Name of filing system or set of processing activities

International legal assistance in civil matters 

Purpose and legal basis of the processing of personal data 

The Ministry of Justice is the central authority in Finland for many treaties and EU statutes concerning international cooperation in civil law. As the central authority, the Ministry receives and transmits requests of Finnish and foreign courts of law and other judicial authorities to competent authorities in Finland and abroad. The requests may relate to service of documents, production of evidence or, for example, inquiries about legislation.

Personal data are processed for managing the above-mentioned requests and transmitting them to competent authorities in Finland and abroad. The processing is necessary to fulfill the statutory obligations of the Ministry of Justice as a central authority. 

The processing is mainly based on the following international instruments: 

• EU Service Regulation (European Parliament and Council Regulation (EU) No 2020/1784)
• Nordic Agreement on Mutual Legal Assistance (Finnish Treaty Series 26/1975) 
• Hague Service Convention 1965 (Finnish Treaty Series 51/1969) 
• EU Evidence Regulation (European Parliament and Council Regulation (EU) No 2020/1783) 
• Hague Evidence Convention 1970 (Finnish Treaty Series 37/1976) 
• Hague Convention of 1 March 1954 on Civil Procedure
• Agreement between Finland and Russia on Legal Assistance (Finnish Treaty Series 48/1980) and
• European Convention on Information on Foreign Law (Finnish Treaty Series 58/1990); 

and domestic legislation: 

• Act on International Legal Assistance and Recognition and Enforcement of Judgments in Civil and Commercial Law Matters (426/2015) and 
• provisions of the Code of Judicial Procedure (4/1734) concerning service of documents and taking of evidence.

Categories of data subjects and related categories of personal data

Requests for international legal assistance in civil matters concern 

• service of documents 
• requests related to taking of evidence and
• inquiries about legislation. 

The types of processed personal data may include, for instance, a person’s name, date of birth, address and civil status, in child custody cases the child’s circumstances, and in child maintenance cases the child’s and the family’s financial situation. 

Data are processed only to the extent that is necessary and indispensable for the consideration of a matter.

Collection of data 

As a rule, data are received from the Finnish court of law or foreign central authority or other competent authority requesting international legal assistance. Data may also be received from, for example, the parties to the matter, law offices, embassies of foreign states or the Ministry for Foreign Affairs. 

Moreover, a search of the Population Information System for data concerning matters under consideration may be conducted. 

Recipients or categories of recipients of personal data

The Ministry of Justice may disclose data concerning a matter under consideration to the parties to the matter, to the competent authorities of the state requesting international legal assistance or receiving such a request (courts of law in Finland and abroad as well as judicial authorities), and to central authorities. 

Data may also be disclosed on the basis of requests for data made by virtue of law by other public authorities, such as the Social Insurance Institution of Finland (Kela), healthcare and social welfare authorities, or the police.

Transfer of data to a third country or an international organisation 

The Ministry of Justice may transfer data concerning matters under its consideration outside the European Economic Area by virtue of applicable international treaties and in order to comply with obligations under them.

Data subjects’ rights

More detailed information about the rights of a data subject is available on the web page of the Ministry of Justice, 'Your data protection rights’ (in Finnish and Swedish).

Name of filing system or set of processing activities

International legal assistance in criminal matters 

Purpose and legal basis of the processing of personal data 

Personal data are processed for transmitting and managing requests for cross-border cooperation in criminal justice. The processing is necessary to fulfill the statutory obligations of the Ministry of Justice as a central authority. 

