Data protection

Purpose of the processing of personal data and the legal basis for the processing

Case management is an electronic directory and processing system for the authority’s pending cases. Case management is used to implement good information management practice and it serves as the authority’s case register (journal).

The maintenance of case management is based on legislation (e.g. chapter 5 section 18 of the Act on the Openness of Government Activities and The Act on Information Management in Public Administration).

Categories of data subjects and categories of personal data

Categories of data subjects:

• Cases initiated by organisations and private individuals, recipients of cases initiated by the authority, and processors and owners of cases in the Bank of Finland.

Categories of personal data:

• The name/organisation and, if necessary, the contact details of the initiator of cases registered in case management as well as the name of the case processor and the name of the case owner in the Bank of Finland.

Recipients or categories of recipients of the personal data

The Bank of Finland does not, as a rule, disclose data. Personal data is disclosed only in requests for information directed at case management cases and documents. Requests for information are processed on the basis of the Act on the Openness of Government Activities or other legislation. Public information is provided to those who request it. 

The processors mentioned in an extract from the official journal can be viewed on the Bank of Finland website with respect to public pending cases.

Notification of possible transfer of personal data to a third country or an international organisation

Data are not transferred outside the EU or the EEA or to international organisations.

Period for which the personal data will be stored or the criteria used to determine that period

Personal data are stored by the decision of the National Archives. Hard copies of the official journal are stored permanently. Documents are deleted when their storage period has ended.

General description of technical and organisational security measures

In order to protect personal data against unauthorised access, disclosure, destruction or other unlawful processing, appropriate technical and organisational security measures are used, taking potential risks into consideration. These measures include the use of secure equipment premises as well as administrative and technical information security solutions.

Rights of data subjects

The data subjects in the personal data file system have the right:

• to request from the controller access to personal data concerning them,
• to request rectification of incorrect data,
• to lodge a complaint about the processing of personal data with a supervisory authority.

Complete removal of data from the personal data file system is not possible, because hard copies of the official journal are stored permanently. Requests to change data are processed as requests for information.

Statutory or contractual requirement to provide data and consequences of failure to provide such data

Cases may also be initiated anonymously. Contact details are required for communication. Failure to provide personal data may result in a negative decision on an application or notification, or the suspension of the process. 

Source of information

If another authority transfers a case to the Bank of Finland for processing, data are received from the authority transferring the case.

Purpose of the processing of personal data and the legal basis for the processing

Brochure orders received via the Bank of Finland online services order form are processed in the personal data file system. Data are processed so that ordered brochures can be delivered to those ordering them. Processing of data is based on consent.

Categories of data subjects and categories of personal data

Categories of data subjects:

• Persons ordering brochures

Categories of personal data:

• The order form includes personal data, i.e. name and delivery address

Recipients or categories of recipients of the personal data

The Bank of Finland discloses order data to Grano Oy, which is responsible for the delivery of the brochures and acts as a processor of personal data.

Notification of possible transfer of personal data to a third country or an international organisation

Data are not transferred outside the EU or the EEA or to international organisations.

Period for which the personal data will be stored or the criteria used to determine that period

Personal data are stored for one year. The data are deleted when their storage period has ended.

General description of technical and organisational security measures

In order to protect personal data against unauthorised access, disclosure, destruction or other unlawful processing, appropriate technical and organisational security measures are used, taking potential risks into consideration. These measures include the use of secure equipment premises as well as administrative and technical information security solutions.

Rights of data subjects

The data subjects in the personal data file system have the right:

• to request from the controller access to personal data concerning them and the right to request that such data be rectified or erased or for processing to be restricted as well as the right to transfer data from one system to another.
• to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
• to lodge a complaint about the processing of personal data with a supervisory authority.

Statutory or contractual requirement to provide data and consequences of failure to provide such data

If persons ordering brochures do not provide their contact details, brochures cannot be delivered to them.

Purpose of the processing of personal data and the legal basis for the processing

Feedback received via the Bank of Finland online services is processed in the personal data file system. Data are processed so that feedback can be answered. The feedback must include the email address of the feedback provider so that the feedback can be answered. Processing of data is based on consent.

Categories of data subjects and categories of personal data

Categories of data subjects:

• Feedback providers

Categories of personal data:

• The feedback form contains personal data such as name and email address (mandatory, if the feedback provider wishes an answer).

Recipients or categories of recipients of the personal data

The Bank of Finland does not disclose the personal data to external parties.

Notification of possible transfer of personal data to a third country or an international organisation

Data are not transferred outside the EU or the EEA or to international organisations.

Period for which the personal data will be stored or the criteria used to determine that period

The personal data are stored for the current and the previous and year. The data are deleted when their storage period has ended.

General description of technical and organisational security measures

In order to protect personal data against unauthorised access, disclosure, destruction or other unlawful processing, appropriate technical and organisational security measures are used, taking potential risks into consideration. These measures include the use of secure equipment premises as well as administrative and technical information security solutions.

Rights of data subjects

The data subjects in the personal data file system have the right:

• to request from the controller access to personal data concerning them and the right to request that such data be rectified or erased or for processing to be restricted as well as the right to transfer data from one system to another. New feedback must be sent to rectify data.
• to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
• to lodge a complaint about the processing of personal data with a supervisory authority.

Statutory or contractual requirement to provide data and consequences of failure to provide such data

If feedback providers does not provide an email address, their feedback cannot be answered.

Purpose of the processing of personal data and the legal basis for the processing

Electronic newsletter subscriptions made via the Bank of Finland’s online services are processed in the personal data file system. Data are processed so that electronic newsletters can be sent. A newsletter subscription must include the subscriber’s email address so the newsletter can be sent. Processing of data is based on consent.

Categories of data subjects and categories of personal data

Categories of data subjects:

• Newsletter subscribers

Categories of personal data:

• A subscription includes personal data such as name and organisation (voluntary data) and email address (mandatory so that newsletters can be sent).

Recipients or categories of recipients of the personal data

The Bank of Finland discloses personal data to Koodiviidakko Oy, which provides the newsletter sending service.

Notification of possible transfer of personal data to a third country or an international organisation

Data are not transferred outside the EU or the EEA or to international organisations.

Period for which the personal data will be stored or the criteria used to determine that period

Data is stored in the system for the period of validity of the newsletter subscription. Each subscriber can cancel the subscription at any time via a link in the newsletter, at which time data relating to the subscriber is destroyed.

General description of technical and organisational security measures

In order to protect personal data against unauthorised access, disclosure, destruction or other unlawful processing, appropriate technical and organisational security measures are used, taking potential risks into consideration. These measures include the use of secure equipment premises as well as administrative and technical information security solutions.

Rights of data subjects

The data subjects in the personal data file system have the right:

• to request from the controller access to personal data concerning them and the right to request that such data be rectified or erased or for processing to be restricted as well as the right to transfer data from one system to another. To rectify or erase data, the subscriber must make changes via a link at the end of the newsletter.
• to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
• to lodge a complaint about the processing of personal data with a supervisory authority.

