Data protection and processing of personal data at the Ministry of the Interior

The Gateway to Information on Government Projects is a joint public online service for managing and publishing information about projects carried out by the Government and its ministries. 

The service contains personal data that the Prime Minister's Office handles for tasks carried out in the public interest, in accordance with Article 86 of the General Data Protection Regulation, taking into account the principle of public access to official documents. The personal data contained in the service has been obtained from Government employees who have entered information about projects into the system.

The data stored

The service contains such information as the names, email addresses and phone numbers of project coordinators, contact persons and members of working groups. 

Disclosure of data

No personal data contained in the service is transferred outside the European Union or the European Economic Area. 

Period for which the personal data is stored

After the completion of a project, the personal data of all the participants is automatically deleted from the website (except for the data relating to the contact person). After this, however, personal data can still be accessed through the interface to the service used by public officials within the Government. The data needs to be retained in the interface used by public officials for the compilation of reports on project participants and other tasks.

Whistleblower protection allows people to safely report breaches. A report can be submitted using an internal or external whistleblowing channel. The internal whistleblowing channel of the Ministry of the Interior only available to people employed by the Ministry of the Interior. Others, such as retired public officials or people employed by partners, may submit a report regarding the activities of the Ministry of the Interior that they have observed in their work and that fall within the scope of the Whistleblower Act to the central external whistleblowing channel of the Office of the Chancellor of Justice. 

Purpose of and grounds for the processing of personal data

Personal data is processed in connection with the tasks laid down in the Act on the Protection of Persons Reporting Infringements of European Union and National Law (1171/2022, the Whistleblower Act). Under section 30 of the Whistleblower Act, the controller may process data belonging to certain special categories of personal data and data related to criminal convictions and offences only if the processing is necessary for the purpose of the Act. 

Personal data is processed in accordance with Article 6, paragraph 1, point (c) of the General Data Protection Regulation (processing is necessary for compliance with a legal obligation to which the controller is subject). 

Processed data

Reports processed in matters concerning whistleblower protection may contain any personal data that the whistleblower has appended to the report. 

In matters concerning whistleblower protection, the personal data of the whistleblower is not stored in the contact information for the matter or document as the initiator of the matter, nor is the personal data of the reported person stored in the contact information for the matter or document. However, the personal data of the whistleblower and the reported person are processed in the documents concerning the report, such as the report itself.

The personal data of the whistleblower and the reported person under the Whistleblower Act are always treated as non-disclosable in their entirety.

Situations in which information on the identity of the whistleblower can be disclosed to another authority or to the reported person

Notwithstanding the non-disclosure obligation laid down in the Whistleblower Act, the person responsible for processing the report may disclose the identity of the whistleblower and other persons mentioned in the report, as well as any other information directly or indirectly indicating the identity of the persons, to a person appointed to verify the accuracy of the report, if this disclosure is necessary to verify the accuracy of the report.

In addition, notwithstanding non-disclosure provisions, the person responsible for processing the report may provide information on the identity of the whistleblower, the reported person and other persons mentioned in the report, as well as other information directly or indirectly indicating their identity, if it is necessary to provide this information:

• to the competent authority for the purpose of verifying the accuracy of the report;
• to the criminal investigation authorities for the purpose of preventing, detecting, investigating and considering prosecution of criminal offences;
• to public prosecutors for the purpose of performing the official functions prescribed in section 9 of the Act on the National Prosecution Authority (32/2019);
• to the reported person for the purpose of establishing, presenting or defending a legal claim in a court hearing or in out-of-court judicial or administrative proceedings. 

Separate provisions on the right of a party to access non-disclosable information are laid down elsewhere in law. 

The reported person has the right to disclose the identity of the whistleblower and to obtain information on the identity of the whistleblower from the authorities if this is necessary for establishing, presenting or defending a legal claim in judicial proceedings.

The person responsible for processing the report shall inform the whistleblower in advance of the disclosure of their identity, unless such information would jeopardise the verification of the accuracy of the report or a criminal investigation or trial related to the matter. The competent authority shall also provide the whistleblower with a written explanation of the grounds for the disclosure of non-disclosable information.

Processing of data is limited within the organisation and time-limited

In matters concerning whistleblower protection, personal data may only be processed by persons designated for the task in the ministry in question as referred to in the Whistleblower Act. 

Documents submitted to and prepared by the ministry and the personal data contained therein shall be stored in accordance with the document storage periods specified in the information management plan. The provisions of section 29, subsection 2 of the Whistleblower Act have been taken into account when determining the storage periods.

Data stored in the case management system shall not be transferred to third countries or international organisations.

