In matters relating to Kela benefits, we can process your personal data, for example, when we

• process your benefits
• provide you with customer service
• control our operations internally
• carry out targeted customer service or customer communications.

In other matters, we can process your personal data, for example, when we

• carry out our statutory duties in the fields of statistics and research
• develop our operations
• carry out our other operations, such as recruitment and procurements, and when we process administrative matters and newsletter subscriptions.

You: You provide us with personal data when you, for example, fill out applications or submit supporting documents.

Other authorities: Where provided by law, we can obtain your personal data from other authorities, such as the Digital and Population Data Services Agency (DVV) and the Tax Administration.

At Kela, your personal data is processed only by employees whose duties required them to process your personal data. Kela supervises the processing of personal data in various ways.

Kela employees are always obliged to keep your personal data confidential and safe from third parties.

Kela may make automated decisions in matters that do not require deliberation. An automatic decision is a decision that is made without human involvement. Automation enables faster and more efficient service.

If the matter requires deliberation, the decision is always made by a Kela employee.

In Finland, provisions regarding automated decisions made by authorities are set out in the Administrative Procedure Act (434/2003, in Finnish) and in the Act on Information Management in Public Administration (906/2019, in Finnish). Automated decisions can be appealed similarly to all other decisions made by Kela.

More information on automated decisions and how to appeal them is available on Kela’s website at automated decisions at Kela.

Kela discloses your personal data to other authorities in situations provided by law. In some cases, we may also disclose your personal data to other third parties if you have given your consent to such disclosure.

Kela can also disclose personal data for statistical or research purposes when allowed by the Act on the Secondary Use of Health and Social Data (552/2019, in Finnish) or based on rights of access established in separate Acts of Parliament. All data disclosed for such purposes is either anonymised or pseudonymised. Once your personal data has been anonymised, it can no longer be linked to you in any way. Pseudonymisation, on the other hand, means that you are no longer identifiable from the data without additional information.

Kela will disclose your personal data to another person if they are managing Kela matters on your behalf. More information on acting on behalf of another person in Kela-related matters is available on our website at acting on behalf of another person in Kela-related matters (Our Services). On the said page, we provide instructions on

• acting on behalf of a child
• acting on behalf of another adult
• continuing powers of attorney
• guardianship.

Kela has an obligation to retain your personal data. We have set the retention periods for personal data on the basis of different laws, such as those relating to benefits.

More information on retention periods is available in our privacy statements.

Our privacy statements offer more information on how we process personal data as they describe in more detail the different situations in which we process personal data.

Kela’s privacy statements

Privacy policies for the Kanta e-service (kanta.fi)

You have the right to know how your personal data is processed. This right is based on Articles 12, 13 and 14 of the GDPR.

This page contains information on how Kela processes personal data in its operations.

You have the right to know what kind of personal data concerning you we process and the right to receive a copy of your personal data.

You also have the right to know, for example:

• the purposes for which we process your personal data
• the retention period of your data
• the source from which your data was obtained
• the parties to which we disclose your data.

You can exercise your right of access to ensure that we process your personal data properly and in accordance with the law.

How to exercise your right of access:

1. Fill out the form Request to review personal information (PDF) or submit a free-form request.

   1. You can fill out the form online or ask for a paper copy at a Kela service point.
   2. If you submit a free-form request to review your personal data, please disclose your name and contact details and state which data you want to review and from which period of time.
2. Send requests concerning your personal data to Kela’s Registry by email or by post.

   • If you send the request by email, we recommend that you use secure email. Please see the instructions on how to send a secure email message to Kela:
     • How to send secure email to Kela (PDF)
     • How to send secure email to Kela using Suomi.fi identification (PDF).
   • If you want to send your request by post, send it to Kela, Kirjaamo, PL 450, 00056 Kela.

Your right of access is based on Article 15 of the GDPR.

Read more about how you can exercise your rights.

You have the right to rectify incorrect and inaccurate data. This right is based on Article 16 of the GDPR.

Please note that your right of rectification is not the same thing as your right to submit an appeal concerning a benefit decision issued by Kela.

In certain circumstances, you have the right to request the erasure of your personal data. You can request the erasure of your personal data, for example, when your data is no longer necessary or when your personal data has been processed in a manner that breaches the law.

Kela cannot erase your personal data if Kela is required to retain it for the purposes of carrying out a duty set out in law. For example, operations related to Kela’s benefit administration constitute this kind of duty.

Your right to erasure is based on Article 17 of the GDPR.

In certain circumstances, you have the right to restrict the processing of your personal data. You can restrict processing, for example, if you find that the personal data we process with regard to you is incorrect.

Restricting the processing of your personal data means that Kela cannot do anything to your data except retain it.

Your right to restrict the processing of your personal data is based on Article 18 of the GDPR.

The GDPR does, however, set out a few exceptions that allow for personal data to be processed even if the data subject has restricted the processing of their personal data.

In the context of Kela’s benefit administration, data subjects may not have the right to restrict the processing of their personal data if the data subject’s request to restrict the processing of their personal data is clearly unfounded.

You have the right to object to the processing of your personal data when your data is processed on the basis of a legitimate interest, the exercise of official authority or public interest. More information on the basis for the processing of your personal data is available in our privacy policies and statements.

You can object to the processing of your personal data if your personal data is going to be used, for example, for the purposes set out in the Act on the Secondary Use of Health and Social Data (552/2019, in Finnish). More information on how to object to the processing of your personal data is available on our website at data permits and data requests (Kela’s Info Tray).

If you exercise your right of objection, we will assess whether we should stop processing your personal data in accordance with your notice of objection or if legitimate grounds exist for us to continue processing your personal data.

Your right to object to the processing of your personal data is based on Article 21 of the GDPR.

Data subjects have the right to receive their personal data for the purposes of transmitting the data to another data controller if the data subject themselves has provided the data controller with the personal data in question and the processing is based on consent or a contract.

This right does not, as a rule, apply to Kela’s operations because this right cannot be exercised, for example, when personal data is processed for the purposes of carrying out Kela’s statutory duties.

Your right to data portability is based on Article 20 of the GDPR.

All data subjects have the right to submit a matter concerning the processing of personal data to a supervisory authority in charge of monitoring compliance with data protection legislation. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman (tietosuoja.fi).

Your right to lodge a complaint is based on Article 77 of the GDPR.

You can send a request concerning your personal data to Kela’s Registry by email or by post.

If you send the request by email, we recommend that you use secure email. Please see the instructions on how to send a secure email message to Kela:

• How to send secure email to Kela (PDF)
• How to send secure email to Kela using Suomi.fi identification (PDF).

If you send the request by post, send it to Kela, Kirjaamo, PL 450, 00056 Kela.

You can also make the request by phone or by visiting one of Kela’s service points in person. Be prepared to prove your identity.

We will respond to requests concerning personal data within one month, and we will also notify you if we cannot comply with your request for statutory reasons.

If we cannot respond to your request within one month and there is a valid reason for this, we can extend the time limit by a maximum of two months. We will notify you of the extension to the time limit within one month of the date on which we received your request. We will also state the reasons for the extension.

Data subjects can usually submit a request concerning their personal data and receive a reply free of charge. However, in cases where the data subject’s request is clearly unfounded or unreasonable, Kela can charge a reasonable fee for responding to the request or refuse to carry it out.