Data protection

During the recruiting process, the Financial Stability Authority collects information relevant for filling vacant public-service positions and employment relationships. The processing of personal data is partly based on a statutory obligation (State Civil Servants Act (1994/750), the Administrative Procedure Act (2003/434), the State Budget Act (1988/423, section 24 b)) and partly on consent.

The recruitment register contains the following personal data on the applicants:

• Information related to the applications
• Information related to the administration of user rights of the Valtiolle.fi service
• Information related to background checks.

The applications contain information provided by the applicants themselves. These include, for example, the name, telephone number, sex, photograph, education and work experience, CV, education and qualification certificates, proof of employment, references and other necessary information related to the job application and the filling of the position.

The submission of an application through the Valtiolle.fi service requires registration. Information collected in this context include name, sex, date of birth, address, postal code, city, country, province, municipality and email address, and these are received directly from the applicant.

The FFSA’s recruitment process includes a suitability assessment and a personnel security clearance, where personal data are obtained, in addition to the data subject him/herself, also from the maker of the suitability assessment and the national security authority. The Act on the Protection of Privacy in Working Life (759/2004) provides for personality and suitability assessment tests. The Security Clearance Act (726/2014) provides for security clearances and the information used therein.

No profiling or automated decision making is used in recruitment.

Information collected in recruitment may be disclosed to third parties and other controllers or transferred to persons processing personal data only within the requirements and boundaries established by valid legislation.

Application documents are public documents, as referred to in the Act on the Openness of Government Activities (621/1999), which are made available on request, in accordance with the requirements of section 13 and section 16 of the Act. Confidential data are made available and disclosed only

1. with the consent of the person concerned
2. to the person concerned
3. based on a legal right.

The Financial Stability Authority discloses or transfers information collected in recruitment on a regular basis to the following parties:

• Government Shared Services Centre for Finance and HR.
• System suppliers and server maintainers, such as the Government ICT Centre Valtori.
• The party conducting the suitability assessment. The Act on the Protection of Privacy in Working Life (759/2004) provides for personality and suitability assessment tests.
• National Security Authority. The Security Clearance Act (726/2014) provides for security clearances and the information used therein.

Processing of personal data outside the European Economic Area is based on the Commission’s standard clauses under the General Data Protection Regulation (Art. 46.2).

The data collected during recruitment are retained only for as long as and to the extent necessary with respect to the original purpose for which the personal data have been collected.

Data are deleted or disposed of as follows:

• Valtiolle.fi service: Applications concerning recruitment for vacancies are removed from the applicant's profile 12 months after the end of the recruitment process and open applications 12 months after they were last saved. The applicant's user data are removed after being unused for a year. The user is notified prior to the deletion. One may also request deletion of his/her user data by submitting a request in the Valtiolle.fi service.
• Financial Stability Authority: Applications, excluding that of the selected candidate, are deleted 2 years after the end of the recruitment process. Suitability assessments are disposed of immediately after the end of the recruitment process. The results of the security clearance are disposed of immediately after the end of the recruitment process or at the latest 6 months after receiving them. Other materials are disposed of in accordance with the Financial Stability Authority’s information management plan.

The Financial Stability Authority maintains a customer and stakeholder register to discharge its official duties and to handle administrative matters. The personal data contained in the register are used for the following purposes: 

• crisis resolution planning, crisis management and crisis management preparation
• use of deposit guarantee scheme in a payout situation and preparation for this
• use of the national emergency account system and preparing for it
• providing information, particularly in deposit guarantee matters
• management of administrative matters, such as procurement and registry activity
• cooperation with authorities, such as cooperation bodies.

The processing of personal data is mainly based on the following legal grounds:

• Processing of personal data is necessary to comply with the statutory obligation of the controller. The Financial Stability Authority acts as Finland’s national resolution authority as well as the authority responsible for the deposit guarantee (section 2 of the Act on the Financial Stability Authority) and maintains the national emergency account system (section 3 of the act on certain arrangements for safeguarding security of supply in the financial sector, “Laki eräistä huoltovarmuuden turvaamisen järjestelyistä rahoitusalalla”). An authority must provide appropriate channels for service (sections 7–8 of the Administrative Procedure Act) and keep a record of the matters it takes for consideration (sections 25–26 of the Act on Information Management in Public Administration).
• Processing of personal data is necessary to implement an agreement to which the data subject is a party or a representative thereof.
• Processing of personal data is based on consent.

The data subjects of the customer and stakeholder register are employees of credit institutions and investment firms, representatives of partners, service providers and other authorities, customers of credit institutions, as well as other persons who contact the FFSA. The register contains contact and identification details, such as first and last name, email address, postal address, telephone number, personal identity code, account user name, time stamps and other information provided by contacting person. The data are mainly received from the data subjects themselves or an organisation representing them, from credit institutions or from the Suomi.fi service.

Automated decision-making is used in the payout of deposit guarantee compensation. The decisions are based on the material provided by the deposit bank from its data systems. Automated decision-making is necessary in order to pay compensation within the period laid down by law (chapter 5, sections 10 and 20 of the Act on the Financial Stability Authority).

