistleblower. An anonymous report may, however, contain sufficient information for the investigation of the matter.

Privacy Statement – Life insurance mortality research 2024

This Privacy Statement describes, in accordance with the General Data Protection Regulation (EU) 2016/679, how the Financial Supervisory Authority (FIN-FSA) processes personal data in life insurance mortality research, and the rights of the data subjects.

1. Purpose of the processing of the personal data and the legal basis for the processing

When calculating the technical provisions of life insurance companies, it is essential that the assumptions used regarding mortality are of high quality. Personal data collected in the connection with life insurance mortality research are processed in order to produce information on the mortality trends of life insured persons, i.e. aggregated mortality time series. The FIN-FSA uses mortality time series in its own supervisory work, for example when assessing the mortality assumptions of life insurance companies and forecasting life insurance mortality trends.

The processing is necessary for the performance of the FIN-FSA’s tasks in the public interest. The tasks of the FIN-FSA are based on the Act on the Financial Supervisory Authority, the Insurance Companies Act and Commission Delegated Regulation (EU) 2015/35 (Solvency II).

2. Categories of data subject, the personal data processed and information sources

The data subjects are persons insured by Finnish life insurance companies with regard to business in Finland.

The personal data processed include:

  • Date of birth and possible date of death of the insured person
  • Gender of the insured person
  • Customer number or other identifier (but not the personal identification number or name) of the insured person
  • Date of entry into force of the insurance and possible date of termination of the insurance
  • Insurance product category and tariff (normal or increased tariff)

The information of the data subjects is obtained from the life insurance companies.

The information of data subjects is not used in automated decision-making.

3. Recipients or categories of recipients of the personal data

The personal data are not disclosed to other parties.

The FIN-FSA has outsourced the processing of the personal data to the following service providers, who process the personal data on the FIN-FSA’s behalf:

  • IT system and application suppliers
  • IT consultants
  • Communication service providers.

4. Information on the possible transfer of personal data to a third country or an international organisation

The personal data are not transferred outside of the EU or the EEA or to international organisations.

5. Period for which the personal data will be stored, or the criteria used to determine that period

The personal data will be stored for as long as necessary for the purposes of processing the personal data, but for no longer than two years.

6. General description of technical and organisational security measures

In order to protect the personal data against unauthorised access, disclosure, destruction or other unlawful processing, the personal data are processed in systems that have been protected with appropriate technical data protection solutions, taking potential risks into consideration. Manual material is located in premises to which unauthorised persons are prevented from accessing. Only those employees who need to process the personal data in order to perform their duties have access to the personal data being processed.

7. Rights of the data subjects

The data subjects have the right:

  • to request from the controller access to personal data concerning them, the right to request the rectification of such data or the restriction of the processing of such data, and the right to object to the processing of their personal data, and
  • to lodge a complaint about the processing of the personal data with the supervisory authority.

Privacy Statement – Data in the Positive Credit Register

This Privacy Statement describes, in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR), how the Finnish Financial Supervisory Authority processes the personal data of debtors and guarantors registered in the Positive Credit Register maintained by the Tax Administration, and the rights of the data subjects.

1. Purpose of the processing of the personal data and the legal basis for the processing

The Financial Supervisory Authority (FIN-FSA) processes data in the Positive Credit Register in order to perform the following tasks laid down for it in the Act on the Financial Supervisory Authority:

  • supervise the activities of financial market participants as well as foster compliance with good practice in financial markets and public awareness of financial markets
  • grant authorisation to financial market participants, register financial market participants and confirm rules concerning their activities
  • monitor that financial market participants comply with the financial market provisions applicable to them, the regulations issued thereunder, the terms of their authorisation and the rules concerning their activities
  • issue regulations necessary for the application of the Act
  • monitor and evaluate developments in financial markets and the rest of the operating environment for financial market participants, and the evolution of other general operating conditions
  • make initiatives for the development of financial market legislation and other requisite measures, and participate in the preparation of legislation
  • foster the reliability of the corporate governance systems of financial market participants whose financial position the FIN-FSA monitors
  • collect and periodically publish comparable data on financial market participants’ financial position and otherwise foster access to information on financial services and financial market activity
  • participate in European Union cooperation within the framework of the European System of Financial Supervision (ESFS) and in other international supervisory cooperation
  • participate in the activities of the Single Supervisory Mechanism (SSM) and assist the European Central Bank (ECB) in the Single Supervisory Mechanism
  • prepare, together with the Ministry of Finance and the Bank of Finland, measures necessary to ensure the stability of the financial system as a whole and decide on such measures as separately provided for by law.

