Disclosure of data

Disclosure of data

According to the Act on the Positive Credit Register, the data stored in the register is confidential, with the exception of the name, Finnish Business ID or foreign business ID of the lender with the reporting obligation. We disclose data from the Positive credit register to lenders and authorities only for the purposes laid down in the Act on the Positive Credit Register. The register starts disclosing data on 1 April 2024.

Disclosing data to lenders

The Act on the Positive Credit Register provides for the disclosure of data to lenders and other businesses with the right of access to data. We disclose data only for the purposes laid down in the Act on the Positive Credit Register. We disclose data in the form of credit register extracts.

Businesses with the right of access to data

Businesses with the right of access to data include:

  • businesses under the supervision of the Financial Supervisory Authority that have been entered into the register of lenders and loan brokers and have the duty to report loan data to the register (read more about these businesses)
  • other lenders that have the obligation to test the consumer’s creditworthiness or check the accuracy of consumer-related data under the Consumer Protection Act.

To request a credit register extract, the business must have a data permission granted by the Incomes Register Unit.

Credit register extract’s purposes of use

The Act on the Positive Credit Register provides exhaustively for the purposes of use for which data may be disclosed from the register. The purposes of use are the following:

1) Testing the consumer’s creditworthiness

The lender can request a credit register extract when the Consumer Protection Act obliges them to test the consumer’s creditworthiness. The lender is obliged to test the consumer's creditworthiness before a loan contract is concluded, and after the conclusion of a loan contract if the loan principal or credit limit is significantly increased.

2) Checking the accuracy of the consumer’s data

The lender can request a credit register extract when the Consumer Protection Act obliges them to check the accuracy of the consumer’s data. The lender is obliged to check the accuracy of the data on the consumer when the consumer and the lender agree on increasing the loan principal or credit limit after the loan contract has been concluded.

3) Testing the consumer’s creditworthiness when the loan contract is being amended

Businesses that have a duty to submit reports to the register can request a credit register extract when the debtor requests a change other than an increase of the loan principal or credit limit to the terms of the loan. In order that a credit register extract could be requested, the change must require an assessment of creditworthiness.

Reassignees are not entitled to request credit register extracts for this purpose, even though they are obliged to report loan data to the register.

4) Granting or accepting a guarantee or a third-party security

Businesses that have a duty to submit reports to the register can request a credit register extract for the purpose of granting or accepting a third-party security.

Reassignees are not entitled to request credit register extracts for this purpose, even though they are obliged to report loan data to the register.

A business operator must state the purposes of use of the credit register extract when submitting a request. The business operator is responsible for seeing that the confidential data received from the Positive credit register is processed in compliance with law. The credit register extract may be used only for the purpose for which it was disclosed from the register. Notwithstanding the above, however, data may also be used for the purposes below by virtue of the Act on the Positive Credit Register:

The lender may share data they have received from the Positive credit register with the State Treasury when applying for compensation under the Act on State Guarantees for Owner-Occupied Housing Loans (204/1996).

The lender may disclose credit register extract data received from the Positive credit register to the guarantor and the security provider (pledgor). The disclosure of data may be based either on the lender’s obligation to report data laid down in law or on the data subject’s consent that their data may be disclosed.

It is part of the lender’s statutory obligation to report information that before they provide a guarantee, they must report the debtor’s such obligations and other circumstances relating to the debtor’s ability to pay that can be deemed to be of interest to the guarantor. During the period of validity of the guarantee, the guarantor also has the right to ask the lender to provide information on these matters. However, the guarantor's request does not entitle the lender to separately request data from the Positive credit register.

Data can be disclosed to third-party security providers in a similar way as to guarantors. In the provision of third-party security, the security provider pledges their property with the creditor as security for the performance of another person’s obligations.

The right to disclose data that the lender has received from the Positive credit register may also be based on the data subject’s consent. Based on consent, the lender can disclose credit register extract data to parties providing commercial housing loan guarantees, for example.

The lender may use the loan applicants’ data received from the Positive credit register for purposes of testing creditworthiness in order to meet certain obligations. These obligations, relating to credit risk management, are laid down in law.

Content of the credit register extract

Identifying data

  • personal identity code of the individual whose data the register extract contains
  • identifier of the organisation that requested the register extract.

Summary of loan data

  • number of lenders and peer-to-peer loan brokers that have issued or brokered loans to the person
  • number of loan contracts that the pers
  • total amount of payments paid last
    • The amount contains the most recently paid amortization, interest payment or expense amount of each loan added together. However, the amount does not contain payments related to loans that are included in a debt arrangement payment plan or business restructuring program.
  • leasing contracts’ monthly payments in total
  • number of loans where the person is a guarantor.

