Privacy statements for Traficom’s registers

Grounds for and purpose of the data processing

A multichannel customer service system is used in customer service. The system records emails sent by customers to the Finnish Transport and Communications Agency Traficom’s customer service email addresses, as well as customer contacts made by phone and via electronic forms. 

The multichannel customer service system and the related call system enable the centralised management of Traficom's customer contacts and enquiries. The purpose of the processing of related personal data is to identify and assist customers in different contact situations. 

Customer service calls are recorded for the development of operations, for training customer service staff in order to improve service quality and to verify service events in the event of complaints. 

Personal data may also be used for statistical purposes, such as monitoring the total number of customer service interactions during a given period. In addition, we may request feedback from you via text message.

Personal data is processed to perform the statutory duties of a public authority. Personal data is processed to perform the duties specified in section 2, subsection 1, paragraph 2 of the Act on the Finnish Transport and Communications Agency (935/2018). 

The Finnish Transport and Communications Agency may transfer advisory, customer service, document service and other supporting tasks to a private or public service provider. The transferred tasks must not include decision-making powers.

Such transfers are based on section 9 of the Act on the Finnish Transport and Communications Agency (935/2018) and sections 209–211 of the Act on Transport Services (320/2017). 

Data content

The data undergoing processing

Name, personal identity code, email address and phone number of the customer and, where applicable, a person acting on behalf of another person or an organisation. 

Method of contact and time-related data associated with the contact, such as the time an email was received and the start and end times of a phone call.

Other data content:

• the subject line and message content of communications sent by the customer, any attachments and the method of contact
• the subject line and message content of communications sent by the authority to the customer, including any attachments and
• telephone conversations and their content.

Sources of the processed data (where data is received from)

The data is obtained through the customer’s strong identification (name and personal identity code) and from the information provided by the customer via an electronic form or by email. In the case of recorded telephone calls, the data is received from the person in question.

The customer is informed at the beginning of the call, by means of an automated voice message, that the conversation will be recorded. During the call, the customer service adviser may record information provided by the customer, such as contact details and the customer’s preferred method of contact, in order to revert to the matter.

Storage period of personal data

Data recorded in the multichannel customer service system are retained for five (5) years after the ticket created on the basis of the contact has been closed.

Call recordings are retained for two (2) years from the date of the contact.

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

The data is not disclosed to third parties without a lawful basis. Such bases include, for example, transferring a matter to the competent authority or responding to an information request from another authority. 

Processing of personal data on behalf of the controller

Traficom has, by contract, transferred certain tasks related to customer service, the granting of driving rights, registration, tax advisory services and the conversion of documents into electronic format to private operators. 

The data is processed by the personnel of Traficom's service providers Ajovarma Oy (1033613-0) and Barona Customer Care Ltd (2406145-7).

Application development and maintenance services are provided by Traficom’s subcontractors in accordance with the contracts concluded. 

Transfer of personal data to third countries outside the EU/EEA

Data is not transferred outside the EU/EEA.

Automated decision-making and profiling

Data processing does not involve automated decision-making or profiling.

Rights related to the processing of personal data

About exercising rights

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki, Finland
tietosuoja@om.fi
Tel. +358 29 566 6700

Rights

Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed. If processing takes place, the data subject has the right to access the personal data.

In addition, the data subject may personally access and review certain of their own data, such as their email address or phone number, via Traficom’s My e-Services portal.

Right to rectification of data

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

In addition, the data subject may personally update their contact information via Traficom’s My e-Services portal.

Right to restriction of processing

The data subject has the right to obtain from the controller restriction of processing if:

• the data subject contests the accuracy of the personal data

• the processing is unlawful, but the data subject opposes the erasure of the personal data and requests the restriction of its use instead

• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims

• the data subject has objected to the processing of the personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

Right to erasure

The data subject may personally delete their contact information via Traficom’s My e-Services portal.

TRAFICOM/14064/00.04.00.03/2026 23.2.2026

Grounds for and purpose of the data processing

The legal basis for the processing of personal data is compliance with a legal obligation (Article 6(1)(c) of the General Data Protection Regulation).

Traficom maintains a domain name register of domain names ending with the country code .fi and a database of the technical data of domain names for the purpose of directing internet traffic (fi-root) in accordance with section 164 of the Act on Electronic Communication Services (917/2014, hereinafter the ‘AECS’). The domain name register was established for the purpose of carrying out the duties described in section 171 of the AECS.

Traficom processes requests to remove domain name entries and resolves disputes concerning .fi domain names at the request of rights holders in accordance with section 169 of the AECS.

Traficom can publish data stored in the domain name register on its website and other electronic services based on section 167 of the AECS. The publication of data stored in the domain name register via the WHOIS protocol and the domain name search service (Fi-domain name search) on Traficom’s website (traficom.fi) is based on section 167 of the AECS.

In the 'Domain Name Search' and 'Check who the registrar of the domain name is' the names of the registrars is published. In the 'Search for registrars' search service the registrars' information is published based on the consent of registrars.

Traficom uses the Friendly Captcha service in order to comply with a statutory obligation and to perform a task carried out in the public interest (6(1)(c) and (e) in the GDPR). The captcha is used as part of ensuring the information security of the authority's services. The purpose sis to prevent automated attacks, protect the integrity of the service and to ensure its availability and functionality. Under section 171, section 1, point 5 of the AECS, Traficom is responsible for ensuring the information security of the .fi domain name system.

Data content

The data undergoing processing

Register of currently valid domain names

Identifying data of the domain name holder:

• contact identifier
• first name and last name or company name
• personal identity code or business ID or other identifying information
• type of business/organisation

Contact information of the domain name holder:

• contact person
• email address (process address)
• other email address
• street address
• postal code
• city
• country
• telephone number

Basic information of the domain name:

• domain name
• domain name status
• period of validity of the domain name
• name of registrar
• additional information

Technical information of the domain name:

• any name servers registered with the domain name and their IP addresses
• information on the use of Domain Name System Security Extensions (DNSSEC)
• DS records
• information on registry lock use

Identifying data of the domain name registrar:

• contact identifier
• first name and last name or company name
• personal identity code or business ID or other identifying information
• type of business/organisation

Reseller

• company name
• department/contact person
• address
• postal code
• city
• state/province
• country
• telephone number
• email address

Technical contact person

• company name or private individual’s first name and last name
• department/contact person
• address
• postal code
• city
• state/province
• country
• telephone number
• email address

Contact information of the domain name registrar:

• department/contact person
• email address (process address)
• other email address
• street address
• postal code
• city
• country
• mobile telephone number

Additional information about the domain name registrar:

• information on whether data is public (the data is published via the registrar search service on the traficom.fi website if the registrar has selected this option)
• the registrar’s star rating (if the registrar has participated in voluntary evaluation)
• website (home page) address
• email (for the registrar search service)
• city (for the registrar search service)
• telephone number (for the registrar search service)
• services (name servers, email, web hotel, virtual servers, DNSSEC services, domain name management without other services, services for private individuals, automatic renewal reminder)
• contact information for emergencies (telephone number and email)
• message transmissions
• contact information of commercial contact person
• prepayment account balance
• prepayment account balance limit
• reference number
• the domain name registrar’s account transactions
• the domain name registrar’s name servers
• EPP account information
• EPP interface’s allowed IP addresses
• public part of the EPP account’s server certificate
• contact information of the reseller or technical or administrative contact person
• additional information

Contact information of the domain name registrar’s administrator and basic user:

• first name and last name
• telephone number
• email address

Register archive

Domain name archive

• domain name
• contact identifier, username or business ID
• user’s personal identity code or date of birth (DD.MM.YYYY)

Registrar data archive

• name of registrar
• business ID or personal identity code or date of birth (DDMMYYYY)
• identifier
• name server
• reference number
• email address
• country

Contact archive

Identifying data of the domain name holder:

• contact identifier
• first name and last name or company name
• personal identity code or business ID or other identifying information
• type of business/organisation

Contact information of the domain name holder:

• contact person
• email address (process address)
• other email address
• street address
• postal code
• city
• country
• telephone number

Reseller:

• company name or private individual’s first name and last name
• department/contact person
• address
• postal code
• city
• state/province
• country
• telephone number
• email address

Technical contact person:

• company name or private individual’s first name and last name
• department/contact person
• address
• postal code
• city
• state/province
• country
• telephone number
• email address

Processing of domain name removal requests

A domain name removal request contains the contact information of the party who submitted the request or their agent. The .fi domain name removal form is subject to the same cookie policy as the traficom.fi website.

When processing the removal requests, the data stored in the domain name register, as described in Sections I and II, will also be processed.

In addition to the contact details of the parties involved, the processing of the requests includes their explanations and statements, which may contain personal data. In addition, Traficom may process other information necessary for resolving the matter, which may also include personal data.

Search services

The WHOIS protocol and the domain name search service (Fi-domain name search), ‘Search for registrars’ and ‘Check who the registrar of the domain name is’ search services on Traficom’s website (traficom.fi) are subject to the same cookie policy as the traficom.fi website.

Voluntary Evaluation of Registrars

In the registrar search, the information provided about the registrar includes the number of stars received in the evaluation. The same cookie policy applies to the registrar search as on the traficom.fi website

• Registrar’s name
• Detailed results of the evaluation (Webropol, other Traficom information system)
• Summary of evaluation results in stars
• Registrar’s identification information
• Registrars’s contact person’s email address (Webropol, other Traficom information system)

Captcha

The Friendly Captcha service does not use cookies nor profiles its users. The service processes only limited technical data, some of which may constitute personal data. The data processed in connection with the Friendly Captcha service is transferred and processed with the European Union. The Friendly Captcha service processes the following registrar data when the service is used:

• The captcha challenge solution (proof-of-work token) is validated on the server side before the user's request is accepted for further processing. Validation is performed either via the interface provided by the Friendly Captcha service or through a self-hosted validation endpoint implemented in Traficom's own environment.
• The validation result is processed on only in connection with the specific transaction. The validation data is not linked to any personal data in the .fi registry and is not used for profiling.
• The IP address and browser fingerprint data may be processed during validation to prevent misuse. The data is not stored permanently; processing is short-term and solely connected to ensuring information security.
• Browser data (User-Agent): Used to assess browser compatibility and computational performance. The information is transmitted in a limited form and is not stored permanently.
• Domain/origin: Used to ensure that the solved token belongs to the correct site and to prevent token misuse.
• Timestamp/nonce: Used to identify an individual event and prevent attacks. Processed only for a temporary duration.

Sources of the processed data (where the data is received from)

The data stored in the domain name register is received from domain name registrars in accordance with section 164, subsection 2 and sections 165, 167, 168 and 170 of the AECS. Fi-domain name registrars act as independent data controllers and are responsible of personal data processing on behalf of they own clients/registrants/data subjects in a whole. Traficom is responsible of the fi-domain name registry database entity.

The domain name register also contains data that was entered into the register during the period of validity of the Domain Name Act (228/2003) and the transition period of the Act on Electronic Communication Services before 5 September 2016, meaning before the adoption of the so-called registrar model. This data was entered into the register by domain name holders themselves or other persons/companies commissioned by domain name holders.

The data required for the domain name register is also collected as part of operations related to Traficom’s own customer service and the processing of .fi domain name removal requests and related decision-making and from YTJ (the Finnish Business Information System maintained by the Finnish Patent and Registration Office, hereinafter PRH), VTJ (the Digital and Population Data Services Agency’s Population Information System), VIRRE (PRH’s information service for trade register data) and PRH’s information service for the Finnish Register of Associations.

As regards the processing of domain name removal requests, data is received via the removal request form filled by the party that submitted the request or their agent, data on the domain name holder is received from the domain name register and potential additional (personal) data is obtained from the parties during the hearings on the matter. Furthermore, Traficom may obtain other necessary information from public sources, such as websites accessible through the disputed domain name, for the purpose of resolving the matter in accordance with section 31 of the Administrative Procedure Act.

Storage period of personal data 

Domain names and related data are stored in the .fi domain name register for as long as the domain name holder’s registration is valid. The data is archived when the period of validity of the domain name expires and the subsequent one-month grace period ends.

When a domain name registrar ends operation as a registrar, their registrar account is removed and the account is archived. The registrar’s registrar account is also removed and archived if they do not operate as a registrar.

Data content of the fi-domain name register and as regards the resolution of domain name disputes, the correspondence and issued decisions related to disputes are stored permanently on the basis of an appraisal decisions issued by the National Archives of Finland.

The data used for the voluntary evaluation of registrars stored in Webropol until the start of the next annual evaluation. In the domain registry and other supporting Traficom information systems, the data is retained for five years.

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

Traficom can publish data stored in the domain name register on its website and other electronic services based on section 167 of the AECS.

Data stored in the domain name register is published via the WHOIS protocol, the domain name search service (Fi-domain name search), ‘Search for registrars’ and ‘Check who the registrar of the domain name is’ search services on Traficom’s website (traficom.fi) and the OData API.

Domain names registered to private individuals are not published via the WHOIS protocol, the domain name search service (Fi-domain name search) and the OData API. The information of domain name registrars is not published via the domain name search service unless the registrar has given their consent for this.

In accordance with section 165, subsection 4 of the AECS, Traficom provides the required information of registrars to the single point of contact referred to in ection 18 of the Cybersecurity Act. The single point of contact then forwards the information to the European Union Agency for Cybersecurity (ENISA).

Only fi-domain name registrars located in EU-/EEA-area are able to register fi- domain names to private persons. Restriction doesn´t apply to the fi-domain name registrars located outside EU-/EEA-area, whose state of location has a binding data transfer arrangement in force or who have separately certified to apply the data transfer arrangement.

As regards the processing of domain name disputes, both parties to the dispute are named in the decision issued on the dispute. If the holder of the domain name is a private individual, the name they have submitted to the domain name register is also disclosed via the issued decision to the party who submitted the removal request.

Confidentiality regulations or other restrictions on the disclosure of information notwithstanding, Traficom has the right to disclose documents that it has obtained or drawn up in connection with carrying out its statutory duties and disclose confidential information to other authorities in accordance with section 318 of the AECS.

All information requests concerning .fi domain names are processed and assessed on a case-by-case basis in accordance with the requirements of the EU’s General Data Protection Regulation (2016/679), the Data Protection Act (1050/2018) and the Act on the Openness of Government Activities (621/1999).

In the evaluation of registrars, only the registrar-specific evaluation results are published as stars from 1 to 5. Registrar information is not published, or publication is canceled at the registrar’s request.

Processing of personal data on behalf of the controller

DENIC Services GmbH

The domain name register backup is stored in Denic’s equipment facilities in Germany. The backup also includes details of private individuals but Denic does not have the right to view the information.

Byteplant GmbH

As a part of the domain name registering process, the accuracy of the address details provided by the domain name holder is assessed using Byteplant's Address Validation service. Only the address details are used in the assessment. No names of private individuals or other identification information is forwarded to the service.

Webropol

Information related to the registrar’s activities and the registrar’s contact person’s email address for the evaluation of the registrar.

Friendly Captcha GmbH

Electronic services are provided for registrars and registrar applicants. To ensure the secure use of these services, Traficom uses a technical solution by Friendly Captcha GmbH to prevent automated abuse.

Barona Customer Care Oy

Traficom has contractually transferred certain customer service tasks related to domain names to Barona Customer Care Oy. To perform these customer service duties, Barona Customer Care Oy has limited viewing rights to the Register of currently valid domain names and to the Register archive.

Transfer of personal data to third countries outside the EU/EEA

Data stored in the domain name register is disclosed via the WHOIS protocol, the domain name search service (Fi-domain name search), ‘Search for registrars’ and ‘Check who the registrar of the domain name is’ search services on Traficom’s website (traficom.fi) and the OData API within above mentioned limitations.

