Instructions for lenders on how to request a data permission

These instructions provide guidance on how lenders can apply for a permission to use the Positive credit register’s data. Information is also provided on the data permission, the purposes of use of the data, and who is eligible for the data permission.

The Positive credit register will be rolled out in two stages. In the first stage, starting from 1 April 2024, lenders can use the Positive credit register’s data in consumer lending. In the second stage, lenders can also use the register’s data when granting loans to natural persons other than consumers. Such credits include, for example, loans that entrepreneurs take out for their business activities.

These instructions discuss how to request a data permission for the purposes of the first rollout stage. Lenders can apply for a data permission starting 2 October 2023, and they can start requesting data on 1 April 2024. Instructions on how to request a data permission for the second stage will be published closer to the second rollout.

If the lender is obliged to report loan contract data to the Positive credit register (in accordance with the Act on the Positive Credit Register 739/2022), they can also sign up as a data notifier when applying for a data permission. The lender will need certificates both for reporting data and for requesting credit register extracts. Instructions on the sign-up, retrieval and use of certificates and sharing of data from the Positive credit register, and on how to request a credit register extract are provided in separate instruction documents:

• Reporting data to the Positive credit register
• Signing up for the Positive credit register as a data notifier
• Sharing data from the Positive credit register
• Instructions on certificates
• Charges collected for the use of the register

Contact information for the Positive credit register's customer service is available on the register's website at www.positivecreditregister.fi.

1 Terminology used in the instructions

Consumer credit refers to a consumer credit or comparable loan to which the provisions of chapter 7 or 7 a of the Consumer Protection Act (38/1978) are applied.

Lender refers to a business operator under the Consumer Protection Act that, by agreement, grants or promises to grant a credit to a borrower as a loan, a deferred payment or another corresponding financial arrangement. ‘Lender’ also refers to a business that brokers a credit granted by another operator (peer-to-peer loan broker) to a borrower.

For the purposes of this document, ‘lender’ also refers to an operator that is obliged, in a situation other than loan granting, to assess the borrower’s creditworthiness or check that the information on the borrower is up to date. Lenders that are entitled to use data shared from the Positive credit register are defined in section 21 of the Act on the Positive Credit Register (739/2022).

Credit register extract refers to a credit information report under the Act on the Positive Credit Register.

2 Data permission to the Positive credit register

The data recorded in the Positive credit register is confidential, with the exception of the name, Finnish Business ID or foreign business ID of a business operator that is required to submit reports (section 3 of the Act on the Positive Credit Register). A data permission is needed to use the register’s data. The lender can apply for a permission from the Tax Administration’s Incomes Register Unit. When the lender has a valid data permission, they can request credit register extracts from the register for the purposes specified in the data permission decision.

The Incomes Register Unit can share data with lenders for purposes specified in the Act on the Positive Credit Register. Data is disclosed on credit register extracts. A precondition is that the lender has applied for a data permission and received a positive data permission decision (sections 21, 22 and 27 a of the Act on the Positive Credit Register).

Requests for credit register extracts are subject to a charge payable by the lender.

2.1 To whom can a data permission be granted?

The Incomes Register Unit can grant a data permission to a lender that has the right to receive data under the Act on the Positive Credit Register (section 21). In the register’s first rollout stage, the following parties are entitled to receive data from the register:

1. business operators that are required to submit reports under section 16, subsection 1 of the Act on the Positive Credit Register
2. other lenders that, under the Consumer Protection Act, are obliged to assess the consumer’s creditworthiness or check that the information on the consumer is up to date.

Businesses with the reporting obligation include

• lenders under the supervision of the Financial Supervisory Authority
• lenders and peer-to-peer loan brokers recorded in the register of lenders and peer-to-peer loan brokers and granting or brokering consumer credits reportable to the Positive credit register.

These lenders’ right to access data laid down in legislation is more extensive than that of other lenders.

Lenders under the supervision of the Financial Supervisory Authority refer to supervised entities under section 4, subsection 1 of the Act on the Financial Supervisory Authority, i.e. authorised supervised entities, supervised entities comparable to authorised supervised entities, and other supervised entities.

This group also includes Finnish branches of foreign EEA-supervised entities, and foreign supervised entities that provide services in Finland but do not have a Finnish branch (section 4, subsection 5 of the Act on the Financial Supervisory Authority). A branch of a foreign EEA-supervised entity may be a branch of a credit institution in an EEA country, or a branch of a credit institution established in an EEA country by a third country. Provision of services without a branch is possible only for such EEA-supervised entities that have an operating licence in another EEA country.