Statutory or contractual requirement to provide data and consequences of failure to provide such data

If a newsletter subscriber does not provide an email address, the subscriber cannot receive the newsletter.

Purpose of the processing of personal data and the legal basis for the processing

As the issuer of banknotes and coins, the Bank of Finland has a legal obligation to accept and, if certain conditions are met, exchange damaged banknotes and coins and withdraw them from circulation. Entries on exchanges are made in the register of customer payments in order to fulfil accounting obligations and prevent abuses

Categories of data subjects and categories of personal data

Categories of data subjects:

• Persons requesting the exchange of damaged banknotes or coins

Categories of personal data:

• Name, name of the company represented by the person, bank details, other contact details provided by the person, and the amount of money reimbursed

The information is received from the data subjects themselves.

Recipients or categories of recipients of the personal data

The Bank of Finland does not generally disclose personal data from the register of customer payments. Data may, however, be disclosed to those who have a legal right to receive the data, such as to the police authorities on suspicion of counterfeiting.

The following data processors are used in the processing of personal data:

• IT service providers
• communication service providers

Notification of possible transfer of personal data to a third country or an international organisation

Data are not transferred outside the EU or the EEA or to international organisations.

Period for which the personal data will be stored or the criteria used to determine that period

Personal data are stored for as long as is necessary for implementing the processing of personal data in accordance with this register.

General description of technical and organisational security measures

In order to protect personal data against unauthorized access, disclosure, destruction or other unlawful processing, personal data are processed in systems that have been protected with appropriate technical data protection solutions, taking potential risks into consideration. Manual material is located in premises to which unauthorized persons are prevented from accessing. Only those employees who need to process personal data in order to perform their duties have access to the personal data being processed.

Rights of data subjects

The data subjects have the right:

• to request from the controller access to the personal data concerning them and the right to request
  that such data be corrected or for processing to be restricted
• to lodge a complaint about the processing of the personal data with the supervisory authority.

Statutory or contractual requirement to provide data and consequences of failure to provide such data

If a person does not provide the information necessary to exchange damaged banknotes or coins, an exchange cannot be made.

Purpose of the processing of personal data and the legal basis for the processing

Open data orders made via the Bank of Finland’s online services are processed in the personal data file system. The data are processed because the electronic key required for the use of open data is tied to the user, and so that personalised email messages can be sent to the data users. When users register for the services they must provide an email address, firstname and lastname. Processing of data is based on consent.

Categories of data subjects and categories of personal data

Categories of data subjects:

• Users of the Open Data Service.

Categories of personal data:

• Open Data Service user data include a firstname, lastname and email address.

Recipients or categories of recipients of the personal data

Personal data are processed only for the purpose of implementing the Open Data Service in the Bank of Finland. Personal data are not disclosed outside of the Bank of Finland.

Notification of possible transfer of personal data to a third country or an international organisation

Data are not transferred outside the EU or the EEA or to international organisations.

Period for which the personal data will be stored or the criteria used to determine that period

Personal data are retained for as long as a person has access rights to the system. Data are erased when the access rights are terminated.

General description of technical and organisational security measures

In order to protect personal data against unauthorised access, disclosure, destruction or other unlawful processing, appropriate technical and organisational security measures are used, taking potential risks into consideration. These measures include the use of secure equipment premises as well as administrative and technical information security solutions.

Rights of data subjects

The data subjects in the personal data file system have the right:

• to request from the controller access to personal data concerning them and the restriction or erasure of such data or to object to processing as well as the right to transfer data from one system to another.
• insofar as processing of personal data is based on consent, to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
• to lodge a complaint about the processing of personal data with a supervisory authority.

Statutory or contractual requirement to provide data and consequences of failure to provide such data

If a user does not provide information necessary for registration, the user cannot use the service.

Purpose of the processing of personal data and the legal basis for the processing

Licence applications for the BoF-PSS2 simulator that are received via the post box BoF-PSS@bof.fi are processed in the personal data file system. Data are processed in order that simulator software can be delivered to the right address. A licence application must contain the licence holder’s telephone number and email address, in order that a response to the application can be made. Processing of data is based on consent.

Categories of data subjects and categories of personal data

Categories of data subjects:

• Holders of BoF-PSS2 simulator licences

Categories of personal data:

• A licence application contains information on the institution and organisation applying for the licence, information on the use of the simulator and information on the licence holder, such as name, telephone number and email address. 

Recipients or categories of recipients of the personal data

The Bank of Finland does not disclose the personal data to external parties.

Notification of possible transfer of personal data to a third country or an international organisation

Data are not transferred outside the EU or the EEA or to international organisations.

Period for which the personal data will be stored or the criteria used to determine that period

Personal data are stored while the simulator licence is valid or until the contact person for the simulator licence changes in the institution in question. A simulator licence is granted, in principle, until further notice. Data are deleted when the contact person for the simulator licence changes in the institution in question or if, in an update of the simulator personal data file system performed once per year, the contact person for the simulator licence in question cannot be reached. 

General description of technical and organisational security measures

In order to protect personal data against unauthorised access, disclosure, destruction or other unlawful processing, appropriate technical and organisational security measures are used, taking potential risks into consideration. These measures include the use of secure equipment premises as well as administrative and technical information security solutions.

Rights of data subjects

The data subjects in the personal data file system have the right:

• to request from the controller access to personal data concerning them and the right to request the restriction or erasure of such data or to restrict processing or object to processing. 
• insofar as processing of personal data is based on consent, to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
• to lodge a complaint about the processing of personal data with a supervisory authority.

Statutory or contractual requirement to provide data and consequences of failure to provide such data

If simulator licence applicants do not provide the requested personal data, their applications cannot be responded to and a licence cannot be granted.

Purpose of the processing of the personal data and the legal basis for the processing

The Bank of Finland manages visitor information and the Bank’s properties use camera surveillance and access control to ensure the security of employees, visitors and contractual partners, to protect property and confidential information, and to prevent and investigate incidents as well as crimes against property and persons.

The location of camera surveillance takes into account the requirements laid down in the Act on the Protection of Privacy in Working Life, i.e. camera surveillance is not generally used to monitor individual employees and cameras are not located in toilets, changing rooms or similar areas nor in work rooms designated for personal use. If it is necessary to target camera surveillance at a specific workstation, the people working at that workstation are informed of this separately.

The basis for processing the personal data is the need to process the personal data for the Bank of Finland’s performance of tasks in the public interest.

Categories of data subjects, categories of personal data and information sources

Categories of data subjects:

• Personnel
• Personnel of contractual partners conducting business in the properties
• Visitors
• Passers-by coming within the field of camera surveillance

Categories of personal data:

• Video or other image material of people and vehicles moving within the field of camera surveillance, the date and time of the event
• Names, personal identification codes and photographs of holders of access rights, lock access rights, keys and identifiers
• Information on access authorisations, lock access rights, keys and identifiers
• Access and closing events (event, date and time)
• Visitors’ first and last name, telephone number, email address, company/organisation represented, name of host, time of arrival and time of departure

The information is generally obtained from the data subjects themselves. In order to grant access rights, information is obtained from the data subject’s supervisor or the organisation in which the data subject is employed. Visitor information may also be obtained from the organisation that the person represents.  