Rights of data subjects

The right of a data subject to restrict the processing of their data does not apply to matters of whistleblower protection, and the right of a data subject to access their data may be restricted if this is necessary and proportionate with respect to ensuring the accuracy of the report or in order to protect the identity of the whistleblower. If only a part of the data on a data subject is such that it falls within the restriction on the right of access, the data subject shall have the right to access the remainder of the data. The data subject has the right to be informed of the reasons for the restriction and to request that this information be provided to the Data Protection Ombudsman in accordance with section 34, subsections 3 and 4 of the Data Protection Act (1050/2018).

Any requests for information concerning personal data, requests to rectify or supplement personal data and requests to restrict the processing of personal data shall be addressed to the controller.

Applications and projects under the EU Home Affairs Funds that are filed with the Ministry of the Interior are processed in the system.

The data stored

The following information is stored in the system: the applicant's name; the beneficiary's name; the name, email address and telephone number of the contact person and of his or her deputy; the name, email address and telephone number of the financial contact person for the payment application; information on the composition of the project steering group; payroll data and other personal data recorded by the applicant and the beneficiary in the application and payment application or included in the attached documents (e.g. general ledgers and salary allocation reports) as further clarification in connection with the financial reporting concerning the payment application.

Disclosure of data

No personal data is transferred outside the European Union or the European Economic Area.

Period for which the personal data is stored

The storage periods of personal data are determined in accordance with the data management plan. The storage period is based on the Act on Home Affairs Funds (903/2014). Depending on the document, data will be retained between ten years and permanently.

The Internal Security Portal is a digital platform for cooperation between security experts, stakeholders and networks.

The data stored

Persons registering for the service are requested to provide their name, organisation, profession or function, and email address. The data is used to manage the portal's customer relationships. The email address provided by the person acts as a user ID in the portal.

Disclosure of data

We do not transfer personal data outside the European Union or the European Economic Area. We do not disclose personal data for purposes such as direct marketing, market surveys and opinion polls, yearbooks or genealogical studies.

Period for which the personal data is stored

The data is stored in the online service until the person deletes their profile from the Tuovi portal.

Camera surveillance is used to ensure the legal protection and safety of the employees and visitors to the Ministry of the Interior, to protect the employer’s and employees’ property, and to prevent and solve crime. We use the information in the register to track and identify the movement of people on our premises.

We process this data in accordance with Article 6, paragraph 1, point (e) of the General Data Protection Regulation, that is, for the performance of a task carried out in the public interest or in the exercise of the official authority vested in the controller.

The data stored

Images of people and vehicles moving in the camera surveillance area are stored in the register. In addition to images, the register contains information about the surveillance camera and the date and time of the recorded event.
Camera surveillance is not used in the areas or for the purposes prohibited in section 16 of the Act on the Protection of Privacy in Working Life (759/2004). 

Disclosure of data

As a rule, we do not disclose register data to other parties. However, we disclose data to the police or other competent authorities in cases specifically provided by law, such as for solving crimes. The disclosure of data is always based on a specific request from the authorities. Data in the register is not transferred or disclosed to countries outside the European Union or the European Economic Area. 

Period for which the personal data is stored

As a rule, records are retained for one (1) month.

We collect the personal data needed to conduct surveys and register participants for events.

We process personal data in accordance with Article 6, paragraph 1, point (e) of the General Data Protection Regulation. The processing is necessary for the performance of a task carried out in the public interest.

The data stored 

The data collected varies depending on the case. When registering for an event, participants are typically requested to provide their name and email address. Depending on the event, other personal data may also be requested.

Disclosure of data

We may disclose data on a case-by-case basis to parties involved with the surveys, such as the security control personnel of ministries. Our subcontractors process personal data in their role as service providers.

Period for which the personal data is stored

For surveys, the appropriate storage period varies depending on the case.

In the case of registrations, the storage period is the time required for arranging the event and carrying out follow-up activities, but no longer than 6 months after the event; except in certain cases where more time is required for financial administration, archiving, or the retention of technical backup copies.

In matters pertaining to contracts, HR and financial administration, the Ministry of the Interior functions as the controller. We store data related to the processing of salary payments, travel and travel expenses, activities and work carried out in the Ministry of the Interior, invoicing and invoice payments, contract management and public procurement.

In accordance with Article 6, paragraph 1, point (c) of the General Data Protection Regulation, we store data in our registers that is necessary for compliance with our statutory rights and obligations.

The data stored

We only collect personal data to the extent necessary for processing. The personal data we collect can be divided into the following categories: identification data (e.g. a person's name, bank details), payment data (e.g. travel expenses), data relating to contracts (e.g. public procurement) and any other required data.