Fi-domain name registrars manage data they have informed of their own clients to the fi-domain name registry within above mentioned limitations.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700

Rights

Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed. If processing takes place, the data subject has the right to access the personal data. 

The access request must be directed at the controller. Traficom’s contact details are included in this privacy statement. Instructions for submitting an access request are available on Traficom’s website.

Right to rectification 

The data subject has the right to demand the controller to rectify inaccurate or incorrect personal data concerning them without undue delay. The rectification request should be addressed to the controller.

Right to object 

This right does not apply to the processing operations in question since the legal basis for the processing of personal data is compliance with a legal obligation. 

Right to restriction of processing 

The data subject can request the controller to restrict the processing of their personal data in situations corresponding to Article 18 of the General Data Protection Regulation (679/2016).

Right to data portability

This right does not primarily apply to the processing operations in question since the legal basis for the processing of personal data is compliance with a legal obligation. The consent only applies to the publication of the domain name registrar’s data via the ‘Search for registrars’ and ‘Check who the registrar of the domain name is’ search services.

Right to erasure 

This right does not primarily apply to the processing operations in question since the legal basis for the processing of personal data is compliance with a legal obligation.

However, the domain name registrar can erase their data from the ‘Search for registrars’ and ‘Check who the registrar of the domain name is’ search services. For more information, please refer to the ‘Right to withdraw consent’ section

Right to withdraw consent

The domain name registrar can withdraw their consent for the publication of their data via the ‘Search for registrars’ and ‘Check who the registrar of the domain name is’ search services. The domain registrar can withdraw their consent independently via the services in question. Withdrawing consent does not affect the lawfulness of processing carried out based on the consent before the withdrawal.

Controller 

Finnish Transport and Communications Agency (Traficom)

Controller's contact details 

PO Box 320, FI-00059 TRAFICOM, Finland
kirjaamo@traficom.fi 
Tel. +358 29 534 5000

Contact details of the controller's data protection officer 

PO BOX 320, FI-00059 TRAFICOM, Finland
tietosuoja@traficom.fi 
Tel. +358 29 534 5000

If your message contains confidential, secret or otherwise sensitive content or a personal identity code, please use Traficom’s secure email.

Grounds for and purpose of the data processing

The processing of personal data is based on the controller’s statutory obligations and the performance of duties carried out for reasons of public interest (General Data Protection Regulation, Article 6, subsections c and e of Section 1).

The purpose of processing personal data is to carry out procurements for Traficom and organise competitive tendering for public procurements in accordance with procurement legislation.

In order to process tenders, Traficom needs information on e.g. the contact persons of tenderers participating in procurement procedures and the criminal record of the executives of the selected tenderer. It is also necessary to process tender information, including information on the contact persons of references mentioned in tenders and information on the vocational qualifications and experience of persons named in tenders.

Traficom needs the contact details of tenderers’ contact persons to contact the tenderers during the procurement procedure and e.g. to inform the tenderers of the final procurement decision. The selected tender and appendices thereof will be part of the procurement agreement. Therefore, Traficom processes the personal data included in the tender for the duration of the procurement agreement in order to implement the agreement. Tenders and other procurement documents are saved in Traficom’s case processing system.

If a person concerned requests a procurement decision to be amended or rectified, Traficom is obligated to process the personal data in the procurement documents in question for the duration of the appeal process and potential court proceedings in a manner required by the case outcome, e.g. by comparing the tenders submitted again following a court decision.

Data content

The data undergoing processing

Information on tenderers’ contact persons and executives

Traficom processes the following personal data of tenderers’ contact persons:

1. name
2. Organisation represented and position in the organisation
3. Contact information

Traficom processes the following personal data of the members of tenderers’ administrative, governing or supervisory body or persons having powers of representation, decision or control:

1. Name
2. Organisation represented and position in the organisation
3. Information in the extract from the criminal record

Personal data included in tenders and other personal data collected during the procurement procedure

Traficom processes the following personal data of experts named in the tender and persons participating in any interviews or personal assess- ments as part of the tender evaluation process:

1. Name
2. Organisation represented and position in the organisation
3. Information on education and vocational qualifications as well as experience and other qualities relevant to the procurement

Traficom processes the following personal data of the contact persons of references mentioned in the tender:

1. Name
2. Organisation represented and position in the organisation
3. Contact information
4. Information of the reference in question

Traficom processes the following personal data of the issuer of attestations or certificates attached to the tender:

1. Name
2. Organization represented and position in the organization

Other personal data to be collected from tenders or during the procurement procedure, including information on the tenderer’s personnel given in project or implementation plans, information on auditors, signing clerks and other persons associated with the tendering company or its subcontractor in the trade register extract:

1. Name
2. Organisation represented and position in the organisation
3. Date of birth
4. Information on education and vocational qualifications as well as experience and other qualities relevant to the procurement

Sources of the processed data (where the data is received from)

Traficom obtains data from a tender submitted by either:

1. the data subject themselves
2. the employer of the data subject or
3. an entity that has the data subject’s permission to use their information in the tender, e.g. as a contact person of a reference or as an issuer of attestations or certificates.

Traficom obtains criminal record information from the selected tenderer.

Traficom also obtains information from public sources, including the Finnish Trade Register maintained by the Finnish Patent and Registration Office, Vastuu Group Oy’s Reliable Partner service and Suomen Asiakastieto Oy’s corporate credit information register.

Storage period of personal data 

The storage period is based on archives and special legislation and Traficom’s need to document and protect the legal protection of the authority and private persons and communities.

Procurement documents (including tenders) are stored for at least six (6) years from the end of the financial year in accordance with the government handbook on procurement. In some cases, documents may be stored for a longer period:

1. The selected tender and appendices thereof are stored for at least the validity of the procurement agreement and the obligations based on the agreement.
2. Any procurement documents related to appeal processes (including tenders) are stored for at least the duration of the appeal process or the time needed to carry out the measures required by the outcome of the appeal process.

The information on criminal records is not saved or stored but is returned or disposed of immediately after the information has been reviewed. 

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

As a rule, personal data is not disclosed to third parties. Personal data may be disclosed on a case-by-case basis in accordance with the Act on the Openness of Government Activities (621/1999). The authority’s information and documents are public unless otherwise explicitly provided in law.

The National Audit Office may process personal data included in procurement documents as part of an audit carried out pursuant to the State Budget Act (423/1988) and the regulations issued under it.

The data will not be disclosed for purposes of direct marketing, polls or market research unless separate stipulations concerning this purpose are in place.

Processing of personal data on behalf of the controller

Personal data from public procurement tendering processes is processed in Cloudia Oy’s (business ID: 1088146-2) tendering system.

In order to fulfil its statutory obligations and carry out procurements, Traficom may use its contractual partners to process personal data. Personal data is processed in the information systems of Traficom or its contractual partners, as necessary, and the system providers act as processors or sub-processors of personal data.

In individual cases, Traficom may, by separate agreement, transfer its duties related to tendering processes to the government’s central purchasing body Hansel Oy (business ID: 0988084-1) and other authorities or a company to be selected separately.

Transfer of personal data to third countries outside the EU/EEA

Personal data is not transferred outside the European Union or the European Economic Area.

Automated decisionmaking and profiling

Automated decision-making or profiling does not take place.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700

Rights

Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed. If processing takes place, the data subject has the right to access the personal data. 

Right to rectification 

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Right to object 

In situations where the processing of personal data is based on public interest, the exercise of official authority vested in the controller or the legitimate interest of the controller or a third party, the data subject has the right to object to the processing of personal data concerning him or her.

If a data subject uses his or her right to object, the controller must stop the processing of the personal data, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

If personal data is processed for direct marketing purposes, the data subject has the right to object to the processing without any specific grounds. 

In situations where personal data is processed for statistical or research purposes, the data subject may object to the processing on grounds relating to his or her particular situation, in response to which the controller must stop processing the data subject’s data, unless the processing is necessary for performing a task carried out for reasons of public interest. 

Right to restriction of processing 

The data subject has the right to obtain from the controller restriction of processing if:

• the accuracy of the personal data is contested by the data subject;

• the processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims;

• the data subject has objected to the processing of the personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

Right to data portability

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means.

Right to erasure 

In situations where the legal basis for the processing of personal data is something other than compliance with a legal obligation, public interest or the exercise of official authority vested in the controller, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her. The requested data will be erased unless the controller has a legal basis for refusing to erase the data, such as a legal obligation to retain the data.

Right to withdraw consent

Insofar as personal data is processed on the basis of the consent of the data subject, the data subject may withdraw his or her consent at any time by notifying the controller of the withdrawal. Withdrawing consent will not affect the lawfulness of processing carried out on the basis of the consent of the data subject before its withdrawal.

TRAFICOM/334546/00.04.00.03/2024 , 15.01.2026

Grounds for and purpose of the data processing

The Transport Register is regulated in the Act on Transport Services (320/2017). According to the Act, Traficom maintains the Transport Register in order to issue and monitor transport licences and other authorisations; improve traffic safety; identify vehicles and manage vehicle taxes and mortgages; reduce environmental damage; develop mobility services and promote their use; enable research, development and innovation activities; develop services related to the management of personal data; provide public services in the field of transport; and meet its international obligations. Traficom makes use of the Register in the context of carrying out its statutory duties.

Data content

The data undergoing processing

The Transport Register contains information on: 

• Transport operator permits and operations where notification is required
• Vehicles, aircraft, ships and watercraft, railway vehicles and related equipment (transport) 
• People granted transport-related permits, rights and qualifications (personal permits). 

The information about natural persons that may be saved in the register is: 

• Name and personal identity code, or date of birth, if there is no personal identity code
• Gender
• Place of birth, country of birth and citizenship
• Address and other contact information
• Municipality of residence
• Native language and working language
• Information on a person’s death
• Photograph and sample signature
• Company registration number, if the person is a private entrepreneur.

The information that may be saved about a legal person (e.g. a company) in the register is: 

• Name, trading name and company registration number
• Domicile
• Address and other contact information
• Contact language
• Information about the Managing Director of the company, responsible partners and ownership, information about the organisation's other responsible persons, identification and contact information for responsible persons.

In addition, the following information about natural persons, legal persons or means of transport that is necessary for the purposes of the register can be stored in the register:

• Insurance
• Statutory fees, taxes and their payment
• Charges
• Bankruptcy, debt restructuring, company entering administration, enforcement of a judgement, seizure and sequestration of assets
• Authorisations
• Card data from road transport recording equipment 
• Persons working as seafarers on Finnish vessels
• Parking identifiers for persons with reduced mobility

Traficom may also record in the register the information necessary for the performance of its statutory tasks concerning offences committed and the penalties for them, driving bans and other similar sanctions resulting from them, the sanctions imposed by Traficom as a result of its supervisory duties and other information relating to its supervisory activities.

In addition to the general information mentioned above, the following information on a means of transport may be recorded in the register: 

• Technical and commercial information
• Registration details and other identifying and numerical data
• Information about domicile and operating area
• Construction information
• History
• Approval, survey and classification information and other information concerning technical inspections
• Data about official inspections
• Information about the owner, holder, user, and other registration information
• Data regarding commissioning and enabling and decommissioning and temporary use
• Intended use and management information
• Data on operating limits and bans
• Information regarding maintenance and the parties responsible for it
• Information regarding appropriation

The following data relating to personal permits shall be saved in the register: 

• Information on issued and withdrawn permits, associated conditions and exemptions, unique identifier, period of validity, changes and information on refused permit applications
• Information about the permit issuer and its home State
• Information on the application for and processing of a permit, qualification, approval or competence, training and experience, and information on examinations and assessments
• Information on the required language skills
• Health information and data related to medical and psychological examinations
• Information on the issuing, cancellation, disappearance and destruction of cards and certificates relating to permits qualifications, approvals, and competencies
• Any other information to be recorded in the Transport Authority’s registers under EU legislation and international agreements. 

Of the above information, a facial image that is used to identify a person digitally and medical information are special categories of personal data in accordance with Article 9 of the Data Protection Regulation

Sources of the processed data (where the data is received from)

For carrying out its tasks, Traficom obtains data from data subjects themselves. Notwithstanding the secrecy provisions, Traficom has the right to obtain from authorities and parties performing a public duty data that is essential for carrying out its tasks. The right to obtain data also applies to criminal records and the register of fines.

Traficom also receives data from applicants for and holders of transport operator's licences and personal licences, and from persons carrying out activities subject to declaration who are required by law to make a declaration of their activities Traficom: 

Data is collected from the following bodies among others:

• manufacturers and importers of means of transport and their engines as well as from their representatives
• educational institutions, training providers and competence demonstration examiners
• doctors, psychologists and corporations or institutions engaged in medical or health care activities
• Manufacturers of permits and cards and from processors;
• operators engaged in railway traffic between Finland and Russia
• From those carrying out registration work, from operators carrying out surveys and inspections, from those granting individual approvals, and from other contracting partners of the Finnish Transport and Communications Agency;
• From the Motor Insurers' Centre and the insurance companies;
• From ships’ management companies and from shipping companies.

Storage period of personal data 

The information in the register is removed as follows: 

• Data relating to operator permits, 6 years from the end of the withdrawal of the permit or the end of its validity
• Personal data relating to means of transport, 10 years after the means of transport is permanently deleted from the register
• Information concerning individual permits after the personal data has become obsolete in relation to its intended use, however no later than 10 years after the permit has expired
• Railway qualification data 10 years after the expiry of the authorisation
• Seafarers’ seagoing service, training and competency information 70 years after the data registration
• Personal data no later than 10 years after the death of the person, unless data has already been deleted for some other reason
• Data on criminal offences and their related sanctions immediately after they have become obsolete or at the latest 10 years after the decision has acquired the force of law
• Data found to be erroneous and marked as such, 5 years from the error being detected, if retention is necessary to protect the rights of the data subject, another party involved or the controller
• Operating ban on a subject of the register or other administrative measure taken by the Finnish Transport and Communications Agency or the police, 10 years after the decision has acquired the force of law
• Data relating to the health status of a data subject, when information about the health data has become obsolete in relation to its intended use.

If the data is necessary for the performance of the tasks of Traficom, it can remain undeleted from the register.

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

As a rule, the Transport Register is public. Traficom discloses public data to private individuals, companies and authorities, unless otherwise mandated by a person’s right to prohibit the disclosure of their data.

Data maintained in the Transport Register may be disclosed for the following purposes:

Under section 226 of the Act on Transport Services, the following information maintained in the Transport Register is generally available for processing and available in a machine-readable easy-to-edit standard information format for use via a connection established with the information system: 

• Information on a valid operator’s licence, the licence’s identification code, name of the licence holder and contact information relating to the operation as well as corresponding information on operations subject to notification; 
• Information saved in the register so that the data cannot be associated with natural persons and legal persons.

Under section 227 of the Act on Transport Services, everyone has the right to obtain the following information as an individual release:

Based on a business identification code, information on the name and contact information of an operator’s licence holder, the licence code, licence validity and the name of the person in charge or, if the operator is a natural person, based on the first and family name, personal identification code or another unique identifier, information on the operator’s name and work contact information;

Based on the registration number or vehicle identification number, information on a means of transport and the name of its owner, holder, user and representative, as well as address and other contact information, and information on vehicle inspections, taxation, mortgages and insurance policy holders;

Based on the first and family name, personal identification code or another unique identifier, information on the right of a person to operate a means of transport or on the validity and scope of other personal licences.

Said information may be disclosed, for example, through the individual enquiry services.