Loan details

  • loan type: lump-sum loan, running-account loan or leasing
  • date of conclusion
  • number of debtors
  • loan currency
  • information whether a collateral is included in the loan contract; if yes, the type of collateral
  • start and end date of a deferment period
  • due date of an instalment that is at least 60 days late, and the unpaid amount of the instalment
  • information on loan acceleration
  • the following information if the loan type is leasing:
    • start date of the leasing contract if the date is not the same as the date of conclusion
    • transaction price if redemption is required by the contract
  • the following information if the loan type is lump-sum loan:
    • loan’s purpose of use
    • final due date of the payment plan
    • amount issued and amount paid
    • loan balance
    • amortization frequency
    • payment method if the loan is to be paid as a lump sum (bullet) or if the last instalment is notably larger than the regular instalments (balloon)
  • the following information if the loan type is running-account loan:
    • credit limit
    • amount of loan balance, and the value date.

Income information

  • An individual’s gross and net income for the past 12 full calendar months, separated into wages and benefits.

Voluntary ban on credits

  • If a person has set a voluntary ban on credits, the ban and the reason for it are indicated on the register extract. Voluntary bans on credits can be set as of 1 April 2024.

Information that the person has requested restriction of personal data processing under Article 18 of the General Data Protection Regulation.

Credit register extracts are displayed in the e-service

You can view the credit register extracts requested about you in the Positive credit register’s e-service. You can also check the content of the credit register extract there, and see who has requested the register extract, when and for what purpose.

Disclosing data to authorities

We disclose data stored in the Positive credit register to the Bank of Finland, the Financial Supervisory Authority, the Finnish Competition and Consumer Authority, the Consumer Ombudsman and Statistics Finland.

Bank of Finland

  • ensuring the reliability and efficiency of the financial system, and developing the financial system
  • preparing and publishing statistics necessary for the operations of the Bank of Finland

Financial Supervisory Authority

  • monitoring and evaluating financial markets, and issuing regulations regarding the financial markets
  • supervising financial markets and lenders, including supervision of credit risks and consumer protection
  • compiling data on the financial position of parties operating on the financial markets

Finnish Competition and Consumer Authority

  • establishing the competition conditions on credit markets

Consumer Ombudsman

  • supervision of compliance with consumer protection legislation, including the supervision of contractual terms, compliance with contractual terms, assessment of creditworthiness and making of credit decisions

Statistics Finland

  • preparation of statistics

We disclose data to the Bank of Finland, the Financial Supervisory Authority and the Finnish Competition and Consumer Authority in pseudonymised form. This means that the personal data cannot be linked to an individual without additional information. We disclose data to the Consumer Ombudsman both in pseudonymised form and as identifiable data. The data disclosed to Statistics Finland is not pseudonymised.

The disclosure of data is based on the Act on the Positive Credit Register, which explicitly lays down the tasks for which authorities can receive data from us. After the data has been disclosed, the authorities process the data in the capacity of controllers. Further information about the processing of personal data is available on the authorities' own websites.

By virtue of the Act on the Positive Credit Register, we can also disclose data to the Financial Supervisory Authority and the Regional State Administrative Agency of Southern Finland for the supervision of business operators’ obligation to sign up and submit reports.

Disclosure of data by virtue of the Act on Openness

According to the Act on the Positive Credit Register, we can also disclose data for the following purposes laid down in the Act on the Openness of Government Activities (621/1999, Act on Openness):

  • right of access to data of the party concerned
  • right of access to a document pertaining to the party concerned
  • provision of executive assistance
  • processing of advance information, a preliminary ruling or a complaint.

The public availability of loan and income data other than the data stored in the Positive credit register is determined by the Openness Act. As a rule, authorities' documents are public. Everyone has the right to receive information about a public authority document in accordance with the Openness Act.

Processors

The Positive credit register has been implemented on the Microsoft Azure cloud service platform.

The certificate service is provided by Digia Plc.

The operational services of the customer relationship management system are provided by Tietoevry Corporation.

We use the following service providers for application management services, such as troubleshooting: Innofactor Software Ltd, Gofore Plc, Gofore Verify Oy and Advania Finland Oy.

When processing personal data, application management uses a service management system provided by ServiceNow.

The digitisation services are provided by Posti Messaging Oy.

Transfer of personal data to third countries

In principle, we do not disclose data to countries outside the EU/EEA. However, in exceptional individual cases, Microsoft may have access to personal data during support and maintenance activities. In data transfer, the transfer basis under the General Data Protection Regulation is the European Commission's decision on the adequacy of data protection under Article 45(1) (Adequacy decision for the EU-US Data Privacy Framework, C(2023) 4745 final) or, where necessary, standard contractual clauses published by the European Commission.

Page last updated 2/1/2024