The processing is based on the following international instruments: 

• European Convention on Mutual Assistance in Criminal Matters and its Additional Protocols
• European Convention on Extradition and its Additional Protocols 
• Convention on the Transfer of Sentenced Persons and its Additional Protocol 
• the Framework Decision on the Transfer of Sentenced Persons between the Member States of the European Union 
• agreements with international criminal courts 
• numerous bilateral treaties on cooperation in criminal justice; 

and domestic legislation: 

• Act on International Legal Assistance in Criminal Matters (4/1994) 
• Extradition Act (456/1970) 
• Act on International Co-operation in the Enforcement of Certain Penal Sanctions (21/1987) 
• Act on the Domestic Implementation of the Provisions of a Legislative Nature of the Framework Decision on the Transfer of Sentenced Persons within the European Union and on the Application of the Framework Decision (1169/2011) 
• Act on the Jurisdiction of the International Criminal Tribunal for the Former Yugoslavia and on Legal Assistance Provided to the Tribunal (12/1994) 
• Act on the Bringing into Force of the Provisions of a Legislative Nature of the Rome Statute of the International Criminal Court and on the Application of the Statute (1284/2000) 
• Legal Aid Act (257/2002).

Categories of data subjects and related categories of personal data 

Requests for international legal assistance in criminal matters concern the following categories of matters: 

• service of legal documents and obtaining of evidence 
• extradition 
• transfer of sentenced persons and 
• granting legal assistance for legal proceedings abroad. 

Persons, within the category of data subjects, whose matters are considered in these categories of matters

The processed personal data may include, for instance, a person’s name, date of birth, address, civil status, photographs, fingerprints, DNA data, criminal record extracts, imprisonment data, health data and property data. 

Data are processed only to the extent that is necessary and indispensable for the consideration of a matter. 

Collection of data 

As a rule, data are received from the police, courts of law, and foreign authorities. Data may also be received from, for example, law offices, embassies of foreign states, the Ministry for Foreign Affairs, and other central authorities. 

Recipients or categories of recipients of personal data

The Ministry of Justice may disclose data being processed to the parties to the matter, to the competent authorities of the state requesting international legal assistance or receiving such a request, and to central authorities. 

Data concerning a matter under consideration may be transferred outside the European Economic Area by virtue of applicable international treaties.

Name of filing system or set of processing activities

International legal assistance in family law matters 

Purpose and legal basis of processing of personal data 

The Ministry of Justice is the central authority in Finland for many treaties and EU statutes concerning international family law. As the central authority, the Ministry receives and transmits applications and requests concerning family law matters with international aspects to competent authorities in Finland and abroad. Such applications and requests may relate to procedures for returning children, the exercise of the right of access to a child, child welfare, the recovery of maintenance, and the protection of adults.

Personal data are processed for managing the above-mentioned requests and applications, and for transmitting them to competent authorities in Finland and abroad. The processing is necessary to fulfill the statutory obligations of the Ministry of Justice as a central authority. 

The processing is mainly based on the following international instruments: 

• Articles 12, 79, 80 and 82 of the Brussels II b Regulation (Council Regulation (EU) No 2019/1111) 
• Articles 8–9 and 31–35 of the Hague Convention on Child Protection 1996 (Finnish Treaty Series 9/2011) 
• Articles 8 and 21 of the Hague Convention on the Civil Aspects of International Child Abduction 1980 (Finnish Treaty Series 57/1994)
• EU Maintenance Regulation (Council Regulation (EC) No 4/2009)
• Hague Convention on the International Recovery of Child Support and Other Forms of Family Maintenance 2007 and the related Hague Protocol on the Law Applicable to Maintenance Obligations 2007
• New York Convention on the Recovery Abroad of Maintenance 1956 (Finnish Treaty Series 37/1962) 
• bilateral agreement between Finland and the United States for the enforcement of maintenance obligations, applied to matters pending prior to 1 January 2017 (Finnish Treaty Series 74/2007) 
• reciprocal arrangement between Finland and Ontario of Canada (Finnish Treaty Series 33/1990)
• convention between Finland, Iceland, Norway, Sweden and Denmark on the recovery of maintenance through coercive measures (Finnish Treaty Series 8/1963)
• Hague Convention on the International Protection of Adults 2000 (Finnish Treaty Series 11/2011)
• Nordic Marriage Convention (Finnish Treaty Series 20/1931); 

and domestic legislation: 

