Instructions for lenders on how to apply for a data permission as of 1 August 2025

These instructions provide guidance for lenders on how to apply for a permission to use the Positive credit register’s data, i.e. request credit register extracts. The instructions also provide other information about data permissions, the purposes of use of the data, and the operators that can be granted data permissions.

A lender that is obliged to report loan contract data to the Positive credit register (in accordance with the Act on the Positive Credit Register 739/2022) must sign up as a data notifier. The lender will need certificates both for reporting data and for requesting credit register extracts. Information about signing up, retrieving and using certificates, sharing data from the Positive credit register and requesting credit register extracts can be found in separate instruction documents:

• Reporting data to the Positive credit register as of 1 December 2025
• Signing up to the Positive credit register as a data notifier as of 1 August 2025
• Instructions on certificates
• Sharing information from the Positive credit register as of 1 April 2026
• Charges collected for the use of the register

Contact information for the Positive credit register's customer service is available on the register's website at www.positivecreditregister.fi.

1 Terminology used in the instructions

Consumer credit refers to a consumer credit or comparable loan to which the provisions of chapter 7 or 7 a of the Consumer Protection Act (38/1978) are applied.

Other than consumer credit refers to a loan, deferred payment or other financial arrangement on which interest or other expenses are collected by agreement and which is granted to a natural person but is not a consumer credit as referred to above.

Borrower or debtor means a natural person to whom a consumer credit or a non-consumer credit has been granted. A natural person is always human. A private business operator (business name entrepreneur) is a natural person. Instead, legal persons, such as limited liability companies and general partnerships, are not natural persons.

Lender refers to a business operator that, by agreement, grants or promises to grant a credit to a borrower as a loan, a deferred payment or another financial arrangement on which interest or expenses are collected by agreement. Lenders also include businesses that broker a consumer credit granted by a third party to a borrower (peer-to-peer loan brokers). Lenders that are entitled to use data shared from the Positive credit register are defined in section 21 of the Act on the Positive Credit Register (739/2022).

Credit register extract refers to a credit information report under the Act on the Positive Credit Register.

Data permission application refers to an application for a permission to access the Positive credit register’s data. The form for applying for a data permission (chapter 4) and the form for applying for changes to the data permission (chapter 5), referred to in these instructions, are data permission applications.

2 Data permission to the Positive credit register

The data recorded in the Positive credit register is confidential, with the exception of the name, Finnish Business ID or foreign business ID of a business operator that is required to submit reports (section 3 of the Act on the Positive Credit Register). A data permission is needed to use the register’s data. Lenders can apply for a data permission from the Tax Administration’s Incomes Register Unit. When the lender has a valid data permission, it can request credit register extracts from the register for the purposes specified in the data permission decision.

The Incomes Register Unit can share data with lenders for purposes specified in the Act on the Positive Credit Register. Data is disclosed on credit register extracts. A precondition for the disclosure is that the lender has a valid data permission (sections 21, 22 and 27 a of the Act on the Positive Credit Register).

Requests for credit register extracts are subject to a charge payable by the lender.

2.1 To whom can a data permission be granted?

The Incomes Register Unit can grant a data permission to a lender that has the right of access to data under section 21 of the Act on the Positive Credit Register. Access to data can thus be granted to business operators under section 16 that grant loans to consumers or to natural persons other than consumers (items 1 to 4 below), and to other business operators that are obliged by the Consumer Protection Act to assess the consumer’s creditworthiness and verify that the information on the consumer is up to date (item 5 below).

The register's data can be used by

1. the following parties with the reporting obligation that are under the supervision of the Financial Supervisory Authority in accordance with the Act on the Financial Supervisory Authority (878/2008):

a. supervised entities, institutions and private entrepreneurs (section 4, subsection 1)
b. Finnish branches of foreign EEA-supervised entities (section 4, subsection 5)
c. foreign supervised entities that provide services in Finland but do not have a Finnish branch (section 4, subsection 5)

2. lenders and loan brokers entered in a register according to the Act on the Registration of Certain Credit Providers and Credit Intermediaries (186/2023)

3. other businesses established in Finland or another EEA country professionally granting loans to natural persons other than consumers to gain income or other financial benefit, except if they grant loans in Finland only occasionally or only to offer financing for the purchase of goods or services they sell

4. specialised financing companies under the Act on the State-Owned Specialised Financing Company (443/1998)

5. other lenders that are obliged, under the Consumer Protection Act, to assess the consumer’s creditworthiness or verify that the information on the consumer is up to date.

2.2 For what purposes can a data permission be granted?

In the data permission application, the lender must specify the purposes for which it intends to use the data received from the Positive credit register. Data can be disclosed only for the following purposes (section 21 of the Act on the Positive Credit Register):

1. To assess the consumer’s creditworthiness in situations where the lender is obliged by the Consumer Protection Act to test the consumer's creditworthiness before a loan contract is concluded.

Under chapter 7 or 7 a of the Consumer Protection Act, the lender must assess the consumer's creditworthiness before the conclusion of a loan contract.

2. To assess the consumer’s creditworthiness if the loan principal or credit limit is increased signficantly or, if the increase is not significant, to verify that the information on the consumer is up to date.

Under chapter 7 or 7 a of the Consumer Protection Act, the consumer’s creditworthiness must be reassessed if the loan principal or credit limit is increased signficantly. The accuracy to the consumer’s information must be verified if the loan principal or credit limit is raised significantly.

3. To assess the consumer’s creditworthiness in situations where the consumer requests a change to the terms of the loan other than raising the loan principal or credit limit and the change requires that the consumer’s creditworthiness should be assessed.

The change to the terms must be such that the debtor's creditworthiness must be assessed. Another condition is that the debtor themself applies for a change to the terms of the loan. The lender is thus not allowed to use the Positive credit register’s data on its own initiative: the debtor must have informed the lender that it will seek changes to the loan contract.

4. To provide or approve a guarantee or third-party security if the guarantee or security is provided as collateral for a loan that has been granted to a consumer and reported to the Positive credit register.

The lender is allowed to use the credit register extract information on the guarantor and the third-party security provider (pledger) when assessing the acceptability of the proposed collateral and the financial position of the collateral provider. This purpose of use does not entitle the lender to use the credit register extract information if a guarantee or third-party security is provided as collateral for a loan granted to a borrower other than a consumer, such as a limited liability company.

5. To assess the debtor’s creditworthiness before the conclusion of a loan contract if the loan is granted to a person other than a consumer.

The lender can assess the debtor's creditworthiness before a loan contract is concluded.

6. To assess the debtor’s creditworthiness in order to increase the loan principal or credit limit if the loan is granted to a natural person other than a consumer.

The lender can reassess the debtor’s creditworthiness if so required by the increase of the loan principal or credit limit.

7. Assessing the debtor’s creditworthiness when the debtor requests a change to the terms of a loan granted to a natural person other than a consumer and the change is other than increasing the loan principal or credit limit.