Recipients or categories of recipients of the personal data

The Bank of Finland does not, as a rule, disclose personal data. In the event of an accident, data may be disclosed to an insurance company. If it is suspected that a crime has occurred, data may can be disclosed to the police. The personal data may be disclosed in possible requests for information insofar as the information is public on the basis of the Act on the Openness of Government Activities or the party requesting the data otherwise has the right to receive the data.

The following processors are used in the processing of the personal data

• IT service providers
• providers of guarding and lobby services
• communications service providers

Information on the possible transfer of personal data to a third country or an international organisation

The personal data are not transferred outside of the EU or the EEA or to international organisations.

Period for which the personal data will be stored, or the criteria used to determine that period

Personal data are stored for as long as is necessary for implementing the processing of personal data in accordance with this register.

General description of technical and organisational security measures

In order to protect the personal data against unauthorised access, disclosure, destruction or other unlawful processing, the personal data are processed in systems that have been protected with appropriate technical data protection solutions, taking potential risks into consideration. Manual material is located in premises to which unauthorised persons are prevented from accessing. Only those employees who need to process the personal data in order to perform their duties have access to the personal data being processed.

Rights of the data subjects

The data subjects have the right:

• to request from the controller access to personal data concerning them and the right to request the correction of such data or to restrict or object to processing, and
• to lodge a complaint about the processing of the personal data with the supervisory authority.

Statutory or contractual requirement to provide information and consequences of failure to provide such information

If a visitor does not provide the information required for registration as a visitor, he or she cannot visit the Bank of Finland’s properties.

If a person does not provide the information required for access rights to be granted and is photographed, access rights cannot be granted.  

Purpose of the processing of personal data and the legal basis for the processing

The Bank of Finland library system’s customer data file system maintains the data of the organisation’s personnel and external customers in order to lend the library’s publications. The personal data are used for lending and reserving the library’s printed publications and for interlibrary loans as well as for renewing loans and self-service use of the library system.

Processing of the personal data is based, with respect to external customers, on consent and, with respect to the organisation’s personnel, on legitimate interest, because the service is provided to support the discharge of working duties.

Categories of data subjects and categories of personal data

Categories of data subjects:

• Bank of Finland library system’s user data

Categories of personal data:

• The Bank of Finland library system’s user data include personal data, such as name, address, telephone number, organisation’s internal personal identification number, email address and contact language, and log data saved in the system for use of the system as well as lending history. A lending history can only be viewed on the request of the registered person.

Recipients or categories of recipients of the personal data

The Bank of Finland does not disclose personal data from the library system. Named employees of the system supplier (Axiell) have access to the customer data file system in information system maintenance and development duties.

Notification of possible transfer of personal data to a third country or an international organisation

Data are not transferred outside the EU or the EEA or to international organisations.

Period for which the personal data will be stored or the criteria used to determine that period

The personal data of Bank of Finland personnel are retained for as long as a person has access rights to the system. Data are erased when the access rights are terminated.

The personal data of the organisation’s external customers are retained for two years at most from the last lending date.

General description of technical and organisational security measures

In order to protect personal data against unauthorised access, disclosure, destruction or other unlawful processing, appropriate technical and organisational security measures are used, taking potential risks into consideration. These measures include the use of secure equipment premises as well as administrative and technical information security solutions.

The processing of the library system’s personal data and the data storage location have been agreed in a maintenance contract made with the system supplier (Axiell).

Paper commitment forms signed by customers from outside the organisation are stored in locked cabinets.

Rights of data subjects

The data subjects in the personal data file system have the right:

• to request from the controller access to personal data concerning them and the restriction or erasure of such data or to object to processing as well as the right to transfer data from one system to another.
• to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
• to lodge a complaint about the processing of personal data with a supervisory authority.

Statutory or contractual requirement to provide data and consequences of failure to provide such data

If a user does not provide information necessary for registration, the user cannot use the service.

Source of information

The personal data of Bank of Finland and FIN-FSA employees are obtained from the Bank of Finland’s internal personal data file system on the basis of arrival notices.

The data of persons visiting the Bank of Finland for a short period, e.g. as visiting researchers, are saved on the basis of information received from the persons themselves or from research units.

Data of the organisation’s external customers are obtained from a registration form, completed by the customers themselves, which is available on the Bank of Finland website.

Purpose of the processing of personal data and the legal basis for the processing

The personal data file system is for discharging the employer duties in use in the Bank of Finland and the Financial Supervisory Authority (FIN-FSA). It is used to receive and process job applications.

The purpose of the personal data file system is:

• to notify job applicants of vacant positions in the Bank of Finland and the FIN-FSA.
• to process applications in document and video interview form for the filling of positions
• to interact with job applicants, e.g. sending information about application stages
• to prepare a comparison table of information reported by job applicants
• to collect a bank of open applications from the open applications of internal applicants (registration for job rotation)
• to report key figures on personnel recruitment, for example the number of open positions in the Bank of Finland and the FIN-FSA and the number of applications received

Categories of data subjects and categories of personal data

Categories of data subjects:

• Job applicants

Categories of personal data:

• Applicant’s identification information (name, date of birth, street address, telephone number, email address, gender (said information only for statistical purposes))
• Applicant’s education information (basic education, qualifications and their fields, yearof completion of studies, degree of completion of studies in progress, language skills and courses)
• Applicant’s work experience (details of three jobs/public-service employment 
  relationships, employers, duration of jobs/public-service employment relationships and brief job descriptions)
• Self-presentation (job applicant’s free-form presentation of him/herself, skills and work experience), video recording of videos of applicant and interviewer. In addition to video and audio, information about the date and time of the event will be stored in the personal data file system.
• Open internal application for internal job rotation (information saved in the personal data file system is provided by the applicants themselves).

Job applicants save information about themselves in the personal data file system using application forms. Applications submitted elsewhere than via the LAURA system are saved in the system manually.

Supervisors responsible for recruitment and personnel officers responsible for recruitment enter into the personal data file system recruitment process information, for example the progress of the recruitment process, those invited for interviews and personal assessments, the identifying information of the person selected for the position, and the stage of any background check and pre-employment physical examination .

The supervisor responsible for recruitment or a person authorised by him or her is responsible for saving into the personal data file system additional information necessary for filling the position. In the saving of information, the following are taken into consideration: the Act on the Employees of the Bank of Finland, the Data Protection Act, the Act of the Protection of Privacy in Working Life and the Act on the Openness of Government Activities.

Recipients or categories of recipients of the personal data

Disclosure of data is subject to laws and regulations. Data is not disclosed for direct marketing from the personal data file system. As a rule, data is not disclosed to external parties from the personal data file system.

The recruitment system is administered by LAURA rekrytointi Oy and the video service is administered by RecRight Oy, which act as processors of personal data.

Notification of possible transfer of personal data to a third country or an international organisation

Data are not transferred outside the EU or the EEA or to international organisations.