• section 35, 35 a and 35 b of the Act on Child Custody and Right of Access (361/1983), 
• section 14 of the Act on the application of the Council Regulation concerning jurisdiction, and the recognition and enforcement of judgments in matrimonial matters and the matters of parental responsibility and the child abduction (454/2022) 
• section 2 of the Act on the Bringing into Force of the Provisions of a Legislative Nature of the Convention on Jurisdiction, Applicable Law, Recognition, Enforcement and Co-operation in Respect of Parental Responsibility and Measures for the Protection of Children, and on the Application of the Convention (435/2009) 
• Act on the Recognition and Enforcement of Maintenance Decisions Issued Abroad (370/1983)
• Act on the Application of the Council Regulation on Maintenance Obligations and the Convention on the International Recovery of Child Support and Other Forms of Family Maintenance (1077/2010) 
• Act on the Central Authority in Finland in Certain International Matters Relating to Maintenance (1076/2010) and
• Act on the Bringing into Force of the Provisions of a Legislative Nature of the Convention on the International Protection of Adults, and on the Application of the Convention (779/2010). 

Categories of data subjects and related categories of personal data 

Requests for international legal assistance in family law matters concern the following categories of matters: 

• applications for the return of a child 
• exercise of the right of access to a child
• child welfare matters and
• recovery of child maintenance and protection of adults. 

Persons, within the category of data subjects, whose matters are considered in these categories of matters

The types of processed personal data may include, for instance, a child’s name, parents’ names, a child’s and parents’ dates of birth, personal identity codes, addresses, and data on child custody. In certain cases, data may also be processed concerning a possible customer relationship with child welfare authorities, a child’s health data, data on a child’s circumstances and whereabouts, data on parents’ circumstances, and photographs of a child and parents. In child maintenance matters, data on the child’s and the parents’ financial situation are also processed. In matters of the protection of adults, the types of processed personal data may include, for example, names, dates of birth, personal identity codes, addresses, and guardianship data.

Data are processed only to the extent that is necessary and indispensable for the consideration of a matter.

Collection of data 

As a rule, data are received from the applicant and the competent authorities of Finland and the other state considering the matter (mainly social welfare authorities and central authorities under different treaties). Data may also be received from the parties to a matter. Moreover, a search of the Population Information System for data may be conducted. 

Recipients or categories of recipients of personal data

 The Ministry of Justice may disclose data being processed to the parties to the matter and to the competent authorities (e.g. social welfare authorities) of the state making or receiving a request for the consideration of the matter, and to central authorities. 

Data may also be disclosed on the basis of requests for data made by virtue of law by other public authorities, such as the Social Insurance Institution of Finland (Kela), healthcare and social welfare authorities, or the police.

The Ministry of Justice may transfer data concerning matters under its consideration outside the European Economic Area by virtue of applicable international treaties and in order to comply with obligations under them.

Data subjects’ rights

More detailed information about the rights of a data subject is available on the web page of the Ministry of Justice, 'Your data protection rights’ (in Finnish and Swedish).

Name of filing system or set of processing activities

Legal aid in matters considered abroad (international, free of charge) 

Purpose and legal basis of the processing of personal data 

Personal data are processed for the purpose of considering and deciding applications for legal aid for judicial proceedings abroad, and for receiving applications for legal aid from foreign judicial authorities or transmitting such applications to foreign judicial authorities. The processing of data is necessary to fulfill these statutory obligations.

The processing is based on the following international instruments: 

• EU Legal Aid Directive (Council Directive 2002/8/EC to improve access to justice in cross-border disputes by establishing minimum common rules relating to legal aid for such disputes) and 
• European Agreement on the Transmission of Applications for Legal Aid (Finnish Treaty Series 42/1980); 

and domestic legislation: 

• section 23, subsection 2 of the Legal Aid Act (257/2002). 

