Data protection
The Financial Stability Authority (FFSA) processes personal data carefully and in compliance with the EU General Data Protection Regulation. The principles governing the processing of personal data within the Authority are legality, reasonableness and transparency. For a general description of data protection, see the website of the Office of the Data Protection Ombudsman.
Privacy statement
The privacy statement provides information on the processing of personal data in various situations. Personal data consists of any information enabling the identification of a person. Personal data includes contact information and portraits, for example.
Controller
Financial Stability Authority
Työpajankatu 13, PO Box 70, FI-00581 Helsinki
rahoitusvakausvirasto(at)rvv.fi
As regards personal data in the Valtiolle.fi service, the controller is:
Government Shared Services Centre for Finance and HR.
Kauppakatu 40
80100 Joensuu
Switchboard +358 295 562 000.
The service centre is responsible for the technical performance of the Valtiolle.fi service and related issues, including usability, data integrity, protection and retention. The Financial Stability Authority is responsible for other duties of the controller, and it acts as the contact point for inquiries.
Data protection officer
Further information the processing of personal data by the Financial Stability Authority is provided by the Authority's data protection officer, Tanja Jyrkönen, tel. + 358 295 253 513, tanja.jyrkonen(at)rvv.fi.
Privacy policy
During the recruiting process, the Financial Stability Authority collects information relevant for filling vacant public-service positions and employment relationships. The processing of personal data is partly based on a statutory obligation (State Civil Servants Act (1994/750), the Administrative Procedure Act (2003/434), the State Budget Act (1988/423, section 24 b)) and partly on consent.
The recruitment register contains the following personal data on the applicants:
- Information related to the applications
- Information related to the administration of user rights of the Valtiolle.fi service
- Information related to background checks.
The applications contain information provided by the applicants themselves. These include, for example, the name, telephone number, sex, photograph, education and work experience, CV, education and qualification certificates, proof of employment, references and other necessary information related to the job application and the filling of the position.
The submission of an application through the Valtiolle.fi service requires registration. Information collected in this context include name, sex, date of birth, address, postal code, city, country, province, municipality and email address, and these are received directly from the applicant.
The FFSA’s recruitment process includes a suitability assessment and a personnel security clearance, where personal data are obtained, in addition to the data subject him/herself, also from the maker of the suitability assessment and the national security authority. The Act on the Protection of Privacy in Working Life (759/2004) provides for personality and suitability assessment tests. The Security Clearance Act (726/2014) provides for security clearances and the information used therein.
No profiling or automated decision making is used in recruitment.
Information collected in recruitment may be disclosed to third parties and other controllers or transferred to persons processing personal data only within the requirements and boundaries established by valid legislation.
Application documents are public documents, as referred to in the Act on the Openness of Government Activities (621/1999), which are made available on request, in accordance with the requirements of section 13 and section 16 of the Act. Confidential data are made available and disclosed only
- with the consent of the person concerned
- to the person concerned
- based on a legal right.
The Financial Stability Authority discloses or transfers information collected in recruitment on a regular basis to the following parties:
- Government Shared Services Centre for Finance and HR.
- System suppliers and server maintainers, such as the Government ICT Centre Valtori.
- The party conducting the suitability assessment. The Act on the Protection of Privacy in Working Life (759/2004) provides for personality and suitability assessment tests.
- National Security Authority. The Security Clearance Act (726/2014) provides for security clearances and the information used therein.
Processing of personal data outside the European Economic Area is based on the Commission’s standard clauses under the General Data Protection Regulation (Art. 46.2).
The data collected during recruitment are retained only for as long as and to the extent necessary with respect to the original purpose for which the personal data have been collected.
Data are deleted or disposed of as follows:
- Valtiolle.fi service: Applications concerning recruitment for vacancies are removed from the applicant's profile 12 months after the end of the recruitment process and open applications 12 months after they were last saved. The applicant's user data are removed after being unused for a year. The user is notified prior to the deletion. One may also request deletion of his/her user data by submitting a request in the Valtiolle.fi service.