In addition, the FIN-FSA processes data in the Positive Credit Register for its supervisory task regarding the disclosure obligation laid down in section 28 of the Act on the Positive Credit Register.

In accordance with the General Data Protection Regulation (GDPR), the basis for processing the data is, therefore, that the processing of the personal data is necessary for the FIN-FSA’s performance of its tasks in the public interest.

2. Categories of data subjects, the personal data processed and information sources

Categories of data subjects:

  • Debtors registered in the Positive Credit Register
  • Guarantors registered in the Positive Credit Register

The personal data processed are:

  • basic information on the debtor’s consumer credits, leases comparable to consumer credits and loans brokered to the debtor by a peer-to-peer loan broker (including information on lenders, loan identification numbers, numbers of debtors, dates of conclusion of loan contracts, types of loans, loan currencies, one-time expenses paid as the loan contract is concluded, amounts of lump sum loans, purposes of use of loans and payment plans and credit limits of running-account loans as well as start dates, instalments and transaction prices of leases)
  • information on Kela guarantee receivables for student loans
  • interest information (including total interest rates, marginal interest rates, types of interest, effective interest rate on date of conclusion, upper and lower limits of any interest rate corridors, any interest rate caps, and the end dates of any interest rate restrictions)
  • information on collateral (types of any collateral, identifiers of guarantors)
  • information on amortisations and deferments of amortisations (including amortisations paid, interest and other loan expenses, payment dates, remaining balances of lump sum loans and amounts of running-account loan balances)
  • information on delayed amounts and on accelerations of loans (unpaid amount, original due date and date of acceleration)
  • information on debt arrangements and business restructurings
  • income information (gross and net income established during lending process and according to Income Register)
  • information on end and transfer of loans

The information is obtained from the Positive Credit Register maintained by the Tax Administration in pseudonymised form, i.e. without names, contact details, personal identification numbers or loan numbers that would enable the FIN-FSA to identify individual debtors and guarantors. More information about the Positive Credit Register is available at: Positive Credit Register - Information for private individuals (vero.fi)

3. Recipients or categories of recipients of the personal data

The FIN-FSA does not disclose the personal data to third parties.

The following processors are used in the processing of the personal data

  • IT service providers
  • communications service providers

4. Information on the possible transfer of personal data to a third country or an international organisation

The personal data are not, as a rule, transferred outside of the EU or the EEA. In individual cases, however, processors of the personal data may have access to personal data from outside the EU or EEA in connection with support and maintenance activities. If data are transferred outside of the EU or the EEA, an adequate level of protection of personal data is ensured as required by data protection legislation, for example by transferring data to a country where, by decision of the European Commission, an adequate level of data protection is ensured or using standard contractual clauses approved by the European Commission.

5. Period for which the personal data will be stored, or the criteria used to determine that period

The FIN-FSA has set the storage period for data in the Positive Credit Register at 40 years, because typically, instead of a single loan, households have several long repayment period loans over their lifetime, in which case the natural review period is the lifetime of the household instead of the longest possible repayment period.

In addition, the length of the storage period is influenced by the fact that the FIN-FSA carries out macroprudential work covering the entire financial sector in close cooperation with the Bank of Finland and, in order to ensure effective cooperation between the authorities, it is justified that the Bank of Finland and the FIN-FSA have the same storage periods.

6. General description of technical and organisational security measures

In order to protect the personal data against unauthorised access, disclosure, destruction or other unlawful processing, the personal data are processed in systems that have been protected with appropriate technical data protection solutions, taking potential risks into consideration. Only those employees who need to process the personal data in order to perform their duties have access to the personal data being processed.

7. Rights of the data subjects

The data subjects have the right:

  • to request from the controller access to personal data concerning them and the right to request the correction of such data or to restrict or object to processing, and
  • to lodge a complaint about the processing of the personal data with the supervisory authority.