In addition to individual releases, Traficom may, under section 228 of the Act on Transport Services, disclose the information described above and referred to in section 227 of the Act on Transport Services for the following transport-related purposes: 

• Provision and development of transport services
• Opinion polls and market research, direct marketing and other address and information services
• Update of contact details and data on means of transport entered in the customer register
• Other purposes approved by the controller. 

Under section 229 of the Act on Transport Services, Traficom may, in individual cases, disclose information saved in the transport register for development and innovation activities with the objective of developing and providing the transport system and services, increasing awareness and understanding of the transport system and services and improving traffic safety and promoting the achievement of environmental objectives in transport. 

Under section 230 of the Act on Transport Services, Traficom shall, notwithstanding secrecy provisions, have the right to disclose information from the register to another authority or a party responsible for statutory duties if the information is necessary for the performance of their statutory duties.

Traficom's website may publish lists of persons from certain professions or activities if there is a legal obligation to do so. 

Data may also be disclosed for journalistic purposes, historical or scientific research or other similar purposes, provided that the conditions for the disclosure exist under the Act on Transport Services, the European Union’s General Data Protection Regulation, the Data Protection Act and the Act on the Openness of Government Activities.

Processing of personal data on behalf of the controller

Traficom has entered into contracts to outsource tasks related to issuing driving rights, customer service, registration and tasks related to the digitization of documents to private operators.

Transfer of personal data to third countries outside the EU/EEA

Traficom has the right to disclose information in the register to foreign authorities or for official functions if the disclosure is provided for in law, European Community law or through international agreement binding on Finland. If personal data is transferred outside the European Economic Area, the conditions of Chapter V of the European Union’s General Data Protection Regulation must be met. Other authorities that receive data from the Transport Register may disclose that data to a third party if the above conditions are met.

Automated decisionmaking and profiling

Traficom uses automated decision-making. This means that a decision can be fully or partially automatic. Traficom does not use automated profiling.

For more information on automated decisions at Traficom.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700
 

Rights

Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed. If processing takes place, the data subject has the right to access the personal data. 

Right to rectification 

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Right to object 

According to Article 21 of the Data Protection Regulation, data subjects shall have the right to prohibit the use of their information for direct marketing.

In addition, under section 231 of the Act on Transport Services, a natural person has the right to prohibit the disclosure of personal data through an open interface for both traffic purposes and development and innovation activities. In addition, a natural person has the right to prohibit the disclosure of their contact details as an individual disclosure. A legal person has the right to prohibit the disclosure of their data for development and innovation activities.

Right to restriction of processing 

The data subject has the right to obtain from the controller restriction of processing if:

• the data subject contests the accuracy of the personal data

• the processing is unlawful, but the data subject opposes the erasure of the personal data and requests the restriction of their use instead

• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims

• the data subject has objected to the processing of the personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

Right to data portability

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means.

Right to erasure 

In situations where the legal basis for the processing of personal data is something other than compliance with a legal obligation, public interest or the exercise of official authority vested in the controller, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her. The requested data will be erased unless the controller has a legal basis for refusing to erase the data, such as a legal obligation to retain the data.

18.6.2024 TRAFICOM/348766/00.04.00.03/2024

Grounds for and purpose of the data processing

According to section 5 of the Act on the Provision of Digital Services (306/2019), Traficom has the duty to offer everyone the opportunity to submit electronic messages and documents related to their matters with the help of digital services or other electronic transmission methods. The purpose of offering transport matters in My e-Services is to fulfil the statutory duty to offer digital services mentioned above.

The My e-Services service is a portal that offers a uniform service concept and support services for digital transport-related services. The portal con- tains information on your vehicles, boats and driving license and also offers you the option to create certificates in connection with sales or make changes to the instalments of your vehicle tax.

The content of services used in My e-Services is based on service specific regulations, such as the Act on Transport Services (320/2017), the Vehicles Act (1090/2002), the government decree on registering vehicles (valtioneuvoston asetus ajoneuvojen rekisteröinnistä) (893/2007), the Wa- ter Traffic Act (782/2019) and the act on vehicle tax (ajoneuvoverolaki) (1281/2003). You can use My e-Services as a private individual or a representative of an organisation after identification. Identification is based on subsection 1 of section 6 of the Act on the Provision of Digital Services (306/2019). Trafi- com requires that customers are identified, because the service allows customers to view their own details and perform legal acts in the matters of a personal customer or on behalf of an organisation. Identification is also required for public individual requests to fulfil the requirement concerning the nature of individual data transfer requests and to prevent misuse of the service.

Log data is collected on the use of My e-Services in accordance with section 17 of the Act on Information Management in Public Administration (906/2019) to monitor the use and transfer of data in the information sys- tems as well as to investigate technical errors in the information system.

The legal basis for the processing of personal data in connection with My e- Services is Article 6(1)(c) of the General Data Protection Regulation, i.e. compliance with a legal obligation. In addition to this, My e-Services utilises Suomi.fi services produced by the Digital and Population Data Services Agency (DVV) and the State Treasury in accordance with section 5 of the act on support services for shared government electronic services (laki hallinnon yhteisistä sähköisen asioinnin tukipalveluista (571/2016)). The State Treasury produces the Suomi.fi Payments online payment service. Further information on the service is available on the StateTreasury website and the DVV website (in Finnish). DVV produces the Suomi.fi e-Identification, Suomi.fi e-Authorisations and Suomi.fi Messages services. You can find further information on these services on the DVV website and Privacy state- ment 3 June 2021 version 1.0 2 Suomi.fi website. Privacy statements concerning Suomi.fi services produced by DVV are available on the Suomi.fi website. 

Data content

The data undergoing processing

When identifying with My e-Services through the Suomi.fi e-Identification service maintained by DVV, the system will process the personal identity code transferred with the other data to My e-Services. When using the service on behalf of an organization, the system will also process data concerning the person’s authorization to act on behalf of the organization. When a foreign person uses the service on behalf of an organization using the Finnish Authenticator app, the system will process the person’s foreigner’s user identifier (UID), first and last names, date of birth and the authorization granted to the person to act on behalf of the organization. When using the service with eIDAS identification, processed data includes the PID identifier, first and last name and date of birth.

The personal data to be processed are determined based on the service used by the customer. The following personal data will be processed in connection with using My e-Services, among others:

• Traficom customer number
• vehicle identifier, such as a vehicle or watercraft registration number
• vehicle owner and holder details and technical data
• driving rights
• digital certificate information
• vehicle tax data
• qualifications
• payment information
• invoicing information (only for entrepreneurs and organizations)
• contact information for the contact person of the entrepreneur or organization (first and last names, telephone number and e-mail)
• electronic messages (concerning e.g. vehicle taxation, driving licenses and watercraft)
• confirmation/receipt of service of events performed in the service
• information contained in the applications submitted by the customer through the system
• contact made by the customer through the service log data

The Your information section in My e-Services displays the customer’s first and last names, address, language, vehicle tax customer number and electronic contact details.

The customer can also view their own valid non-disclosures of data and add or remove restrictions in My e-Services. The customer can report, update or remove their own electronic contact details (e-mail address and telephone number) and their language preference in the Your information section.

Those acting on behalf of an organisation may report, update and remove the contact details of the organisation’s contact person in the Your information section of My e-Services. This may only be performed for organisations by someone authorised to maintain traffic operator data and permits or by someone authorised on the basis of their position.

My e-Services uses essential cookies in terms of administering the session of customers who have logged in in accordance with the technical functionality requirements of the service.

Sources of the processed data (where the data is received from)

Data is collected from natural persons using My e-Services (the data may be personal data entered by the person or personal data on the representative or contact person of an organization entered by them or data generated by the use of My e-Services, such as log data).

Traficom receives data concerning the Suomi.fi services maintained by DVV through DVV.

Storage period of personal data 

Personal data processed individually in My e-Services are data from the Transport Register. The retention period of personal data is described in the Transport Register privacy statement (in Finnish).

Cookies used in My e-Services are stored in the customer’s terminal device browser. Session cookies will be removed after the session ends. Other cookies will remain on the customer’s terminal device until the customer removes them (or has set the browser settings to remove cookies) or logs in again to My e-Services, at which time cookies will be updated. 

My e-Services log data is retained for up to the duration of the present year and the following seven years. 

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

Data processed in connection with My e-Services can only be disclosed in accordance with the obligations and restrictions set out in currently valid legislation. Paytrail Oyj (2122839-7), implementation of the payment gateway service and provision of the payment service. The customer shall pay the service fee at the time of the service event using the Suomi.fi Payments service, where they need to select their preferred payment option.

Paytrail Oyj will redirect the customer to the payment option of their choice. After the payment is processed, the payment service will report the successful transaction to Paytrail Oyj, who will then report it to Traficom.

Processing of personal data on behalf of the controller

Government ICT Centre Valtori (Business ID: 2574261-7).

Transfer of personal data to third countries outside the EU/EEA

Traficom or its data processors or sub processors will not transfer personal data outside the EU/EEA.

My e-Services is browser based and can be accessed from anywhere, if the user is able to identify with the service.

Automated decisionmaking and profiling

The data will not be used for profiling. The customer may perform actions that are recorded in the Transport Register maintained by Traficom in certain My eServices.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700

Rights

Right of access

The data subject has the right to receive from the controller confirmation as to whether or not personal data concerning them is being processed. If processing takes place, the data subject has the right to access their personal data. The access request must be directed at the controller. The controller’s contact details are included in this privacy statement. Instructions for submitting an access request are available on Traficom’s website. Some of the personal data processed in My e-Services are displayed to the customer in the Your information section.

Right to rectification 

The data subject has the right to demand the controller to rectify inaccurate or incorrect personal data concerning them without undue delay. The rectification request should be addressed to the controller.

The data subject may update or remove the electronic contact details they themselves have submitted (telephone number, e-mail address) and update their preferred language in the Your information section of My e-Services.

Those acting on behalf of an organisation may update or remove the contact details of the contact person submitted by the organisation in the Your information section of My e-Services. This may only be performed for organisations by someone authorised to maintain traffic operator data and permits or by someone authorised on the basis of their position.

Right to object 

The data subject has the right to object to their personal data being processed for direct marketing purposes. In addition to this, the data subject also has the right to prohibit the disclosure of their personal data through an open interface or for traffic related purposes and development and inno- vation activities based on section 231 of the Act on Transport Services. In addition to this, natural persons have the right to prohibit the disclosure of their contact details as an individual release. Legal persons have the right to prohibit the disclosure of their data for development and innovation activities.

The customer can view their own valid nondisclosures of data and add or remove restrictions in My e-Services.

Right to data portability

This right does not apply to the processing operations in question since personal data is not processed on the basis of consent or agreement.

Right to erasure 

This right does not apply to the processing operations in question since the legal basis for the processing of personal data is compliance with a legal obligation.

Customers can, however, remove voluntarily reported electronic contact details (personal customers and representatives of organizations) in My e- Services.

12.5.2025 TRAFICOM/205069/00.02.08/2025

Grounds for and purpose of the data processing

Personal data is processed for the purpose of carrying out the Finnish Transport and Communications Agency’s administrative tasks as mandated by the Act on Electronic Communications Services (2014/917).

This register is used for the following tasks:

• granting and maintenance of radio licences (sections 40 and 45 of the Act on Electronic Communications Services)
• maintenance of radio communication proficiency examination information and granting of proficiency certificates (sections 265 and 266 of the Act on Electronic Communications Services)
• granting and maintenance of telecommunications and programming licences (sections 9, 25 and 36 of the Act on Electronic Communications Services)
• ensuring efficient and interference-free use of radio frequencies (section 328 of the Act on Electronic Communications Services)
• invoicing administrative fees related to radio communications (sections 285–288 of the Act on Electronic Communications Services).

Data content

The data undergoing processing

The register contains the following data on radio licence holders, radio communication proficiency examination participants, radio communication proficiency certificate and endorsement holders and persons who have ordered print products or services subject to a fee:

• Customer number
• Name
• Personal identity code
• Address
• Telephone number
• Email address
• Invoicing information

In addition to the above, the register contains the following data on radio communication proficiency certificate and endorsement holders:

• Signature sample
• Photograph

In addition to the above, the register contains the following data on radio licence holders:

• Radio licence validity information
• Specifications of radio licences, including the location of the radio transmitter

In addition to the above, the register contains the following data on network licence holders:

• Network licence information

The register may contain data on underage persons and persons subject to a non-disclosure restriction for personal safety reasons.

The register does not contain any personal data that are considered secret pursuant to the Act on the Openness of Government Activities

Sources of the processed data (where the data is received from)

The data sources of the register are documents received from customers and the Digital and Population Data Services Agency ‘s Population Information System.

Storage period of personal data 

The data retention periods are based on currently valid archiving and information management plan principles.

The data are retained for as long as they are needed for carrying out the Finnish Transport and Communications Agency’s statutory administrative tasks.

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

Data on maritime radio licences and proficiency certificates are dis- closed to the Finnish Transport and Communications Agency’s PURKKI system for use by authorities using a secure machine-to- machine (M2M) connection. The data is used to check the validity of maritime radio proficiency certificates.

Data on emergency transmitters (PLB and EPIRB) are disclosed to the Finnish Border Guard’s regional maritime rescue centres for use by authorities via a secure website hosted on the Finnish Transport and Communications Agency’s server that requires strong identification. The data are used in maritime search and rescue situations to determine the source of emergency transmissions.

Personal data related to invoices are disclosed during invoicing to the invoicing customer register of the Finnish Government Shared Services Centre for Finance and HR’s (Palkeet) Kieku system using a secure machine-to-machine (M2M) connection. The data are used for tasks related to invoicing, such as the sending of invoices and collection proceedings.

Processing of personal data on behalf of the controller

As regards data on radio amateur examinations, the data processor is the Finnish Amateur Radio League SRAL, 0202266-8.

Transfer of personal data to third countries outside the EU/EEA

No data is disclosed outside the EU or EEA.

Automated decisionmaking and profiling

Automated decision-making is used in the processing of personal data only when a radio licence that is to enter into effect immediately is applied for via the Finnish Transport and Communications Agency’s electronic radio licence service.

Otherwise, automated decision-making or profiling does not take place.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700

Rights

Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed. If processing takes place, the data subject has the right to access the personal data. 

Right to rectification 

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Right to object 

In situations where the processing of personal data is based on public interest, the exercise of official authority vested in the controller or the legitimate interest of the controller or a third party, the data subject has the right to object to the processing of their personal data.

In situations where personal data is processed for the purpose of carrying out the statutory duties of an authority and if the controller demonstrates compelling legitimate grounds for the processing which override the rights of the data subject, the data subject does not have the right to object to the processing of their personal data.

If the personal data is processed for direct marketing, the data subject has the right to object to the processing without any specific grounds.

Right to restriction of processing 

The data subject has the right to obtain from the controller restriction of processing if:

• the accuracy of the personal data is contested by the data subject

• the processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead

• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims

• the data subject has objected to the processing of the personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

In situations where personal data is processed for statistical or re- search purposes, the data subject may object to the processing on grounds relating to their particular situation, in response to which the controller must stop processing the data subject’s data, unless the processing is necessary for performing a task carried out for reasons of public interest.

Right to data portability

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means.

At Traficom, personal data is most often processed for the purpose of carrying out the statutory tasks of an authority, in which case the data subject does not have the right to data portability.

Right to erasure 

In situations where the legal basis for the processing of personal data is something other than compliance with a legal obligation, public interest or the exercise of official authority vested in the controller, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her. The requested data will be erased unless the controller has a legal basis for refusing to erase the data, such as a legal obligation to retain the data.