2.2 For what purposes can a data permission be granted?

In the data permission application, the lender must specify the purposes for which it intends to use the data received from the Positive credit register. Data can be disclosed only for the following purposes (section 21 of the Act on the Positive Credit Register):

• Assessing the consumer's creditworthiness or checking the accuracy of the information on the consumer when the Consumer Protection Act obligates the lender to assess the consumer's creditworthiness or check that the consumer's data is up to date (chapter 7 or 7 a).
  • The lender must assess the consumer's creditworthiness before the conclusion of a loan contract. Further, if the loan principal or credit limit is raised, the lender must check that the information on the consumer is up to date. If the loan principal or credit limit is raised significantly, the lender must reassess the consumer's creditworthiness.

• Testing creditworthiness when the consumer requests a change in the terms of the loan and the change does not concern raising the loan principal or the credit limit.
  • The change in the terms must be such that it requires that the debtor's creditworthiness should be assessed. A precondition is that the debtor themselves applies for a change in the terms of the loan. The lender is thus not allowed to use the Positive credit register’s data on its own initiative: the debtor must have informed the lender that they will seek changes in the loan contract.

• Providing or approving a guarantee or third-party security if the guarantee or security is recorded as collateral in the Positive credit register.
  • The lender is allowed to use the credit register extract data on the guarantor and the provider of a third-party security (pledger) when assessing the acceptability of the proposed collateral and the position of the collateral provider. Lenders may not use the credit register extract data if a guarantee or a third-party security is deposited as collateral for a loan granted to a borrower other than a natural person, such as a limited liability company.

 

2.3 Who has the right to receive data?

Different parties’ right to receive data from the Positive credit register varies in extent.

Lenders that are required to submit reports to the Positive credit register under section 16, subsection 1 of the Act on the Positive Credit Register have more extensive rights to receive data than other lenders. They have the right to receive data in the following situations:

• Under the Consumer Protection Act, the lender is obliged to test the consumer's creditworthiness before a loan contract is concluded or after the conclusion of the loan contract if the loan principal or credit limit is significantly increased.
• Under the Consumer Protection Act, the lender is obliged to make sure the information on the consumer is up to date when the consumer and the lender agree on increasing the loan principal or credit limit after the loan contract has been concluded.
• A debtor requests a change in the terms of the loan that does not concern an increase of the loan principal or credit limit, and the change requires that the debtor’s creditworthiness should be tested.
• The guarantee or third-party security provided or accepted is collateral for the payment of a loan recorded in the register.

Other lenders than business operators with the reporting obligation under section 16, subsection 1 have the right to receive data only in the following situations:

• Under the Consumer Protection Act, the lender is obliged to test the consumer's creditworthiness before a loan contract is concluded or after the conclusion of the loan contract if the loan principal or credit limit is significantly increased.
• Under the Consumer Protection Act, the lender is obliged to make sure the information on the consumer is up to date when the consumer and the lender agree on increasing the loan principal or credit limit after the loan contract has been concluded.

2.4 Using the data received from the Positive credit register

The lender may use data received from the Positive credit register only for the purposes for which the data permission was granted. If the purpose of use changes, the lender must apply for a new data permission.

However, the lender can also use data they have received from the register for the purpose described in chapter 2.2 for the following purposes:

Sharing data with the State Treasury

The lender may share data they have received from the Positive credit register with the State Treasury when applying for compensation under the Act on State Guarantees for Owner-Occupied Housing Loans (204/1996) (section 21, subsection 3 of the Act on the Positive Credit Register).

Sharing data with the guarantor and the third-party security provider

The lender may share data received from the Positive credit register with the guarantor and the pledger in the case they are carrying out their duty to inform under sections 12 and 14 of the Act on Guaranties and Third-Party Pledges (361/1999) or if the person concerned has given consent that the data may be shared with the guarantor or the pledger. 

Before the guarantee is provided, the lender must inform the guarantor of such issues relating to the principal debt covered by the guarantee that have a material impact on the guarantor's position. The guarantor must also be informed of the debtor's obligations and other circumstances relating to the debtor's ability to pay that can be deemed to be of interest to the guarantor. (Section 12 of the Act on Guaranties and Third-Party Pledges.)

