
Description of the processing of personal data by the AI chatbot software of the Tax Administration accessible by users of the Telephone Service for tax cards

Information on data protection, provided by the Controller, in reference to Article 13 and Article 14 of the EU General Data Protection Regulation (the GDPR (2016/679))

1. Controller

Tax Administration

P.O. Box 325, FI-00052 VERO
Telephone 029 512 000

2. The contact information of the Data Protection Officer at the Tax Administration

Tax Administration

P.O. Box 325, FI-00052 VERO
Telephone 029 512 000

3. Name of the Description of data processing

Description of the processing of personal data by the AI chatbot software of the Tax Administration accessible by users of the Telephone Service for tax cards

4. Purposes of the processing of personal data

Items of personal data are processed in order to identify an individual data subject and in order to perform the calculations necessary for issuing a withholding allowance certificate, i.e. a “tax card”.

5. Legal grounds for the processing

Items of personal data are processed by the software system primarily on the legal grounds of compliance with a legal obligation to which the controller is subject and of the exercise of the controller’s public powers, as the AI chatbot makes use of the personal data when giving guidance and when performing the calculations necessary for issuing the tax card. Purposes related to service improvement and quality assurance are among the other grounds for processing personal data.

6. Categories of personal data
  • When calculations are performed for the purpose of issuing a tax card, the software will process personal data directly related to taxes.
  • When the software verifies the identity of an individual user, it will process the personal data needed for identification.
  • When the processing of personal data serves the purposes of service improvement and quality assurance, the software will utilise the personal data which is linked to the way the chatbot is used and to the comments and feedback gathered.

7. Regular sources of data

The Tax Administration obtains data from the data subject and other sources when preparing the calculations for the withholding certificate, the tax card.

8. Regular disclosure and transfer of data, and the processors of data

Commercial software vendors, service providers and other suppliers may act as processors of personal data.

9. Regular disclosure and transfer of data outside the EU or the European Economic Area

No data is disclosed outside the EU or the European Economic Area.

10. Information storage periods

The chatbot software keeps data in storage for a 30-day period. After that, an automatic process will delete the data.

Regarding information directly related to taxes, the period of storage of personal data falls under the rules that govern the assessment process, tax control, appeal periods, and the collection of unpaid taxes, including the time limits in force.

In general, the length of the period of storage is 12 years, counting from the end of the tax year or from the end date of the reportable tax period concerned (example: data in submitted income tax returns and issued decisions on tax assessment). The lengths of the periods depend on the categories of tax and on the matters that are processed. It is possible to keep information in storage for longer than 12 years. In addition, exceptions to the lengths of storage periods may occur in connection with the lodging of appeals, collection of unpaid taxes, and efforts to investigate tax crimes.

Furthermore, information is also stored for archiving purposes in the public interest. This type of storage is subject to the official decisions on screening, issued by the National Archives (Arkistolaitos; Riksarkivet).

11. Data protection principles

A software system with a secure sign-in routine saves the data in an electronic format.

Only the employees assigned to the task have access to the data. They are required to enter their user ID and password.

The data is only processed by people whose work involves data processing. All employees who process data have a security clearance (in reference to the provisions of the Security Clearance Act (726/2014)).

12. Automated decision-making and automated profiling

The chatbot performs no appraisals, profiling or awarding of points with regard to individuals. It contains no automatic process that would analyze or categorize its users, and none of the stored personal data is used as a basis for creating user profiles.

The functionalities of the chatbot involve no automated decision-making that would have legal impact or other significance from the individual’s perspective. The chatbot’s purpose of use is to give guidance and to perform the calculations needed for issuing a tax card, where the data subject provides the information entered into the calculations.

The chatbot performs no automated decision-making concerning users without human participation, including checks and verifications conducted afterwards. The decision-making is always based on the data subject’s delivery of entry data and on the public authority’s evaluations.

13. Your rights

(1) Right of access by the data subject (Article 15)

You have the right to obtain confirmation from the controller as to whether or not personal data is being processed. If personal data concerning yourself is processed, you are entitled to ask for duplicates. As for the parts of the software systems where no access has been given to you, you are entitled to ask for a verification (see the final section of this description).

Exception: Under § 31, subsections 2 and 3 of the Whistleblower Act (Laki Euroopan unionin ja kansallisen oikeuden rikkomisesta ilmoittavien henkilöiden suojelusta (1171/2022)), a data subject’s rights normally safeguarded by Article 15 of the GDPR are subject to restrictions when personal data is brought forward and the Whistleblower Act is invoked. These restrictions can be imposed if they are deemed necessary and appropriate for the purpose of clearing up the facts included in a whistleblowing report that contains personal data, or for the purpose of protecting the whistleblower. You will be issued information outlining the reasons for restriction, and you are entitled, as referred to in § 34, subsections 3 and 4 of the Data Protection Act, to ask for delivery of the related data to the Ombudsman for data protection.

(2) Right to rectification (Article 16)

You have the right to ask the controller to rectify, without undue delay, any inaccurate personal data that concerns you.

You have the right to have incomplete personal data completed, including by means of providing a supplementary statement. The public authority will take account of the purposes of data processing, when making its decisions regarding incompleteness of the data and related needs for supplementing the data.

(3) Right to restriction of processing (Article 18)

In some circumstances, you have the right to obtain from the controller restriction of processing. Invoking this right becomes relevant in a situation where an individual, whose personal data is processed by the employees of the Tax Administration, disagrees with the accuracy of the saved data. The right can be invoked only for the length of time during which the public authority is rectifying the saved data.

Exception: Under § 31, subsection 1 of the Whistleblower Act, a data subject’s right to restriction of processing, normally safeguarded by Article 18 of the GDPR, is not applicable to personal data within the meaning of the Whistleblower Act.

(4) Right to object (Article 21)

You have the right to object to the processing of your personal data at any time on grounds relating to a special personal situation. In these circumstances, the Tax Administration would evaluate whether compelling legitimate grounds exist for the processing which override the interests, rights and freedoms of you, the data subject, or whether compelling legitimate grounds exist for the establishment, exercise or defence of legal claims. If the Tax Administration has established that the processing of personal data is necessary, the Tax Administration can turn down your objection. At that stage, you become entitled to have the matter addressed through a complaint with a supervisory authority.

The right to object will not be applicable when the processing of data is based on compliance with a legal obligation to which the Tax Administration is subject (in reference to Article 6, line (c) of the GDPR).

(5) Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you will have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence or the Member State of your place of work, or of the place of the alleged infringement, if you consider that the processing of personal data infringes the provisions of the GDPR.  

Page last updated 1/14/2026