At Traficom, personal data is most often processed for the purpose of carrying out the statutory tasks of an authority, in which case the data subject does not have the right to erasure.

Right to withdraw consent

Insofar as personal data is processed on the basis of the consent of the data subject, the data subject may withdraw his or her consent at any time by notifying the controller of the withdrawal. Withdrawing consent will not affect the lawfulness of processing carried out on the basis of the consent of the data subject before its withdrawal.

1.9.2022 421113/00.04.00.03/2022

Grounds for and purpose of the data processing

The data is processed for the purpose of carrying out the controller’s statutory duties. According to section 304 of the Act on Electronic Communications Services (917/2014), Traficom acts as the competent authority referred to in Article 13 of Regulation (EU) 2022/868 of the European Parliament and of the Council on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act). The duties of the competent authority include receiving notifications from data intermediation services providers, maintaining a register of data intermediation services providers and monitoring the activities of data intermediation services providers.

Data content

The data undergoing processing

Information provided by data intermediation services providers in notifications:

1. the name of the data intermediation services provider
2. the data intermediation services provider’s legal status, form, ownership structure, relevant subsidiaries and registration number
3. the address of the data intermediation services provider’s main establishment and, where applicable, of any secondary branch or that of the legal representative
4. a public website
5. the data intermediation services provider’s contact persons and contact details
6. a description of the data intermediation service the data inter- mediation services provider intends to provide, and an indication of the categories listed in Article 10 of the Data Governance Act under which such data intermediation service falls
7. the date for starting the activity
8. name and contact details of the person who submitted the notification.

Sources of the processed data (where the data is received from)

The data is received from data intermediation services providers that submit notifications for data intermediation services.

Storage period of personal data 

The data are stored for as long as is necessary for carrying out the controller’s statutory duties or for 10 years from the end of data intermediation services activities.

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

Data can only be disclosed in accordance with the obligations and re- strictions set out in currently valid legislation or based on the consent of the data subject. Data is not disclosed for direct marketing pur- poses. The data are official documents as referred to in the Act on the Openness of Government Activities (621/1999), access to which can be granted in accordance with the conditions laid down in sections 13 and 16 of said Act, unless they are secret pursuant to said Act or other legislation.

The data are disclosed to the European Commission. The Commission maintains a register of all data intermediation services providers that provide services within the European Union and updates it regularly. The information referred to in points 1, 2, 3, 4, 6 and 7 above must be published in the public national register of recognised data altruism organisations. In addition to this, the Commission and the competent authorities for data intermediation services of other Member States can be provided with data that they need to carry out their duties in accordance with the Data Governance Act.

Processing of personal data on behalf of the controller

No data processing operations have been outsourced to a data processor.

Transfer of personal data to third countries outside the EU/EEA

Traficom will not transfer the personal data to third countries outside the EU/EEA.

Automated decisionmaking and profiling

Data is not used for profiling and the processing of personal data is not subject to automated decision-making.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700

Rights

Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed. If processing takes place, the data subject has the right to access the personal data. 

Right to rectification 

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Right to restriction of processing 

The data subject has the right to obtain from the controller restriction of processing if:

• the accuracy of the personal data is contested by the data subject

• the processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead

• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims

• the data subject has objected to the processing of the personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

TRAFICOM/616755/00.04.00.03/2023

Grounds for and purpose of data processing

The Finnish Transport and Communications Agency Traficom is tasked with supervising Regulation (EU) 2022/2065 of the European Parliament and of the Council on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act, DSA). Traficom acts as the Digital Services Coordinator referred to in Article 49 of the Digital Services Act (DSA), in accordance with section 1 of the Act on the supervision of intermediary services (18/2024), and processes personal data for the performance of the controller’s statutory duties. As the national competent coordinating authority, Traficom supervises the activities of service providers established in Finland in accordance with the Digital Services Act when they offer intermediary services, and processes contacts and complaints from users of such intermediary services. According to Article 3 of the Digital Services Act, intermediary services within the meaning of the DSA include the following information society services: mere conduit, caching, hosting and online platform services. In addition, Traficom processes personal data in the AGORA information sharing system established pursuant to Article 85 of the Digital Services Act and Commission Implementing Regulation (EU) 2024/607, for communications between the coordinators of the Member States, the Commission, the European Board for Digital Services and other national competent authorities in connection with supervision, investigation, enforcement and monitoring under the Digital Services Act. Traficom acts partly as a joint controller in accordance with Annex 1 to Commission Implementing Regulation (EU) 2024/607. In addition, Traficom is also a controller for the DSA data access portal established by Commission Delegated Regulation (EU) 2025/2050, insofar as Traficom processes personal data to manage the data access procedure for vetted researchers pursuant to Article 40 of the Digital Services Act. The purpose of the data portal is to manage the data access process for researchers, service providers and Digital Services Coordinators.

Data content

The data undergoing processing

Traficom processes personal data contained in documents obtained in connection with supervision, investigation, enforcement and monitoring under the Digital Services Act. Such data include identification details, contact information, information relating to a person’s involvement in a case, data relevant to the matter being handled and any other information deemed necessary for supervision, investigation, enforcement and monitoring under Regulation (EU) 2022/2065, in accordance with the data minimisation principle set out in data protection legislation. In addition, Traficom processes data of individuals who have an account in the data access portal or whose personal data is found in the data access portal or included in other data exchanges in connection with the data access process under Commission Delegated Regulation (EU) 2025/2050. The personal data processed include identity data (such as name and user ID), contact information (such as address and email address), personal data contained in documentation demonstrating affiliation to a research organisation, and other such personal data deemed necessary for participation in the data access process, in accordance with the data minimisation principle set out in data protection legislation.

Sources of the processed data (where data is received from)

Data can be obtained from the person themselves, service providers, other authorities or public sources. Personal data is also collected through an electronic form offered to customers. Data may also be obtained from the aforementioned AGORA information sharing system and the data access portal.

Storage period of personal data

Data will be stored as long as it is necessary to carry out the statutory tasks of a controller and in accordance with Traficom's data management plan.

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

Personal data can only be disclosed in accordance with the obligations and restrictions set out in currently valid legislation or with the consent of the data subject. The data is not disclosed for direct marketing purposes. Documents containing personal data are official documents within the meaning of the Act on the Openness of Government Activities (621/1999), which are released upon request in accordance with the requirements of the Act, unless they are non-disclosable under the Act or other legislation. Data can be disclosed to the AGORA information sharing system maintained by the Commission. The Commission and the coordinating and other competent authorities of other Member States may be given the data they need to perform their tasks in accordance with the Digital Services Act.

Processing of personal data on behalf of the controller

The processing activities related to the processing of personal data have not been outsourced to processors, except for those carried out by the Commission. The Commission acts as a processor in accordance with Annex 2 to Commission Implementing Regulation (EU) 2024/607. In addition, the Commission acts as the processor of personal data processed in the DSA data access portal, and its responsibilities as processor for data processing activities in the portal are defined in Annex 1 to Commission Delegated Regulation (EU) 2025/2050.

Transfer of personal data to third countries outside the EU/EEA

Traficom does not transfer personal data to third countries outside the EU/EEA and there is no access to the data from such a country.

Automated decision-making and profiling

The data is not used for profiling and the processing of personal data does not involve automated decision-making.

Rights related to the processing of personal data

About exercising rights

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’.

The right to lodge a complaint with the supervisory authority

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki, Finland
tietosuoja@om.fi

tel. +358 29 566 6700

Rights

Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed. If processing takes place, the data subject has the right to access the personal data.

Right to rectification

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Right to object

In situations where the processing of personal data is based on public interest, the exercise of official authority vested in the controller or the legitimate interest of the controller or a third party, the data subject has the right to object to the processing of personal data concerning him or her.

If a data subject uses his or her right to object, the controller must stop the processing of the personal data, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

If personal data is processed for direct marketing purposes, the data subject has the right to object to the processing without any specific grounds.

In situations where personal data is processed for statistical or research purposes, the data subject may object to the processing on grounds relating to his or her particular situation, in response to which the controller must stop processing the data subject’s data, unless the processing is necessary for performing a task carried out for reasons of public interest.

Right to restriction of processing

The data subject has the right to obtain from the controller restriction of processing if:

• the data subject contests the accuracy of the personal data

• the processing is unlawful, but the data subject opposes the erasure of the personal data and requests the restriction of its use instead

• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims

• the data subject has objected to the processing of the personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

Right to data portability

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means.

In this case, at Traficom, personal data is processed for the purpose of carrying out the statutory tasks of an authority, in which case the data subject does not have the right to data portability, unless separately provided by law.

Right to erasure

In situations where the legal basis for the processing of personal data is something other than compliance with a legal obligation, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her. The requested data will be erased unless the controller has a legal basis for refusing to erase the data, such as a legal obligation to retain the data.

In this case, personal data is processed at Traficom for the purpose of carrying out the statutory tasks of an authority, in which case the data subject does not have the right to erasure of their data.

Right to withdraw consent

Insofar as personal data is processed on the basis of the consent of the data subject, the data subject may withdraw his or her consent at any time by notifying the controller of the withdrawal. Withdrawing consent will not affect the lawfulness of processing carried out on the basis of the consent of the data subject before its withdrawal.

29 October 2025 TRAFICOM/517033/00.04.00.03/2025

Grounds for and purpose of the data processing

The data is processed for the purpose of carrying out the controller’s statutory duties. According to section 304 of the Act on Electronic Communications Services (917/2014), Traficom acts as the competent authority referred to in Article 23 of Regulation (EU) 2022/868 of the European Parliament and of the Council on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act). The duties of the competent authority include receiving the registrations of data altruism organisations, publishing and maintaining a register of recognised data altruism organisations and monitoring their activities.

Data content

The data undergoing processing

Information provided by entities registering as data altruism organisations:

1. the name of the entity
2. the entity’s legal status, form and registration number
3. the statutes of the entity, where appropriate
4. the entity’s sources of income
5. the address of the entity’s main establishment, if any, and, where applicable, any secondary branch or that of the legal representative
6. a public website
7. the entity’s contact persons and contact details
8. the objectives of general interest that the entity intends to promote when collecting data
9. the nature of the data that the entity intends to control or process, and, in the case of personal data, an indication of the categories of personal data
10. any other documents
11. name and contact details of the person who filled in the registration form

Sources of the processed data (where the data is received from)

The data is received from entities registering as data altruism organisations.

Storage period of personal data 

The data are stored for as long as is necessary for carrying out the controller’s statutory duties or for 10 years from the end of data altruism activities.

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

Data can only be disclosed in accordance with the obligations and re- strictions set out in currently valid legislation or based on the consent of the data subject. Data is not disclosed for direct marketing purposes. The data are official documents as referred to in the Act on the Openness of Government Activities (621/1999), access to which can be granted in accordance with the conditions laid down in sections 13 and 16 of said Act, unless they are secret pursuant to said Act or other legislation.

As a competent authority, Traficom must notify the European Commission of all registrations. The Commission then adds them to the public EU register of recognised data altruism organisations.

The information referred to in points 1, 2, 6, 7 and 8 above must be published in the public national register of recognised data altruism organisations.

Processing of personal data on behalf of the controller

No data processing operations have been outsourced to a data processor.

Transfer of personal data to third countries outside the EU/EEA

Traficom will not transfer the personal data to third countries outside the EU/EEA.

Automated decisionmaking and profiling

Data is not used for profiling and the processing of personal data is not subject to automated decision-making.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700

Rights

Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed. If processing takes place, the data subject has the right to access the personal data. 

Right to rectification 

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Right to restriction of processing 

The data subject has the right to obtain from the controller restriction of processing if:

• the accuracy of the personal data is contested by the data subject

• the processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead

• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims

• the data subject has objected to the processing of the personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

TRAFICOM/616742/00.04.00.03/2023

Grounds for and purpose of the data processing

Traficom uses the personal data in the stakeholder register to carry out its tasks related to accessibility laid down in the Act on Electronic Communications Services (917/2014).

The personal data is used for communication between Traficom and the stakeholders, sharing up-to-date information as well as sending the newsletter. 

The basis for the personal data processing is the controller’s performance of a task carried out in the public interest. It is the duty of authorities to produce and share information. As such, the grounds for the processing are public interest based on the controller’s obligation to provide information about current events in the transport and communications sectors, which are part of its field of competence. Furthermore, provisions on Traficom’s duties and special tasks are laid down in the Act on Electronic Communications Services.

The basis for the personal data processing is the controller’s performance of a task carried out in the public interest (Article 6(1)(e) of the General Data Protection Regulation (2016/679) and section 4 of the Data Protection Act (1050/2018)).

Data content

The data undergoing processing

We process the name and contact details of members of the stakeholder groups (name, organisation, email address and title).

Sources of the processed data (where the data is received from)

Data is primarily received from the members of the stakeholder group themselves or representatives of the stakeholder groups (e.g. other people appointed by the contact person). Data on newsletter subscribers (email address) is obtained from the newsletter service.

Storage period of personal data 

Personal data is stored as long as it is necessary to carry out the statutory tasks or until the data subject asks to have his or her data removed from the group.

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

As a rule, personal data is not disclosed to third parties. As a public authority, Traficom’s activities are subject to the Act on the Openness of Government Activities (621/1999).

Processing of personal data on behalf of the controller

The personal data is only processed by Traficom.

Transfer of personal data to third countries outside the EU/EEA

The data will not be transferred outside the EU/EEA.

Automated decisionmaking and profiling

Traficom does not use automated decision-making or profiling in this context.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700

Rights

Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed. If processing takes place, the data subject has the right to access the personal data. 

Right to rectification 

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Right to object 

In situations where the processing of personal data is based on public interest, the exercise of official authority vested in the controller or the legitimate interest of the controller or a third party, the data subject has the right to object to the processing of personal data concerning him or her.

If a data subject uses his or her right to object, the controller must stop the processing of the personal data, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

If personal data is processed for direct marketing purposes, the data subject has the right to object to the processing without any specific grounds. 

In situations where personal data is processed for statistical or research purposes, the data subject may object to the processing on grounds relating to his or her particular situation, in response to which the controller must stop processing the data subject’s data, unless the processing is necessary for performing a task carried out for reasons of public interest. 

Right to restriction of processing 

The data subject has the right to obtain from the controller restriction of processing if:

• the accuracy of the personal data is contested by the data subject

• the processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead

• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims

• the data subject has objected to the processing of the personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

Right to data portability

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means.

At Traficom, personal data is most often processed for the purpose of carrying out the statutory tasks of an authority, in which case the data subject does not have the right to data portability, unless separately provided by law.

Right to erasure 

In situations where the legal basis for the processing of personal data is something other than compliance with a legal obligation, public interest or the exercise of official authority vested in the controller, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her. The requested data will be erased unless the controller has a legal basis for refusing to erase the data, such as a legal obligation to retain the data.

Right to withdraw consent

Insofar as personal data is processed on the basis of the consent of the data subject, the data subject may withdraw his or her consent at any time by notifying the controller of the withdrawal. Withdrawing consent will not affect the lawfulness of processing carried out on the basis of the consent of the data subject before its withdrawal.

2.2.2023

Grounds for and purpose of the data processing

The Finnish Transport and Communications Agency Traficom processes personal data to process the notifications required under the Act on the Provision of Digital Services (306/2019), the Act on Electronic Communications Services (917/2014) and the Act on Accessibility Requirements for Certain Products (102/2023). The processing of personal data is necessary for compliance with a legal obligation (Article 6(1)(c) of the General Data Protection Regulation (EU) 2016/679, ‘GDPR’).