Categories of data subjects and related categories of personal data 

The considered categories of matters consist, on one hand, of those applications for legal aid for matters considered abroad which are decided by the Ministry of Justice or transmitted abroad, and, on the other hand, of applications for legal aid received from abroad for proceedings in Finland. 

The types of processed personal data may include, for instance, a person’s name, address, date of birth and personal identity code, data on a person’s financial position and property, and data on the subject matter of proceedings pending abroad. 

Data are processed only to the extent that is necessary and indispensable for the consideration of a matter. 

Collection of data 

As a rule, data are received from the applicant. 

Moreover, a search of the Population Information System for data concerning matters under consideration may be conducted. 

Recipients or categories of recipients of personal data

As a rule, data are disclosed only to the applicant. 

Transfer of data to a third country or an international organisation 

Data concerning a matter under consideration may be transferred outside the European Economic Area by virtue of applicable international treaties if the applicant’s request concerns the transmission of an application for legal aid outside the European Economic Area.

Data subjects’ rights

More detailed information about the rights of a data subject is available on the web page of the Ministry of Justice, 'Your data protection rights’ (in Finnish and Swedish).

Name of filing system or set of processing activities

Names Board

Purpose and legal basis of processing

The Names Board acts as an expert authority in matters concerning the application of the Act on Forenames and Surnames. The main task of the Names Board is to issue opinions on specific names to the Digital and Population Data Services Agency. The Board may also issue opinions to courts of law and other authorities. The Board does not issue opinions to private individuals.

The Names Board processes personal data for the purpose of performing its statutory duties. The processing is based on the Act on Forenames and Surnames, the Decree on Forenames and Surnames, and Article 6(1)(c) of the EU General Data Protection Regulation. Personal data is processed in order to record the event when a request for an opinion becomes pending, obtain the necessary information, prepare the matter for decision by the Names Board, and submit the opinion to the authority that requested it.

The Names Board sends the opinions to the requesting authority, which is usually the Digital and Population Data Services Agency. The Agency then makes the registration decision.

Categories of data subjects and related categories of personal data

The category of data subjects consists of persons on whom the Names Board issues an opinion.

Personal data is collected for processing using the personal data from the request for an opinion, and from the application for a change of name or the notification that are appended to the request. For this reason, the personal data processed varies on a case-by-case basis. Usually only the forename and/or surname are processed.

Collection of data

Personal data is collected for processing from the Digital and Population Data Services Agency's request for an opinion, and from the application for a change of name or the Notification of a Child's Name (notification) appended to the request. In addition, other necessary data may be verified through the Population Information System (electronic user interface) using the data subject's personal identity code. The Names Board may also examine the prevalence of specific names in the Population Information System.

Recipients or categories of recipients of personal data

The Names Board discloses information to the Digital and Population Data Services Agency.

Information on specific names that the Names Board supports or does not support is regularly disclosed to the media.

Data will not be disclosed or transferred outside Finland. 

Planned time limits for erasure of categories of personal data

As a rule, the Names Board stores personal data permanently. Incoming requests for advice and the advice and instructions provided are stored for two years.

Data subjects’ rights

More detailed information about the rights of a data subject is available on the web page of the Ministry of Justice, 'Your data protection rights’ (in Finnish and Swedish).

The Ministry of Justice is obliged to protect the contents of the message from unauthorised access. To be able to guarantee the information security of the message, the Ministry of Justice must collect some data based on which the parties to the communication can be identified. These include the email address of the sender and the recipient, the IP address of the device on which the message was opened, and technical details of the cookie installed by the web browser used. If SMS verification was used when sending the message, the recipient's telephone number is stored for 30 days from the date of sending the message.
The data collected are used and stored only for the purpose of implementing information security and investigating possible disruptions and information security incidents. The processing of personal data is necessary in order for the controller to comply with its legal obligations (Article 32 of the EU General Data Protection Regulation, section 31 of the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security).

