Skip to the content

Privacy Statement: the processing of personal data in the case management system and the electronic signature service linked to it

1 February 2024

1. Controller

Name: State Treasury
Address: Sörnäisten rantatie 13, PO Box 14, FI-00054 State Treasury
Other contact details: tel. +358 (0)295 50 2000, kirjaamo@valtiokonttori.fi

2. Contact person in register matters

Name: Riikka Soininen
Address: asiakirjahallinto@valtiokonttori.fi

Other contact details (incl. telephone number during office hours and email address)
kirjaamo@valtiokonttori.fi

3. Data Protection Officer

Denis Galkin, tietosuojavastaava@valtiokonttori.fi

4. Legal basis and purpose of personal data processing

Pursuant to Article 6(c) and (e) of the EU General Data Protection Regulation (2016/679), the processing of personal data in the case management system and the electronic signature service linked to it is based on compliance with the State Treasury’s legal obligation and the performance of a task carried out in the public interest.

The system is used to handle matters processed by the State Treasury and the documents associated with them from initiation of a matter until a decision has been made and the documents are archived or destroyed. The use of the system promotes the principle of openness and good administration as well as creates a case register referred to in the Act on Information Management in Public Administration (906/2019).

5. Data content of the register

Information is registered in the case management system as set out in sections 25 and 26 of the Act on Information Management in Public Administration.

The key data content consists of:

  • Metadata of matters and documents (incl. titles and dates)
  • Document content
  • Actors involved in processing the matter (including a party, document sender or recipient, author of a document)

The name of an actor involved in the processing is always registered. The following may also be registered:

  • Email address
  • Address
  • Telephone number
  • Personal identity code or an organisation’s business ID
  • Data indicating the organisation for which the data subject acts as a contact person.

In the electronic signature service, third parties may also sign documents on the State Treasury’ request. To enable them to sign, the name, email address, telephone number and organisation information of the signatory are registered in the case management system. These data are also automatically transferred to the signature service when documents are signed. Any personal data contained in the documents to be signed are also processed in the service.

6. Regular sources of data

The content of the register mainly consists of data obtained from data subjects themselves or other authorities.

The State Treasury’s various operating processes may have other regular data sources. These sources are detailed in the Privacy Statements specific to each function.

7. Regular disclosures of data

The Act on the Openness of Government Activities (621/1999) and the EU General Data Protection Regulation apply to any disclosure of data.

8. Regular disclosures of data and transfer of data to countries outside the EU or the EEA

The State Treasury does not transfer data to non-EU or EEA countries.

The information system services are based on services provided in Finland and the EU/EEA area.

9. Principles of register protection

The data are protected by managing user groups and access. Employees of the State Treasury can access the data as required by their duties.

Multifactor Authentication (MFA) is in use.

The data are encrypted in the database and when they are transferred over the internet. The database and files are additionally protected by double key encryption. Information on any modifications is stored in the change history. Data availability is ensured by making backup copies. The servers and active devices of the information system are located in protected and controlled facilities.

10. Storage period of data/criteria for determining the storage period

The storage periods of different data types in the case management system are determined individually for each operating process or document type.

Unless otherwise provided in some other Act, the storage period of datasets is determined in accordance with section 21 of the Act on Information Management in Public Administration.

Some of the processed data are archived pursuant to the Archives Act (831/1994).

Signatories’ personal data are retained for six months in the electronic signature service.

11. Information on automated decision-making (incl. profiling) as well as on the logic involved in data processing and its consequences for the data subject

No automated decision-making or profiling is used in the case management system.

The State Treasury provides information on the automated decision-making procedure otherwise used in its operating processes as laid down in section 28e of the Act on Information Management in Public Administration.

12. Right of access

The data subject has the right to access their data kept in the register. The requests should be sent to the registry office.

If the data subject has exercised their right of access less than one year ago, the controller may collect a fee based on the administrative costs arising from providing the data.

13. Rectification of data

Data subjects have the right to request corrections to any incorrect information on them contained in the register. The requests should be sent to the registry office.

14. Right to object to data processing

The State Treasury processes personal data in order to comply with its legal obligations, and the data subject does not have the right to object to the processing of their personal data.

15. Right to restriction of processing

The data subject has the right to restrict the processing of their personal data as specified in Article 18 of the General Data Protection Regulation.

16. Right to erasure

The State Treasury processes personal data in order to comply with its legal obligations, and the data subject does not have the right to have their personal data removed from the case management system.

The data subject has the right to request that a user account registered in the electronic signature service be deleted. The requests should be sent to the registry office.

17. Right to lodge a complaint

The data subject has the right to lodge a complaint with a supervisory authority if the data subject believes that their rights have been infringed by the actions of the controller.

18. Other rights

Personal data are not used or disclosed for direct advertising, distance selling or other direct marketing purposes, market research, opinion polls, registers of persons, or genealogies.

Additional theme

◄ All news