According to section 10e of the Act on the Provision of Digital Services and section 194g of the Act on Electronic Communications Services (917/2014), a service provider who derogates from accessibility requirements shall notify the supervisory authority of the deviations.

According to section 10g of the Act on the Provision of Digital Services and section 194e of the Act on Electronic Communications Services, a service provider shall notify the supervisory authority of deficiencies and the related corrective action if a service does not comply with accessibility requirements.

According to section 8 of the Act on Accessibility Requirements for Certain Products, an economic operator who derogates from accessibility requirements shall notify the market surveillance authority of the deviations.

The purpose of collecting personal data is to ensure that the notifications submitted to Traficom are appropriate and that the accessibility requirements for digital services and products can be monitored in the manner required in the above-mentioned legislation.

Data content

The data undergoing processing

Under section 10 of the Act on the Provision of Digital Services, service providers and product manufacturers, importers and distributors have a legal obligation to notify the supervisory authority if a service or a product does not meet the accessibility requirements or if the operator relies on the grounds for derogation. The individuals from whom personal data is collected do not constitute a specific, uniform group or category.

The data collected from individuals includes: the contact person’s name and email address. The data is of a contact information nature. The data is used for the purpose of reaching and identifying the individual in situations where it is necessary to contact the person who has acted on behalf of an organisation.

Sources of the processed data (where the data is received from)

The processed personal data is collected with an electronic form for deficiency and deviation notifications. The form is available on the websites saavutettavuusvaatimukset.fi and traficom.fi.

Storage period of personal data 

Personal data is stored in compliance with the storage period provisions of the Archives Act (831/1994), Traficom’s filing plan and the regulations of the National Archives Service.

The personal data is stored for 5 years.

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

The data may only be disclosed as allowed and required by the law.

According to section 1 of the Act on the Openness of Government Activities (621/1999), official documents shall be in the public domain, unless specifically provided otherwise.

Under section 9 of the Act, everyone has the right of access to an official document in the public domain.

Deficiency and deviation notifications submitted to Traficom are documents in the public domain insofar as they do not contain non-disclosable information as referred to in section 24 of the Act.

Documents that contain personal data and are in the public domain can be disclosed on the basis of a request for access to the party requesting access.

Transfer of personal data to third countries outside the EU/EEA

Personal data is not transferred to third countries outside the EU/EEA.

Automated decisionmaking and profiling

The processing of personal data does not involve automated decision-making or profiling.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700

Rights

Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed. If processing takes place, the data subject has the right to access the personal data. 

Right to rectification 

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Right to object 

In situations where the processing of personal data is based on public interest, the exercise of official authority vested in the controller or the legitimate interest of the controller or a third party, the data subject has the right to object to the processing of personal data concerning him or her.

If a data subject uses his or her right to object, the controller must stop the processing of the personal data, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

If personal data is processed for direct marketing purposes, the data subject has the right to object to the processing without any specific grounds. 

In situations where personal data is processed for statistical or research purposes, the data subject may object to the processing on grounds relating to his or her particular situation, in response to which the controller must stop processing the data subject’s data, unless the processing is necessary for performing a task carried out for reasons of public interest. 

Right to restriction of processing 

The data subject has the right to obtain from the controller restriction of processing if:

• the accuracy of the personal data is contested by the data subject

• the processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead

• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims

• the data subject has objected to the processing of the personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

Right to data portability

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means.

Right to erasure 

In situations where the legal basis for the processing of personal data is something other than compliance with a legal obligation, public interest or the exercise of official authority vested in the controller, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her. The requested data will be erased unless the controller has a legal basis for refusing to erase the data, such as a legal obligation to retain the data.

Right to withdraw consent

Insofar as personal data is processed on the basis of the consent of the data subject, the data subject may withdraw his or her consent at any time by notifying the controller of the withdrawal. Withdrawing consent will not affect the lawfulness of processing carried out on the basis of the consent of the data subject before its withdrawal.

22.5.2025 TRAFICOM/293929/00.04.00.03/2025

Grounds for and purpose of the data processing

The Finnish Transport and Communications Agency Traficom serves as the supervisory authority referred to in the Act on the Provision of Digital Services (306/2019, hereinafter the Digital Services Act).

The Finnish Transport and Communications Agency Traficom handles personal data to process the complaints on web accessibility and requests for clarification laid down in section 11 of the Digital Services Act. The processing of personal data is necessary to comply with a legal obligation (Article 6(1)(c) of the General Data Protection Regulation (EU) 2016/679).

The purpose of collecting personal data is to ensure the delivery of the necessary requests for supplementing information to secure the processing of complaints and requests for clarification. In addition, the purpose of collecting personal data is to ensure that the notification of not admitting the complaint for examination as referred to in section 53 b of the Administrative Procedure Act can be delivered to the person who submitted the complaint.

Data content

The data undergoing processing

Under section 11 of the Digital Services Act, everyone has the right to submit a complaint on web accessibility or a request for clarification. The persons from whom personal data is collected do not form a specific uniform set or group.

The data collected from these persons are: name, email, street address, post code, town/city and telephone number. The nature of the information is contact details. The information is used to get in touch with the person, if necessary.

A complaint on web accessibility or a request for clarification can also be submitted anonymously.

Sources of the processed data (where the data is received from)

The personal data to be processed are collected from the person submitting the complaint on web accessibility or the request for clarification with the Complaint on web accessibility and request for clarification form, which is electronically available at saavutettavuusvaatimukset.fi.

Storage period of personal data 

Personal data is stored according to provisions on storage periods in the Archives Act (831/1994), in Traficom's archive formation plan and in the regulations of the National Archives Service.

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

The data can be disclosed only within the limits permitted and obligated by legislation. Under section 1 of the Act on the Openness of Government Activities (621/1999), official documents are in the public domain unless specifically provided otherwise.

Under section 9 of the Act, everyone has the right of access to an official document in the public domain.

The complaints on web accessibility and requests for information received by Traficom are documents in the public domain to the extent that they do not contain the secret information referred to in section 24 of the Act on the Openness of Government Activities.

Based on a request for information, public documents containing personal data can be disclosed to a person who has submitted such a request.

Transfer of personal data to third countries outside the EU/EEA

Personal data are not transferred to third countries outside the EU/EEA.

Automated decisionmaking and profiling

The processing of personal data does not include automated decision-making or profiling.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700

Rights

Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed. If processing takes place, the data subject has the right to access the personal data. 

Right to rectification 

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Right to object 

In situations where the processing of personal data is based on public interest, the exercise of official authority vested in the controller or the legitimate interest of the controller or a third party, the data subject has the right to object to the processing of personal data concerning him or her.

If a data subject uses his or her right to object, the controller must stop the processing of the personal data, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

The data subject has the right to object to the processing without separate justifications if the data are processed for the purposes of direct marketing.

In situations where personal data is processed for statistical or research purposes, the data subject may object to the processing on grounds relating to his or her particular situation, in response to which the controller must stop processing the data subject’s data, unless the processing is necessary for performing a task carried out for reasons of public interest. 

Right to restriction of processing 

The data subject has the right to obtain from the controller restriction of processing if:

• the accuracy of the personal data is contested by the data subject

• the processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead

• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims

• the data subject has objected to the processing of the personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

Right to data portability

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means.

Right to erasure 

In situations where the legal basis for the processing of personal data is something other than compliance with a legal obligation, public interest or the exercise of official authority vested in the controller, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her. The requested data will be erased unless the controller has a legal basis for refusing to erase the data, such as a legal obligation to retain the data.

Right to withdraw consent

Insofar as personal data is processed on the basis of the consent of the data subject, the data subject may withdraw his or her consent at any time by notifying the controller of the withdrawal. Withdrawing consent will not affect the lawfulness of processing carried out on the basis of the consent of the data subject before its withdrawal.

23.12.2024 TRAFICOM/708374/00.04.00.03/2024

Grounds for and purpose of the data processing

Under section 10 of the Act on the Provision of Digital Services (306/2019, hereinafter the Digital Services Act), everyone has the right to send feedback to the service providers’ electronic contact address indicated in the accessibility statement regarding the deviations from accessibility requirements they have observed in the digital service or request specifications for the justifications for a disproportionate burden.

The Finnish Transport and Communications Agency Traficom handles personal data to process the accessibility feedback laid down in section 10 of the Digital Services Act. The processing of personal data is necessary to comply with a legal obligation (Article 6(1)(c) of the General Data Protection Regulation (EU) 2016/679).

The purpose of collecting personal data is to ensure that Traficom will be able to send an electronic acknowledgement of receipt for accessibility feedback and respond to the feedback as required by the Digital Services Act.

Data content

The data undergoing processing

Under section 10 of the Digital Services Act, everyone has the right to give accessibility feedback. The persons from whom personal data is collected do not form a specific uniform set or group.

The data collected from these persons are: name, email, street address, post code, town/city and telephone number. The nature of the information is contact details. The information is used to get in touch with the person.

Accessibility feedback can also be left anonymously.

Sources of the processed data (where the data is received from)

The personal data processed is collected with an electronic form from the person providing the accessibility feedback. The form is available at saavutettavuusvaatimukset.fi.

Storage period of personal data 

Personal data is stored according to provisions on storage periods in the Archives Act (831/1994), in Traficom’s archive formation plan and in the regulations of the National Archives Service.

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

The data can be disclosed only within the limits permitted and obligated by legislation. Under section 1 of the Act on the Openness of Government Activities (621/1999), official documents are in the public domain unless specifically provided otherwise.

Under section 9 of the Act, everyone has the right of access to an official document in the public domain.

Accessibility feedback submitted to Traficom and the responses given to the feedback received are in the public domain to the extent that they do not contain the secret information referred to in section 24 of the Act.

Based on a request for information, public documents containing personal data can be disclosed to a person who has submitted such a request.

Transfer of personal data to third countries outside the EU/EEA

Personal data are not transferred to third countries outside the EU/EEA.

Automated decisionmaking and profiling

The processing of personal data does not include automated decision-making or profiling.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700

Rights

Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed. If processing takes place, the data subject has the right to access the personal data. 

Right to rectification 

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Right to object 

In situations where the processing of personal data is based on public interest, the exercise of official authority vested in the controller or the legitimate interest of the controller or a third party, the data subject has the right to object to the processing of personal data concerning him or her.

If a data subject uses his or her right to object, the controller must stop the processing of the personal data, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

If personal data is processed for direct marketing purposes, the data subject has the right to object to the processing without any specific grounds. 

In situations where personal data is processed for statistical or research purposes, the data subject may object to the processing on grounds relating to his or her particular situation, in response to which the controller must stop processing the data subject’s data, unless the processing is necessary for performing a task carried out for reasons of public interest. 

Right to restriction of processing 

The data subject has the right to obtain from the controller restriction of processing if:

• the accuracy of the personal data is contested by the data subject

• the processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead

• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims

• the data subject has objected to the processing of the personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

Right to data portability

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means.

Right to erasure 

In situations where the legal basis for the processing of personal data is something other than compliance with a legal obligation, public interest or the exercise of official authority vested in the controller, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her. The requested data will be erased unless the controller has a legal basis for refusing to erase the data, such as a legal obligation to retain the data.

Right to withdraw consent

Insofar as personal data is processed on the basis of the consent of the data subject, the data subject may withdraw his or her consent at any time by notifying the controller of the withdrawal. Withdrawing consent will not affect the lawfulness of processing carried out on the basis of the consent of the data subject before its withdrawal.

23.12.2024 TRAFICOM/708335/00.04.00.03/2024 

Grounds for and purpose of the data processing

The processing of personal data is based on the performance of the controller's statutory tasks. According to section 2, subsection 1, paragraph 2 of the Act on the Finnish Transport and Communications Agency (935/2018) and section 3 of the Aviation Act (864/2014), Traficom is the competent authority for aviation oversight.

The information obtained through notifications is used to detect disruptions caused by aviation (e.g. noise, use of the area, damage caused), to identify aviation activities requiring intervention by the authorities and to oversee aviation activities in general.

Data content

The data undergoing processing

The register contains the following information:

• The name (mandatory), telephone number, and e-mail address of the notifier
• The location, date, time, and description (all mandatory) of the event
• The registration number of the aircraft, other markings or symbols of the aircraft, the aircraft type (mandatory)
• Additional information, if any
• Attachments, if any

Sources of the processed data (where the data is received from)

In order to carry out its tasks, Traficom receives data from data subjects themselves.

Storage period of personal data 

Stored permanently.

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

Data is not regularly disclosed.

Data is disclosed to those requesting it in accordance with the Act on the Openness of Government Activities. The data and documents are public, unless specifically prescribed as confidential by law.

Processing of personal data on behalf of the controller

Personal data is processed by Traficom and the processing has not been transferred by contract to other parties.

Transfer of personal data to third countries outside the EU/EEA

Traficom has the right to disclose information in the register to foreign authorities or for official functions if the disclosure is provided for in law, European Community law or through international agreement binding on Finland. If personal data is transferred outside the European Economic Area, the conditions of Chapter V of the European Union’s General Data Protection Regulation must be met.

Automated decisionmaking and profiling

Traficom does not use automatic decision-making or profiling.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700

Rights

Right of access

The data subject shall have the right to know whether Traficom is processing personal data concerning him/her or not, as well as to access personal data concerning him/her that is being processed by Traficom.

Right to rectification 

The data subject shall have the right to demand that Traficom rectify inaccurate personal data concerning the data subject or supplement incomplete personal data.

Right to object 

The legal basis for the processing of personal data is the performance of a statutory task.

Right to have data transferred between systems 

The legal basis for the processing of personal data is the performance of a statutory obligation, in which case this right does not apply to Traficom.

Right to removal of information 

The legal basis for the processing of personal data is the performance of a statutory obligation, in which case this right does not apply to Traficom.

Grounds for and purpose of the data processing

Traficom processes the data stored in the register on the basis of Article 6(1)(c) of the General Data Protection Regulation (EU) 2016/679 in order to comply with a legal obligation. Special categories of personal data and personal data relating to criminal convictions and offences are processed by Traficom on the basis of section 6, subsection 1, paragraph 2 of the Data Protection Act (1050/2018), meaning that the processing is provided by law or derives directly from a statutory duty set out for Traficom by law. 

Section 101 of the Aviation Act (864/2014) lays down provisions on background checks in aviation. 

In order to check a person’s background, a security clearance vetting is requested. According to the Act, the airport operator applies for security clearance vetting on persons referred to in section 19, subsection 1, paragraph 7 and section 21, subsection 1, paragraph 4a of the Security Clearance Act (726/2014). Regardless of secrecy regulations, the airport operator must provide Traficom with any such information discovered in a personnel security clearance vetting or integrity monitoring carried out in accordance with section 51 of the Security Clearance Act that is necessary for assessing the granting of a permit or approval that requires compliance with the requirements related to background checks. 

According to section 3 of the Aviation Act, Traficom acts as Finland’s competent national aviation authority and is responsible for issuing permits and approvals for tasks that require compliance with the requirements related to background checks. However, the airport operator is responsible for granting access permits referred to in section 102 and airport identification cards referred to in section 103 of the Aviation Act. 

Under section 181 of the Aviation Act, Traficom may process data that is necessary for granting access permits or airport identification cards when a revision of a decision made by the airport operator is claimed from Traficom.

Data content

The data undergoing processing

The data undergoing processing The background check register contains data on:

• persons who work in tasks related to aviation security checks, access control or other security control measures outside a security restricted area in an airport or who work in tasks where they can independently access air cargo, air mail, air carrier mail and air carrier materials or in-flight supplies or airport supplies after they have been subject to security control measures
• persons who are responsible for aviation security checks, access control or other security control measures or implement them in a security restricted area in an airport or otherwise have independent access to security restricted areas in the airport in their tasks
• regulated agents, known consignors and regulated suppliers.