The technical services are provided by the Government Centre for Information and Communication Technologies (Valtori) and its contractual partner State Security Networks Ltd, which is a wholly state-owned company. The Ministry of Justice or the above-mentioned service providers do not seek to identify the party that opened the message on the basis of the data collected. If there is reason to suspect that information security of a message transmitted has been compromised, possibly due to an unlawful procedure, the Ministry of Justice or Valtori will ask the competent authority to investigate the matter.
More detailed information about the rights of a data subject is available on the web page of the Ministry of Justice, 'Your data protection rights’ (in Finnish and Swedish). 

Switchboard

The Government switchboard transfers telephone calls to public officials of the Ministry of Justice. The time of the call, the caller’s number, the number to which the call is transferred and the duration of the call are stored for calls incoming to the switchboard. Storing this technical data is necessary in order for the Ministry of Justice to comply with its legal obligations, in other words to transfer calls and communicate with its customers and stakeholders.

The Government switchboard service is provided by the Government ICT Centre Valtori, and Elisa Oyj is responsible for its technical implementation. The Ministry of Justice does not process data concerning the calls made to the switchboard, unless the switchboard forwards a call request made by the caller to the Ministry of Justice. In this case, the Ministry of Justice processes the data only for the time it takes to deal with the matter that the call request concerns. After this, the data is erased.

Calls to the switchboard are not recorded.

Direct calls to the Ministry of Justice

Telephone conversations conducted with public officials of the Ministry of Justice are not recorded. If necessary, data related to a call to the Ministry of Justice may be registered in the case management system of the Ministry of Justice. Typically, this is agreed upon separately. The personal data to be collected include the caller’s name and telephone number and, if necessary, other information necessary for dealing with the matter.  Further information on the processing of personal data related to this is available on the Ministry of Justice’s data protection page under Letters from citizens, feedback, inquiries, requests for information and requests for documents.

The telephone services of the Ministry of Justice are provided by the Government ICT Centre Valtori and Elisa Oyj. The Ministry of Justice processes the personal data of the parties to calls in Elisa Oyj’s system.

The telephone system has a statistics feature. It only collects data on the number of calls. Personal data is kept separate from this data.

Disclosure of data

As a rule, we do not disclose any data. Data can, however, be disclosed upon request in accordance with the Act on the Openness of Government Activities. Official documents are public, unless special provisions on their secrecy have been laid down by law.

Name of filing system or set of processing activities

Visiting the Ministry of Justice

Purpose of processing of personal data 

When you participate in events organised by the Ministry of Justice or events organised at our premises, the Ministry collects some of your personal data in advance. You must be able to prove your identity when arriving at our premises. Your personal data will be processed for the purpose of organising events appropriately and other cooperation and to ensure our common safety and security (access control and preparedness for rescue operations). Depending on the event, the Ministry of Justice may also be required to store some of your data related to the transparency of the use of government funds.

The Prime Minister’s Office is responsible for the camera surveillance of the premises of the Ministry of Justice (section 1 of the Government Decree on the Prime Minister’s Office). The related data protection statement is available on the website of the Prime Minister’s Office under ‘Data protection’. 

Legal basis of processing of personal data

The advance collection of data and verification of identity for the purpose of ensuring safety and security are based on a legal obligation that the Ministry of Justice is subject to (Article 6(1)(c) of the EU General Data Protection Regulation, section 8 of the Occupational Safety and Health Act).

Storage of your data after your visit for cooperation purposes is based on the performance of a task carried out in the public interest by the Ministry of Justice (section 4 of the Data Protection Act). If your name and organisation must be included in the bookkeeping material, the storage of this data is based on section 46 of the State Budget Decree.

Categories of data subjects and related categories of personal data

The category of data subjects comprises people visiting the Ministry of Justice and attending events organised by the Ministry of Justice or events organised at the Ministry's premises (e.g. stakeholders, journalists, interviewees).