Disclosure of data

The disclosure or outsourcing of data can only take place within the limits of current legislation. We regularly disclose data to financial institutions for payment purposes, to Keva for pensions, to the Tax Administration for taxation purposes and to the Finnish Security and Intelligence Service for security clearance purposes. Data processing has also been outsourced to the Finnish Government Shared Services Centre for Finance and HR and to system providers. Travel agencies may transfer personal data to third countries, in which case they, in the role of controllers, are responsible for processing the personal data in accordance with the General Data Protection Regulation.

Period for which the personal data is stored

Personal data related to contracts, HR and financial administration is stored in accordance with the relevant legislation governing the matter concerned. We provide more detailed information, upon request, regarding the retention periods of personal data in specific systems.

Job vacancies are published in the Valtiolle.fi (state recruitment portal) service, which is also the main channel for submitting applications for employment.
In the Valtiolle.fi service, we collect data which is essential for the selection process and which applicants themselves provide when submitting an application. At the end of the application process, we compile a memo in which we compare the applicants’ merits in accordance with the Public Servants Act and the instructions and recommendations issued by the Office for the Government as Employer. 

We process the data of applicants in accordance with Article 6, paragraph 1, point (c) of the General Data Protection Regulation, as well as with the Public Servants Act (750/1994), the Decree on Public Servants (971/1994) and the Act on the Protection of Privacy in Working Life (759/2004). 

The security clearance data of the appointed person is processed in accordance with sections 45 and 58–59 of the Security Clearance Act.

The data stored

We collect the following personal data: identification data (name, gender, address, phone number, email address, and other contact information); personal information that the applicant has included in their application, such as education and work experience; other information supplied by the applicant in support of their application, such as a personal record or CV, school and study certificates, certificates of employment and testimonials, and references supplied by the applicant; as well as other necessary information relating to the application for employment and the filling of the position.

Disclosure of data

As a rule, we do not disclose the data. However, we disclose personal data, upon request, in accordance with the Act on the Openness of Government Activities. The data and documents are public, unless special provisions on their secrecy have been laid down by law. We do not disclose data to countries outside the European Union or the European Economic Area. 

Period for which the personal data is stored

Applications are removed from the Valtiolle.fi service 12 months after the end of the recruitment process. In the Ministry of the Interior, the storage periods of data related to the recruitment process are determined specifically in accordance with the Archives Act (831/1994), the regulation of the National Archives (AL 16465/07.01.01.03.02/2016) and the office's data management plan. We provide more detailed information about processing times on request.

Newsletters and other material on current issues can be ordered via our website. Personal data given when ordering is processed by the Ministry of the Interior staff and our service provider Emaileri, with whom we have agreed on how personal data is to be processed.
We process your personal data to comply with the statutory obligation of the Ministry of the Interior (Article 6(1)(c) of the Data Protection Regulation and section 20 of the Act on the Openness of Government Activities) and based on your consent.

The data stored

The subscription service for newsletters and material on current issues stores email addresses provided when ordering.

Disclosure of data

We do not transfer personal data outside the European Union or the European Economic Area. We also do not disclose personal data for purposes such as direct marketing, market surveys and opinion polls, yearbooks or genealogical studies.

Period for which the personal data is stored

Data is stored in the subscription service for material on current issues and the subscription system for newsletters until the subscriber terminates their subscription.

The website feedback form can be used to submit questions and feedback. Visitors can also comment on our blogs.

We process personal data in accordance with Article 6, paragraph 1, point (e) of the General Data Protection Regulation. The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The data stored

When submitting feedback via the feedback form, users are requested to provide their name. If the person submitting the feedback wishes to receive an answer to their question, we will require an email address. 

For comments on blogs, users are requested to provide both their email address and a name that will be shown on the website next to the comment. 

Disclosure of data

We do not transfer personal data outside the European Union or the European Economic Area. We also do not disclose personal data for purposes such as direct marketing, market surveys and opinion polls, yearbooks or genealogical studies.

Period for which the personal data is stored

Information submitted via a feedback form is removed one year after the feedback was submitted. Comments on blogs are stored throughout the life cycle of the blog text.

We do not directly collect data that would make it possible to identify individual visitors.  However, in some cases, an IP address can be considered personal data.

In addition to the IP address, general statistical information on the use of sites is collected to improve the services provided on our website. The data collected includes details of the pages viewed, time of visit, web browser and operating system.

Third-party applications, such as social media feeds, videos or podcasts are embedded into some pages of this website. These applications use cookies that transmit data to third parties about the pages viewed.