The guarantor has the right, during the period of validity of the guarantee, to ask the lender for information on the debtor's obligations and other circumstances relating to the debtor’s ability to pay that can be deemed to be of interest to the guarantor. On the guarantor’s request, the lender can thus also share data received from the Positive credit register. However, the duty to inform under the Act on Guaranties applies only to information that the lender knows of and that the lender can share with the guarantor without a separate account.  (Section 14 of the Act on Guaranties and Third-Party Pledges.) 

The lender may share with the guarantor only data they have received from the register during the credit relationship in situations relating to the issuing of a loan or changing of the loan contract. The lender does not have the right to acquire data from the Positive credit register on the guarantor’s request.

The lender’s duty to inform also concerns providers of third-party security, so the lender also has similar obligations towards security providers (section 41 of the Act on Guaranties and Third-Party Pledges).  

Meeting the obligations related to credit risk management

The lender may use the information on their loan applicants they have received from the Positive credit register for purposes of testing the creditworthiness to meet their obligations regarding credit risk management. The obligations are laid down elsewhere in law. However, the right to use the data concerns only lenders that are subject to credit risk management obligations laid down elsewhere in law.

3 Process of applying for a data permission

3.1 When can you request a data permission?

The lender can submit a data permission application to the Incomes Register Unit as of 2 October 2023.  However, credit register extracts cannot be requested or shared from the Positive credit register until on 1 April 2024 at the earliest.

Lenders can request data when they start conducting business activities that require the use of the Positive credit register's data. The lender must state in the application when they plan to start using the data. The start date cannot be earlier than 1 April 2024, but the use can start at any time after that. 

A data permission granted by the Incomes Register Unit enters into force on the date specified by the lender at the earliest. The data permission is valid until further notice.

3.2 Channels of applying for a data permission

The application for a data permission is submitted to the Incomes Register Unit in the Positive credit register’s e-service. The e-service can be used if

• the lender has a Finnish Business ID, and
• the person acting in the lender’s name can identify themselves in the Suomi.fi service using strong identification. In Suomi.fi, users identify themselves with their Finnish e-bank codes, mobile certificates or certificate cards.

If the lender cannot use the e-service, they can apply for a data permission with a paper form. You can request the form from the Positive credit register’s customer service as of 2 October 2023. The form will be sent to the address specified by the organisation either by post or by email. You can find the customer service’s contact information on the Positive credit register's website at www.positivecreditregister.fi.

The completed form and its attachments can be returned to the Incomes Register Unit by post to the address below:

POSITIVE CREDIT REGISTER

P.O. BOX 2

FI-00055 INCOMES REGISTER

Read about the attachments to the paper form in chapter 3.4.

3.3 Who can submit a data permission application?

Individuals who are recorded to have any of the official roles listed below in the Trade Register or the Business Information System (BIS) can act in the lender’s name in the e-service:

• managing director
• Managing Director’s substitute
• Chairperson of the board
• general partner (limited partnership)
• partner (general partnership)
• business operator
• holder of procuration who is authorised to sign alone
• individual who is authorised to sign alone (authorised individual)

In addition to individuals with the official roles listed above, individuals or companies that have been granted the ‘Registering as a credit information reporter and user’ authorisation can submit a data permission application in the e-service. Lenders can grant and change authorisations as needed in the Suomi.fi e-authorisation service.

The Suomi.fi e-authorisation `Registering as a credit information reporter and user’ always applies both to applying for a data permission and to signing up as a data notifier. If the lender wants to authorise different persons to make a data permission application and a request to sign up as a data notifier, a paper form must be used.

Read more about granting authorisations (Suomi.fi)

An individual acting in the lender’s name identifies themselves in the Positive credit register’s e-service with their personal e-bank codes, mobile certificate or certificate card. Only individuals with a Finnish personal ID can identify themselves in the e-service.

The data permission application can be submitted on a paper form by an individual who is authorised to sign for the lender or has the required authorisation (see section 3.4).

3.4 Attachments to the paper form

If the lender submits a data permission application on a paper form, attachments must be enclosed with the form to verify the company requesting a data permission, the right to represent the company, and the identity of the person representing the company. The documents must be certified and original. The attachments are sent to the Incomes Register Unit by post.

The documents may be in Finnish, Swedish or English.

Documents needed if the company is registered in Finland:

• Documents proving the right of representation (unless indicated in authorities’ registers).