During a typical visit, your name, organisation, email address, and, in some cases, telephone number is recorded. In some cases, your job title or position is also recorded and, if necessary, information about dietary requirements that you have provided. Some visits involve payment of fees. Further information on the processing of personal data in this context is available in the data protection statement concerning financial administration, which can be found on the web page of the Ministry of Justice, ‘Data protection’.

Recipients or categories of recipients of personal data

When you visit the premises of the Ministry Justice or other government premises, your data will be processed on behalf of the government by Senate Properties Ltd and its subcontractor Avarn Oy. Other processors are also used for events organised outside government premises. These service providers have contractually agreed to process personal data only in accordance with the instructions they have received and to comply with the data security requirements during the processing of data.

Your data will not normally be disclosed outside the government unless the event venue needs the data for the purposes of its own security regulations. In certain training events, seminars and other similar events, the list of participants may, for the performance of a task of carried out in the public interest, be shared with other participants for networking and other cooperation purposes, unless you have objected to sharing your data. In the context of projects funded by the European Union, the names can be submitted to the European Commission.

If the visitor data form a participant list or another official document, it is, as a rule, a public document. Everyone has the right of access to public documents as provided in the Act on the Openness of Government Activities. In exceptional cases, the lists of participants in an international meeting, for example, may be kept secret under the Act on the Openness of Government Activities. The names and email addresses of guests invited to a meeting with an email calendar request are displayed in the electronic calendars of the public officials of the Ministry of Justice and are visible to all government officials.

In the case of a normal visit or another event without international connections, your data will not be transferred outside the European Union or the European Economic Area or to international organisations.

Planned time limits for erasure of personal data

Your data will be stored in the Senaattila facility booking system until the date of your visit. For regular events, the lists of participants and the participants’ contact details will be stored in a separate system until the next corresponding event with a similar topic is organised. In accordance with the Government data management plan, data on participants in certain events may be stored for ten years or permanently. These include events hosted by a minister, or any other functions organised by the Ministry that are regarded as highly important.

The Ministry of Justice also adheres to good governance and transparency in the use of government funds. If catering, such as coffee or lunch, is provided, your name and organisation may be included in our bookkeeping material, depending on the number of participants and the type of catering provided. This is the policy for official functions at least. We normally store receipts in our accounting system for six years from the end of the year of the visit. For projects funded by the European Union or for other externally funded projects, the storage period may be affected by different requirements of the sponsor, which may arise from EU legislation or an obligation or agreement concerning the Ministry of Justice.

Information on dietary requirements will be erased immediately after the event. More detailed information on the processing and storage times related to each visit is available from the officials organising the event or from the Data Protection Officer of the Ministry of Justice.

Data subjects’ rights

More detailed information about the rights of a data subject is available on the web page of the Ministry of Justice, 'Your data protection rights’ (in Finnish and Swedish). 

After the visit, you have the right to object to the storage of your data on the basis of your specific personal situation at any time. In such cases, the Ministry of Justice will erase your personal data, unless there are compelling legitimate grounds for storing the data that override your interests, rights and freedoms. Data may also need to be stored if this is necessary for the establishment, exercise or defense of legal claims. When information about your name and organisation must be included in the bookkeeping material, you cannot object to the storage of your data.
​​​

Whistleblower protection allows people to safely report breaches. A report can be submitted using an internal or external whistleblowing channel. The internal whistleblowing channel of the Prime Minister's Office is only available to people employed by the Prime Minister’s Office. Others, such as retired public officials or people employed by partners, may submit a report regarding the activities of the Prime Minister’s Office that they have observed in their work and that fall within the scope of the Whistleblower Act to the central external whistleblowing channel of the Office of the Chancellor of Justice. 