The change to the terms must be such that it requires that the debtor's creditworthiness should be assessed. Another condition is that the debtor themself applies for a change to the terms of the loan. The lender is thus not allowed to use the Positive credit register’s data on its own initiative: the debtor must have informed the lender that it will seek changes to the loan contract.

8. To provide or approve a guarantee or third-party security if the guarantee or security is provided as collateral for a loan that has been granted to a natural person other than a consumer and reported to the Positive credit register.

The lender is allowed to use the credit register extract information on the guarantor and the third-party security provider (pledger) when assessing the acceptability of the proposed collateral and the financial position of the collateral provider. This purpose of use does not entitle the lender to use the credit register extract information if a guarantee or third-party security is provided as collateral for a loan granted to a consumer or a natural person other than a consumer, such as a limited liability company.

2.3 What kind of data access rights can be granted to lenders?

The extent of the lenders’ right of access to data depends on the grounds on which they are required to submit reports. Data permissions can be granted for different purposes in accordance with the limitations listed below.

Lenders that are required to submit reports to the Positive credit register under section 16, subsections 1 and 2 of the Act on the Positive Credit Register have more extensive rights of access to data than other lenders.

Organisations with the reporting obligation that grant loans only to consumers

Obliged business operators under section 16, subsection 1 that grant only consumer credits have the right of access to data in the following situations:

• To assess the consumer’s creditworthiness in situations where the lender is obliged by the Consumer Protection Act to test the consumer's creditworthiness before a loan contract is concluded.
• To assess the consumer’s creditworthiness in situations where the loan principal or credit limit is increased significantly or the lender has the obligation under the Consumer Protection Act to verify that the information on the consumer is up to date when the consumer and the lender agree on increasing the loan principal or credit limit after the loan contract has been concluded.
• To assess the consumer’s creditworthiness in situations where the consumer seeks a change to the terms of the loan other than raising the loan principal or credit limit and the change requires that the consumer’s creditworthiness should be assessed.
• To assess the financial position of a guarantor or third-party security provider and the acceptability of the collateral in situations where the guarantee or security is provided as collateral for a loan that has been granted to a consumer and reported to the Positive credit register.

Organisations that are required to submit reports and that grant loans both to consumers and to natural persons other than consumers

Business operators under section 16, subsection 2, paragraph 1 that grant loans both to consumers and to natural persons other than consumers have the right of access to data in the following situations:

• To assess the consumer’s creditworthiness in situations where the lender is obliged by the Consumer Protection Act to test the consumer's creditworthiness before a loan contract is concluded.
• To assess the consumer’s creditworthiness in situations where the loan principal or credit limit is increased significantly or the lender has the obligation under the Consumer Protection Act to verify that the information on the consumer is up to date when the consumer and the lender agree on increasing the loan principal or credit limit after the loan contract has been concluded.
• To assess the consumer’s creditworthiness in situations where the consumer seeks a change to the terms of the loan other than raising the loan principal or credit limit and the change requires that the consumer’s creditworthiness should be assessed.
• To assess the financial position of a guarantor or third-party security provider and the acceptability of the collateral in situations where the guarantee or security is provided as collateral for a loan that has been granted to a consumer and reported to the Positive credit register.
• To assess the debtor’s creditworthiness before the conclusion of a loan contract if the loan is granted to a person other than a consumer.
• To assess the debtor’s creditworthiness in order to increase the loan principal or credit limit if the loan is granted to a natural person other than a consumer.
• To assess the debtor’s creditworthiness when the debtor requests a change to the terms of a loan granted to a natural person other than a consumer and the change is other than increasing the loan principal or credit limit and making the change requires assessment of the debtor's creditworthiness.
• To assess the financial position of a guarantor or third-party security provider and the acceptability of the collateral in situations where the guarantee or security is provided as collateral for a loan that has been granted to a natural person other than a consumer and reported to the Positive credit register.

Organisations that are required to submit reports and that grant loans only to natural persons other than consumers

Business operators under section 16, subsection 2, paragraph 1 or 2 have the right of access to data in the following situations if they grant loans to natural persons other than consumers:

• To assess the debtor’s creditworthiness before the conclusion of a loan contract if the loan is granted to a natural person other than a consumer.
• To assess the debtor’s creditworthiness in order to increase the loan principal or credit limit if the loan is granted to a natural person other than a consumer.
• To assess the debtor’s creditworthiness when the debtor requests a change to the terms of a loan granted to a natural person other than a consumer and the change is other than increasing the loan principal or credit limit and making the change requires assessment of the debtor's creditworthiness.
• To assess the financial position of a guarantor or third-party security provider and the acceptability of the collateral in situations where the guarantee or security is provided as collateral for a loan that has been granted to a natural person other than a consumer and reported to the Positive credit register.

Other lenders than business operators with the reporting obligation under section 16, subsections 1 and 2 have the right of access to data only in the following situations:

Organisations that grant loans to consumers but are not required to submit reports

• To assess the consumer’s creditworthiness in situations where the lender is obliged by the Consumer Protection Act to test the consumer's creditworthiness before a loan contract is concluded.
• To assess the consumer’s creditworthiness in situations where the loan principal or credit limit is increased significantly or the lender has the obligation under the Consumer Protection Act to verify that the information on the consumer is up to date when the consumer and the lender agree on increasing the loan principal or credit limit after the loan contract has been concluded.

2.4 Using the data received from the Positive credit register

The lender may use data received from the Positive credit register only for the purposes for which the register disclosed the data. If the purposes of use for which data is needed change, the lender must request changes to its data permission.

The Act on the Positive Credit Register also has provisions on the secondary purposes of use of the data disclosed from the register. If the lender intends to use data for secondary purposes, this must be stated in the data permission application and the secondary purposes of use must be specified.

The lender can use the data received from the register for the purposes described in chapter 2.2 of these instructions only for the following secondary purposes provided in law:

Sharing data with the State Treasury

The lender may share data it has received from the Positive credit register with the State Treasury when applying for compensation under the Act on State Guarantees for Owner-Occupied Housing Loans (204/1996) (section 21, subsection 3 of the Act on the Positive Credit Register).

Sharing data with the guarantor and the third-party security provider

The lender may share data received from the Positive credit register with the guarantor and the pledger in the case that they are carrying out their duty to inform under sections 12 and 14 of the Act on Guaranties and Third-Party Pledges (361/1999) or if the person concerned has given consent that their data may be shared with the guarantor or the pledger.

Before the guarantee is provided, the lender must inform the guarantor of such issues relating to the principal debt covered by the guarantee that have a material impact on the guarantor's position. The guarantor must also be informed of the debtor's obligations and other circumstances relating to the debtor's ability to pay that can be deemed to be of interest to the guarantor. (Section 12 of the Act on Guaranties and Third-Party Pledges.)