Data that may be recorded of natural persons:

• first names and last name
• date of birth or personal identity code
• nationality
• contact information
• employer and work task
• information contained in a written notice issued of a personnel security clearance vetting or integrity monitoring related to
  • criminal records
  • the register of fines
  • credit records and the enforcement register
  • a criminal matter pending pre-trial investigation, consideration of charges or court proceedings
  • a security clearance vetting interview
  • information provided by the National Bureau of Investigation related to the prevention or disclosure of crime
  • information that the subject of the vetting has resided abroad for an uninterrupted period of more than five years during the ten years preceding the security clearance.

Data that may be recorded of legal persons:

• name, auxiliary business name and Business ID
• domicile
• contact information
• information on the security manager.

Sources of the processed data (where the data is received from)

In order to carry out its duties, Traficom receives data from Finavia (Business ID: 2302570-2). Furthermore, Traficom may request data from the data subjects themselves and their employers, if necessary.

Storage period of personal data 

The information in the register is stored permanently with the exception of written notices regarding the security clearance vetting and integrity monitoring concerning a natural person. These documents are kept for five years after the calendar year when the final decision was given.

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

Regular disclosures. Traficom may disclose data to the subject of a background check, the applying company and Finavia within the limits of the law.

Data may also be disclosed to other parties within the limits of the law.

Transfer of personal data to third countries outside the EU/EEA

Traficom does not transfer personal data outside the EU/EEA.

Automated decisionmaking and profiling

Traficom does not use automated decision-making or profiling.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700

Rights

Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed. If processing takes place, the data subject has the right to access the personal data. 

Right to rectification 

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Right to restriction of processing 

The data subject has the right to obtain from the controller restriction of processing if:

• the accuracy of the personal data is contested by the data subject

• the processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead

• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims

• the data subject has objected to the processing of the personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

5.4.2024 TRAFICOM/77830/00.04.00.03/2023

Grounds for and purpose of the data processing

According to section 304, subsection 14 of the Act on Electronic Communications Services (917/2014), Traficom acts as a national cybersecurity certification authority in accordance with Regulation (EU) 2019/881 of the European Parliament and of the Council on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act).

As regards operators based in Finland, Traficom shall supervise compliance with obligations arising from the Cybersecurity Act (EU) 2019/881 and compliance with cybersecurity certification schemes drawn up in accordance with the Cybersecurity Act.

In order to carry out its statutory duties, Traficom collects personal data and contact details that are necessary for its supervisory tasks.

The basis for the personal data processing is compliance with a legal obligation to which the controller is subject (Article 6(1)(c) of the General Data Protection Regulation).

Data content

The data undergoing processing

Traficom processes the names and contact details for the contact persons of the supervised parties and, if necessary, the names and contact details of other personnel (for example organisation, email, telephone number) and, if necessary, data describing the person’s position, duties or qualifications (for example title, role, education).

As regards complaints in relation to certificates or certifications, the contact details for the complainant are processed as necessary during the processing of the complaint and for informing the complainant of the progress of the matter.

In addition, Traficom processes contact details that are needed for interacting with different stakeholders and contact details obtained through contacts from different sources.

Sources of the processed data (where the data is received from)

Data can be obtained from the person themselves, from the person's organisation, from a party subject to the supervision, from another authority or from public sources. Personal data can also be collected through electronic forms offered to customers.

Storage period of personal data 

Data is stored as long as it is necessary to carry out the statutory tasks and in accordance with Traficom's data management plan.

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

Personal data can only be disclosed in accordance with the obligations and restrictions set out in currently valid legislation or with the consent of the data subject.

The data is not disclosed for direct marketing purposes. Documents containing personal data are official documents within the meaning of the Act on the Openness of Government Activities (621/1999), which are released upon request in accordance with the requirements of the Act, unless they cannot be kept secret under the Act or other legislation.

Processing of personal data on behalf of the controller

Processing activities related to data processing have not been outsourced to personal data processors.

Transfer of personal data to third countries outside the EU/EEA

Traficom does not transfer personal data to third countries outside the EU/EEA and there is no access to the data from such a country.

Automated decisionmaking and profiling

The data is not used for profiling and the processing of personal data does not involve automatic decision-making.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700

Rights

Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed. If processing takes place, the data subject has the right to access the personal data. 

Right to rectification 

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Right to object 

In situations where the processing of personal data is based on public interest, the exercise of official authority vested in the controller or the legitimate interest of the controller or a third party, the data subject has the right to object to the processing of personal data concerning him or her.

If a data subject uses his or her right to object, the controller must stop the processing of the personal data, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

If personal data is processed for direct marketing purposes, the data subject has the right to object to the processing without any specific grounds. 

In situations where personal data is processed for statistical or research purposes, the data subject may object to the processing on grounds relating to his or her particular situation, in response to which the controller must stop processing the data subject’s data, unless the processing is necessary for performing a task carried out for reasons of public interest. 

Right to restriction of processing 

The data subject has the right to obtain from the controller restriction of processing if:

• the accuracy of the personal data is contested by the data subject

• the processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead

• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims

• the data subject has objected to the processing of the personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

Right to data portability

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means.

Right to erasure 

In situations where the legal basis for the processing of personal data is something other than compliance with a legal obligation, public interest or the exercise of official authority vested in the controller, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her. The requested data will be erased unless the controller has a legal basis for refusing to erase the data, such as a legal obligation to retain the data. In this case, personal data is processed at Traficom for the purpose of carrying out the statutory tasks of an authority, in which case the data subject does not have the right to erasure of their data.

Right to withdraw consent

Insofar as personal data is processed on the basis of the consent of the data subject, the data subject may withdraw his or her consent at any time by notifying the controller of the withdrawal. Withdrawing consent will not affect the lawfulness of processing carried out on the basis of the consent of the data subject before its withdrawal.

19.11.2024 TRAFICOM/655279/00.04.00.03/2024

Grounds for and purpose of the data processing

According to section 304, subsection 14 of the Act on Electronic Communications Services (917/2014), Traficom acts as a national cybersecurity certification authority in accordance with Regulation (EU) 2019/881 of the European Parliament and of the Council on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act). The national cybersecurity certification authority’s contact form can be used to present questions, give feedback or ask for advice regarding EU cybersecurity certification schemes.

The personal data on the form is used for processing the matter reported on the form and for informing the sender of the form about the progress of the matter. The basis for the personal data processing is the performance of a task carried out in the public interest (Article 6(1)(e) of the General Data Protection Regulation).

Data content

The data undergoing processing

Traficom processes the contact details of the sender of the form, such as first name, last name and email address and, if necessary, phone number. For corporate customers, also the name of the organisation is collected.

Sources of the processed data (where the data is received from)

The information to be processed is obtained from the sender of the form themselves.

Storage period of personal data 

Data is stored as long as it is necessary to carry out a task of public interest in accordance with the processing, but not for longer than 5 years from the moment that the data was saved.

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

Personal data can only be disclosed in accordance with the obligations and restrictions set out in currently valid legislation or with the consent of the data subject.

The data is not disclosed for direct marketing purposes.

Processing of personal data on behalf of the controller

Processing activities related to data processing have not been outsourced to personal data processors.

Transfer of personal data to third countries outside the EU/EEA

Traficom does not transfer personal data to third countries outside the EU/EEA and there is no access to the data from such a country.

Automated decisionmaking and profiling

The data is not used for profiling and the processing of personal data does not involve automatic decision-making.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700

Rights

Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed. If processing takes place, the data subject has the right to access the personal data. 

Right to rectification 

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Right to object 

In situations where the processing of personal data is based on public interest, the exercise of official authority vested in the controller or the legitimate interest of the controller or a third party, the data subject has the right to object to the processing of personal data concerning him or her.

If a data subject uses his or her right to object, the controller must stop the processing of the personal data, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

If personal data is processed for direct marketing purposes, the data subject has the right to object to the processing without any specific grounds. 

In situations where personal data is processed for statistical or research purposes, the data subject may object to the processing on grounds relating to his or her particular situation, in response to which the controller must stop processing the data subject’s data, unless the processing is necessary for performing a task carried out for reasons of public interest. 

Right to restriction of processing 

The data subject has the right to obtain from the controller restriction of processing if:

• the accuracy of the personal data is contested by the data subject

• the processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead

• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims

• the data subject has objected to the processing of the personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

Right to data portability

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means.

Right to erasure 

In situations where the legal basis for the processing of personal data is something other than compliance with a legal obligation, public interest or the exercise of official authority vested in the controller, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her. The requested data will be erased unless the controller has a legal basis for refusing to erase the data, such as a legal obligation to retain the data.

Right to withdraw consent

Insofar as personal data is processed on the basis of the consent of the data subject, the data subject may withdraw his or her consent at any time by notifying the controller of the withdrawal. Withdrawing consent will not affect the lawfulness of processing carried out on the basis of the consent of the data subject before its withdrawal.

19.11.2024 TRAFICOM/655288/00.04.00.03/2024

Grounds for and purpose of the data processing

National Cyber Security Centre Finland’s extranet solution serves the needs of stakeholder communication. Extranets are used to support efficient and reliable exchange of information between internal users and stakeholders’ designated end users. Extranets are closed forums for exchanging information and the purpose of the possible processing of personal data is to ensure the sharing of information regarding current information security matters. The extranet solution that is taken into use in 2025 will replace the previous outdated extranet solution.

Traficom processes personal data provided by the stakeholder’s contact persons insofar as they have been received. The basis for the personal data processing is the controller’s performance of tasks carried out in the public interest (Article 6(1)(e) of the EU General Data Protection Regulation). The duties of Traficom are, among others, to disseminate information on information security matters and on the functioning of communications networks and services (section 304, subsection 1, paragraph 8 of the Act on Electronic Communications Services).

Data content

The data undergoing processing

We process the data of those who have logged in as extranet users. The users are Traficom’s own employees who handle cooperation in accordance with their job description and contact persons who have been selected by stakeholder collaboration partners. We process the name and contact details of data subjects, such as organisation, e-mail address or telephone number.

Sources of the processed data (where the data is received from)

The data is received primarily from the stakeholders’ representatives and contact persons and through their system logins (for example the company’s contact person designates the users for their own company). Only name, e-mail address, telephone number and organisation is mandatory information.

Storage period of personal data 

Personal data is stored for as long as the group exists or until the data subject or the contact person of the organisation that the data subject represents asks to have the data removed from the group.

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

Data can only be disclosed in accordance with the obligations and restrictions set out in currently valid legislation.

The data is not disclosed for direct marketing purposes.

Processing of personal data on behalf of the controller

The personal data is processed only by Traficom.

Transfer of personal data to third countries outside the EU/EEA

The data will not be transferred outside the EU/EEA.

Automated decisionmaking and profiling

The processing of personal data does not involve automated decision making or profiling.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700

Rights

Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed. If processing takes place, the data subject has the right to access the personal data. 

Right to rectification 

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Right to object 

In situations where the processing of personal data is based on public interest, the exercise of official authority vested in the controller or the legitimate interest of the controller or a third party, the data subject has the right to object to the processing of personal data concerning him or her.

If a data subject uses his or her right to object, the controller must stop the processing of the personal data, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

If personal data is processed for direct marketing purposes, the data subject has the right to object to the processing without any specific grounds. 

In situations where personal data is processed for statistical or research purposes, the data subject may object to the processing on grounds relating to his or her particular situation, in response to which the controller must stop processing the data subject’s data, unless the processing is necessary for performing a task carried out for reasons of public interest. 

Right to restriction of processing 

The data subject has the right to obtain from the controller restriction of processing if:

• the accuracy of the personal data is contested by the data subject

• the processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead

• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims

• the data subject has objected to the processing of the personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

Right to data portability

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means.

Right to erasure 

In situations where the legal basis for the processing of personal data is something other than compliance with a legal obligation, public interest or the exercise of official authority vested in the controller, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her. The requested data will be erased unless the controller has a legal basis for refusing to erase the data, such as a legal obligation to retain the data.

Right to withdraw consent

Insofar as personal data is processed on the basis of the consent of the data subject, the data subject may withdraw his or her consent at any time by notifying the controller of the withdrawal. Withdrawing consent will not affect the lawfulness of processing carried out on the basis of the consent of the data subject before its withdrawal.

7.1.2025 TRAFICOM/44993/00.04.00.03/2025

Grounds for and purpose of the data processing

The basis for the personal data processing is the controller’s performance of a task carried out in the public interest (Article 6(1)(e) of the General Data Protection Regulation (2016/679) and section 4 of the Data Protection Act (1050/2018)).

In accordance with Section 3 of the Act on the Finnish Transport and Communications Agency (935/2018), the task of the National Cyber Security Centre Finland at the Finnish Transport and Communications Agency is to maintain the situational picture of national information security. Pursuant to section 304(1)(7) of the Act on Electronic Communications Services (917/2014), the Finnish Transport and Communications Agency's task is to collect information on data security breaches and threats to online services, communication services, value-added services and information systems, as well as failure and disruption situations of communication networks and communication services. For these purposes, the National Cyber Security Centre Finland's data breach notification form collects information about data security breaches described by the notifiers. In order to implement this collection, it is necessary to process the personal data described in this privacy statement.

Data content

The data undergoing processing

The data processed are the information provided by the person filling out the notification form regarding the reported data security breach. This information may include personal information. Registered persons are the notifier and the persons whose information is entered into the form.

The personal data processed are the data of persons related to the data security breach communicated to the controller or included in the open fields of the form and in the attached files, such as:

• Contact information, such as name, e-mail, phone number, address, role in the organisation and other stated contact information
• Information about the violation and related personal information, such as user account and login information and profile pictures of social media or other online environments, or information about the existence of such an ID; financial, bank or payment information, device information such as IMEI code; information about the filing of a report of an offence and related information, such as information about the person who made the report of an offence, information about the police department that received the report and the time of filing; information about any other persons mentioned in the information security breach notification, as well as electronic messages and message forwarding information
• Technical data related to the notifier, such as IP address, browser information and browser version
• Other, including special categories, information about the data subject that may emerge from the description of the data breach, or personal identity code (for example, in phishing situations) and information derived from the personal identity code, such as age and gender
• Information on whether the notifier gives consent to provide information to another authority.

The possible processing of special categories of personal data groups is based on Article 9, Section 2, Subsection (g) and possibly Subsection (e) of the General Data Protection Regulation (EU). Possible processing of the personal identity code takes place on the basis of section 29 subsection 1 of the Data Protection Act.

Sources of the processed data (where the data is received from)

The information to be processed is obtained from the person making the notification. The information is given on a form that is filled out on the website of the National Cyber Security Centre Finland or by sending the information by e-mail to the CERT e-mail box. Information can also be obtained from the exchange of messages between the controller and the person filling out the notification form or other contact person related to the data security breach situation.

Storage period of personal data 

Personal data will be stored as long as processing it is necessary to fulfil the purposes described in this data protection statement, however for a maximum of ten years from the end of the calendar year during which the data was obtained (Act on Electronic Communications Services Section 316 Subsection 4).

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

Data breach information, including personal data, can be exchanged confidentially with other authorities relevant to the breach when required or permitted by law. The person who fills out the form is asked if they consent to the transfer of information to another authority.

The data is not disclosed for direct marketing purposes.

Processing of personal data on behalf of the controller

There are no separate processors, i.e. the personal data is not processed on behalf of the controller.

Transfer of personal data to third countries outside the EU/EEA

The data will not be transferred outside the EU/EEA.