Purpose of and grounds for the processing of personal data

Personal data is processed in connection with the tasks laid down in the Act on the Protection of Persons Reporting Infringements of European Union and National Law (1171/2022, the Whistleblower Act). Under section 30 of the Whistleblower Act, the controller may process data belonging to certain special categories of personal data and data related to criminal convictions and offences only if the processing is necessary for the purpose of the Act. 

Personal data is processed in accordance with Article 6, paragraph 1, point (c) of the General Data Protection Regulation (processing is necessary for compliance with a legal obligation to which the controller is subject). 

Processed data

Reports processed in matters concerning whistleblower protection may contain any personal data that the whistleblower has appended to the report.

In matters concerning whistleblower protection, the personal data of the whistleblower is not stored in the contact information for the matter or document as the initiator of the matter, nor is the personal data of the reported person stored in the contact information for the matter or document. However, the personal data of the whistleblower and the reported person are processed in the documents concerning the report, such as the report itself.

The personal data of the whistleblower and the reported person under the Whistleblower Act are always treated as non-disclosable in their entirety.

Situations in which information on the identity of the whistleblower can be disclosed to another authority or to the reported person

Notwithstanding the non-disclosure obligation laid down in the Whistleblower Act, the person responsible for processing the report may disclose the identity of the whistleblower and other persons mentioned in the report, as well as any other information directly or indirectly indicating the identity of the persons, to a person appointed to verify the accuracy of the report, if this disclosure is necessary to verify the accuracy of the report.

In addition, notwithstanding non-disclosure provisions, the person responsible for processing the report may provide information on the identity of the whistleblower, the reported person and other persons mentioned in the report, as well as other information directly or indirectly indicating their identity, if it is necessary to provide this information:

1. to the competent authority for the purpose of verifying the accuracy of the report;
2. to the criminal investigation authorities for the purpose of preventing, detecting, investigating and considering prosecution of criminal offences;
3. to public prosecutors for the purpose of performing the official functions prescribed in section 9 of the Act on the National Prosecution Authority (32/2019);
4. to the reported person for the purpose of establishing, presenting or defending a legal claim in a court hearing or in out-of-court judicial or administrative proceedings. 

Separate provisions on the right of a party to access non-disclosable information are laid down elsewhere in law. 

The reported person has the right to disclose the identity of the whistleblower and to obtain information on the identity of the whistleblower from the authorities if this is necessary for establishing, presenting or defending a legal claim in judicial proceedings.

The person responsible for processing the report shall inform the whistleblower in advance of the disclosure of their identity, unless such information would jeopardise the verification of the accuracy of the report or a criminal investigation or trial related to the matter. The competent authority shall also provide the whistleblower with a written explanation of the grounds for the disclosure of non-disclosable information.

Processing of data is limited within the organisation and time-limited

In matters concerning whistleblower protection, personal data may only be processed by persons designated for the task in the ministry in question as referred to in the Whistleblower Act. 

Documents submitted to and prepared by the ministry and the personal data contained therein shall be stored in accordance with the document storage periods specified in the information management plan. The provisions of section 29, subsection 2 of the Whistleblower Act have been taken into account when determining the storage periods.

Data stored in the case management system shall not be transferred to third countries or international organisations.

Rights of data subjects

The right of a data subject to restrict the processing of their data does not apply to matters of whistleblower protection, and the right of a data subject to access their data may be restricted if this is necessary and proportionate with respect to ensuring the accuracy of the report or in order to protect the identity of the whistleblower. If only a part of the data on a data subject is such that it falls within the restriction on the right of access, the data subject shall have the right to access the remainder of the data. The data subject has the right to be informed of the reasons for the restriction and to request that this information be provided to the Data Protection Ombudsman in accordance with section 34, subsections 3 and 4 of the Data Protection Act (1050/2018).

Any requests for information concerning personal data, requests to rectify or supplement personal data and requests to restrict the processing of personal data shall be addressed to the controller.

More detailed information about the rights of a data subject is available on the web page of the Ministry of Justice, 'Your data protection rights’ (in Finnish and Swedish).