Data protection and handling of personal data | About Kela | KelaSkip to content

OmaKela payment form unavailable: The student healthcare fee cannot be paid from 31.3.2025 to 2.4.2025 Read more

Data protection and processing of personal data at Kela

What does data protection mean?

Data protection is a fundamental right and refers to the protection of personal data. Personal data means all data that relates to an identifiable person. Every person has rights that relate to their own personal data.

The most important data protection laws are the EU’s General Data Protection Regulation (the GDPR) and the Finnish Data Protection Act, which supplements it:

The GDPR and the Data Protection Act define what kind of personal data can be processed and in what ways.

Data controller refers to a person or organisation that determines the purposes for which and how personal data is processed. As a data controller, Kela processes, for example, personal data relating to its customers and employees.

Data subject refers to a person whose personal data is processed.

How does Kela process personal data?

In matters relating to Kela benefits, we can process your personal data, for example, when we

  • process your benefits
  • provide you with customer service
  • control our operations internally
  • carry out targeted customer service or customer communications.

In other matters, we can process your personal data, for example, when we

  • carry out our statutory duties in the fields of statistics and research
  • develop our operations
  • carry out our other operations, such as recruitment and procurements, and when we process administrative matters and newsletter subscriptions.

You: You provide us with personal data when you, for example, fill out applications or submit supporting documents.

Other authorities: Where provided by law, we can obtain your personal data from other authorities, such as the Digital and Population Data Services Agency (DVV) and the Tax Administration.

At Kela, your personal data is processed only by employees whose duties required them to process your personal data. Kela supervises the processing of personal data in various ways.

Kela employees are always obliged to keep your personal data confidential and safe from third parties.

Kela may make automated decisions in matters that do not require deliberation. An automatic decision is a decision that is made without human involvement. Automation enables faster and more efficient service.

If the matter requires deliberation, the decision is always made by a Kela employee.

In Finland, provisions regarding automated decisions made by authorities are set out in the Administrative Procedure Act (434/2003, in Finnish) and in the Act on Information Management in Public Administration (906/2019, in Finnish). Automated decisions can be appealed similarly to all other decisions made by Kela.

More information on automated decisions and how to appeal them is available on Kela’s website at automated decisions at Kela.

Kela discloses your personal data to other authorities in situations provided by law. In some cases, we may also disclose your personal data to other third parties if you have given your consent to such disclosure.

Kela can also disclose personal data for statistical or research purposes when allowed by the Act on the Secondary Use of Health and Social Data (552/2019, in Finnish) or based on rights of access established in separate Acts of Parliament. All data disclosed for such purposes is either anonymised or pseudonymised. Once your personal data has been anonymised, it can no longer be linked to you in any way. Pseudonymisation, on the other hand, means that you are no longer identifiable from the data without additional information.

Kela will disclose your personal data to another person if they are managing Kela matters on your behalf. More information on acting on behalf of another person in Kela-related matters is available on our website at acting on behalf of another person in Kela-related matters (Our Services). On the said page, we provide instructions on

  • acting on behalf of a child
  • acting on behalf of another adult
  • continuing powers of attorney
  • guardianship.

Kela has an obligation to retain your personal data. We have set the retention periods for personal data on the basis of different laws, such as those relating to benefits.

More information on retention periods is available in our privacy statements.

Our privacy statements offer more information on how we process personal data as they describe in more detail the different situations in which we process personal data.

Kela’s privacy statements

Privacy policies for the Kanta e-service (kanta.fi)

Your rights in relation to the processing of your personal data

As a data subject, you have certain rights in relation to your own personal data and how it is processed at Kela. Data subjects’ rights are based on the EU’s General Data Protection Regulation (the GDPR) and impacted by other laws, such as the Data Protection Act and the laws governing Kela’s operations. Please note that you may not be able to exercise all of your rights in all situations.

You have the right to know how your personal data is processed. This right is based on Articles 12, 13 and 14 of the GDPR.

This page contains information on how Kela processes personal data in its operations.

You have the right to rectify incorrect and inaccurate data. This right is based on Article 16 of the GDPR.

Please note that your right of rectification is not the same thing as your right to submit an appeal concerning a benefit decision issued by Kela.