Automated decisionmaking and profiling

Automatic decision-making or profiling is not used.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700

Rights

Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed. If processing takes place, the data subject has the right to access the personal data. 

Right to rectification 

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Right to object 

In situations where the processing of personal data is based on public interest, the exercise of official authority vested in the controller or the legitimate interest of the controller or a third party, the data subject has the right to object to the processing of personal data concerning him or her.

If a data subject uses his or her right to object, the controller must stop the processing of the personal data, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

If personal data is processed for direct marketing purposes, the data subject has the right to object to the processing without any specific grounds. 

In situations where personal data is processed for statistical or research purposes, the data subject may object to the processing on grounds relating to his or her particular situation, in response to which the controller must stop processing the data subject’s data, unless the processing is necessary for performing a task carried out for reasons of public interest. 

Right to restriction of processing 

The data subject has the right to obtain from the controller restriction of processing if:

• the accuracy of the personal data is contested by the data subject

• the processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead

• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims

• the data subject has objected to the processing of the personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

Right to data portability

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means.

Right to erasure 

In situations where the legal basis for the processing of personal data is something other than compliance with a legal obligation, public interest or the exercise of official authority vested in the controller, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her. The requested data will be erased unless the controller has a legal basis for refusing to erase the data, such as a legal obligation to retain the data.

Right to withdraw consent

Insofar as personal data is processed on the basis of the consent of the data subject, the data subject may withdraw his or her consent at any time by notifying the controller of the withdrawal. Withdrawing consent will not affect the lawfulness of processing carried out on the basis of the consent of the data subject before its withdrawal.

7.3.2024 TRAFICOM/105033/00.04.00.03/2024

Grounds for and purpose of the data processing

Traficom’s National Coordination Centre processes the personal data of representatives of stakeholders included on the membership list insofar as these persons are members of one of Traficom’s stakeholders. The purpose of the processing of personal data is maintaining con- tact and engaging in cooperation with different stakeholder representatives. Personal data is also processed for the purpose of updating contact details and managing the cancellation of competence network membership, using a separate form.

Forms of cooperation include working groups established and events organised by Traficom and other communications, for which Traficom maintains contact and other information on stakeholders. The cooperation also includes the exchange of information regarding requests for cooperation in EU funding applications, particularly to promote pan-European consortium and project partnership cooperation.

The basis for the personal data processing is the controller’s performance of its statutory duties (Article 6(1)(c) of the EU’s General Data Protection Regulation). As a national authority, Traficom’s National Coordination Centre carries out tasks laid down in the regulation establishing the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres (EU 2021/887 Article 7), which include:

• promoting and disseminating the relevant outcomes of the work of the Network, the Community and the Competence Centre at national, regional or local level
• assessing requests by entities established in the same Member State as the national coordination centre to become part of the Community.

Data content

The data undergoing processing

Traficom processes the following information concerning stakeholder representatives.

Personal data processed

• Identifying information: person’s name and title
• Contact information: person’s email address, mobile telephone number, name of organization
• Information concerning the organisation collected during sign-up: type and industry of the organisation and what kind of communications the organisation and its representative wish to receive. In addition to these, information is collected on willingness to participate in or receive more information on cross-border EU projects, the development of cooperation or advocacy
• Consortium and project partner information: information about the research or project and the funding being applied for, insofar as they involve personal data, such as the contact information of consortium members
• Membership and mailing list management data: information on the cancellation of membership and any voluntary information provided regarding the reasons for the cancellation.

Information is also collected utilising the Webropol survey platform. Webropol uses necessary cookies for the functioning of its service plat- form and collects the data specified below using them. These cookies are connected to the functionality and quality control of the service.

Webropol collects e.g. the following information using cookies:

• operating system
• browser version
• IP address
• browser add-ons
• number of times the survey has been opened in the space of one week
• page download time
• incomplete responses.

Sources of the processed data (where the data is received from)

To perform its statutory duties, Traficom collects data on its stakeholders and customers from the individuals filling out forms, data subjects themselves, their employers or public sources. As part of the performance of its statutory duties, the controller also identifies active operators in different industries and utilises industry publications, among others.

Storage period of personal data 

The data are stored for as long as Traficom maintains the competence community and for as long as storing the data is necessary for the achievement of the competence community’s objectives.

Webropol stores data collected through cookies for 14 days.

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

Data can only be disclosed in accordance with the obligations and restrictions set out in currently valid legislation.

Data is not disclosed for direct marketing purposes.

Personal data collected via Webropol survey forms is stored on the Webropol Oy (business ID: FI17739602) service platform. Webropol Oy and Traficom have an agreement on processing personal data.

Processing of personal data on behalf of the controller

Webropol Oy (business ID: FI17739602) serves as the processor of the personal data and its subcontractors Telia Inmics-Nebula Oy (business ID: 2546028-1) and Qumio Oy (business ID: 2466203-3) serve as subprocessors.

Webropol may not transfer personal data to third parties, except to specific subcontractors agreed upon by Webropol and Traficom.

The following subcontractors may act as processors in accordance with the definition in the data protection regulations when serving as Webropol subcontractors to ensure and improve the development, usability and reliability of the system:Telia Inmics-Nebula Oy (business ID 2546028-1) and Qumio Oy (business ID 2466203-3).

Transfer of personal data to third countries outside the EU/EEA

The data will not be transferred outside the EU/EEA.

Automated decisionmaking and profiling

The personal data processing does not involve automated decision- making or profiling.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700

Rights

Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed. If processing takes place, the data subject has the right to access the personal data. 

Right to rectification 

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Right to object 

In situations where the processing of personal data is based on public interest, the exercise of official authority vested in the controller or the legitimate interest of the controller or a third party, the data subject has the right to object to the processing of personal data concerning him or her.

If a data subject uses his or her right to object, the controller must stop the processing of the personal data, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

If personal data is processed for direct marketing purposes, the data subject has the right to object to the processing without any specific grounds. 

In situations where personal data is processed for statistical or research purposes, the data subject may object to the processing on grounds relating to his or her particular situation, in response to which the controller must stop processing the data subject’s data, unless the processing is necessary for performing a task carried out for reasons of public interest. 

Right to restriction of processing 

The data subject has the right to obtain from the controller restriction of processing if:

• the accuracy of the personal data is contested by the data subject

• the processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead

• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims

• the data subject has objected to the processing of the personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

Right to data portability

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means.

Right to erasure 

In situations where the legal basis for the processing of personal data is something other than compliance with a legal obligation, public interest or the exercise of official authority vested in the controller, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her. The requested data will be erased unless the controller has a legal basis for refusing to erase the data, such as a legal obligation to retain the data.

Right to withdraw consent

Insofar as personal data is processed on the basis of the consent of the data subject, the data subject may withdraw his or her consent at any time by notifying the controller of the withdrawal. Withdrawing consent will not affect the lawfulness of processing carried out on the basis of the consent of the data subject before its withdrawal.

6.6.2025 TRAFICOM/33627/00.04.00.03/2025

Grounds for and purpose of the data processing

The basis for the personal data processing is compliance with a legal obligation to which the controller is subject (Article 6(1)(c) of the General Data Protection Regulation (EU) 2016/679, ‘GDPR’).

Under section 11 of the Cybersecurity Act (124/2025), an entity shall report a significant incident to the supervisory authority without delay. Supervisory authorities under section 26 of the Cybersecurity Act and section 18h of the Information Management Act (906/2019) are the Finnish Transport and Communications Agency, the Energy Authority, the Finnish Safety and Chemicals Agency, National Supervisory Authority for Welfare and Health, the Centre for Economic Development of Transport and the Environment for South Savo, the Finnish Food Authority and the Finnish Medicines Agency. A significant incident means an incident that has caused or is capable of causing severe operational disruption of services or significant financial losses for the entity concerned and an incident that has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. An early warning must be submitted within 24 hours and an incident notification within 72 hours of detecting a significant incident. The early warning must include information on the following aspects: (1) the detection of a significant incident, (2) whether the significant incident is suspected of being caused by crime or other unlawful or malicious acts, (3) the likelihood of a cross-border impact and information about forecasting cross-border impacts. The follow-up notification must include the following information: (1) assessment of the nature, severity and impact of the incident, (2) technical indicators of compromise, if available, (3) any updates to information included in the early warning.

According to section 12 of the Cybersecurity Act, an entity must, upon request by the supervisory authority, provide additional information or an intermediate report on status updates concerning the significant incident and progress in handling the incident.

According to section 13 of the Cybersecurity Act, an entity must provide the supervisory authority with a final report on the significant incident within one month of the incident notification or, in the case of a long-term incident, within one month of handling the significant incident. The final report must include the following: (1) a detailed description of the incident, including its severity and impact, (2) the type of threat or root cause that is likely to have triggered the incident, (3) applied and ongoing mitigation measures, and (4) the cross-borderimpact of the incident, if any. As regards public administration entities, provisions on the obligation to notify significant incidents are included in section 18d of the Information Management Act.

According to section 15, subsection 1 of the Cybersecurity Act, an entity may submit to the supervisory authority notifications about incidents, cyber threats and near misses other than those referred to in section 11 on a voluntary basis. According to section 15, subsection 2 of the Cybersecurity Act, a supervisory authority must inform the single point of contact referred to in section 18 of notifications of incidents, cyber threats and near misses submitted pursuant to this section. As regards public administration entities, provisions on voluntary notifications are included in section 18f of the Information Management Act.

According to section 17 of the Cybersecurity Act, a supervisory authority must submit the notifications and reports referred to in sections 11–13 and 15 to the CSIRT without delay. If a significant incident has an impact on another European Union Member State, the single point of contact must inform the European Union Agency for Cybersecurity (ENISA) and the affected Member States without undue delay. Upon request, the single point of contact must also submit the notifications and reports referred to in sections 11–13 to the single point of contact of the affected European Union Member State. For this purpose, the single point of contact is allowed to release information about the significant incident to ENISA and the single points of contact in other European Union Member States. As regards public administration entities, see section 18h of the Information Management Act.

According to section 18 of the Cybersecurity Act, the National Cyber Security Centre Finland (NCSC-FI) at the Finnish Transport and Communications Agency acts as the single point of contact referred to in Article 8(3) of the NIS 2 Directive. The task of the single point of contact is to promote cooperation and coordination among supervisory authorities in the performance of their tasks in accordance with the Act. The single point of contact shall submit to ENISA every three months a summary report, including anonymised and aggregated data on significant incidents, incidents, cyber threats and near misses notified in accordance with sections 11–13 and 15. For this purpose, the single point of contact has the right to obtain anonymised and aggregated data from a supervisory authority. As regards public administration entities, see section 18h of the Information Management Act.

For these purposes, the Finnish Transport and Communications Agency’s NIS 2 notification application is used to collect data on significant incident notifications (mandatory notification) and voluntary notifications made by entities. In order to implement this data collection, it is necessary to process the personal data described in this privacy statement.

Data content

The data undergoing processing

The register processes the information provided by an entity regarding the notified cybersecurity incident. This information may include personal data. Data subjects include the notifier and the persons whose information is entered into the form.

The personal data to be processed are the data of persons related to the information security violation communicated to the controller or included in the open fields of the form and in the attached files, such as:

• Contact information, such as name, email, telephone number, address, role in the organisation and other contact details provided
• Information about the incident and any related personal data
• Technical data related to the notifier, such as IP address, browser information and browser version
• Any other, including special, information about the data subject that may be provided in the description of the cybersecurity incident, or a personal identity code (e.g. in phishing cases) and information that can be derived from the personal identity code, such as age and sex.

The possible processing of special categories of personal data is based on Article 9(2)(g) and possibly Article 9(2)(e) the EU GDPR. Possible processing of the personal identity code is based on section 29, subsection 1 of the Data Protection Act.

Sources of the processed data (where the data is received from)

The data to be processed is obtained from the person submitting the notification. The data are provided via a form filled in on the NCSC-FI website. Data can also be obtained from the exchange of messages between the controller and the person filling in the notification form or other contact person in connection with the incident.

Storage period of personal data 

Personal data will be stored as long as it is necessary to process the data for the purposes described in this privacy statement, however not for longer than six years from the end of the calendar year during which the data was obtained.

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

Information on incidents, including personal data, is transmitted via the application to the authority supervising the entity in question, to the CSIRT and the single point of contact. 

The data is not disclosed for direct marketing purposes.

Processing of personal data on behalf of the controller

There are no separate processors, i.e. the personal data is not processed on behalf of the controller.

Transfer of personal data to third countries outside the EU/EEA

The data will not be transferred outside the EU/EEA.

Automated decisionmaking and profiling

Automatic decision-making or profiling is not used.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700

Rights

Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed. If processing takes place, the data subject has the right to access the personal data. 

Right to rectification 

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Right to object 

Because processing is based on compliance with a legal obligation, data subjects do not have the right to object to the processing.

Right to restriction of processing 

The data subject has the right to obtain from the controller restriction of processing if:

• the accuracy of the personal data is contested by the data subject

• the processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead

• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims

• the data subject has objected to the processing of the personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

Right to data portability

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means.

Right to erasure 

In situations where the legal basis for the processing of personal data is something other than compliance with a legal obligation, public interest or the exercise of official authority vested in the controller, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her. The requested data will be erased unless the controller has a legal basis for refusing to erase the data, such as a legal obligation to retain the data.

7.4.2025 TRAFICOM/671811/00.04.00.03/2024

Grounds for and purpose of the data processing

Personal data is processed based on Article 6(1)(c) of the EU General Data Protection Regulation (compliance with a legal obligation to which the controller is subject). Traficom’s legal task is based on the supervisory authority’s obligation to maintain a list of entities in the sector they supervise referred to in Article 27(2) of the NIS 2 Directive (EU 2022/2555), in section 41 of the Cybersecurity Act and in section 18 a of the Information Management Act.

In accordance with the requirements in the NIS 2 Directive, the Cybersecurity Act (124/2025) and the Information Management Act (906/2019), contact details of entities subject to the legislation will be collected in the list of NIS2 entities from the following sectors supervised by Traficom:

• Transport
• Manufacturing (transport and vehicles) 
• Space
• Postal and courier services
• Public administration 
• Research organisations
• Digital infrastructure entities 
• Digital service providers
• Managed ICT service providers and managed security services

The purpose of the data collection is to improve national and international situational awareness and cooperation and to achieve better reaction capabilities for the supervisory authority and the national CSIRT.

Data content

The data undergoing processing

The dataset includes the entities’ contact details in accordance with the requirements of the Directive and the Act, such as address details, telephone numbers, email addresses, public IP ranges, sector details (such as information about the sector and about the countries where the entity is carrying out activities as well as information on whether or not the entity is an essential entity), and information on participation in a voluntary cybersecurity information-sharing arrangement. In some cases, the email address and/or telephone number may be the entity representative’s personal address or number.

Sources of the processed data (where the data is received from)

Data is primarily collected from the entities themselves with an electronic online form in accordance with section 41 of the Cybersecurity Act and section 18 a of the Information Management Act. Data can also be obtained from the exchange of messages between the controller and the person filling in the notification form or other contact person.

Storage period of personal data 

Traficom stores personal data as long as it is necessary to carry out the legal obligation. The data is deleted within five years from the end of the calendar year during which the entity has been deleted from the list of entities.

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

In accordance with Article 3 and Article 27 of the NIS 2 Directive and section 41 of the Cybersecurity Act, as the supervisory authority, Traficom is obligated to share relevant information from the registry of entities with the Finnish Transport and Communications Agency single point of contact who is primarily responsible for submitting the relevant information to the European Commission, the NIS Cooperation Group and the European Union Agency for Cybersecurity ENISA. The CSIRT unit has the right to obtain information about the list of entities from the supervisory authority. In addition, when it comes to public authority cooperation indicated in section 45 of the Cybersecurity Act, it is possible to share information among other supervisory authorities indicated in the Cybersecurity Act.