Period for which the personal data will be stored or the criteria used to determine that period

A job applicant’s application is stored in the system for two years from the submission of the application or an update made by the applicant. Open applications of individuals registered for internal job rotation are deleted from the personal data file system two years after their storage or updating, unless the application extends the storage period.

Data are deleted from the video service (RecRight Oy) two years after a video is made.

The application data of persons selected for a position are stored in the official journals of the Bank of Finland and the FIN-FSA under the Act on the Openness of Government Activities.

Archival and destruction of data are subject to the applicable provisions and regulations.

General description of technical and organisational security measures

In order to protect personal data against unauthorised access, disclosure, destruction or other unlawful processing, appropriate technical and organisational security measures are used, taking potential risks into consideration. These measures include the use of secure equipment premises as well as administrative and technical information security solutions.

Rights of data subjects

The data subjects in the personal data file system have the right:

• to request from the controller access to personal data concerning them and the restriction or erasure of such data or to object to processing as well as the right to transfer data from one system to another.
• to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
• to lodge a complaint about the processing of personal data with a supervisory 
  authority.

Statutory or contractual requirement to provide data and consequences of failure to provide such data

If an applicant does not provide personal data, his or her application cannot be processed.

Purpose of the processing of personal data and the legal basis for the processing

The Bank of Finland processes data in the Positive Credit Register in order to perform the following tasks laid down for it in the Act on the Bank of Finland:

• Executing monetary policy
• Ensuring the reliability and efficiency of the financial system and its development
• Compiling and publishing statistics as necessary for carrying out its activities

In accordance with the GDPR, the basis for processing the data is, therefore, that the processing of the personal data is necessary for the Bank of Finland's performance of its tasks in the public interest.

The personal data may also be processed for scientific research purposes in the public interest in accordance with the data protection regulations in force at any given time.

Categories of data subjects and categories of personal data

Categories of data subjects:

• Debtors registered in the Positive Credit Register
• Guarantors registered in the Positive Credit Register

The personal data processed are:

• basic information on the debtor’s consumer credits, leases comparable to consumer credits and loans brokered to the debtor by a peer-to-peer loan broker (including information on lenders, loan identification numbers, numbers of debtors, dates of conclusion of loan contracts, types of loans, loan currencies, one-time expenses paid as the loan contract is concluded, amounts of lump sum loans, purposes of use of loans and payment plans and credit limits of running-account loans as well as start dates, instalments and transaction prices of leases)
• information on Kela guarantee receivables for student loans
• interest information (including total interest rates, marginal interest rates, types of interest, effective interest rate on date of conclusion, upper and lower limits of any interest rate corridors, any interest rate caps, and the end dates of any interest rate restrictions)
• information on collateral (types of any collateral, identifiers of guarantors)
• information on amortisations and deferments of amortisations (including amortisations paid, interest and other loan expenses, payment dates, remaining balances of lump sum loans and amounts of running-account loan balances)
• information on delayed amounts and on accelerations of loans (unpaid amount, original due date and date of acceleration)
• information on debt arrangements and business restructurings
• income information (gross and net income established during lending process and according to Income Register)
• information on end and transfer of loans

The information is obtained from the Positive Credit Register maintained by the Tax Administration in pseudonymised form, i.e. without names, contact details, personal identification numbers or loan numbers that would enable the Bank of Finland to identify individual debtors and guarantors. More information about the Positive Credit Register is available at: Positive Credit Register - Information for private individuals (vero.fi)

Recipients or categories of recipients of the personal data

The Bank of Finland does not disclose the personal data to third parties.

The following processors are used in the processing of the personal data

• IT service providers
• communications service providers

Notification of possible transfer of personal data to a third country or an international organisation

The personal data are not, as a rule, transferred outside of the EU or the EEA. In individual cases, however, processors of the personal data may have access to personal data from outside the EU or EEA in connection with support and maintenance activities. If data are transferred outside of the EU or the EEA, an adequate level of protection of personal data is ensured as required by data protection legislation, for example by transferring data to a country where, by decision of the European Commission, an adequate level of data protection is ensured or using standard contractual clauses approved by the European Commission.

Period for which the personal data will be stored or the criteria used to determine that period

The personal data will be stored for 40 years. The storage period is based on the fact that, in order to perform the Bank of Finland’s tasks, it is essential that the data in the Positive Credit Register cover a sufficiently long history to provide a view of how household indebtedness develops in different economic cycles and financial conditions.

General description of technical and organisational security measures

In order to protect the personal data against unauthorised access, disclosure, destruction or other unlawful processing, the personal data are processed in systems that have been protected with appropriate technical data protection solutions, taking potential risks into consideration. Only those employees who need to process the personal data in order to perform their duties have access to the personal data being processed.

Rights of data subjects

The data subjects have the right:

• to request from the controller access to personal data concerning them and the right to request the 
  correction of such data or to restrict or object to processing, and
• to lodge a complaint about the processing of the personal data with the supervisory authority.

Purpose of the processing of personal data and the legal basis for the processing

The data of persons registered for the Bank of Finland Museum’s guided tours and events are processed for the purpose of managing the guided tours and organised events. The data of persons invited to the Bank of Finland Museum’s events are processed in order to send invitations and receive responses. The basis for the processing is the Bank of Finland’s performance of a task carried out for reasons of public interest. The data of those who belong to the Bank of Finland Museum’s stakeholders and are subscribed to newsletters are processed based on the consent of the data subjects for the sending of event invitations and newsletters and other communication. In addition, the data of those who have registered for the Bank of Finland Museum’s guided tours and events and who belong to Bank of Finland Museum’s stakeholders are processed for the planning and development of the Bank of Finland Museum’s activities for the Bank of Finland’s performance of a task carried out for reasons of public interest.  

Categories of data subjects and categories of personal data

Categories of data subjects:

• Persons who have booked a guided tour
• Persons who have registered for an event
• Persons invited to events
• Newsletter subscribers 
• Respondents to questionnaire surveys
• Stakeholder representatives. Stakeholders are parties involved in promoting the financial literacy strategy and with whom the Bank of Finland Museum cooperates.

Categories of personal data:

• First name and last name, organisation, telephone number and email address
• If necessary, special dietary requirements
• Possible photographs and video recordings of events
• Answers to questionnaire survey by persons who booked a guided tour
• Other information and communication with data subjects, provided in connection with data subjects’ guided tour bookings, event registrations, responses to questionnaire surveys or other contacts.                      

Recipients or categories of recipients of the personal data

The personal data may be disclosed in possible requests for information concerning the data insofar as the information is public on the basis of the Act on the Openness of Government Activities (621/1999).

Photographs and video recordings of events may be published on the Bank of Finland’s website and in social media channels, provided that consent to publish the photographs or video recordings has been obtained from the persons clearly identifiable from the images. Photographs may also be disclosed to the media for news coverage of the event.

The Bank of Finland discloses personal data to the Financial Supervisory Authority or to another organising party if the organisation of a joint event is involved. If there is catering at the event, data may be disclosed to the organiser of the catering insofar as this is necessary.