- Financial Stability Authority: Applications, excluding that of the selected candidate, are deleted 2 years after the end of the recruitment process. Suitability assessments are disposed of immediately after the end of the recruitment process. The results of the security clearance are disposed of immediately after the end of the recruitment process or at the latest 6 months after receiving them. Other materials are disposed of in accordance with the Financial Stability Authority’s information management plan.
The Financial Stability Authority maintains a customer and stakeholder register to discharge its official duties and to handle administrative matters. The personal data contained in the register are used for the following purposes:
- crisis resolution planning, crisis management and crisis management preparation
- use of deposit guarantee scheme in a payout situation and preparation for this
- use of the national emergency account system and preparing for it
- providing information, particularly in deposit guarantee matters
- management of administrative matters, such as procurement and registry activity
- cooperation with authorities, such as cooperation bodies.
The processing of personal data is mainly based on the following legal grounds:
- Processing of personal data is necessary to comply with the statutory obligation of the controller. The Financial Stability Authority acts as Finland’s national resolution authority as well as the authority responsible for the deposit guarantee (section 2 of the Act on the Financial Stability Authority) and maintains the national emergency account system (section 3 of the act on certain arrangements for safeguarding security of supply in the financial sector, “Laki eräistä huoltovarmuuden turvaamisen järjestelyistä rahoitusalalla”). An authority must provide appropriate channels for service (sections 7–8 of the Administrative Procedure Act) and keep a record of the matters it takes for consideration (sections 25–26 of the Act on Information Management in Public Administration).
- Processing of personal data is necessary to implement an agreement to which the data subject is a party or a representative thereof.
- Processing of personal data is based on consent.
The data subjects of the customer and stakeholder register are employees of credit institutions and investment firms, representatives of partners, service providers and other authorities, customers of credit institutions, as well as other persons who contact the FFSA. The register contains contact and identification details, such as first and last name, email address, postal address, telephone number, personal identity code, account user name, time stamps and other information provided by contacting person. The data are mainly received from the data subjects themselves or an organisation representing them, from credit institutions or from the Suomi.fi service.
Automated decision-making is used in the payout of deposit guarantee compensation. The decisions are based on the material provided by the deposit bank from its data systems. Automated decision-making is necessary in order to pay compensation within the period laid down by law (chapter 5, sections 10 and 20 of the Act on the Financial Stability Authority).
Information collected in the customer and stakeholder register may be disclosed to third parties and other controllers or transferred to persons processing personal data only within the requirements and boundaries established by valid legislation.
The public documents referred to in the Act on the Openness of Government Activities (621/1999) are made available upon request, in accordance with the requirements of sections 13 and 16 of the Act. Confidential data are made available and disclosed only
- with the consent of the person concerned
- to the person concerned
- based on a legal right.
The Financial Stability Authority transfers information collected in customer and stakeholder register on a regular basis to the following parties:
- System suppliers and server maintainers, such as the Government ICT Centre Valtori.
Processing of personal data outside the European Economic Area is based on the Commission’s standard clauses under the General Data Protection Regulation (Art. 46.2).
The data collected for the customer and stakeholder register are stored only for as long as and to the extent necessary with respect to the original or compatible purposes for which the personal data have been collected.
Data are deleted or disposed of as follows:
- compilations of credit institutions’ employees and other stakeholders’ representatives: data are updated as necessary and at least once per year
- other materials: in accordance with the Financial Stability Authority’s information management plan.
The Financial Stability Authority’s announcements can be subscribed to on the FFSA website. Processing of personal data is based on consent.
The announcement subscription register contains the subscriber's email address. The information is received directly from the subscriber.
No profiling or automated decision making is used in dispatching the announcements.