During the period of validity of the guarantee, the guarantor has the right to ask the lender for information on the debtor's obligations and other circumstances relating to the debtor’s ability to pay that can be deemed to be of interest to the guarantor. On the guarantor’s request, the lender can thus share data received from the Positive credit register. However, the duty to inform under the Act on Guaranties applies only to circumstances that the lender knows of and that can be provided for the guarantor without separate measures. (Section 14 of the Act on Guaranties and Third-Party Pledges.)

The lender may share with the guarantor only data it has received from the register during a credit relationship for purposes of lending or changing the loan contract. The lender does not have the right to acquire data from the Positive credit register on the guarantor’s request.

The lender’s duty to inform also concerns providers of third-party security, so the lender also has similar obligations towards security providers (section 41 of the Act on Guaranties and Third-Party Pledges).

Meeting the obligations related to credit risk management

The lender may use the information received from the Positive credit register to meet its obligations regarding credit risk management. The obligations are laid down elsewhere in law. However, the right to use data concerns only lenders that are subject to credit risk management obligations laid down elsewhere in law.

3 Process of applying for a data permission

The lender must apply for a data permission in good time before starting to request data from the Positive credit register. Data permissions also entitling to receive credit register extracts regarding loans granted to natural persons other than consumers can be requested as of 1 August 2026.

A lender applying for a data permission for the first time must fill in a data permission application. See how to fill in the application in chapter 4 of these instructions.

A lender requesting changes to its current data permission must fill in the application for changing the data permission. The application for changing the data permission is used, for example, when the purposes for which the lender uses the credit register extract change. See how to fill in the application for changing the data permission in chapter 5 of these instructions.

A lender wishing to give up one or more of the purposes of use stated in its data permission must fill in the contact form for data permission matters. The contact form can also be used for other purposes. See chapter 6 of these instructions for other ways of using the contact form and for instructions on how to fill in the form.

Carefully completed data permission applications and applications for changing the data permission are quicker to process. If additional information is needed from the lender for a data permission application or application for changing the data permission or if required attachments are missing from the application, the processing of the application in the Incomes Register Unit may be delayed.

The lender must state in the application when they are planning to start requesting data. Lenders can request data when they start conducting business activities that require the use of the Positive credit register's data. In order to request data, the lender must have a valid data permission.

A data permission granted by the Incomes Register Unit enters into force on the day specified by the lender at the earliest. The data permission is valid until further notice.

A lender wishing to cancel a data permission application that has been submitted but not yet processed must fill in the contact form. See how to fill in the contact form in chapter 6 of these instructions.

3.1 Channels of applying for a data permission

Data permissions are requested from the Incomes Register Unit primarily in the Positive credit register’s e-service. The e-service can be used if the following conditions are met:

• the lender has a Finnish Business ID
• the person acting in the lender’s name can identify themself in the Suomi.fi service using strong identification. In Suomi.fi, users identify themselves with their Finnish e-bank codes, mobile certificates or certificate cards.

If a lender is not able to use the e-service, it can apply for a data permission on a paper form. You can request a paper form by filling in the contact form for lenders on our website from 1 August 2025 onwards. You can also request a paper form from the Positive credit register’s customer service from 1 August 2025 onwards. The customer service’s contact information is available on the Positive credit register's website. The paper form will be sent by post or by email to the address provided by the lender.

You can return the completed form, with attachments, to the Incomes Register Unit by post to the address:

POSITIVE CREDIT REGISTER
P.O. BOX 2
FI-00055 Incomes Register

See chapters 4, 5 and 6 of these instructions on how to fill in the forms related to applying for a data permission. Chapter 3.3 provides information about the attachments that must be enclosed with the paper form.

3.2 Who can submit a data permission application?

Individuals who are recorded to have any of the official roles listed below in the Trade Register or the Business Information System (BIS) can act in the lender’s name in the e-service:

• managing director
• managing director’s substitute
• chairperson of the board
• general partner (limited partnership)
• partner (general partnership)
• business operator
• holder of procuration who is authorised to sign alone
• individual who is authorised to sign alone (authorised individual).

In addition to individuals with the official roles listed above, an individual or a company that has been granted the ‘Registering as a credit information reporter and user’ authorisation on Suomi.fi can submit a data permission application in the e-service. Lenders can grant and change authorisations as needed in the Suomi.fi e-authorisation service.

The Suomi.fi e-authorisation ‘Registering as a credit information reporter and user’ always applies both to applying for a data permission and to signing up as a data notifier. If the lender wants to authorise different persons for submitting a data permission application and for signing up as a data notifier, a paper form must be used.

Read more about granting authorisations (Suomi.fi)

An individual acting in the lender’s name identifies themself in the Positive credit register’s e-service with their personal e-bank codes, mobile certificate or certificate card. Only individuals with a Finnish personal ID can identify themselves in the e-service.

The data permission application can be submitted on a paper form by an individual who is authorised to sign for the lender or has the required authorisation (see section 3.3 of these instructions).

3.3 Attachments to the paper form

The data permission application can also be submitted on a paper form by an individual or a company authorised by the lender. In that case, an authorisation must be enclosed with the application. The authorisation must state at least the authorising party’s information (lender’s name and foreign business ID), the authorised party's information (name and personal ID or foreign identifier), and what the authorisation concerns. The authorisation must be signed by someone who is authorised to sign for the lender.

If the lender submits the data permission application on paper, various attachments must be enclosed with the form to verify the company and the right to represent the company. The documents must be original and certified in accordance with the legislation of the lender's home country. The attachments are sent to the Incomes Register Unit by post.

Documents may be provided in Finnish, Swedish or English.

Documents needed if the company is registered in Finland

• Documents proving the right of representation (unless indicated in authorities’ registers)

In the case of Finnish organisations, the Incomes Register Unit checks in authorities’ registers, such as the Trade Register, who has the right to represent the organisation. If the right of representation is not indicated in Finnish authorities’ registers, documents proving the right of representation, such as the rules of the organisation, must be enclosed with the application.

• An authorisation, if needed

If the data permission application is submitted by an individual or a company authorised by the lender, then an authorisation must be enclosed with the request. The authorisation must state at least the authorising party’s information (lender’s name and Business ID), the authorised party's information (name and personal ID or foreign identifier), and what the authorisation concerns. The authorisation must be signed by someone who is authorised to sign for the lender.

 

Documents needed if the company is not registered in Finland

• An officially certified extract from a foreign business information register.

The register documents of organisations not registered in Nordic countries must also be validated (e.g. Apostille).

• Documentation indicating rights of representation, if necessary

If the organisation's rights of representation are not shown in the foreign register extract, the organisation must provide sufficient, certified documentation to show the rights of representation.