In the case of Finnish organisations, the Incomes Register Unit checks in authorities’ registers, such as the Trade Register, who has the right to represent the organisation. If the right of representation is not indicated in Finnish authorities’ registers, documents proving the right of representation, such as the rules of the organisation, must be enclosed with the application.

• A certified copy of the official identity card, such as a passport, of the person signing the application.
• An authorisation, if necessary.

The data permission application can also be submitted with a paper form by an individual or a company authorised by the lender. In that case, an authorisation must be enclosed with the application. The authorisation must state at least the authorising party’s information (lender’s name and Business ID), the authorised party's information (name and Finnish or foreign personal identity code), and what the authorisation concerns. The authorisation must be signed by someone who is authorised to sign for the lender.

• Certified copies of the official identity cards of the persons signing the authorisation and of the authorised persons.

Documents needed if the company is not registered in Finland:

• A certified extract from a foreign business information register. Register documents of organisations not registered in Nordic countries must be validated (e.g. Apostille).
• If the organisation's rights of representation are not shown in the foreign register extract, the organisation must provide sufficient, certified documentation to show the rights of representation.
• A certified copy of the official identity card, such as a passport, of the person signing the application. Further, documents issued outside the Nordic countries must be validated (e.g. Apostille).
• An authorisation, if necessary.

The data permission application can also be submitted with a paper form by an individual or a company authorised by the lender. In that case, an authorisation must be enclosed with the application. The authorisation must state at least the authorising party’s information (lender’s name and foreign business ID), the authorised party's information (name and Finnish or foreign personal identity code), and what the authorisation concerns. The authorisation must be signed by someone who is authorised to sign for the lender.

• Certified copies of the official identity cards of the persons signing the authorisation and of the authorised persons. Further, documents issued outside the Nordic countries must be validated (e.g. Apostille).

3.5 Processing of the data permission application in the Incomes Register Unit

In the data permission application, the lender provides an account of their activities, the use and processing of the data requested from the register, and the legal grounds for accessing the data. The data permission application includes a data protection report.

A condition for the grant of a data permission is that

• the applicant is a lender entitled to receive data in accordance with section 21 of the Act on the Positive Credit Register and that they use the data received from the register for a purpose laid down in the same section.
• the lender sees that confidential data and personal data disclosed from the Positive credit register is processed securely and according to law, and that the data is protected and its use is controlled. The data shared from the register is personal data, so the lender must have a legal basis under the EU General Data Protection Regulation to process the data.

The Incomes Register Unit processes the application and may ask the lender for additional information. The request for additional information is emailed to the contact person for data permission application specified by the lender, and a response must be submitted within a certain time limit. The lender may request an extension to the time limit, if needed.

When the application has been processed and any additional information considered, the lender receives a decision from the Incomes Register Unit. The decision is sent to the email address or postal address specified in the application. You can also see in the e-service whether the application has been accepted or rejected.

In case of a decision of acceptance, the lender is granted a certificate. The lender will need the certificate to identify themselves to access the credit register extract API. Separate instructions are available on how to retrieve and use the certificate. You can find a link to the instructions at the beginning of this document.

The data permission decision is an administrative decision, and it can be appealed in accordance with the Administrative Judicial Procedure Act (808/2019). Instructions for appeal are enclosed with the data permission decision.

The Incomes Register Unit processes data permission applications as of 2 October 2023. The applications are processed within 14 days on average. If the service is congested, the processing time may be longer. A decision on the data permission will be provided at the latest on 31 March 2024.

4 How to fill in the data permission application

The lender can apply for a data permission by filling in a form, where they must enter information on the company and its activities, the purpose of use of the data shared from the Positive credit register, and legal grounds for accessing the data. The form also includes a data protection report with questions about the lender’s data protection and control of the data usage. The form refers to lenders as organisations, and the word organisation is therefore also used in this chapter.

The form available in the e-service cannot be saved as unfinished, and you cannot continue to fill it in later. The electronic form times out after 4 hours, so if the form is open in the browser for longer than that without being submitted, the session will close and the information you have filled in will disappear.

4.1 Using data

Submit an account of the organisation and its business activities. What are the activities and purposes for which the organisation intends to use the data obtained from the Positive credit register?

First give a short description of your organisation's business activities where the register’s data will be used.