Information collected in the announcement subscription register may be disclosed to third parties and other controllers or transferred to persons processing personal data only within the requirements and boundaries established by valid legislation or at the controller’s consent.
The Financial Stability Authority transfers information collected in the announcement subscription register on a regular basis to the following parties:
- System suppliers and server maintainers, such as the Government ICT Centre Valtori.
Processing of personal data outside the European Economic Area is based on the Commission’s standard clauses under the General Data Protection Regulation (Art. 46.2).
Information related to an announce subscription is retained until the subscription is cancelled by the subscriber. The subscription may be cancelled at any time. The cancellation link is included in every announcement delivered and on the same web page where the subscription is made.
Manual material is processed by trained personnel in locked premises corresponding to the protection need of the data concerned. All FFSA personnel have been subject to, at minimum, a concise background check.
Digital material is protected from unauthorised viewing, modification and destruction. The protection is based on user authorisation management, technical protection of databases and servers, physical protection of premises, access control, data traffic protection and data backups.
The right to access and process data is granted on the basis of working tasks. Access to the system is based on personal identification credentials. The Financial Stability Authority applies administrative controls to ensure the appropriateness of the activities.
Rights of the data subject
A request related to the rights of a data subject may be filed with the FFSA’s data protection officer (contact details at the beginning of the statement).
Data subjects have the right to receive information about what data are collected, for what purposes the data are used, what the legal basis of the processing of data is, and to whom data are disclosed.
Data subjects have the right to inspect what data concerning them have been saved in the personal data file system. An inspection request may be filed with the FFSA’s data protection officer (contact details at the beginning of the statement).
Data subjects have the right to request that the controller rectifies without undue delay inaccurate personal data concerning them. If data subjects contest the accuracy of personal data, they can request that processing of the data is restricted for a period enabling the controller to verify the accuracy of the personal data.
Taking into account the purposes of the processing, data subjects have the right to have incomplete personal data completed. Data subjects are primarily responsible themselves for notifying the controller of any changes in personal data or of any deficiencies in the data. The controller is responsible for the immediate correction of errors it notices itself.
Data subjects have the right to have erased personal data concerning them without undue delay where one of the following grounds applies:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- The data subject withdraws the consent on which the processing is based, and where there is no other legal grounds for the processing.
- The personal data have been unlawfully processed.
- The personal data must be erased for compliance with a legal obligation in Union or Member State law.
Data do not need to be erased, despite a request to do so, where the controller has the right to process the data for the establishment, exercise or defence of legal claims.
Data subjects have the right to the restriction of processing where one of the following applies:
- The processing of the personal data is unlawful, in which case the controller is, in principle, obliged to erase the data, but the data subject opposes the erasure of the personal data and requests a restriction (discontinuation) of their use instead.
- The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
Where a data subject has requested a restriction of processing, such personal data can (with the exception of storage) only be processed with the data subject’s consent OR for the establishment, exercise or defence of legal claims OR for the protection of the rights of another natural or legal person OR for reasons of important public interest of the Union or of a Member State.
Data subjects have the right to withdraw their consent to processing at any time. The withdrawal of consent shall not affect the lawfulness of the processing carried out prior to the withdrawal of consent.
There is no right to object where the processing of personal data is based on an agreement and is necessary for its implementation or where processing is necessary to fulfil a statutory obligation.
Data subjects have the right to object to the processing of their personal data where the processing of the personal data is based on the controller’s legitimate interest.
Where processing is based on consent or an agreement:
- Data subjects have the right to receive the personal data concerning them that they have provided to a controller in a structured, commonly used and machine-readable format and have the right to transfer those data to another controller.
- Data subjects have the right to have the data transferred directly to another controller where this is technically feasible and is not unreasonable for the controller. Exercising this right must not adversely affect the rights and freedoms of others.
Data subjects have the right to appeal to the supervisory authority if they consider that the processing of personal data concerning them violates data protection regulations. The national supervisory authority in Finland is the Office of the Data Protection Ombudsman.