Information collected in the customer and stakeholder register may be disclosed to third parties and other controllers or transferred to persons processing personal data only within the requirements and boundaries established by valid legislation.

The public documents referred to in the Act on the Openness of Government Activities (621/1999) are made available upon request, in accordance with the requirements of sections 13 and 16 of the Act. Confidential data are made available and disclosed only

1. with the consent of the person concerned
2. to the person concerned
3. based on a legal right.

The Financial Stability Authority transfers information collected in customer and stakeholder register on a regular basis to the following parties:

• System suppliers and server maintainers, such as the Government ICT Centre Valtori.

Processing of personal data outside the European Economic Area is based on the Commission’s standard clauses under the General Data Protection Regulation (Art. 46.2).

The data collected for the customer and stakeholder register are stored only for as long as and to the extent necessary with respect to the original or compatible purposes for which the personal data have been collected.

Data are deleted or disposed of as follows:

• compilations of credit institutions’ employees and other stakeholders’ representatives: data are updated as necessary and at least once per year
• other materials: in accordance with the Financial Stability Authority’s information management plan.

The Financial Stability Authority’s announcements can be subscribed to on the FFSA website. Processing of personal data is based on consent.

The announcement subscription register contains the subscriber's email address. The information is received directly from the subscriber.

No profiling or automated decision making is used in dispatching the announcements.

Information collected in the announcement subscription register may be disclosed to third parties and other controllers or transferred to persons processing personal data only within the requirements and boundaries established by valid legislation or at the controller’s consent.

The Financial Stability Authority transfers information collected in the announcement subscription register on a regular basis to the following parties:

• System suppliers and server maintainers, such as the Government ICT Centre Valtori.

Processing of personal data outside the European Economic Area is based on the Commission’s standard clauses under the General Data Protection Regulation (Art. 46.2).

Information related to an announce subscription is retained until the subscription is cancelled by the subscriber. The subscription may be cancelled at any time. The cancellation link is included in every announcement delivered and on the same web page where the subscription is made. 

Manual material is processed by trained personnel in locked premises corresponding to the protection need of the data concerned. All FFSA personnel have been subject to, at minimum, a concise background check. 

Digital material is protected from unauthorised viewing, modification and destruction. The protection is based on user authorisation management, technical protection of databases and servers, physical protection of premises, access control, data traffic protection and data backups.

The right to access and process data is granted on the basis of working tasks. Access to the system is based on personal identification credentials. The Financial Stability Authority applies administrative controls to ensure the appropriateness of the activities.

Data subjects have the right to receive information about what data are collected, for what purposes the data are used, what the legal basis of the processing of data is, and to whom data are disclosed.

Data subjects have the right to inspect what data concerning them have been saved in the personal data file system. An inspection request may be filed with the FFSA’s data protection officer (contact details at the beginning of the statement).

Data subjects have the right to request that the controller rectifies without undue delay inaccurate personal data concerning them. If data subjects contest the accuracy of personal data, they can request that processing of the data is restricted for a period enabling the controller to verify the accuracy of the personal data.

Taking into account the purposes of the processing, data subjects have the right to have incomplete personal data completed. Data subjects are primarily responsible themselves for notifying the controller of any changes in personal data or of any deficiencies in the data. The controller is responsible for the immediate correction of errors it notices itself.

Data subjects have the right to have erased personal data concerning them without undue delay where one of the following grounds applies:

• The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
• The data subject withdraws the consent on which the processing is based, and where there is no other legal grounds for the processing.
• The personal data have been unlawfully processed.
• The personal data must be erased for compliance with a legal obligation in Union or Member State law.

Data do not need to be erased, despite a request to do so, where the controller has the right to process the data for the establishment, exercise or defence of legal claims.

 Data subjects have the right to the restriction of processing where one of the following applies:

• The processing of the personal data is unlawful, in which case the controller is, in principle, obliged to erase the data, but the data subject opposes the erasure of the personal data and requests a restriction (discontinuation) of their use instead.
• The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.

Where a data subject has requested a restriction of processing, such personal data can (with the exception of storage) only be processed with the data subject’s consent OR for the establishment, exercise or defence of legal claims OR for the protection of the rights of another natural or legal person OR for reasons of important public interest of the Union or of a Member State.

Data subjects have the right to withdraw their consent to processing at any time. The withdrawal of consent shall not affect the lawfulness of the processing carried out prior to the withdrawal of consent.

There is no right to object where the processing of personal data is based on an agreement and is necessary for its implementation or where processing is necessary to fulfil a statutory obligation.

Data subjects have the right to object to the processing of their personal data where the processing of the personal data is based on the controller’s legitimate interest.

Where processing is based on consent or an agreement:

• Data subjects have the right to receive the personal data concerning them that they have provided to a controller in a structured, commonly used and machine-readable format and have the right to transfer those data to another controller.
• Data subjects have the right to have the data transferred directly to another controller where this is technically feasible and is not unreasonable for the controller. Exercising this right must not adversely affect the rights and freedoms of others.

Data subjects have the right to appeal to the supervisory authority if they consider that the processing of personal data concerning them violates data protection regulations. The national supervisory authority in Finland is the Office of the Data Protection Ombudsman.