The following processors are used in the processing of the personal data

• IT service providers
• communication service providers

Notification of possible transfer of personal data to a third country or an international organisation

Data are not, as a rule, transferred outside of the EU or the EEA. If a partner of an event is exceptionally outside the EU or EEA, disclosure of data to this partner will be reported separately in connection with registration for the event.  

Period for which the personal data will be stored or the criteria used to determine that period

The data of those who have been invited to an event, have registered for an event, have booked a guided tour and have answered a questionnaire survey will be stored for a maximum of one year after the organisation of the event or guided tour. Photographs and video recordings of the events are archived and stored permanently in the archive. The data of those registered in the stakeholder register and of subscribers to newsletters is stored indefinitely. Data are removed from the stakeholder register and/or sending of newsletters is discontinued if the data subject cancels the consent they have given or it is perceived that the data subject no longer belongs to the target group. The data are deleted or anonymised when their storage period has ended.  

General description of technical and organisational security measures

In order to protect personal data against unauthorised access, disclosure, destruction or other unlawful processing, appropriate technical and organisational security measures are used, taking potential risks into consideration. These measures include the use of secure equipment premises as well as administrative and technical information security solutions.  

Rights of data subjects

The data subjects in the register have the right:

• to request from the controller access to the personal data concerning them as well as the right to request the correction or erasure of such data or a restriction of processing or to object to processing as well as the right to transfer data from one system to another.
• to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
• to lodge a complaint about the processing of personal data with the Office of the Data Protection Ombudsman  

Statutory or contractual requirement to provide data and consequences of failure to provide such data

If, when booking a guided tour, the person booking does not provide contact information (booker’s name, telephone number and email), the booking cannot be confirmed or implemented. If a participant does not provide the requested data insofar as the data relates to registration for an event, the Bank of Finland Museum cannot respond to the registration of the data subject.  

Source of information

As a rule, information is collected from the data subjects themselves. The information of those invited to events and to the stakeholder register may be obtained from the organisation represented by the data subject or collected from public sources, such as the website of the organisation represented by the data subject.  

Purpose of the processing of personal data and the legal basis for the processing

Personal data are processed to provide the Secure Rooms service. The Secure Rooms service is used to share confidential information.

The Act on Information Management in Public Administration requires that a recipient of confidential information be verified or identified in a sufficiently secure manner before the recipient gains access to process shared confidential information. Processing of personal data is therefore necessary to comply with a statutory obligation.

Categories of data subjects and categories of personal data

Categories of data subjects:

• Users of the Secure Rooms service

Categories of personal data:

• Name and personnel identity code
• Email address and telephone number
• Communication with the data subject
• Log data on the use of the service
• Access rights

Identification information (name and personnel identity code) is collected via the Suomi.fi service and other information from the data subjects themselves.

Recipients or categories of recipients of the personal data

The Bank of Finland does not, as a rule, disclose data to third parties.

Personal data may be disclosed in possible requests for information insofar as the information is public on the basis of the Act on the Openness of Government Activities (621/1999).

The following data processors are used in the processing of personal data:

• IT service providers
• communication service providers
• identification service providers

Notification of possible transfer of personal data to a third country or an international organisation

Personal data are not, as a rule, transferred outside the EU or the EEA. If data are transferred outside of the EU or EEA, an adequate level of personal data protection is ensured, as required by data protection legislation, e.g. standard contractual clauses approved by the European Commission.

Period for which the personal data will be stored or the criteria used to determine that period

Personal data are stored as long as the user name is used in the service. The log data of deleted user names are deleted quarterly.

General description of technical and organisational security measures

In order to protect personal data against unauthorised access, disclosure, destruction or other unlawful processing, personal data are processed in systems protected with appropriate technical security measures, taking risks into consideration. Manual material is located in premises to which unauthorised 
persons are prevented from accessing. Only those employees who need to process personal data in order to perform their duties have access to the personal data being processed.

Rights of data subjects

The data subjects in the register have the right:

• to request from the controller access to personal data concerning them and the right to request that such data be rectified or for processing to be restricted, and
• to lodge a complaint about the processing of personal data with the supervisory authority.

Statutory or contractual requirement to provide data and consequences of failure to provide such data

If a user does not provide information necessary for registration, the user cannot use the service.

Purpose of the processing of personal data and the legal basis for the processing

The Bank of Finland uses in its communications the following social media channels:

• X
• Facebook
• Instagram
• LinkedIn
• YouTube

When using the social media channels, the Bank of Finland processes information of other social media users, which also includes personal data, as an essential element of social media is that content is published there and it is possible to react to content. The personal data of social media users areprocessed to analyse the Bank of Finland’s visibility on social media, the success of social media posts, the penetration of the Bank of Finland's main messages and the volume, tone and level of social media conversations about the Bank of Finland. The analyses are used in communications to create a snapshot of the situation, develop communications and support action recommendations/decision-making for management and departments.

The basis for processing the personal data of social media users for the aforementioned purposes is that communications on social media and evaluation of communications is necessary for the Bank of Finland’s performance of tasks in the public interest. 

The Bank of Finland maintains a list of Bank of Finland staff on X to show which Bank of Finland experts are communicating on X. The maintenance of data on the list is based on the consent of the said experts.

Categories of data subjects and categories of personal data

Categories of data subjects:

• Users of X, Facebook, Instagram, LinkedIn and YouTube who comment, share or otherwise react to posts on the Bank of Finland’s social media accounts
• Users of X, Facebook, Instagram and LinkedIn who tag the Bank of Finland in their social media posts or use subject tags monitored by the Bank of Finland
• Those who have registered to the list of Bank of Finland staff on X

The personal data processed are:

• Names/screen names of users of X, Facebook, Instagram, LinkedIn and YouTube, comments, sharings and other reactions to posts on the Bank of Finland’s social media accounts, posts mentioning the Bank of Finland or the Bank of Finland’s subject tags
• The X usernames of those who have registered to the list of Bank of Finland staff on X

The personal data are obtained from the data subjects themselves on social media services or from Meltwater, which produces and sells social media analysis reports.

Recipients or categories of recipients of the personal data

The Bank of Finland does not, as a rule, disclose the data. The personal data may be disclosed in possible requests for information insofar as the information is public on the basis of the Act on the Openness of Government Activities or the party requesting the data otherwise has the right to receive the data.

The following processors are used for the processing of the personal data

• IT service providers
• communications service providers
• providers of publicity and social media analysis services

Joint controllers

The Bank of Finland is a joint controller with Meta Platforms Ireland Limited ("Meta") with regard to the Facebook community pages. When a Facebook user comments, shares or otherwise reacts to content on the Bank of Finland’s Facebook community pages, the Bank of Finland and Meta process the personal data together in order to develop the community page and services. An Addendum (Facebook Controller Addendum), which specifies the responsibilities of the Bank of Finland and Meta for complying with their obligations under data protection regulations, has been prepared for the joint register. In the Addendum, it has been agreed that the Bank of Finland will provide these data and Meta is obliged to enable the data subjects to exercise their rights under Articles 15–20 of the EU General Data Protection Regulation (GDPR) in relation to personal data stored by Meta after joint processing. The information required by Article 13(1)(a) and (b) of the EU General Data Protection Regulation, further information on Meta’s processing of personal data and also on the legal basis on which Meta Ireland relies and the ways in which data subjects can exercise their rights against Meta Ireland, is available in Meta’s Privacy Policy at: https://www.facebook.com/about/privacy.

