Data Protection

Information for data subjects on the processing of personal data in legal aid and financial and debt counselling

Controller

National Legal Services Authority
Email: oikeuspalveluvirasto(at)oikeus.fi
tel. +358 29 56 60010

Data Protection Officer until 2 February 2025

Mika Kanervisto
email: mika.kanervisto(at)oikeus.fi
tel. +358 29 56 61908

Data Protection Officer from 3 February 2025 onwards

Sami Nikula

Purpose and legal basis for processing

The processing of personal data is based on legislation (EU General Data Protection Regulation Article 6(1)(c)). The National Legal Services Authority organises statutory legal aid services provided by legal aid offices (Laki Oikeuspalveluvirastosta 1133/2023 [act on the National Legal Services Authority], section 2)

Legal aid offices issue legal aid decisions pursuant to the Legal Aid Act (257/2002), provide legal aid under the Legal Aid Act, and practise advocacy under the Advocates Act (496/1958). In addition, legal aid offices provide financial and debt counselling as laid down in the act on financial and debt counselling (Laki talous- ja velkaneuvonnasta 813/2017).

Personal data is processed for the performance of these tasks.

Personal data is also used to monitor and develop the performance of tasks, and to create related statistics and reports.

Processing of personal data falling under Article 9 is required for the establishment of legal claims.
Special categories of personal data within the meaning of Article 9 are processed, because they are required for the provision of the services referred to in section 1 of the act on financial and debt counselling.

The bases for the processing are in Article (9) (2) (f) and (g).

The provided chat service is anonymous and does not involve personal data processing. Legal aid offices may save chat conversations that do not include personal data for the purposes of training and quality control. The chat service coordinators of legal aid offices are responsible for the chat service. For more information, contact the legal aid offices.

If a meeting is organised on TEAMS the participants are instructed to join the meeting through a browser. This way, no personal data is collected. If the participants do not follow the instructions or Microsoft changes its practices, it is possible that personal data is collected.

Categories of data subjects and related categories of personal data

The register comprises the case management systems of legal aid offices, which include a client register, document management systems and a paper archive.
The following types of personal data are collected when they are required for the performance statutory duties:

• Name and personal identity code, or if no personal identity code exists, date and place of birth
• Profession, education, work history
• Information on business activities (current and/or discontinued)
• Family relations
• Name, personal identity code, profession and financial situation of spouse
• Name, personal identity code, and financial situation of children
• Contact details of a previous spouse
• Tax and income information of members of the same household
• Case number generated by the system
• Address, telephone number or other contact details as well as any prohibitions on the disclosure of contact details
• Language, nationality and civil status
• Health information insofar as it is necessary for carrying out statutory obligations
• Information on financial situation and type of housing
  
  Some offices or customer premises may have recording video surveillance systems. In these cases, a separate register is kept for each of the premises. More information on video surveillance can be requested from each office.
  
  The following information may be collected on cases and their handling:
  
• Documents, information and photographs required for handling a legal case or providing financial and debt counselling in a case
• Applications, decisions and agreements
• Information on the client’s assets, expenses, income and debt
• Creditor and debt information
  
  The following data may be collected on officials:
  
• Name
• Title
• Personal identity code
• Municipality of residence
• Official title
• Access rights
• Actions performed and log data

Recipients of personal data or categories of recipients

Legal aid decisions in court cases are disclosed to the relevant court. The decisions are disclosed to other parties only with consent from the client.

The Act on Preventing Money Laundering and Terrorist Financing (444/2017) also lays down obligations to disclose data to the supervisory authority.

Data is disclosed from the legal aid offices’ information systems to the judicial administration’s national information system in accordance with the act on the judicial administration’s national information system (Laki oikeushallinnon valtakunnallisesta tietovarannosta 955/2020). The Legal Register Centre is the controller of the judicial administration’s national information system.

Transfer of personal data to third countries

Register data is not disclosed or transferred outside the European Union or the European Economic Area (EEA).

If a case and the client’s interests or legal claims (under Article 49) so require, it may be necessary to transfer personal data outside the EEA. In this case, sufficient protection of the data is ensured and the disclosure is only made with consent from the client.

Time limits for the erasure of different categories of data

A records management plan guides the erasure of data. Case records are erased 10 years after each case is closed. Register data (retained for determining disqualification) is erased after 25 years.

Legal aid offices do not collect data that would need to be retained indefinitely.

Sources of personal data

Applicants, clients, counterparties, involved parties, and authorities such as the Finnish Tax Administration, the Incomes Register, Kela, the Population Information System, the Finnish land ownership system, the Finnish Transport and Communications Agency Traficom, the National Enforcement Authority Finland, the Police of Finland, Finnish courts, banks, the guardianship authority, parishes, creditors, and the Legal Register Centre.

According to section 8 of the act on financial and debt counselling, counsellors have the right to receive information for the performance of their duties from the Finnish Tax Administration and Kela. From 1 January 2025 onwards, information is received form the Finnish Tax Administration, Kela and the National Enforcement Authority Finland pursuant to section 18 of the act on the National Legal Services Authority.

