Supo operations are subject to data protection legislation

The main general statute governing the processing of personal data in the work of Supo is the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security (1054/2018). There are also more detailed provisions in the Act on the Processing of Personal Data by the Police (616/2019), and chapter 7 of this Act in particular.

The aspects of personal data processing at Supo that fall within the scope of the General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018) mainly concern matters of administration. Supo is also bound by the Act on the Protection of Privacy in Working Life (759/2004) when processing personal data as an employer.
 

Supo has a statutory right to record personal data

Supo may process personal data when this is necessary for safeguarding national security, preventing, detecting and investigating activities and projects that jeopardise state or social order or state security, and preventing and detecting criminal offences that jeopardise state or social order or state security, and may record the said data in its registers.

Supo may process the following basic personal data when related to the foregoing requirements:

  1. personal ID number and date of birth
  2. identifying data based on physical characteristics, and sound and image recordings
  3. identifying data other than that referred to in points 1 and 2
  4. details of citizenship and family relationships
  5. details of place of residence
  6. details of education and profession or occupation, and of employment and service history
  7. contact details
  8. details concerning death or declaration of death
  9. identifying data that can be associated with a legal entity or natural person
  10. information related to a legal entity
  11. essential details relating to travel
  12. essential details concerning activities and behaviour

Supo may also process personal data falling under special categories (such as information concerning the ethnic origin of a person) where this is necessary for discharging the functions of Supo.

Supo also maintains a security clearance register containing details of individuals who have completed the security clearance process since 2015.

Data protection legislation gives data subjects the right to control use of their own information

This legislation regulates the rights of data subjects. Such rights include:

  • the right of inspection
  • the right to have information rectified, supplemented or erased
  • the right to have data processing restricted
  • the right to object to processing of personal data
  • the right of appeal to a supervisory authority

Right of inspection

You have a personal right to inspect information in the Supo security clearance register.

The Act on the Processing of Personal Data by the Police (616/2019) restricts the right to inspect certain Supo registers, meaning that individuals may not inspect these registers directly. You may exercise your rights as a data subject through the Data Protection Ombudsman. You may arrange a review of your information in Supo records that falls outside the scope of your right of inspection by submitting an inspection request to the Data Protection Ombudsman.

Rectification, erasure and supplementing of information 

A data subject is entitled to require a controller to rectify inaccurate, incomplete and incorrect personal data without undue delay. The data subject is also entitled to have data erased.

Other rights and further information

Subject to conditions prescribed in data protection legislation, a data subject is entitled to object to processing of personal data.

A data subject is also entitled not to be the subject of a decision based solely on automatic processing.

Subject to conditions prescribed in data protection legislation, a data subject is entitled to information from the controller concerning a data security incident.

Right to lodge a complaint with a supervisory authority

You are entitled to petition the Data Protection Ombudsman if you consider that processing of your personal data infringes data protection legislation.

Contact details of the Supo data protection officer

You may contact the Supo data protection officer in all matters related to processing of your personal data.