The Bank of Finland is a joint controller with LinkedIn Ireland Unlimited Company (“LinkedIn”) with regard to the LinkedIn community page. When a LinkedIn user visits, follows, comments or otherwise reacts on the Bank of Finland’s LinkedIn page, the Bank of Finland and LinkedIn process the personal data together in order to develop the LinkedIn page and services. An Addendum (LinkedIn Pages Joint Controller Addendum), which specifies the responsibilities of the Bank of Finland and LinkedIn for complying with their obligations under data protection regulations, has been prepared for the joint register. In the Addendum, it has been agreed that LinkedIn is responsible for complying with obligations under EU data protection regulations, including informing LinkedIn users and enabling data subjects to exercise their rights. More information about the use of LinkedIn personal data and ways for data subjects to exercise their rights is available at: https://www.linkedin.com/legal/privacy-policy

Notification of possible transfer of personal data to a third country or an international organisation

Data on social media are accessible from outside the EU and EEA. The Bank of Finland does not, as a rule, transfer the personal data included in analysis reports outside of the EU or the EEA. In individual cases, however, processors of the personal data may have access to reports or presentations from outside the EU or EEA in connection with support and maintenance activities. If the data are transferred outside of the EU or the EEA, an adequate level of protection of personal data is ensured as required by data protection legislation, for example by transferring data to a country where, by decision of the European Commission, an adequate level of data protection is ensured or using standard contractual clauses approved by the European Commission.

Period for which the personal data will be stored or the criteria used to determine that period

The data contained in analysis reports are retained for 10 years. Presentation material related to analysis reports are retained for 6 years. Data regarding those registered in the list of Bank of Finland staff on X are retained until the person requests that they be removed from the list or stops working in the service of the Bank of Finland.

General description of technical and organisational security measures

In order to protect the personal data against unauthorised access, disclosure, destruction or other unlawful processing, the personal data are processed in systems that have been protected with appropriate technical data protection solutions, taking potential risks into consideration. Manual material is located in premises to which unauthorised persons are prevented from accessing. Only those employees who need to process the personal data in order to perform their duties have access to the personal data being processed.

Rights of data subjects

The data subjects have the right:

•  to request from the controller access to the personal data concerning them as well as the right to request the correction or erasure of such data or a restriction of processing or to object to processing as well as the right to transfer data from one system to another.
• insofar as processing of the personal data is based on consent, to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
• to lodge a complaint about the processing of the personal data with the supervisory authority.

Statutory or contractual requirement to provide data and consequences of failure to provide such data

It is not possible to add a person to the list of Bank of Finland staff on X if the person does not provide their X username.

Purpose of the processing of personal data and the legal basis for the processing

The Bank of Finland and the Financial Supervisory Authority process personal data for the administration of organised events via, for example, the Lyyti service, email, telephone or letter.

The legal basis for the processing of personal data related to the sending of event invitations is to realise the legitimate interest of the controller. In respect of those who answer an event invitation, the legal basis for the processing of personal data is the consent granted by the data subject for the processing of personnel data.

Categories of data subjects and categories of personal data

Categories of data subjects:

• Persons who have registered for an event

Categories of personal data:

• First name and last name, telephone number and email address
• If necessary, organisation and special diet
• Other information provided by the data subject in connection with registration

Recipients or categories of recipients of the personal data

The Bank of Finland and the Financial Supervisory Authority may disclose personal data to each other or to another organising party if the organisation of a joint event is involved. In addition, if an event has catering, data are disclosed to the catering organiser insofar as this is appropriate.

The Lyyti service is used in the administration of event registrations, and therefore Lyyti Oy acts as a processor of personal data.

Notification of possible transfer of personal data to a third country or an international organisation

Data are not, as a rule, transferred outside of the EU or the EEA. If a partner of an event is exceptionally outside the EU or EEA, disclosure of data to this partner will be reported separately in connection with registration for the event.

Period for which the personal data will be stored or the criteria used to determine that period

Personal data is stored for as long for as this is necessary to facilitate both a registration made by a person and the associated event. Thereafter, personal data is generally stored for the organisation of new, similar events for two years, and with respect to events of Members of the Board of the Bank of Finland for one year after the end of their term of office. The data are deleted when their storage period has ended.

General description of technical and organisational security measures

In order to protect personal data against unauthorised access, disclosure, destruction or other unlawful processing, appropriate technical and organisational security measures are used, taking potential risks into consideration. These measures include the use of secure equipment premises as well as administrative and technical information security solutions.

Rights of data subjects

The data subjects in the personal data file system have the right:

• to request from the controller access to personal data concerning them and the restriction or erasure of such data or to object to processing as well as the right to transfer data from one system to another.
• to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
• to lodge a complaint about the processing of personal data with a supervisory authority.

Statutory or contractual requirement to provide data and consequences of failure to provide such data

If a participant does not provide the requested data insofar as the data relates to registration for an event, the registration of the data subject cannot be accepted.

Purpose of the processing of personal data and the legal basis for the processing

The personal data of contact persons for data collections are processed for the implementation of the Bank of Finland’s statistical data collections and other data collections. The reporting entities of the Bank of Finland’s statistical data collections and other data collections include financial institutions, payment institutions, investment funds, capital and real estate funds and domestic credit institutions, foreign branches of credit institutions that are in a member state providing domestic data, other financial institutions, crowdfunding and peer-to-peer lending intermediaries, employment pension institutions, insurance institutions, companies, and registered legal entities and natural persons providing payment services without authorisation.

The Bank of Finland’s authority to obtain information is based on the following provisions:

• Council Regulation (EC) No. 2533/98 on the powers of the European Central Bank to collect statistical data, as amended by Council Regulation (EC) No. 951/2009.
• Act on the Bank of Finland (sections 26 and 28)
• Regulation on markets in financial instruments (EU) No. 600/2014 (MiFIR)
• Regulation of the European Central Bank concerning statistics on holdings of securities (ECB/2012/24),
• Regulation of the European Central Bank concerning statistics on interest rates applied by monetary financial institutions (ECB/2013/34),
• Regulation of the European Central Bank concerning statistics on the assets and liabilities of investment funds (ECB/2013/38),
• Regulation on payment transaction statistics of the European Central Bank (EKP/2013/43),
• Regulation of the European Central Bank concerning statistics on the money markets (ECB/2014/48),
• Regulation of the European Central Bank on statistical reporting requirements for insurance corporations (ECB/2014/50),Regulation of the European Central Bank on the collection of granular credit and credit risk data (ECB/2016/13, AnaCredit Regulation),
• Regulation of the European Central Bank on the balance sheet items of credit institutions and of the monetary financial institutions sector (ECB/2021/2),
• Regulation of the European Central Bank on statistical reporting requirements for pension funds (ECB/2018/2),
• Act on Payment Institutions, and
• Act on Credit Institutions.