Pursuant to section 22, subsection 1 of the Act on Information Management in Public Administration (906/2019), information is received from authorities through technical interfaces. Based on a client’s consent, counsellors have the right to receive information through technical interfaces also from other parties such as creditors.

According to section 7 of the act on the debt adjustment register (Laki velkajärjestelyrekisteristä 368/2017), financial and debt counselling has the right to receive information erased from the debt adjustment register from the Legal Register Centre.

Right of access by the data subject

Data subjects have the right to access their personal data collected in a register and request correction of any incorrect data. Data requests may be submitted to the Leading Public Legal Aid Attorney of the relevant legal aid office. See the contact details of the legal aid offices.

The data can usually be provided to the data subject electronically through the suomi.fi portal.

Data subjects have the right to lodge a complaint with the supervisory authority (Data Protection Ombudsman).

Information to data subjects on personal data processing in public guardianship

Controller

National Legal Services Authority
email: oikeuspalveluvirasto(at)oikeus.fi
tel. +358 29 56 60010

Data Protection Officer until 2 February 2025

Mika Kanervisto
email: mika.kanervisto(at)oikeus.fi
tel. +358 29 56 61908

Data Protection Officer from 3 February 2025 onwards

Sami Nikula

Purpose and legal basis for processing

The processing of personal data is based on legislation (EU General Data Protection Regulation Article 6(1)(c)).

The National Legal Services Authority organises public guardianship services as required by the act on the National Legal Services Authority (Laki Oikeuspalveluvirastosta 1133/2023, section 2). The services are provided by public guardianship offices. Public guardians manage the financial and personal affairs of their client for the management of which they have received a mandate. Personal data is processed for the performance of these tasks. The tasks are determined in a decision of the relevant guardianship authority (the Digital and Population Data Services Agency, or the State Department in Åland), as laid down in the Guardianship Service Act (442/1999). A guardian can be appointed pursuant to the Guardianship Service Act, the Child Welfare Act (417/2007) or the Criminal Investigation Act (805/2011).

Personal data is also used to monitor and develop the performance of tasks, and to create related statistics and reports.

Special categories of personal data within the meaning of Article 9 are processed. Usually, only information on trade union membership and health are recorded. The bases for the processing are in Article (9) (2) (f) and (g).

Categories of data subjects and related categories of personal data

The register comprises the case management systems of the public guardianship offices and a paper archive.

The following personal data may be collected:

• Name and personal identity code, or if no personal identity code exists, date and place of birth
• Personal identifier generated by the system
• Address, telephone number or other contact details as well as any prohibitions on the disclosure of contact details
• Language, nationality and civil status
• Trade union membership
• Health information and any medical statements relevant for the guardianship insofar as carrying out statutory obligations requires them

The following information may be collected on cases and their handling:

• Actions taken, documents, information and photographs related to the guardianship. This information may also include personal data belonging to others.
• Applications, decisions and agreements
• Information on the client’s assets, income and debt
• Case record and bank account balance sheet and any other related documents required
• Payment transaction information

Information of the persons close to the client or the client’s nurses and the contact details of these

Some offices or customer premises may have recording video surveillance systems. In these cases, a separate register is kept for each of the premises. More information on video surveillance can be requested from each office.

The following data may be collected on officials:

• Name
• Official title
• Access rights
• Actions performed and log data

Recipients of personal data or categories of recipients

Information on the clients of public guardianship offices is regularly disclosed to the state legal aid offices operating in the same premises for the investigation of cases involving disqualification.

Personal data is regularly disclosed to the supervising guardianship authority.

Personal data is disclosed for carrying out statutory guardianship duties and to apply for benefits. A guardian can request executive assistance for managing their client’s affairs.

The Legal Register Centre is the data processor, and data is also disclosed to the Finnish Tax Administration, Kela, insurance companies, pension institutions, the social services of cities, financial institutions and care institutions. In individual cases, the guardian may, pursuant to the Guardianship Service Act, decide to disclose personal data to other parties as well if their client’s interests require the disclosure.

Transfer of personal data to third countries

Data in the register is not transferred or disclosed outside the European Union or the European Economic Area (EEA), unless the client’s interests (Article 49) require it. In this case, it may be necessary to transfer data outside the EEA. In this case, sufficient protection of the data is ensured.

Time limits for the erasure of different categories of data

A records management plan guides the erasure of data. All material is erased 6 years after the end of the guardianship. Messages in the client portal are erased after 6 months.

Sources of personal data

Under section 89 of the Guardianship Service Act, a guardian has the right to receive all information required for the performance of their duties. The data is collected from the client, the client’s family or people close to the client as well as authorities and communities.

Right of access by the data subject

Data subjects have the right to access their personal data collected in a register and request correction of any incorrect data. Data requests may be submitted to the Leading Public Guardian of the relevant public guardianship office. See the contact details of the public guardianship offices.

Customers can access the entries in the client portal as long as they are a client of guardianship services. Messages in the client portal are erased after 6 months. After this, the data may the accessed by submitting a data request.

