Privacy notice of Security clearance register

Privacy notice according to section 22 of the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security (1054/2018).


1. Name of register

2. Controller

3. Contact information of the controller and the data protection officer

4. Other contact information

5. Purpose of and legal basis for the processing of personal data

6. Data content of the register

7. Regular sources of data

8. Storage period of personal data

9. Disclosure and recipients of data

10. Right of access to information about a security clearance

11. Access to personal data; rectification, erasure and restriction of processing of personal data

12. Right to refer a case for handling by the Data Protection Ombudsman

1. Name of register

Security clearance register.

2. Controller

The joint controllers of the security clearance register are the Finnish Security and Intelligence Service and the Defence Command of the Finnish Defence Forces.

The Defence Command of the Finnish Defence Forces is the responsible controller, if the processed personal data concerns a vetting subject who operates in the Finnish Defence Forces or carries out a task given by the Finnish Defence Forces, or if the security clearance vetting is connected with the activities or procurements of the Finnish Defence Forces. The Finnish Security and Intelligence Service is the responsible controller, if the processed personal data concerns other vetting subjects.

In addition, the National Security Authority of the Ministry for Foreign Affairs and the Finnish Transport and Communications Agency Traficom have access to and the right to store information in the security clearance register.

Applied legal provisions:

  • Sections 48 and 48a of the Security Clearance Act (726/2014)

3. Contact information of the controller and the data protection officer

Finnish Security and Intelligence Service
Postal address: PO Box 151, 00121 HELSINKI
Street address: Katajanokanlaituri 3, Helsinki
Telephone: 0295 480 131 (exchange)
E-mail: kirjaamo(at)supo.fi

Secure e-mail in securemail.supo.fi and the addressee is kirjaamo(at)supo.fi

Defence Forces/Defence Command Finland
Postal address: PO Box 919, 00131 Helsinki
Street address: Fabianinkatu 2, 00131 Helsinki
Telephone: 02299 800 (exchange)
E-mail: kirjaamo.pe(at)mil.fi

4. Other contact information

National Security Authority
Telephone: 0295 16001 (exchange)
E-mail: nsa(at)gov.fi; [email protected]

Finnish Transport and Communications Agency Traficom
Telephone: 0295 345000 (exchange)
E-mail: kirjaamo(at)traficom.fi

5. Purpose of and legal basis for the processing of personal data

The purpose of the Security Clearance Act is to improve the prospects for preventing actions that could be detrimental to state security, national defence, Finland’s international relations, public safety or some other public interest comparable to these, or to a very significant private economic interest or to security arrangements for protecting the aforementioned interests.

A security clearance register is kept for the purpose of conducting security clearances, avoiding unnecessary security clearance vetting, communicating information between competent public authorities and ensuring that the integrity and dependability of vetting subjects are monitored. 

The processing of personal data in the security clearance register by the Finnish Security and Intelligence Service and the Defence Command of the Finnish Defence Forces is laid down in the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security (1054/2018). The processing of personal data by other public authorities is laid down in the regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), as well as in the Data protection Act (1050/2018).

Applied legal provisions:

  • Sections 1, 2 and 48 of the Security Clearance Act (726/2014)

6. Data content of the register

The following details on a person’s identity can be stored in the security clearance register:

  • personal identity code
  • former personal identity code
  • date of birth
  • surname, first name and any changes to names
  • municipality of birth
  • country of birth
  • native language
  • current nationalities
  • former nationalities
  • lack of nationality
  • previous and current temporary and permanent address details in Finland and abroad, and contact address
  • any non-disclosure for personal safety reasons
  • telephone number
  • e-mail address
  • details on education and training
  • previous and current official or working duties, and information about self-employment
  • employer
  • family relations
  • details describing assets, holdings and other financial commitments
  • foreign interests
  • UMA information system client number
  • details of travel documents

The security clearance register can also include information necessary for the preparation of a security clearance vetting, the notification of the outcome of the security clearance vetting, the monitoring of integrity and dependability, the granting and cancellation of a security clearance certificate, and compliance with international information security obligations.

Details contained in the Finnish Security and Intelligence Service’s data system, in information systems of other states that correspond to the Finnish Security and Intelligence Service’s data system, the security information register of the Finnish Defence Forces, and notifications submitted by the National Bureau of Investigation can be used for preparing a personal security clearance vetting, but such details are not stored in the security clearance register. 

Details that are part of specific personal data categories are processed in the security clearance register only when they are necessary for the purpose of use of the register. 

Applied legal provisions:

  • Sections 17, 23, 25 - 28, 31, 35 and 37 of the Security Clearance Act (726/2014)
  • Section 14 of the Act on International Data Protection Obligations (588/2004)
  • Section 11 of the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security (1054/2018)

7. Regular sources of data

Depending on the scope of the clearance, the post, and the security clearance applicant, register inspections can be made of the following sources and systems of data:

  • the population information system;
  • details concerning criminal records, the register of prohibitions to pursue a business, and the register of fines;
  • the national processing system of the record and case management system of the judicial administration’s national information system on criminal matters that are or have been included in the consideration of charges, or rulings on criminal matters in the ruling and notification system;
  • personal data files of the police containing information referred to in section 5, subsections 1 and 2; section 6 and section 11; section 12, subsection 1; section 48, subsection 1; and section 49 of the Act on the Processing of Personal Data by the Police (616/2019);
  • registers maintained by an authority in another country that correspond to the registers referred to above, in accordance with section 25, subsection 1, paragraphs 12 and 13 of the Security Clearance Act;
  • the register for the administration of military justice and the security information register maintained by the Defence Command Finland;
  • the personal data file of the Finnish Border Guard containing information referred to in section 7; section 8, subsections 1 and 2; and sections 9, 13, and 14 of the Act on the Processing of Personal Data by the Border Guard (639/2019), and the data processed in order to perform surveillance duties referred to in section 15 of the same Act;
  • the data referred to in section 7, subsections 1 and 2, and section 8 of the Act on the Processing of Personal Data by the Customs (650/2019);
  • registers concerning self-employed persons or entrepreneurs and their eligibility;
  • details concerning the eligibility of a responsible person at an enterprise, stored in a register maintained by an authority that supervises activities stipulated in legislation;
  • the Register of Aliens and the register of visas;
  • the Enforcement Register and the credit information register.