The data of the recipients of minimum reserve calculations are processed in order to submit the minimum reserve calculations. The submission of minimum reserve calculations is based on the ECB’s regulation on the application of minimum reserves (ECB/2021/1).

The data of users of the Reporting Service and recipients of minimum reserve calculations are also processed to meet the obligations set out in Act on Information Management in Public Administration.

In addition, the data are processed for the planning and development of the Bank of Finland’s services, operations and information systems. In this regard, a basis for processing personal data is the need to process data for the controller’s performance of tasks in the public interest.

Categories of data subjects and categories of personal data

Categories of data subjects:

• Contact persons for statistical data collections and other data collections
• Contact persons for recipients of minimum reserve calculations
• Users of the Reporting Service.

Personal data processed:

• Contact information: name, telephone number and email address
• The company that the person represents
• Communication with the data subject
• The following data are processed on the users of the Reporting Service: Identification information, including personal identification number, language selection, automated messages and log information about the use of the service.

Personal data are obtained from the data subjects themselves, from the company for which the contact person is registered, or from the Financial Supervisory Authority. When using Suomi.fi e-Identification, however, identification and authorisation information is obtained from the Digital and Population Data Services Agency, which also collects transaction data on the use of the Reporting Service.

Recipients or categories of recipients of the personal data

The Bank of Finland does not, as a rule, disclose data to third parties. Personal data may be disclosed in possible requests for information insofar as the information is public on the basis of the Act on the Openness of Government Activities or the party requesting the information otherwise has the right to receive the information.

The Bank of Finland uses the following data processors:

• IT service providers
• Communication service providers.

Notification of possible transfer of personal data to a third country or an international organisation

Data are not transferred outside the EU or the EEA or to international organisations.

Period for which the personal data will be stored or the criteria used to determine that period

Contact information is stored for as long as the person is a reporting contact person for statistical data collections and other data collections or a contact person for recipients of minimum reserve calculations. Right of access data for the Reporting Service are stored two years from the last time the Reporting System was used. Other data are stored as long as necessary for the purposes of processing personal data or to comply with statutory obligations.

General description of technical and organisational security measures

In order to protect personal data against unauthorised access, disclosure, destruction or other unlawful processing, personal data are processed in systems that have been protected with appropriate technical data protection solutions, taking potential risks into consideration. Manual material is located in premises to which unauthorised persons are prevented from accessing. Only those employees who need to process personal data in order to perform their duties have access to the personal data being processed.

Rights of data subjects

The data subjects have the right:

• to request from the controller access to personal data concerning them as well as the right to request the rectification or erasure of such data or restriction of processing or to object to processing as well as the right to transfer data from one system to another
• insofar as processing of personal data is based on consent, to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
• to lodge a complaint about the processing of personal data with a supervisory authority.

Statutory or contractual requirement to provide data and consequences of failure to provide such data

If the user of the Reporting Service does not provide the information necessary to register as a user, the Reporting Service cannot be used.

Reporting entities must comply with the reporting requirements of the European Central Bank (ECB) related to statistics or the requirements set by the Bank of Finland. Reporting entities must submit the information of one or more contact persons for statistical data collections or other data collections to the relevant national central bank.

In accordance with Article 7(1) of Regulation (EC) No. 2533/98, the ECB may impose sanctions on reporting entities that do not comply with the statistical reporting requirements set out in regulations or decisions.

Purpose of the processing of personal data and the legal basis for the processing

Personal data are processed to provide the TREX Sites service. The TREX Sites service is used to share confidential information.

The Act on Information Management in Public Administration requires that a recipient of confidential information be verified or identified in a sufficiently secure manner before the recipient gains access to process shared confidential information. Processing of personal data is therefore necessary to comply with a statutory obligation.

Categories of data subjects and categories of personal data

Categories of data subjects:

• Users of the TREX Sites service

Categories of personal data:

• Name and personnel identity code
• Email address and telephone number
• Communication with the data subject
• Log data on the use of the service
• Access rights

Identification information (name and personnel identity code) is collected via the Suomi.fi service and other information from the data subjects themselves.

Recipients or categories of recipients of the personal data

The Bank of Finland does not, as a rule, disclose data to third parties.

Personal data may be disclosed in possible requests for information insofar as the information is public on the basis of the Act on the Openness of Government Activities (621/1999).

The following data processors are used in the processing of personal data:

• IT service providers
• communication service providers

Information on the possible transfer of personal data to a third country or an international organisation

Personal data are not, as a rule, transferred outside the EU or the EEA. If data are transferred outside of the EU or EEA, an adequate level of personal data protection is ensured, as required by data protection legislation, e.g. standard contractual clauses approved by the European Commission.

Period for which the personal data will be stored or the criteria used to determine that period

Personal data are stored as long as the user name is used in the service. The log data of deleted user names are deleted quarterly.

General description of technical and organisational security measures

In order to protect personal data against unauthorised access, disclosure, destruction or other unlawful processing, personal data are processed in systems protected with appropriate technical security measures, taking risks into consideration. Manual material is located in premises to which unauthorised persons are prevented from accessing. Only those employees who need to process personal data in order to perform their duties have access to the personal data being processed.

Rights of data subjects

The data subjects in the register have the right:

• to request from the controller access to personal data concerning them and the right to request that such data be rectified or for processing to be restricted, and
• to lodge a complaint about the processing of personal data with the supervisory authority.

Statutory or contractual requirement to provide data and consequences of failure to provide such data

If a user does not provide information necessary for registration, the user cannot use the service.

Purpose of the processing of personal data and the legal basis for the processing

The Bank of Finland uses photographs, video recordings and audio recordings in its external and internal communications. Images and recordings are taken of organised events and, in the case of personnel, in other ways (e.g. promotional photographs for the Bank of Finland’s website and other publications, and video and audio recordings for sharing information).

Audiovisual and visual content attracts attention better and makes materials easier to understand. Recordings of events serve those for whom the topic of the event is relevant, but who cannot attend the event. Sharing images of personnel within the organisation and, in the case of management, also online is necessary to identify and reach people. The basis for the processing of photographs and recordings is therefore necessary for the Bank of Finland’s performance of tasks carried out in the public interest.

The consent of the data subject is requested for the publication of photographs and recordings, unless the data subject is in such a position at the Bank of Finland that the photograph or recording can be published without consent for the Bank of Finland’s performance of tasks carried out in the public interest.

Photographs, video recordings and audio recordings may also be processed for archival purposes in the public interest and for scientific or historical research purposes in accordance with the data protection regulations in force at any given time.

Categories of data subjects and categories of personal data

Categories of data subjects:

• Bank of Finland personnel
• Participants in Bank of Finland events
• Photographers

Categories of personal data:

• Photographs
• Video recordings
• Audio recordings
• Any information recorded in the metadata of photographs and recordings, such as the photographer, the name of a person appearing in the image or recording, the title, the organisation, the event where the image was taken or the recording made.