• An authorisation, if needed

The data permission application can also be submitted on a paper form by an individual or a company authorised by the lender. In that case, an authorisation must be enclosed. The authorisation must state at least the authorising party’s information (lender’s name and foreign business ID), the authorised party's information (name and personal ID or foreign identifier), and what the authorisation concerns. The authorisation must be signed by someone who is authorised to sign for the lender.

3.4 Processing of the data permission application in the Incomes Register Unit

In the data permission application, the lender provides an account of their activities, the use and processing of the data requested from the register, and the legal grounds for accessing the data. The data permission application includes a data protection report.

A condition for the grant of a data permission is that

• the applicant is a lender entitled to receive data in accordance with section 21 of the Act on the Positive Credit Register and that the lender uses the data received from the register for a purpose laid down in the same section
• the lender sees to it that confidential data and personal data disclosed from the Positive credit register is processed securely and according to law, and that the data is protected and its use is controlled. The data shared from the register is personal data, so the lender must have a legal basis under the EU General Data Protection Regulation to process the data.

The Incomes Register Unit processes the application and may ask the lender for additional information. The request for additional information is emailed to the contact person for data permission application specified by the lender, and a response must be submitted within a certain time limit. The lender may request an extension to the time limit, if needed. The lender can speed up the processing of the data permission application by making sure it provides all the data required in the processing of the application. The processing may take longer if additional information must be requested or if required attachments are missing.

When the application has been processed and any additional information considered, the lender receives a decision from the Incomes Register Unit. The decision is sent to the email address or postal address specified in the application. The e-service will also show whether the application has been accepted or rejected.

In case of a decision of acceptance, the lender will be granted a certificate. The lender needs the certificate for purposes of identification when accessing the credit register extract API. Separate instructions are available on how to retrieve and use the certificate. You can find a link to the instructions at the beginning of this document.

The data permission decision is an administrative decision, and it can be appealed in accordance with the Administrative Judicial Procedure Act (808/2019). Instructions for appeal are enclosed with the data permission decision.

4 How to fill in the data permission application

In the data permission application, the lender must provide information about the company and its activities, the purpose of use of the data disclosed from the Positive credit register, and the legal grounds for accessing the data. The form also includes a data protection report with questions about the lender’s data protection and control of data usage. The form refers to lenders as organisations, and the word organisation is therefore also used in this chapter.

The e-form cannot be saved as unfinished, so you cannot continue to fill it in later. The e-form times out after 4 hours, so if the form is open in the browser for longer than that without being submitted, the session will close and the information filled in will disappear.

Below you can find step-by-step instructions on how to fill in the data permission application.

4.1 Using data

1.1 Submit an account of the organisation and its business activities. In what activities does the organisation use the Positive credit register’s data?

Describe your organisation’s activities where the register’s data is used.

1.2 Which authority supervises the organisation's activities where the Positive credit register’s data is used?

• Financial Supervisory Authority
• Regional State Administrative Agency for Southern Finland
• Other
• Not supervised by authorities

Select the authority that supervises your organisation's activities relating to credit and financial services. This refers to activities involving the use of the register’s data. Please note that the supervision of lenders and peer-to-peer loan brokers entered in the register of lenders and peer-to-peer loan brokers was transferred to the Financial Supervisory Authority on 1 July 2023.

Select ‘Other’ if your organisation’s activities relating to credit and financial services are supervised by an authority other than the Financial Supervisory Authority or the Regional State Administrative Agency for Southern Finland. In the free-text field, specify the authority that supervises the activities and the legal provision on the basis of which the activities are supervised.

If the organisation’s credit and financial services are not supervised by any authority, select ‘Not supervised by authorities’.

If you select ‘Financial Supervisory Authority’, also answer the following question:

Is your organisation any of the following operators referred to in the Act on the Financial Supervisory Authority (878/2008)?

• Authorised supervised entity (section 4, subsection 2), excluding credit servicers under section 4, subsection 2, paragraph 7
• Credit servicer (section 4, subsection 2, paragraph 7)
• Supervised entity comparable to authorised supervised entities (section 4, subsection 3)
• Other supervised entity (section 4, subsection 4)
• Finnish branch of a foreign EEA-supervised entity (section 4, subsection 4)
• Foreign supervised entity providing services in Finland without a branch (section 4, subsection 5)
• Lender or loan broker entered in a register according to the Act on the Registration of Certain Credit Providers and Credit Intermediaries (section 5, paragraph 40)

 

1.3 Give an account of the purposes of use for which the organisation will use the Positive credit register’s data.

State each purpose of use separately. After each purpose of use, also state the legal basis under the EU General Data Protection Regulation for the organisation's right to process personal data received from the register. If the processing is based on a legal obligation, also state the legal provision from which the obligation arises.

For each purpose of use, select whether it applies to consumer credits, loans granted to natural persons other than consumers, or both.

Enter a purpose of use of the Positive credit register’s data in the free-text field and specify how the organisation uses the data. Enter each purpose of use separately. A data permission can be granted only for purposes laid down in section 21 of the Act on the Positive Credit Register and entered here (see section 2.2 of the instructions).

You can enter up to eight purposes of use.

1.4 Will the organisation use data received from the register for the following secondary purposes (section 21, subsections 3 and 4 of the Act on the Positive Credit Register)?

• Disclosing data to the State Treasury
• Sharing data with a guarantor or third-party security provider
• Meeting the obligations relating to credit risk management
• None of the above

You can select more than one if necessary. Specify the grounds for the organisation's right to disclose or use data in the free-text field.

1.5 Does the organisation use an outsider to process data received from the Positive credit register?

The options available are ‘yes’ and ‘no’. Processor here is a processor according to the EU General Data Protection Regulation. The lender is also responsible for the actions of the processors acting on its behalf.

If you select ‘yes’, also fill in the following fields:

• State the Business ID or foreign business ID of the company acting as a processor. If the company is a foreign company, state the name of the country or a country code according to ISO 3166, as well as the business ID.
• Submit the name of the company acting as a processor.
• Has the organisation concluded a contract or other legal act referred to in Article 28 of the EU General Data Protection Regulation with the company processing data? The options available are ‘yes’ and ‘no’.
• What kind of arrangement has been made with the processor? Specify the arrangement between the organisation and the processor in the free-text field.
• Answer the question asking whether the data processors’ role is associated with the Positive credit register’s APIs. The options available are ‘yes’ and ‘no’.
  • If you select ‘yes’, also answer the following questions:
    • Describe the process, from the use of APIs to the delivery of data to lenders.
    • Describe how the arrangement ensures that no confidential data received from the Positive credit register is disclosed, at any point, to such persons or operators that do not have a legal right of access to the data.

Fill in the details on each processor separately. Add a new processor by clicking ‘Add company acting as processor’, indicated with the plus sign.

You can enter details of no more than 10 processors on the form. If the organisation has more than 10 processors, you can enter additional processors’ details in the Additional information field on the summary page of the form.

 

1.6 When will the organisation start using data?

The start date is the day on which the organisation is planning to start conducting such activities that require the use of data received from the Positive credit register.