Then state the purposes of use for which the organisation will use the data received from the Positive credit register. You can state one or more purposes. Report all the planned purposes of use of the data. A data permission can be granted only for the purposes laid down in section 21 of the Act on the Positive Credit Register and specified in this field (see section 2.2 of the instructions).

What authority supervises the organisation's activities relating to credit and financial services? This refers to activities involving the use of the register’s data.

• Financial Supervisory Authority
• Regional State Administrative Agency for Southern Finland
• Other

Select the authority that supervises your organisation's activities relating to credit and financial services. This refers to activities involving the use of the register’s data. Select ‘other’ if your organisation's activities relating to credit and financial services are not supervised by the Financial Supervisory Authority or the Regional State Administrative Agency for Southern Finland. Specify the authority supervising the activities.

Please note that the supervision of lenders and peer-to-peer loan brokers entered in the register of lenders and peer-to-peer loan brokers was transferred to the Financial Supervisory Authority on 1 July 2023.

On what grounds are the organisation's activities supervised? Also state whether under the Act on the Financial Supervisory Authority (878/2008) the organisation is

• an authorised supervised entity (section 4, subsection 2)
• a supervised entity comparable to an authorised supervised entity (section 4, subsection 3)
• other supervised entity (section 4, subsection 4)
• a Finnish branch of a foreign EEA-supervised entity or a foreign supervised entity providing services in Finland without a branch (section 4, subsection 5).

Describe in detail on what grounds your organisation's activities relating to credit and financial services are subject to supervision. If the activities are supervised by the Financial Supervisory Authority, specify the legal provision on the basis of which they are supervised. If you are a lender or a peer-to-peer loan broker entered in the register of lenders and peer-to-peer loan brokers, state is here.

Does the organisation also need to use data obtained from the register for the following secondary purposes (section 22, subsections 3 and 4 of the Act on the Positive Credit Register)?   

• Sharing data with the State Treasury
• Sharing data with a guarantor or third-party security provider
• Meeting the obligations related to credit risk management
• None of the above

Select more than one if necessary. Specify the grounds for the organisation's right to access data in the free-text field.

When will the organisation start requesting data from the register?

Enter the date on which the organisation plans to start requesting data from the register. The date may not be earlier than 1 April 2024. The organisation can start requesting data when they start conducting business activities that require the use of the Positive credit register's data.

What is the legal basis under the EU General Data Protection Regulation for the organisation's right to process the borrower's personal data obtained from the register? If the processing is based on a legal obligation, state the legal provision from which it arises.

State here a legal basis laid down in the General Data Protection Regulation. To process the borrower's personal data according to law, the organisation must have at least one legal basis laid down in the General Data Protection Regulation. The legal bases are provided in Article 6 of the General Data Protection Regulation.

If the reported legal basis for processing data is to comply with the controller's legal obligation, also specify the legal provision on which the obligation is based.

Does the organisation use an outsider to process the data obtained from the Positive credit register? 

The options are ‘yes’ and ‘no’. ‘Processor’ here refers to a processor according to the EU General Data Protection Regulation. The lender is also responsible for the activities of the processors acting on its behalf.

If you select ‘yes’, also fill in the following fields:

• State the Business ID or foreign business ID of the company acting as a processor. If the company is a foreign company, state the country’s name or country code according to ISO 3166, as well as the business ID.
• Submit the name of the company acting as a processor.
• Has the organisation concluded a contract or other legal act referred to in Article 28 of the EU General Data Protection Regulation? The options are ‘yes’ and ‘no’.

Fill in the details on each processor separately. Add a new processor by clicking ‘Add company acting as processor’, indicated with the plus sign.

You can enter details of no more than 10 processors on the form. If the number of processors is larger, contact the Positive credit register’s customer service. You can find the contact information on the Positive credit register's website at www.positivecreditregister.fi.

4.2 Data protection report

The data protection report consists of questions and statements regarding the protection and control of data disclosed from the Positive credit register. Fill in the report by selecting either ‘yes’ or ‘no’. You can give additional information in free form if asked to do so.

Questions and statements of the data protection report

1. The organisation provides instructions and training on the processing of confidential information and personal data obtained from the Positive credit register.
2. Credit register extract information obtained from the register is confidential. Every person in the organisation who has access to credit register extract information processes the information only for the purposes defined in section 21 of the Act on the Positive Credit Register and is familiar with the obligations of secrecy and confidentiality regarding the information.
3. The organisation makes sure that the persons processing the data obtained from the register are familiar with up-to-date regulations regarding the data, and with the data permission and its enclosures issued by the Incomes Register Unit.
4. The organisation’s information system ensures, case by case, that the person requesting data is handling a matter that requires the requesting of a credit register extract from the Positive credit register, and that they are entitled by law to request the extract.

