Processing of personal data in the Tax Administration’s certificate service

Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, Articles 13 and 14. 

Controller

The Tax Administration 
P.O. Box 325, FI-00052 VERO 
Telephone +358 29 512 000 (switchboard)

Street address: 
Registry  
Vääksyntie 4, Helsinki 

Data Protection Officer at the Finnish Tax Administration

Noora Kontro

Taito von Konow

P.O. Box 325, FI-00052 VERO 
Telephone +358 29 512 000 (switchboard)

Purpose of the processing of personal data

Personal data is processed in order to identify an individual data subject for giving them an authorisation for using the certificate service relating to the Tax Administration’s, the Incomes Register’s or the Positive credit register’s APIs. Personal data may also be processed for purposes of monitoring, when the Controller needs to examine the integrity of submitted data or when the Controller needs to prevent, examine or stop any abuse connected to data reporting.

The Tax Administration also uses personal data for identifying contact persons in companies that use certificates.

Categories of data subjects

Data on the contact persons/authorised persons of companies and organisations that submit applications for a certificate

Categories of personal data

  • Name 
  • Email address
  • Telephone number
  • Personal identity code
  • Personal data received via eIDAS authentication

Categories of recipients of personal data

Personal data is forwarded and disclosed to parties that use it for other purposes only in circumstances laid down in law. Under provisions of law, personal data can be forwarded and disclosed to public authorities and to other parties who are legally entitled to it.

Disclosure of data to third countries

Data will not be disclosed to third countries.

Time limits for erasure of data categories

Personal data saved in the certificate service is stored for varying periods depending on when the certificate expires and on the needs for storing event log information.  

A certificate is valid for two years at a time. After expiration of a certificate, the associated personal data is deleted when five (5) years have elapsed from the start of the calendar year that followed the year when the certificate expired. Information is stored after expiration in order to facilitate investigation of any crimes that may be committed with certificates.  

Page last updated 9/20/2024