4.2 Data protection and information security

The data protection report consists of questions and statements regarding the protection and control of data disclosed from the Positive credit register. Fill in the report by selecting either ‘yes’ or ‘no’. Give additional information in free form if so asked.

The questions and statements of the data protection report are provided below.

2.1 The organisation provides instructions and training on the appropriate processing of confidential information and personal data received from the Positive credit register.

2.2 Credit register extract information received from the register is confidential. Every person in the organisation who has access to credit register extract information processes the information only for the purposes defined in section 21 of the Act on the Positive Credit Register and is familiar with the obligations of secrecy and confidentiality regarding the information.

• In the free-text field, describe how the organisation’s processes have been built to support this.

2.3 The organisation makes sure that the persons processing data received from the register are familiar with the up-to-date regulations regarding the data, and with the data permission and its attachments issued by the Incomes Register Unit.

2.4 Whenever a credit register extract is requested, the organisation’s information system ensures that the person requesting data is handling a matter that requires the requesting of a credit register extract from the Positive credit register and that they are entitled by law to request the extract.

• If you answer ‘yes’, state in the free-text field how the organisation’s processes have been built to support this.
• If you answer ‘no’, state in the free-text field how the organisation makes sure that data is not requested from the register without a legal basis and for purposes other than those laid down in law.

2.5 Access to credit register extract information is limited to those persons in the organisation who have the right to process the confidential information in question. Access rights depend on what information the person needs to carry out their duties, and the rights are kept up to date.

2.6 Outsiders are prevented from accessing spaces (e.g. workstations) where data received from the Positive credit register is processed. Outsiders are also prevented from accessing the register’s data. The spaces are locked, and they are under surveillance when employees are not present.

2.7 The organisation has secure access control (e.g. passwords, access rights) for systems where data received from the Positive credit register is processed or can be viewed. Access management tools are handled in a secure manner.

2.8 The organisation has a procedure for ensuring that data media that are disposed of or sent for repairs do not contain the Positive credit register’s data or other personal data.

2.9 The organisation keeps a log to monitor the use of data.

2.10 The organisation keeps a log to ease troubleshooting in case of technical problems.

2.11 A log is a record of who has requested data from the Positive credit register, when the request was made, and whose data was requested.

2.12 The organisation has procedures for controlling the use of the data received from the Positive credit register and for investigating any misuse.

• If you answer ‘yes’, describe the procedures in the free-text field.
• If you answer ‘no’, describe in the free-text field how the organisation intends to control the use of the data disclosed from the Positive credit register.

2.13 Servers and databases used by the organisation where data received from the Positive credit register is processed are located outside or partly outside the EU and EEA.

• If you answer ‘yes’, specify in the free-text field the non-EU/EEA country in which the servers and databases are located and explain how the organisation ensures that data is transferred in compliance with law.
  
  • You can describe the compliance with law for example in the following way: State whether the transferred personal data is guaranteed the same level of protection as in the EU/EEA. State the transfer basis under the EU General Data Protection Regulation and describe any additional protective measures and how the organisation sees to it that effective legal remedies are available to data subjects.

2.14 The organisation uses the cloud service when processing the Positive credit register’s data, in part or in full.

• If you answer ‘yes’, specify the cloud service providers in the free-text field and answer the following question.
• Is it possible to access the Positive credit register’s data from outside the EU/EEA? This may be the case, for example, if data is transferred in connection with the processing of support requests or if data can be viewed remotely.
  
  • If you answer ‘yes’, specify in the free-text field the non-EU/EEA countries from which the data can be accessed and explain how the organisation ensures that data is transferred in compliance with law.
    
    • State whether the transferred personal data is guaranteed the same level of protection as in the EU/EEA. State the transfer basis under the EU General Data Protection Regulation and also describe any additional protective measures and how the organisation sees to it that effective legal remedies are available to data subjects.

2.15 The Positive credit register’s data is processed or can be accessed outside the EU/EEA. For example, is data transferred in connection with the processing of support requests, or can data be viewed remotely?

• If you answer ‘yes’, specify in the free-text field the non-EU/EEA countries in which the register’s data is processed and explain how the organisation ensures that data is transferred in compliance with law.
  
  • State whether the transferred personal data is guaranteed the same level of protection as in the EU/EEA. State the transfer basis under the EU General Data Protection Regulation and also describe any additional protective measures and how the organisation sees to it that effective legal remedies are available to data subjects.

2.16 Data received from the Positive credit register is processed outside the organisation (for example, processing has been partly or fully outsourced).

• If you answer ‘yes’, specify in the free-text field the parties that the register’s data is shared with and for what purposes. Also state if a contract or other legal act in accordance with Article 28 of the EU General Data Protection Regulation has been concluded on the processing.

2.17 The organisation shares credit register extract data received from the register with a third party.

Third parties are external controllers that use the data for their own purposes rather than on behalf of the organisation. Third parties may also be other group companies. Further, third parties refer to those parties previously mentioned in the application with which data can be shared by virtue of section 21, subsections 3 and 4 of the Act on the Positive Credit Register. Third parties are here not processors that act on behalf of the organisation for purposes specified by the organisation (such as system suppliers or subcontractors).

• If you answer ‘yes’, specify in the free-text field the parties that the register’s data is shared with and for what purposes.

2.18 Communications containing the Positive credit register’s data is encrypted.

2.19 The organisation has processes to manage vulnerabilities, and workstations and communications devices are updated automatically.

2.20 The organisation has a person responsible for information security.

• If you answer ‘yes’, fill in the contact information of the contact person for information security.

2.21 The organisation has a person responsible for data protection, or a data protection officer.

4.3 Invoicing information

Credit register extracts issued by the Positive credit register are subject to a fee. The Incomes Register Unit sends the lender a monthly invoice on the credit register extracts the lender has requested.

The data permission application asks the organisation for their invoice address, invoice language, and contact person for invoicing. As a rule, invoices are sent as e-invoices. If e-invoicing is not possible or if it is temporarily unavailable, the invoice will be sent to the organisation’s invoice address by letter post. In the application, you can provide a reference used by the organisation.

The invoicing information is saved in the e-service and can be edited on the Invoicing and contact information page.

Invoice address

• Recipient
• Street address or P.O. Box
• Postcode
• Post office
• Country

E-invoicing

• E-invoice address
• Service provider code

E-invoicing is the primary invoicing method, and therefore the default is ‘Invoices are sent to the organisation's e-invoice address’. You can deselect the option if your organisation does not use e-invoicing. If you deselect, invoices will be sent by letter post to the invoicing address given above. Invoices cannot be sent by email.

Invoicing practices

• Invoice language: the alternatives available are Finnish, Swedish and English
• Organisation’s reference (e.g. cost centre reference)

Enter a reference if the organisation wants it to be indicated on their invoices for purposes of posting, for example. You can enter the reference even if the organisation has not activated e-invoicing. The reference may not have more than 35 characters.