The information is generally obtained from the data subjects themselves

Recipients or categories of recipients of the personal data

Photographs, video recordings and audio recordings may be published on the Bank of Finland’s website and in social media channels, provided that consent to publish the photographs or video recordings has been obtained from the persons clearly identifiable from the images. Images of personnel may also be published for the Bank of Finland’s performance of tasks carried out in the public interest (e.g. publishing a recording of a press conference, publishing pictures of management).

Photographs may be released to the press for media coverage and non-commercial purposes. Images of the Bank of Finland’s management and experts are made available to the media and stakeholders on the Bank of Finland’s website.

Photographs, video recordings and audio recordings may be released in response to possible requests for information insofar as they are public on the basis of the Act on the Openness of Government Activities or the party requesting them is otherwise entitled to receive them.

The following data processors are used in the processing of personal data:

• IT service providers
• Communication service providers
• Photographic service providers
• Design and layout service providers

Notification of possible transfer of personal data to a third country or an international organisation

Images published on the Bank of Finland’s website and the Bank of Finland’s social media channels are generally also available outside the EU or the EEA. As a general rule, photographs, video recordings and audio recordings are not otherwise transferred outside the EU or EEA. If personal data are transferred outside of the EU or EEA, an adequate level of personal data protection is ensured, as required by data protection legislation, e.g. standard contractual clauses approved by the European Commission.

Period for which the personal data will be stored or the criteria used to determine that period

Photographs, video recordings and audio recordings are stored for as long as is necessary for implementing the processing of personal data in accordance with this register. Insofar as photographs and recordings are included in material that must be archived on the basis of a decision by the National Archives of Finland, they will be stored permanently in the archives.

General description of technical and organisational security measures

In order to protect the personal data against unauthorised access, disclosure, destruction or other unlawful processing, photographs, video recordings and audio recordings are processed in systems that have been protected with appropriate technical data protection solutions, taking potential risks into consideration. Manual material is located in premises to which unauthorised persons are prevented from accessing. Only those employees who need to process the personal data in order to perform their duties have access to unpublished photographs, video recordings and audio recordings being processed.

Rights of data subjects

The data subjects have the right:

• to request from the controller access to personal data concerning them and the right to request the correction or erasure of such data or to restrict or object to processing.
• insofar as processing of the personal data is based on consent, to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
• to lodge a complaint about the processing of the personal data with the supervisory authority.

Statutory or contractual requirement to provide data and consequences of failure to provide such data

If data subjects do not wish to have their voice or image recorded in an event that is to be recorded, they must submit any questions or comments in writing or after the recording of the event has been completed.

Purpose of the processing of personal data and the legal basis for the processing

Personal data is processed in order to carry out the Household Finance and Consumption Survey 2023. The implementation of the Household Finance and Consumption Survey and the use and processing of the underlying data is necessary to perform the Bank of Finland’s public interest tasks. These tasks comprise the performance of duties pertaining to the European System of Central Banks, preparation of monetary policy, macroprudential analysis of the financial system and compilation of statistics.

Categories of data subjects and categories of personal data

The data subjects comprise persons belonging to private households residing permanently in Finland and invited to participate in the Household Finance and Consumption Survey 2023 based on random sampling.

Personal data to be processed:

• Direct identification data: personal identity code, interview identification number, name, telephone number and address as well as email address. Statistics Finland processes direct identification data on behalf of the Bank of Finland, which does not have access to direct identification data at any stage.
• Other data: demographic data (for example, age, gender, marital status, level of education), income data (for example household salaries, benefits, pensions, investment income), housing data (for example, dwelling size, form of housing, rent amount, value of owner-occupied dwelling), debt data (for example, housing loans and card credit), entrepreneurship and wealth data, employment data, insurance-related data, consumption data and other data related to living conditions and wealth. More information on the survey is presented at Statistics Finland’s survey site https://www.stat.fi/en/surveys/tuel

The data inquired in the questionnaire of the Household Finance and Consumption Survey are obtained from the data subjects responding to the survey. Other information is collected by Statistics Finland from the following controllers and registers:

• Digital and Population Data Services Agency’s population data system and Statistics Finland's database on the Finnish population
• Tax Administration’s tax database
• Kela (Social Insurance Institution of Finland) registers of pension insurance, medical expense reimbursement, child maintenance allowance, student aid and housing allowance
• Institute for Health and Welfare’s data on supplementary or preventive social assistance collected 
  from municipalities
• Centre for Pensions’ pension contingency register
• Statistics Finland’s register of completed education and degrees
• State Treasury's register of compensations for military injuries
• FIN-FSA’s data on earnings related unemployment allowance
• Data warehouse for early childhood education and care (VARDA)
• Statistics Finland's company register
• Employment Fund (formerly Education Fund) data

Recipients or categories of recipients of the personal data

Household Finance and Consumption Survey 2023 is part of the Eurosystem’s joint Household Finance and Consumption Survey (HFCS). The data of the Household Finance and Consumption Survey excluding direct identification data will be submitted to the ECB, and the ECB and the Bank of Finland are joint controllers of the data. There is a valid arrangement between the ECB and the Bank of Finland determining the responsibilities of the parties in ensuring compliance with the obligations under the General Data Protection Regulation (GDPR). Each party is responsible for informing their respective data subjects, and the data subjects may contact either one of the joint controllers if they choose to exercise their rights under the GDPR. Further information on the Eurosystem’s Household Finance and Consumption Survey is available at: Household Finance and Consumption Survey (HFCS) (europa.eu).

The Bank of Finland gives personal data to Statistics Finland for the purpose of the Households’ Assets 2023 statistics, for the compilation of a national time series as well as for the researcher and data service.

The following processors are used in the processing of personal data

• Statistics Finland
• IT service providers
• Communication service providers

Notification of possible transfer of personal data to a third country or an international organisation

Personal data are not, as a rule, transferred outside the EU or the EEA. If data are transferred outside of the EU or EEA, an adequate level of personal data protection is ensured, as required by data protection legislation, e.g. standard contractual clauses approved by the European Commission.

Period for which the personal data will be stored or the criteria used to determine that period

Complete statistical data, which does not include direct identification data, will be retained as long as necessary for the purposes of processing of personal data.

General description of technical and organisational security measures

In order to protect personal data against unauthorised access, disclosure, erasure or other unauthorised processing, the personal data is processed in systems protected by appropriate data security solutions with a view to the risks involved. Manual data are located in premises without access by inappropriate parties. Only employees that have a need to process personal data in order to perform their duties have access to the personal data. In the data available to the Bank of Finland, personal data has been pseudonymised, and there are no direct identification data of individual persons, such as name, personal identity code and contact details.

Rights of data subjects

The data subjects have the right:

• to request from the controller access to personal data concerning them and the rectification or restriction or erasure of such data or to object to processing. Data will not be erased from complete statistical data on request.
• to lodge a complaint about the processing of the personal data with the supervisory authority.

Statutory or contractual requirement to provide data and consequences of failure to provide such data

Participation in the Household Finance and Consumption Survey is voluntary. However, responding is highly recommended in order for information on Finns’ living conditions and livelihood to be as accurate as possible and for all kinds of population groups and situations of life to be represented in the statistics 
as well as possible.