• • If you select ‘no’, state in free-text field 4.1 how the organisation makes sure that data is not requested from the register without grounds and purposes laid down in law?

5. Access to credit register extract information is limited to those persons in the organisation who have the right to process the confidential information in question. Access rights depend on what information the person needs to carry out their duties, and the access rights are kept up to date.
6. Outsiders are prevented from accessing premises (e.g. workstations) where data obtained from the Positive credit register is handled. Outsiders are also prevented from accessing the register’s data. The premises are locked, and they are under surveillance when employees are not present.
7. The organisation has secure access control (e.g. passwords, access rights) for systems where data obtained from the Positive credit register is processed or can be viewed. Access management tools are handled in a secure manner.
8. The organisation has a procedure for ensuring that data media that are disposed of or sent for repairs do not contain the Positive credit register’s data or other personal data.
9. The organisation keeps logs to monitor the use of data and to ease troubleshooting in case of technical problems.
10. The logs are a record of who has requested data from the Positive credit register, when the request was made, and whose data was requested.
11. Servers and databases used by the organisation where data obtained from the Positive credit register is processed are located outside or partly outside the EU/EEA.

• • If you select ‘yes’, state in free-text field 11.1 in which non-EU/EEA country the servers and databases are located. What actions are taken to ensure that data is transferred in compliance with law?

12. The organisation uses the cloud service to process the Positive credit register's data, in part or in full.

• • If you select ‘yes’, state in free-text field 12.1 how the organisation sees to it that data is transferred in compliance with law if it is processed outside the EU/EEA. Also state if data is not processed outside the EU/EEA.

13. Data obtained from the Positive credit register is processed outside the EU/EEA.

• • If you select ‘yes’, state is free-text field 13.1 in what country the register’s data is processed. What actions are taken to ensure that data is transferred in compliance with law?

14. Data obtained from the Positive credit register is processed outside the organisation (for example, processing has been partly or fully outsourced).

• • If you select ‘yes’, state in free-text field 14.1 what parties process the register’s data on behalf of the organisation. Has the organisation concluded a contract or other legal act on the processing in accordance with Article 28 of the EU General Data Protection Regulation?

15. The organisation shares credit register extract information obtained from the register with a third party.

‘Third party’ means an external controller who uses the information to their own purposes, not on behalf of the organisation. ‘Third party’ does not mean a processor (such as a system supplier or subcontractor) that acts on behalf of the organisation and uses the data for the purposes specified by the organisation.

• • If you select ‘yes’, specify is free-text field 15.1 the parties that the register’s data is shared with and the purposes for which it is shared.

16. Communications containing data recorded in the Positive credit register are encrypted.
17. The organisation has processes to manage vulnerabilities, and workstations and communications devices are updated automatically.
18. The organisation has a person responsible for information security.

• • If you select ‘yes’, fill in the contact information of the contact person for information security.

19. The organisation has a person responsible for data protection, or a data protection officer.

• • If you select ‘yes’, enter the contact information of the person responsible for data protection or of the data protection officer.

 

4.3 Invoicing information

Credit register extracts issued by the Positive credit register are subject to a fee. The Incomes Register Unit sends the lender a monthly invoice on the credit register extracts the lender has requested.

The data permission application asks the organisation for their invoice address, invoice language, and contact person for invoicing. As a rule, invoices are sent as e-invoices. If e-invoicing is not possible or if it is temporarily unavailable, the invoice will be sent to the organisation’s invoice address. You can also provide a reference used by the organisation in the application.

The invoicing information is saved in the e-service, and the information can be edited on the Invoicing and contact information page.

Invoice address

• Recipient
• Street address or P.O. Box
• Postcode
• Post office
• Country

E-invoicing

• E-invoice address
• Service provider code

E-invoicing is the primary invoicing method, and therefore the default is ‘Invoices are sent to the organisation's e-invoice address’. You can deselect the option if your organisation does not use e-invoicing.