Contact person for invoicing

The contact person for invoicing provides further information on matters related to invoicing. They will be contacted in case of invoicing problems.

• Name
• Phone number (in international format, e.g. +358...)
• Email address

4.4 Contact person information

The contact information to be provided in the data permission application includes

• details of the contact person for data permission application
• details of the contact person for content
• details of the technical contact person
• the details of the technical contact person for certificates
• details of the contact person for invoicing.

The details of all other contact persons except the technical contact person for certificates and the contact person for invoicing can include a second email address, such as a distribution list or a shared mailbox, as well as a personal email address. All messages sent to such contact persons will also be sent to the second address.

The data protection report also includes contact information for the person responsible for information security and for the person responsible for data protection or for the data protection officer, if the organisation has such roles.

You can enter the details of the same person in multiple fields, if needed.

Contact person for data permission application

The contact person for data permission application gives additional information regarding the application, if needed. Requests for any additional information needed for the processing of the data permission application will be sent to the contact person by email.

The contact information will not be used after the data permission application has been processed. The actual decision on the data permission will be sent to the notification address provided at the end of the form.

Contact person for content

The contact person gives additional information on the content of the requests for credit register extracts submitted by the organisation and replies to requests for additional information regarding the use of the data.

Contact person for technical matters

The contact person answers questions about the technical operation and information security of the requests for data and provides additional information regarding technical matters and problems.

Technical contact person for certificates

The Incomes Register Unit grants a certificate for the use of APIs to each organisation using the register’s data. The technical contact person for certificates receives the information and instructions for retrieving the certificate. Their telephone number must be a number to which text messages can be sent: the number is needed to receive a secure email message regarding the retrieval of the certificate. Once the certificate has been retrieved, the number will not be used any more.

4.5 Notification channel

The person filling in the form selects how the organistion wants to receive a data permission decision:

• by secure email
  • If you select delivery by secure email, you must enter the email address in which the organisation wants to receive the solution. To that email address, we will send a secure message containing a link through which the solution details can be downloaded.
• by letter post
  • If you select delivery by letter post, you must enter the postal address in which the organisation wants to receive the solution.

You cannot select both delivery methods. The decision will not be delivered to the e-service.

You can find more information about the decision and the appeal process in section 3.4 of these instructions.

4.6 Sending the application

Before you submit the application, you will be taken to a summary view, where you can see the information you have entered in the application. Check the information you have entered. If you want to edit the information you have entered on previous pages, click Previous. Clicking Previous will not clear the answers you have already given.

When you have filled in and checked all the information, send the data permission application to the Incomes Register Unit by clicking Submit. The information submitted on the form will be saved in the e-service. If you need the information later, you can view the form in the e-service.

4.7 Application status

When the application has been successfully submitted, its status in the e-service changes to Received. If the status does not change within a few seconds, the application has not been received.

If you want to cancel or edit an application that has not been processed yet, fill in the contact form for data permission matters. See how to fill in the contact form in chapter 6 of these instructions.

When the application is being processed by the Incomes Register Unit, the status shown in the e-service is Processing. Once a data permission has been granted, the status of the application will change to Accepted. The application status changes to Rejected if the Incomes Register Unit rejects the data permission application or decides not to examine the application, or if you cancel the application yourself.

4.8 Updating the contact information

The organisation must check their contact information regularly and update the details as needed.

Organisations can edit the following contact information on the Invoicing and contact information page in the Positive credit register’s e-service:

• contact person for content
• contact person for technical matters
• contact person for invoicing, and other invoicing information.

Other contact information provided in connection with the data permission application can be updated by filling in the contact form for data permission matters. If the organisation is not able to use the e-service, the contact information can be updated by filling in the contact form for lenders, which is available on our website.

5 How to fill in an application for changing the data permission

If you want to request changes to a previously granted data permission, submit an application for changing the data permission. The form refers to lenders as organisations, and the word organisation is therefore also used in this chapter.

The e-form cannot be saved as unfinished, so you cannot continue to fill it in later. The e-form times out after 4 hours, so if the form is open in the browser for longer than that without being submitted, the session will close and the information filled in will disappear.

Changes to a data permission are needed if the grounds for the previously granted data permission have changed. You must request a change in situations such as the following:

• The right of access to data specified in the current data permission needs to be changed for example because the need to assess creditworthiness will expand.
• The grounds for the right of access to data will change. This happens, for example, if the organisation’s activities change substantially.
• The circumstances where data is processed change. For example, the circumstances of data protection have changed.

If the organisation has applied for a data permission before 1 August 2025, a change must be requested if the organisation also grants loans, deferred payments or other financial arrangements to natural persons other than consumers and also wants to use credit register extracts to consider them or changes to their terms and conditions.

The organisation needs a data permission decision issued by the Incomes Register Unit when filling in an application for changing the data permission.

Note: You can submit the following changes by filling in the contact form for data permission matters:

• The organisation wants to correct or supplement a data permission application that has been submitted but not yet processed
• The organisation wants to cancel a data permission application that has been submitted but not yet processed
• The organisation gives up one or more purposes of use of credit register extracts
• The organisation’s lending or right of access to data ends
• The organisation reports a change to the contact person for data permission application or the contact person for certificates.

5.1 Using data

1.1 What kind of change is the organisation requesting to its valid data permission?

State in the free-text field what kind of change the organisation requests to its valid data permission. If there is more than one change, describe each of them separately.

1.2 Why does the organisation request a change to its valid data permission?

State in the free-text field why the organisation requests a change to its valid data permission. Describe the grounds for the requested change as accurately as possible and also state any legal provisions that the request is based on.

1.3 How has the organisation’s need to use of the Positive credit register’s data changed as compared with the circumstances reported when the currently valid data permission was requested?

State in the free-text field how the organisation’s need to use data received from the Positive credit register has changed. If several changes have taken place, describe each one of them separately.

1.4 How have the organisation’s business activities changed as compared with the circumstances reported when the currently valid data permission was requested?

State in the free-text field how the organisation’s business activities have changed. If the business activities have not changed, you can answer by saying that no changes have taken place.

1.5 Which authority supervises the organisation's activities where the Positive credit register’s data is used?

Select the authority that supervises the organisation's activities relating to credit and financial services. Answer the question even if you have provided the information when submitting the first data permission application.

Select ‘Other’ if your organisation’s activities relating to credit and financial services are supervised by an authority other than the Financial Supervisory Authority or the Regional State Administrative Agency for Southern Finland. In this case, specify in the free-text field the authority that supervises the activities and the legal provision on the basis of which the activities are supervised. If the organisation’s credit and financial services are not supervised by any authority, select ‘Not supervised by authorities’.