In certain circumstances, you have the right to request the erasure of your personal data. You can request the erasure of your personal data, for example, when your data is no longer necessary or when your personal data has been processed in a manner that breaches the law.

Kela cannot erase your personal data if Kela is required to retain it for the purposes of carrying out a duty set out in law. For example, operations related to Kela’s benefit administration constitute this kind of duty.

Your right to erasure is based on Article 17 of the GDPR.

In certain circumstances, you have the right to restrict the processing of your personal data. You can restrict processing, for example, if you find that the personal data we process with regard to you is incorrect.

Restricting the processing of your personal data means that Kela cannot do anything to your data except retain it.

Your right to restrict the processing of your personal data is based on Article 18 of the GDPR.

The GDPR does, however, set out a few exceptions that allow for personal data to be processed even if the data subject has restricted the processing of their personal data.

In the context of Kela’s benefit administration, data subjects may not have the right to restrict the processing of their personal data if the data subject’s request to restrict the processing of their personal data is clearly unfounded.

You have the right to object to the processing of your personal data when your data is processed on the basis of a legitimate interest, the exercise of official authority or public interest. More information on the basis for the processing of your personal data is available in our privacy policies and statements.

You can object to the processing of your personal data if your personal data is going to be used, for example, for the purposes set out in the Act on the Secondary Use of Health and Social Data (552/2019, in Finnish). More information on how to object to the processing of your personal data is available on our website at data permits and data requests (Kela’s Info Tray).

If you exercise your right of objection, we will assess whether we should stop processing your personal data in accordance with your notice of objection or if legitimate grounds exist for us to continue processing your personal data.

Your right to object to the processing of your personal data is based on Article 21 of the GDPR.

Data subjects have the right to receive their personal data for the purposes of transmitting the data to another data controller if the data subject themselves has provided the data controller with the personal data in question and the processing is based on consent or a contract.

This right does not, as a rule, apply to Kela’s operations because this right cannot be exercised, for example, when personal data is processed for the purposes of carrying out Kela’s statutory duties.

Your right to data portability is based on Article 20 of the GDPR.

All data subjects have the right to submit a matter concerning the processing of personal data to a supervisory authority in charge of monitoring compliance with data protection legislation. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman (tietosuoja.fi).

Your right to lodge a complaint is based on Article 77 of the GDPR.

You can send a request concerning your personal data to Kela’s Registry by email or by post.

If you send the request by email, we recommend that you use secure email. Please see the instructions on how to send a secure email message to Kela:

If you send the request by post, send it to Kela, Kirjaamo, PL 450, 00056 Kela.

You can also make the request by phone or by visiting one of Kela’s service points in person. Be prepared to prove your identity.

We will respond to requests concerning personal data within one month, and we will also notify you if we cannot comply with your request for statutory reasons.

If we cannot respond to your request within one month and there is a valid reason for this, we can extend the time limit by a maximum of two months. We will notify you of the extension to the time limit within one month of the date on which we received your request. We will also state the reasons for the extension.

Data subjects can usually submit a request concerning their personal data and receive a reply free of charge. However, in cases where the data subject’s request is clearly unfounded or unreasonable, Kela can charge a reasonable fee for responding to the request or refuse to carry it out.

Contact information and more information on how we process your personal data

Kela’s various privacy statements provide more detailed information on how we process your personal data across our operations. You can also contact Kela’s customer service in matters related to the processing of your personal data.

Kela's Data Protection Officer

Kela’s Data Protection Officer is responsible, for example, for making sure that Kela complies with all legislation that applies to the processing of personal data.

You can contact Kela’s Data Protection Officer in matters related to the processing of your personal data.

The Data Protection Officer’s email address is tietosuoja@kela.fi. We recommend that you use secure email.

What should you do if you suspect a personal data breach?

A personal data breach refers to an event that falls under the responsibility of the data controller and which results in personal data being destroyed, lost, changed, disclosed without authorisation or accessed by an entity that is not entitled to process it.

A personal data breach has occurred, for example, if a person receives a document that pertains to another person in the mail or if a person otherwise gains access to another person’s personal data without authorisation.

If you suspect that a data breach involving your personal data has occurred, please contact Kela’s customer service.

Last modified 27/3/2025