The data can usually be provided to the data subject electronically through the suomi.fi portal.

Data subjects have the right to lodge a complaint with the supervisory authority (Data Protection Ombudsman).

Information for data subjects on personal data processing

Controller

National Legal Services Authority

email: oikeuspalveluvirasto(at)oikeus.fi 

tel. +358 29 56 60010

Data Protection Officer until 2 February 2025

Mika Kanervisto

email: mika.kanervisto(at)oikeus.fi
tel. +358 29 56 61908

Data Protection Officer from 3 February 2025 onwards

Sami Nikula

Purpose and legal basis for processing

Personal data required for exercising the rights and carrying out statutory obligations of the controller are saved in the register pursuant to Article 6(1)(c) of the EU General Data Protection Regulation.

The security clearance information of persons appointed to office or external to the organisation on whom a security clearance is carried out pursuant to section 21 of the Security Clearance Act (726/2014) is processed in accordance with sections 17, 23, 25–28, 30, 31, 35 and 37 of the Security Clearance Act.

Log data may be used to investigate data protection deviations and to determine who has accessed confidential data in official duties.

Categories of data subjects and categories of personal data

The categories of data subjects are job applicants, recipients of remunerations, external passengers, visitors, lessors, data request submitters, Digital and Population Data Services Agency personnel when they log in to Ervard through VAAKA, sales invoice customers, senders or beneficiaries of purchase invoices, external persons operating within the agency’s premises, and external persons saved in user registers. This may include external persons for whom a decoration is applied.

The personal data we collect can be divided into the following categories of personal data:

Identifying information of data subjects:

Name, official title, date of birth, personal identity code, personnel ID, postal address, email address, telephone number, bank details, nationality, language and gender.

Candidates applying for a position in office:

E.g. information on education and work history, other information provided by candidates in connection with their application such as a personnel record or a CV, degrees and qualifications, certificates of employment, referees named by the candidate, other information related to recruiting an official, and the results of aptitude tests.

Payment information:

Remunerations, travel reimbursements, sales and purchase invoices, lessor details, returns, tax information and enforcement information.

Other information:

User rights of systems, system use and log data, security clearance information, information of event participants and travel information.

Information provided by the data subjects that is necessary for handling a case (e.g. a complaint)

Some offices or customer premises may have recording video surveillance systems. In these cases, a separate register is kept for each of the premises. More information on video surveillance can be requested from each office.

If a job interview is held via TEAMS, no personal data is collected. If the instructions provided on using TEAMS are not observed, or Microsoft changes is practices, personal data may be collected.

Recipients of personal data or categories of recipients

Information may be disclosed or outsourced within the limits of or as required by applicable legislation.

In addition, application documents are public documents within the meaning of the Act on the Openness of Government Activities (621/1999) and access to them is granted on request. Access to public documents is provided on request in accordance with the requirements laid down in sections 13 and 16 of the Act on the Openness of Government. Access to confidential information is only provided 1) with consent from the party involved, 2) to a party involved, or 3) pursuant to a statutory right.

Parties to whom data is disclosed:

Data is regularly disclosed to enforcement authorities, financial institutions in the form of remuneration and compensation payment information, Keva, the Finnish Tax Administration, the Finnish Security and Intelligence Service and parties involved in granting decorations.

Parties who process data on behalf of the Authority, meaning parties to which processing has been outsourced:

the Government Shared Services Centre for Finance and HR (Palkeet), and the Prime Minister’s Office/Government Administration Department.

Information system providers also process personal data on behalf of the Authority, and these include the following: Visma (M2), CGI (Kieku and Rondo), Fujitsu (Hilda), Palkeet (Pointti), Microsoft (Outlook, Skype, TEAMS and Tiimeri), Netum (Senaattila), Rapal (Optimaze), VR (webstore) and Amadeus’s KDS (SMT).

In addition, identification and contact details are saved in systems to which it may be necessary to provide access for external persons for the performance of agreed tasks.

Transfer of personal data to third countries

As a rule, data in the register is not transferred or disclosed outside the European Union or the European Economic Area. If it is agreed with a supplier that the supplier may transfer data outside the European Economic Area, the parties ensure that the personal data transfer is in line with legislation.

Planned time limits for the erasure of different categories of data

The retention periods for the personal data in the register of persons external to the Ministry of Justice and its administrative branch are based on the Authority’s records management plan/information management plan. The retention periods of categories of personal data vary between 0 and 50 years from the date on which a case is closed or a document is created.Some of the personal data is retained indefinitely pursuant to a decision of the National Archives of Finland.

Sources of personal data and whether the data is collected form public sources, if applicable

As a rule, the personal data is collected directly from the data subjects.

Other sources of personal data include:

Agreements (contact persons of organisations)

National Enforcement Authority Finland (enforcement information)

Finnish Security and Intelligence Service (security clearance information)

Finnish courts (decisions on compensations)

Data subject’s rights

Data subjects have the right to access their personal data collected in a register and request correction of any incorrect data.

Data subjects have the right to lodge a complaint with the supervisory authority (Data Protection Ombudsman).