If you select ‘Financial Supervisory Authority’, also answer the following question:

Is your organisation any of the following operators referred to in the Act on the Financial Supervisory Authority (878/2008)?

• Authorised supervised entity (section 4, subsection 2), excluding credit servicers under section 4, subsection 2, paragraph 7
• Credit servicer (section 4, subsection 2, paragraph 7)
• Supervised entity comparable to authorised supervised entities (section 4, subsection 3)
• Other supervised entity (section 4, subsection 4)
• Finnish branch of a foreign EEA-supervised entity (section 4, subsection 4)
• Foreign supervised entity providing services in Finland without a branch (section 4, subsection 5)
• Lender or loan broker entered in a register according to the Act on the Registration of Certain Credit Providers and Credit Intermediaries (section 5, paragraph 40)

1.6 Give an account of the purposes of use for which the organisation will use the Positive credit register’s data.

State every purpose of use separately. With regard to each new purpose of use, also state the legal basis under the EU General Data Protection Regulation for the organisation's right to process personal data received from the register. If the processing is based on a legal obligation, also state the legal provision from which the obligation arises.

Note: Check your organisation’s current purposes of use in the data permission decision. Report only changes to them here. If the purposes of use do not change, move on to the next question.

If you want to add new purposes of use, select ‘Add new purpose of use’.

For each purpose of use, select whether it applies to consumer credits, loans granted to natural persons other than consumers, or both.

Enter a purpose of use of the Positive credit register’s data in the free-text field and specify how the organisation uses the data. Enter each purpose of use separately. A data permission can be granted only for the purposes of use under section 21 of the Act on the Positive Credit Register specified in the application (see section 2.2 of the instructions).

State the legal basis for each purpose of use in the free-text field. Specify the legal basis in accordance with the EU General Data Protection Regulation on which the processing of data for the purpose in question is based. If the reported legal basis for processing data is to comply with the controller's legal obligation, also specify the legal provision on which the obligation is based.

You can select up to eight new purposes of use.

If you want to give up current purposes of use, select ‘Give up purpose of use’.

For each purpose of use you give up, select whether it relates to consumer credits, loans granted to natural persons other than consumers, or both.

Specify in the free-text field what purpose of use your organisation wants to give up.

1.7 Does the organisation use data received from the register for the following secondary purposes? (section 21, subsections 3 and 4 of the Act on the Positive Credit Register)

Answer the question only if the secondary purposes of use change as compared with the information previously reported to the Incomes Register Unit. If so, enter all secondary purposes of use, including those you have reported previously. State the basis for the organisation’s right to disclose or use data in the free-text field. If the secondary purposes of use do not change, move on to the next question.

1.8 Does the organisation use an outsider to process data received from the Positive credit register?

Answer the question only if the processors or circumstances relating to the processing have changed as compared with the information previously reported to the Incomes Register Unit. If the processors or circumstances relating to the processing have not changed, select ‘No changes’ and move on to the next question.

If you answer ‘yes’, also answer the following questions:

• State the Business ID or foreign business ID of the company acting as a processor. If the company is a foreign company, state the name of the country or a country code according to ISO 3166, as well as the business ID.
• Submit the name of the company acting as a processor.
• State whether the organisation has concluded a contract or other legal act referred to in Article 28 of the EU General Data Protection Regulation with the company processing the data? The options available are ‘yes’ and ‘no’.
• Describe the arrangement between the organisation and the processor in greater detail in the free-text field.
• State whether the role of processors is associated with the use of the Positive credit register’s APIs. The options available are ‘yes’ and ‘no’.
  • If you select ‘yes’, also answer the following questions:
    • Describe the process, from the use of APIs to the delivery of data to lenders.
    • Describe how the arrangement ensures that no confidential data received from the Positive credit register is disclosed, at any point, to such persons or operators that do not have a legal right of access to the data.

Fill in the details on each external processor separately. Add a new processor by clicking ‘Add company acting as processor’, indicated with the plus sign.

You can enter details of no more than 10 processors on the form. If the organisation has more than 10 processors, you can enter additional processors’ details in the Additional information field on the summary page of the form.

1.9 When will the changes enter into force?

State the date when the changes enter into force.

If you report several changes entering into force on different days, specify the dates in the Additional information field at the end of the application. If you do so, enter only the earliest date of change here.

5.2 Data protection and information security

The data protection report consists of questions and statements regarding the protection and control of data disclosed from the Positive credit register. All questions must be answered. Fill in the report by answering either ‘yes’ or ‘no’ to each question. Give additional information in free form if so asked. You do not need to give additional information where no changes have taken place as compared with the currently valid data permission decision.

The questions and statements of the data protection report are provided below.

2.1 The organisation provides instructions and training on the appropriate processing of confidential information and personal data received from the Positive credit register.

2.2 Credit register extract information received from the register is confidential. Every person in the organisation who has access to credit register extract information processes the information only for the purposes defined in section 21 of the Act on the Positive Credit Register and is familiar with the obligations of secrecy and confidentiality regarding the information.

• In the free-text field, describe how the organisation’s processes have been built to support this.

2.3 The organisation makes sure that the persons processing data received from the register are familiar with the up-to-date regulations regarding the data, and with the data permission and its attachments issued by the Incomes Register Unit.

2.4 Whenever a credit register extract is requested, the organisation’s information system ensures that the person requesting data is handling a matter that requires the requesting of a credit register extract from the Positive credit register and that they are entitled by law to request the extract.

• If you answer ‘yes’, state in the free-text field how the organisation’s processes have been built to support this.
• If you answer ‘no’, state in the free-text field how the organisation makes sure that data is not requested from the register without a legal basis and for purposes other than those laid down in law.

2.5 Access to credit register extract information is limited to those persons in the organisation who have the right to process the confidential information in question. Access rights depend on what information the person needs to carry out their duties, and the rights are kept up to date.

2.6 Outsiders are prevented from accessing spaces (e.g. workstations) where data received from the Positive credit register is processed. Outsiders are also prevented from accessing the register’s data. The spaces are locked, and they are under surveillance when employees are not present.

2.7 The organisation has secure access control (e.g. passwords, access rights) for systems where data received from the Positive credit register is processed or can be viewed. Access management tools are handled in a secure manner.

2.8 The organisation has a procedure for ensuring that data media that are disposed of or sent for repairs do not contain the Positive credit register’s data or other personal data.

2.9 The organisation keeps a log to monitor the use of data.

2.10 The organisation keeps a log to ease troubleshooting in case of technical problems.

2.11 A log is a record of who has requested data from the Positive credit register, when the request was made, and whose data was requested.

2.12 The organisation has procedures for controlling the use of the data received from the Positive credit register and for investigating any misuse.

• If you answer ‘yes’, describe the procedures in the free-text field.
• If you answer ‘no’, describe in the free-text field how the organisation controls the use of the data disclosed from the Positive credit register.

2.13 Servers and databases used by the organisation where data received from the Positive credit register is processed are located outside or partly outside the EU and EEA.