Cookies on the website
The website uses cookies to ensure the technical functionality of the website, improve user experience and collect statistics on visitors on the website. The purpose of user tracking is to improve the quality and content of the site in a user-driven manner. User data will not be used for marketing or disclosed to anyone outside the Financial Stability Authority.
A cookie is a small text file placed and retained on the user's computer. Cookies do not damage the users’ hardware or files. The website uses both session-specific and tracking cookies. Session-specific cookies are stored in memory only as long as the browser is open. Only tracking cookies used to identify new and returning visitors will be retained.
We will ask for your consent for the use of cookies when you visit the rvv.fi site for the first time. You may allow or block optional cookies at any time in the cookie settings at the bottom of the page.
Necessary cookies
Some cookies are necessary for the performance of the website. Necessary cookies may be utilised for example in functionalities involving choices made by the visitor on the site. Necessary cookies are saved automatically in your browser when you use the rvv site.
AWSALB
A server environment cookie that improves the user experience by balancing server loads and ensuring that the user’s session can continue. The cookie is valid for a week.
AWSALBCORS
A server environment cookie that improves the user experience by balancing server loads and ensuring that the user’s session can continue. The cookie is valid for a week.
yja_cookie_acceptance
A website cookie that stores information about the acceptance of cookies and the extent of acceptance if the user has responded to a cookie acceptance message. The cookie is valid for one year.
COOKIE_SUPPORT
A publishing system cookie that stores information on whether or not users have enabled cookies in their browser settings. Valid for one year.
GUEST_LANGUAGE_ID
A publishing system cookie that stores information on users’ language preferences and preserves it for their next visit to the website. Valid for one year.
JSESSIONID
A content management cookie used for linking users to their sessions. The cookie expires when the session ends.
LFR_SESSION_STATE_<10161>
A publishing system cookie that stores a timestamp for the user’s visit and ensures that their session can continue. The cookie expires when the session ends.
__cf_bm, _cfuvid, cf_clearance
Server environment cookies used for detecting and preventing bot and malware traffic and attacks. The cookie expires when the session ends.
jsV, mtv1ConfSum, mtv1Pulse
Cookies used by the service to block spam, allowing the service to determine whether the user is a bot. The cookie is used when sending forms. Expires when the browsing session ends.
ID
The cookie used to identify the logged-in user. The cookie is valid for the duration of the session.
COMPANY_ID
A cookie used to track the logged-in user's login. The cookie is valid for the duration of the session.
Optional cookies
We will ask for your consent for the use of optional cookies when you visit the rvv.fi site for the first time. You can later allow or block optional cookies in the cookie settings at the bottom of the page.
Statistical cookies, or visitor and analytical cookies, collect data on the use of our online service. These cookies can be used to analyse the use of the website of the Financial Stability Authority and, based on this information, to improve the functionalities, content and structure of the website.
The website uses a third-party provider's Snoobi Analytics software. It works using a snippet installed on the website, which is run by the website visitor's terminal. Data related to the visit are recorded by the snippet in the analytics service.
The visitor's personal data are not recorded in the analytics service. Cookies will not be used in the Snoobi Analytics service for any other purposes than the collection of data for the Snoobi service and may not be used by other tools or the administrator of the website.
SnoobiID
General identifier (ID) for Snoobi Analytics. The cookie is valid for two years.
Snoobisession_rvv_fi
User tracking cookie to maintain a session. The cookie is valid for one session.
Snoobi30minute_rvv_fi
This user tracking cookie combines the data from visits where the user navigates to another tab or returns to the site within 30 minutes of exiting it. The cookie is valid for 30 minutes.
Cookies are used by the analytics service to collect for example the following data:
- session ID
- user ID (random figure)
- start and duration of the visit
- whether cookies are allowed
- default browser language
- pages that were visited
- landing page
- technical device data.