Invoicing practices

• Invoice language: Finnish, Swedish, English
• Organisation’s reference (e.g. cost centre reference)

Enter the reference if you want it to be indicated on invoices on data usage for purposes of posting, for example. You can enter the reference even if the organisation has not activated e-invoicing. The reference may not have more than 35 characters.

Contact person for invoicing

The contact person for invoicing provides further information on matters related to invoicing. They will be contacted in case of invoicing problems.

• Name
• Phone number (in international format, e.g. +358...)
• Email address

4.4 Details of contact persons

The contact information to be provided in the data permission application includes

• details of the contact person for data permission application
• details of the contact person for content
• details of the technical contact person
• the details of the technical contact person for certificates
• details of the contact person for invoicing.

The details of all other contact persons except the technical contact person for certificates and the contact person for invoicing can include a second email address, such as a distribution list or a shared mailbox, as well as a personal email address. All messages sent to such contact persons will also be sent to the second address.

The data protection report also includes the contact information of the person responsible for information security and data protection or of the data protection officer, if the organisation has such responsible persons.

You can enter the details of the same person in multiple fields, if needed. After submitting the data permission application, you can edit the details of the technical contact person and the contact person for invoicing on the Invoicing and contact information page in the e-service. If you want to update other contact information provided in connection with the application, please contact the Positive credit register’s customer service. You can find the contact information on the Positive credit register's website at www.positivecreditregister.fi.

Contact person for data permission application

The contact person for data permission application gives additional information regarding the application, if needed. Requests for any additional information needed for the processing of the data permission application will be sent to the contact person by email.

The contact information will not be used after the data permission application has been processed. The decision on the data permission will be sent to the notification address stated at the end of the form.

Contact person for content

The contact person gives additional information on the content of the requests for credit register extracts submitted by the organisation and replies to requests for additional information regarding the use of the data.

Contact person for technical matters

The contact person answers questions about the technical operation and information security of the requests for data and provides additional information regarding technical matters and problems.

Technical contact person for certificates

The Incomes Register Unit grants a certificate for the use of APIs to each organisation using the register’s data. The technical contact person for certificates receives the information and instructions for retrieving the certificate. Their telephone number must be a number to which text messages can be sent: the number is needed to receive a secure email message regarding the retrieval of the certificate. The number should preferably be a Finnish number so as to ensure the successful arrival of the text message. Once the certificate has been retrieved, the number will not be used any more.

4.5 Notification channel

Select how you want the data permission decision to be delivered to your organisation: by secure email or by post. You can select only one of the two options. The decision will not be delivered to the e-service.

If you select delivery by secure email, enter the email address to which your organisation wants us to send the decision. The secure email sent to the address will include a link through which you can download the decision.

If you select delivery by post, enter the postal address to which your organisation wants us to send the decision.

You can find more information about the decision and appeal in item 3.4 of this document.

4.6 Sending the application

Before you submit the application, you will be taken to a summary view, where you can see the information you have entered in the application. Check the information you have entered. If you want to edit the information you have entered on previous pages, click Previous.

The information entered in the application is not saved in the e-service. If you need the information later, save it before you submit the application.

When you have filled in and checked all the information, send the data permission application to the Incomes Register Unit by clicking Submit.

4.7 Application status

When the application has been successfully submitted, its status in the e-service changes to Received. If the status does not change within a few seconds, the application has not arrived.

When you have sent the application, you cannot submit a new application in the e-service, nor supplement or edit the application you have submitted. If you need to submit a new application, supplement or edit the application you have sent, or cancel the application, please contact the Positive credit register’s customer service. You can find the contact information on the Positive credit register's website at www.positivecreditregister.fi. Additions and changes must always be made in writing.

When the application is being processed by the Incomes Register Unit, the status shown in the e-service is Processing. Once a data permission has been granted, the status of the application will change to Accepted. The application status changes to Rejected if the Incomes Register Unit rejects the data permission application or decides not to examine the application, or if you cancel the application yourself.

4.8 Updating the contact information

The organisation must check their contact information regularly and update the details as needed.

The organisation can edit the following contact information in the Positive credit register’s e-service:

• contact person for content
• contact person for technical matters
• contact person for invoicing, and other invoicing information.

Other contact information provided in connection with the data permission application can be updated by contacting the Positive credit register’s customer service. The customer service can also update the contact information if the organisation cannot use the e-service. You can find the customer service’s contact information on the Positive credit register's website at www.positivecreditregister.fi.