• If you answer ‘yes’, specify in the free-text field the non-EU/EEA country in which the servers and databases are located and explain how the organisation ensures that data is transferred in compliance with law.
  
  • State whether the transferred personal data is guaranteed the same level of protection as in the EU/EEA. State the transfer basis under the EU General Data Protection Regulation and also describe any additional protective measures and how the organisation sees to it that effective legal remedies are available to data subjects.

2.14 The organisation uses the cloud service when processing the Positive credit register’s data, in part or in full.

• If you answer ‘yes’, specify the cloud service providers in the free-text field and answer the following question.
  • Is it possible to access the data from outside the EU/EEA? This may be the case, for example, if data is transferred in connection with the processing of support requests or if data can be viewed remotely.
  • If you answer ‘yes’, specify in the free-text field the non-EU/EEA countries from which the data can be accessed and explain how the organisation ensures that data is transferred in compliance with law.
    
    • State whether the transferred personal data is guaranteed the same level of protection as in the EU/EEA. State the transfer basis under the EU General Data Protection Regulation and also describe any additional protective measures and how the organisation sees to it that effective legal remedies are available to data subjects.

2.15 The Positive credit register’s data is processed or can be accessed outside the EU/EEA. For example, is data transferred in connection with the processing of support requests, or can data be viewed remotely?

• If you answer ‘yes’, specify in the free-text field the non-EU/EEA country in which the register’s data is processed and explain how the organisation ensures that data is transferred in compliance with law.
  
  • State whether the transferred personal data is guaranteed the same level of protection as in the EU/EEA. State the transfer basis under the EU General Data Protection Regulation and also describe any additional protective measures and how the organisation sees to it that effective legal remedies are available to data subjects.

2.16 Data received from the Positive credit register is processed outside the organisation (for example, processing has been partly or fully outsourced).

• If you answer ‘yes’, specify in the free-text field the parties that the register’s data is shared with and for what purposes. Also state if a contract or other legal act in accordance with Article 28 of the EU General Data Protection Regulation has been concluded on the processing.

2.17 The organisation shares credit register extract data received from the register with a third party. This means all third parties, including the parties previously mentioned in the application with which data can be shared by virtue of section 21, subsections 3 and 4 of the Act on the Positive Credit Register.

• If you answer ‘yes’, specify in the free-text field the parties that credit register extract data is shared with and for what purposes.

Third party means an external controller who uses the information to their own purposes, not on behalf of the organisation. Third parties may also be other group companies. Third party is not a processor (such as a system supplier or subcontractor) that acts on behalf of the organisation and uses the data for the purposes specified by the organisation.

2.18 Communications containing the Positive credit register’s data is encrypted.

2.19 The organisation has processes to manage vulnerabilities, and workstations and communications devices are updated automatically.

2.20 The organisation has a person responsible for information security.

• If you answer ‘yes’, fill in the contact information of the contact person for information security.

2.21 The organisation has a person responsible for data protection, or a data protection officer.

5.3 Contact information and notification channel

The application for changing the data permission cannot be used to change the invoicing information or contact person information provided in the first data permission application.

In the application for changing the data permission, you must provide information on the contact person for the application for changing the data permission.

Contact person for the application for changing the data permission

The contact person for the application for changing the data permission is responsible for the application details and provides additional information if needed. Any requests for additional information needed for the processing of the application will be sent to the contact person by email.

The contact information will not be used after the application for changing the data permission has been processed.

Notification channel

Select whether the data permission decision will be delivered to the organisation by secure email or by letter post. You can select only one delivery method. The decision will not be delivered to the e-service.

If you select delivery by secure email, enter the email address to which the organisation wants us to send the decision. To that email address, we will send a secure message containing a link through which the decision can be downloaded.

If you select delivery by letter post, enter the postal address to which the organisation wants us to send the decision.

Language of notification

Select the language in which you want to be notified of the solution. The alternatives are Finnish and Swedish.

6 How to fill in the contact form

You can use the contact form for data permission matters in situations such as the following:

• you want to report that the organisation will give up one or more of the purposes of use of the data permission
• you want to report that the organisation’s lending or right of access to data will end
• you want to cancel a data permission application that has not been processed yet
• you want to supplement or correct an answer you have given in a data permission application that has not been processed yet
• you want to report a change to the contact person for data permission application or the contact person for certificates.

Please note that the organisation must submit an application for changing the data permission if the changes concern new purposes of use.

6.1 Change to activities

The first question contains a free-text field where the respondent must describe the change and the reason for the change as accurately as possible. The answer depends on the change you report.

Some examples are presented below.

Additions to a pending application
If you are contacting us about a pending data permission application or change application and the matter has not been resolved yet, you can supplement the application in this field. In such a case, enter the number of the question to which you want to add details.

Cancelling a pending application
If you want to cancel a data permission application you have submitted but that has not been processed yet, you can do it on this form. Clearly specify when the application you wish to cancel was submitted.

Organisation’s lending or right of access to data will end
If you are contacting us because the activities in which the Positive credit register’s data has been used will end, you can cancel the organisation’s valid data permission on this form. You can also briefly describe the reason for ending the activities.

Organisation will give up one or more of the purposes of use of the data permission
Name the purpose of use that the organisation wants to give up. If the organisation gives up several purposes of use, please specify the purposes in your answer.

When the change enters into force
State in the date field when the changes enter into force.

6.2 Contact person for changes

Provide information on the contact person for changes. You must give at least the following information about the contact person for changes:

• name
• phone number in international format
• email address.

In addition to a personal email address, you can also submit a second email address, such as a distribution list or a shared mailbox. All messages sent to the contact person will then also be sent to the second address.

The contact person for changes provides additional information about the change notification, if needed. Any requests for additional information needed for the processing of the change will be sent to them by email. A notification regarding the solution will be sent to the notification address requested at the end of the form. Please note that the details of the contact person for changes are not saved in the organisation’s information but will be used only as long as the change is processed.

6.3 Notification channel

The person filling in the form selects how the organistion wants to receive the decision or other solution:

• by secure email
  • If you select delivery by secure email, you must enter the email address in which the organisation wants to receive the solution. To that email address, we will send a secure message containing a link through which the solution details can be downloaded.
• by letter post
  • If you select delivery by letter post, you must enter the postal address in which the organisation wants to receive the solution.

You cannot select both delivery methods. The solution will not be delivered to the e-service.

Language of notification

Select the language in which you want to be notified of the solution. The alternatives are Finnish and Swedish.

6.4 Status of contact form

When the contact form has been successfully submitted, its status in the e-service changes to Received. If the status does not change within a few seconds, the form has not been received.

When the form has been submitted, you can see it in the e-service. You can download the submitted form by clicking Download the submitted form (html).

When the Incomes Register Unit has procesed the contact form, the status of the form changes to Processed.