Competent authorities can verify information provided and acquire information for this purpose: 

  1. from the Tax Administration’s public taxation records;
  2. from registers established for public use that contain public information which describes engagement in business activity or assets;
  3. from credit and financial institutions with consent provided by the person subject to a clearance;
  4. for the determination of foreign interests, from a country or an international body from which the competent authority can obtain information for a security clearance procedure, in accordance with an international treaty or regulation.

In addition, notifications drawn up by the National Bureau of Investigation on the basis of the data in the personal data files of the police concerning the persons referred to in section 7, subsection 2 of the Act on the Processing of Personal Data by the Police may be used.

Applied legal provisions:

  • Sections 17, 23, 25 - 28, 31, 35 and 37 of the Security Clearance Act (726/2014)

8. Storage period of personal data

The personal data of the data subject is deleted from the security clearance register no later than three years from the conducting of a corresponding new security clearance or the expiry of the security clearance or security clearance certificate or from the date on which the task for which the security clearance has been conducted has ended or when the security clearance certificate was revoked.

Applied legal provisions:

  • Section 49 of the Security Clearance Act

9. Disclosure and recipients of data

In accordance with the Security Clearance Act, information is disclosed to the security clearance applicant, and to the vetting subject upon the exercise of the right of access to their own data.
 
Confidentiality provisions notwithstanding, the Finnish Security and Intelligence Service provides information to the Defence Command Finland, via a technical access connection, in accordance with section 50, subsection 1 of the Security Clearance Act.

Confidentiality provisions notwithstanding, the Finnish Security and Intelligence Service can, in a way deemed acceptable, provide information about the security clearance register via a technical access connection to an official designated by the Office of the President of the Republic of Finland, the Parliamentary Office, a ministry, or an agency in the administrative branch of the Ministry of the Interior, for an evaluation of the acquisition of a security clearance, in accordance with section 50, subsection 2, paragraphs 1-4 and subsection 4 of the Security Clearance Act.

Information is also disclosed to officeholders designated by the Office of the President of the Republic of Finland, the Parliamentary Office, agencies in the administrative branch of the Ministry of the Interior, and detachments of the Finnish Defence Forces, when such information is necessary for evaluating the need to acquire a security clearance or for the processing of permission to access or visit an area or property, referred to in section 15 of the Act on the Defence Forces (551/2007). Information is also disclosed, via a technical access connection, to the National Bureau of Investigation for combining such infor-mation with the data concerning the persons referred to in section 7, subsec-tion 2 of the Act on the Processing of Personal Data by the Police for the submission of notifications referred to in section 25, subsection 2 of the Security Clearance Act and for related consideration.

Disclosure of personal data to the National Security Authority shall be subject to the provisions of the Act on International Information Security Obligations.

Applied legal provisions:

  • Sections 6, 41 - 47 and 50 of the Security Clearance Act (726/2014)
  • Sections 11 and 17 of the Act on International Data Protection Obligations (588/2004)

10. Right of access to information about a security clearance

A general precondition for the conducting of security clearance vetting shall be that the vetting subject has given prior written consent for this.

The security clearance applicant must notify the vetting subject of the outcome of the security clearance vetting. If the outcome of the security clearance vet-ting is given in writing, this must also be presented for inspection or a copy given if requested.

Everybody has the right to obtain information from the competent public authority on whether they have been the subject of security clearance vetting. A vetting subject has the right, on request, to obtain from the competent public authority the information contained in the security clearance vetting. A request on the right of access should be submitted directly to the party that has prepared the security clearance vetting (the Finnish Security and Intelligence Service or the Defence Command of the Finnish Defence Forces; for contact details, see item 3).

Applied legal provisions:

  • Sections 5 and 6 of the Security Clearance Act

11. Access to personal data; rectification, erasure and restriction of processing of personal data

Data subjects have the right of access to information stored on them in the security clearance register, as laid down in the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security (sections 23, 29 and 56), unless this right is restricted on the basis of section 28 of the Act.

Data subjects have the right to rectification, completion and erasure of their personal data and to restriction of handling, as laid down in the Act on the Handling of Personal Data in Criminal Matters and in Connection with Maintaining National Security (section 25), unless this right is restricted on the basis of section 28 of the Act.

Any requests on access to personal data should be submitted to the registry of the Finnish Security and Intelligence Service (see contact details in item 3).

Applied legal provisions:

  • Sections 23 - 26 and 28 - 29 of the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security (1054/2018)

12. Right to refer a case for handling by the Data Protection Ombudsman

The data subject has a right to bring the matter to the attention of the Data Protection Ombudsman, if the data subject considers that the processing of personal data related to him or her violates any law regarding processing of personal data.

Contact details of the Data Protection Ombudsman:
Office of the Data Protection Ombudsman
Postal address: PO Box 800, 00531 Helsinki
Telephone: 029 566 6700 (exchange)
E-mail (registry): tietosuoja(at)om.fi

Applied legal provisions:

  • Section 56 of the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security (1054/2018)