Processing of personal data on behalf of the controller

Personal data is not processed on behalf of the controller by other parties.

Transfer of personal data to third countries outside the EU/EEA

The data will not be transferred outside the EU/EEA.

Automated decisionmaking and profiling

Data is not processed automatically and no profiling is done.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700

Rights

Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed. If processing takes place, the data subject has the right to access the personal data. 

Right to rectification 

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Right to object 

This right does not apply to the processing operations in question because the personal data is processed based on a legal obligation.

In situations where the processing of personal data is based on public interest, the exercise of official authority vested in the controller or the legitimate interest of the controller or a third party, the data subject has the right to object to the processing of personal data concerning him or her.

If a data subject uses his or her right to object, the controller must stop the processing of the personal data, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

If personal data is processed for direct marketing purposes, the data subject has the right to object to the processing without any specific grounds. 

In situations where personal data is processed for statistical or research purposes, the data subject may object to the processing on grounds relating to his or her particular situation, in response to which the controller must stop processing the data subject’s data, unless the processing is necessary for performing a task carried out for reasons of public interest. 

Right to restriction of processing 

The data subject has the right to obtain from the controller restriction of processing if:

• the accuracy of the personal data is contested by the data subject

• the processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead

• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims

• the data subject has objected to the processing of the personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

Right to data portability

This right does not usually apply to the processing operations in question because the personal data is processed for compliance with a legal obligation.

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means.

Right to erasure 

This right does not usually apply to the processing operations in question because the personal data is processed for compliance with a legal obligation.

In situations where the legal basis for the processing of personal data is something other than compliance with a legal obligation, public interest or the exercise of official authority vested in the controller, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her. The requested data will be erased unless the controller has a legal basis for refusing to erase the data, such as a legal obligation to retain the data.

Right to withdraw consent

This right does not usually apply to the processing operations in question because the personal data is processed for compliance with a legal obligation.

Insofar as personal data is processed on the basis of the consent of the data subject, the data subject may withdraw his or her consent at any time by notifying the controller of the withdrawal. Withdrawing consent will not affect the lawfulness of processing carried out on the basis of the consent of the data subject before its withdrawal.

8.4.2025 TRAFICOM/195893/00.04.00.03/2025

Grounds for and purpose of the data processing

The Finnish Transport and Communications Agency (Traficom) processes personal data in connection with matters concerning passengers’ rights in the EU to comply with its legal obligations.

Passengers’  rights in the EU are laid down in the following EU Regulations:

• EU Regulation on air passenger rights (Regulation (EC) No 261/2004 of the European Parliament and of the Council of 11 February 2004 establishing common rules on compensation and assistance to passengers in the event of denied boarding and of cancellation or long delay of flights, and repealing Regulation (EEC) No 295/91)
• EU Regulation on the rights of disabled persons and persons with reduced mobility when travelling by air (Regulation (EC) No 1107/2006 of the European Parliament and of the Council of 5 July 2006 concerning the rights of disabled persons and persons with reduced mobility when travelling by air)
• EU Regulation on rail passenger rights and obligations (Regulation (EC) No 1371/2007 of the European Parliament and of the Council of 23 October 2007 on rail passengers’ rights and obligations. As of 7 June 2023, the following regulation will be applied: Regulation (EU) 2021/782 of the European Parliament and of the Council of 29 April 2021 on rail passengers’ rights and obligations. However, Article 6(4) of the Regulation will be applied as of 7 June 2025.)
• EU Regulation on the rights of passengers when travelling by sea and inland waterway (Regulation (EU) No 1177/2010 of the European Parliament and of the Council of 24 November 2010 concerning the rights of passengers when travelling by sea and inland waterway and amending Regulation (EC) No 2006/2004)
• EU Regulation on the rights of passengers in bus and coach transport (Regulation (EU) No 181/2011 of the European Parliament and of the Council of 16 February 2011 concerning the rights of passengers in bus and coach transport and amending Regulation (EC) No 2006/2004)

The legal basis for the processing of personal data in connection with matters concerning passengers’ rights is Article 6(1)(c) of the EU General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ). This means that processing personal data is necessary to comply with the legal obligation of the controller. The legal basis of processing special categories of personal data is section 6, subsection 1, paragraph 2 of the Data Protection Act (1050/2018).

Traficom’s authority and tasks in matters concerning EU passenger rights are laid down in section 186 of the Act on Transport Services (320/2017).

Traficom has the statutory task of generally supervising compliance with regulations concerning EU passenger rights in respect of the rights of business travellers, disabled passengers and passengers with reduced mobility. Traficom has the statutory competence to give a recommended decision on complaints that concern the rights of passengers who are not consumers and the rights of disabled passengers and passengers with reduced mobility and have been filed under the EU regulations concerning the rights of passengers.

As part of its tasks, Traficom also provides general advice on matters concerning EU passenger rights.

Data content

The data undergoing processing

Traficom processes the personal data of people in the following groups of natural persons in connection with processing matters concerning EU passenger rights

Passengers

• Business travellers
• Disabled persons and persons with reduced mobility
• Consumers (the processing is primarily connected to transferring documents to the competent authority)

Other natural persons

• Agents or assistants or their representatives Guardians
• Representatives of legal persons
• Personal data primarily processed in connection with matters concerning passenger rights

The following personal data is processed for natural persons who have contacted the authority:

• name
• contact information
• information related to health or disability
• other special personal data
• other personal data mentioned or discovered in connection with the matter (other personal data, such as service language, signature, bank details or personal data on the passenger provided by the transport operator)
• other personal data may also contain personal identity codes and e.g. other personal data contained in the travel documents or other identification
• the person’s message or complaint and other personal data provided by the data subject in connection with the matter

The following personal data is processed for the representatives of legal persons:

• the name of the person who provided the response on behalf of the legal person
• name of the company, auxiliary business name as well as business ID and domicile
• workplace address, postal code and country
• work telephone number
• work email
• service language
• information on the managing director, general partners and ownership
• information on the persons responsible for the rest of the corporation as well as identification and contact information of the responsible persons
• other personal data included in the response provided by the legal person (e.g. the signature of the person who provided the response)

Sources of the processed data (where the data is received from)

Traficom receives information for monitoring passenger rights and processing individual complaints from general contacts, enquiries and complaints by individuals. The information is usually provided to Traficom via email. Traficom may also receive information from other authorities in Finland, EU member states, countries in the EEA and Switzerland or the European Commission. Legal persons (e.g. transport operators) also provide Traficom with information. Traficom may also obtain information from the news and social media and other public data sources.

Storage period of personal data 

Personal data is stored for as long as necessary in order to complete statutory tasks connected to passenger rights.

Documents are stored in compliance with legislation on archives and instructions issued by the National Archives of Finland and the Agency’s filing plan verified based on them.

General messages and enquiries by business travellers and consumers and the related Traficom responses will be deleted when five years have passed since the receipt of the original message. However, if messages concerning a certain topic are connected to a complaint or supervisory matter that comes pending later, the data is stored permanently.

Personal data related to the passenger rights of disabled persons or persons with reduced mobility are usually stored permanently.

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

The following parties may receive personal data:

• Finnish authorities (Finnish Competition and Consumer Authority: the Consumer Ombudsman, consumer advisory services and the European Consumer Centre as well as the Consumer Disputes Board as well as the Non-Discrimination Ombudsman and any other Finnish authorities)
• National enforcement bodies responsible for EU passenger rights in EU member states, EEA countries and Switzerland
• Transport operators (railway companies, shipping companies, air carriers or coach services)
• Railway station operators, airport operators, bus terminal and port terminal operators
• Travel agents and ticket vendors in certain special circumstances

Transfer of personal data to third countries outside the EU/EEA

Traficom has the right to disclose information to foreign authorities in situations related to EU passenger rights or for official duties, if the disclosure has basis in law, European Union legislation or obligations based on international treaties binding Finland. If personal data is transferred outside the EU/EEA, the prerequisites specified in Chapter V of the EU General Data Protection Regulation must be met. The authority receiving the data may disclose the data further when the same prerequisites are met.

Personal data may have to be transferred to third countries outside the EU/EEA during the processing of the matter.

Passengers are primarily advised to initiate their own matters by contacting a certain body responsible for enforcing EU passenger rights regulations in Switzerland. Based on a legal obligation, Traficom will, however, transfer documents to the Swiss National Enforcement Body (NEB) if requested by the person filing the complaint.

When processing individual matters, personal data may have to be transferred outside the EU/EEA to a third country (e.g. requests for information to carriers other than Community carriers) for which the European Commission has not adopted an adequacy decision. In this event, the transfer of personal data may have to be carried out based on grounds for derogation within the General Data Protection Regulation, meaning that the personal data protection does not correspond to the level of protection awarded to personal data within EU member states or the EEA. The need for personal data transfers is assessed separately in each case.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700

Rights

Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed. If processing takes place, the data subject has the right to access the personal data. 

Right to rectification 

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Right to object 

In situations where the processing of personal data is based on public interest, the exercise of official authority vested in the controller or the legitimate interest of the controller or a third party, the data subject has the right to object to the processing of personal data concerning him or her.

If a data subject uses his or her right to object, the controller must stop the processing of the personal data, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

If personal data is processed for direct marketing purposes, the data subject has the right to object to the processing without any specific grounds. 

In situations where personal data is processed for statistical or research purposes, the data subject may object to the processing on grounds relating to his or her particular situation, in response to which the controller must stop processing the data subject’s data, unless the processing is necessary for performing a task carried out for reasons of public interest. 

Right to restriction of processing 

The data subject has the right to obtain from the controller restriction of processing if:

• the accuracy of the personal data is contested by the data subject

• the processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead

• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims

• the data subject has objected to the processing of the personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

Right to erasure 

In situations where the legal basis for the processing of personal data is something other than compliance with a legal obligation, public interest or the exercise of official authority vested in the controller, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her. The requested data will be erased unless the controller has a legal basis for refusing to erase the data, such as a legal obligation to retain the data.

TRAFICOM/275984/00.04.00.03/2022 15.11.2022

Grounds for and purpose of the data processing

Personal data is used to carry out the administrative tasks of the Finnish Transport and Communications Agency imposed by the Act on Electronic Communications Services (917/2014, later TYK), the Act on Strong Electronic Identification and Electronic Trust Services (617/2009) and the Finnish Transport and Communications Agency’s Regulation regarding disturbances in telecommunications services (66 A/2019 M).

The use of this register applies to the following activities:

• Collection of market data (Section 315 of the TYK and Act on Strong Electronic Identification and Electronic Trust Services, Section 42a(2) and 43).
• Data collection on disturbances in telecommunications services and information security failures (Regulation 66 A/2019 M).

Data content

The data undergoing processing

The register contains the following information for telecommunications operators, companies, cooperatives and identification service providers:

• Company name
• Company business ID
• Address of company
• Unique identifier of the contact person
• Name of contact person
• Telephone number of the contact person
• Email address of the contact person
• Role assigned to the contact person in the register (Suomi.fi Authorization)
• Other e-mail, such as registry office’s e-mail

Sources of the processed data (where the data is received from)

The register's information source is the information provided by the customers and the Suomi.fi identification and authorization of the Digital and Population Data Services Agency.

Storage period of personal data 

The data storage periods are based on the principles of the valid archiving and data control plan. The information is stored as long as it is required to carry out the statutory administrative tasks of the Finnish Transport and Communications Agency.

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

Personal data will not be disclosed to third parties.

Processing of personal data on behalf of the controller

The personal data is not processed on behalf of the controller.

Transfer of personal data to third countries outside the EU/EEA

No data is transferred outside the EU or EEA.

Automated decisionmaking and profiling

Automatic decision-making or profiling is not used.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700

Rights

Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed. If processing takes place, the data subject has the right to access the personal data. 

Right to rectification 

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. The data subject can also update his/her email address and phone number themselves as a logged-in user of the service.

Right to object 

In situations where the processing of personal data is based on public interest, the exercise of official authority vested in the controller or the legitimate interest of the controller or a third party, the data subject has the right to object to the processing of personal data concerning him or her.

If a data subject uses his or her right to object, the controller must stop the processing of the personal data, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

If personal data is processed for direct marketing purposes, the data subject has the right to object to the processing without any specific grounds. 

In situations where personal data is processed for statistical or research purposes, the data subject may object to the processing on grounds relating to his or her particular situation, in response to which the controller must stop processing the data subject’s data, unless the processing is necessary for performing a task carried out for reasons of public interest. 

Right to restriction of processing 

The data subject has the right to obtain from the controller restriction of processing if:

• the accuracy of the personal data is contested by the data subject

• the processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead

• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims

• the data subject has objected to the processing of the personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

Right to data portability

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means.

At Traficom, personal data is most often processed for the purpose of carrying out the statutory tasks of an authority, in which case the data subject does not have the right to data portability, unless separately provided by law.

Right to erasure 

In situations where the legal basis for the processing of personal data is something other than compliance with a legal obligation, public interest or the exercise of official authority vested in the controller, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her. The requested data will be erased unless the controller has a legal basis for refusing to erase the data, such as a legal obligation to retain the data.

Personal data is processed at Traficom for the purpose of carrying out the statutory tasks of an authority, in which case the data subject does not have the right to removal of their data.

Right to withdraw consent

Insofar as personal data is processed on the basis of the consent of the data subject, the data subject may withdraw his or her consent at any time by notifying the controller of the withdrawal. Withdrawing consent will not affect the lawfulness of processing carried out on the basis of the consent of the data subject before its withdrawal.

12.4.2023 TRAFICOM/108561/00.04.00.03/2023

Grounds for and purpose of the data processing

A company engaged in general telecommunications, pay-television service operations, broad- casting operations, on-demand programme service operations and the provision of a videosharing platform service must submit a notification to Traficom before starting operations. The obligation to notify is prescribed in Section 4 of the Act on Electronic Communications Services (917/2014).

According to Section 5 of the Act, the Finnish Transport and Communications Agency maintains a public list of notifications referred to in Section 4.

According to Section 4 of the Postal Act (415/2011), a company engaged in postal operations must notify Traficom before starting operations.

According to Section 5 of the Act, the Finnish Transport and Communications Agency maintains a public list of notifications referred to in Section 4.

Data content

The data undergoing processing

The data material to be processed contains information about telecommunications, broadcasting operations, pay television services, on- demand program services, video sharing platform services and companies that have submitted a postal operation notification.

Operators that have submitted a telecommunications notification

Collected personal data

• name of the appointed and secondary contact person in the enterprise or organisation carrying out the operations
• telephone number of the appointed and secondary contact person in the enterprise or organisation carrying out the operations
• email address of the appointed and secondary contact person in the enterprise or organisation carrying out the operations

Other information to be attached to personal data:

• name of the operator
• business identity code or registration number of the enterprise or organisation carrying out the operations
• postal address of the operator
• telephone number of the operator
• email address of the operator
• home page address
• address of the possible main establishment of the operator
• description of the provided or planned service
• geographical operating area of the operator
• information on whether activities are carried out in the whole- sale and/or retail market
• estimate of the date on which the operations will commence
• end date of operations

Companies that submitted a broadcasting, pay television service, on-demand program service and video sharing platform service notification

Collected personal data

• name of the contact person in the enterprise or organisation carrying out the operations
• telephone number of the contact person in the enterprise or organisation carrying out the operations
• email address of the contact person in the enterprise or organisation carrying out the operations

Other information to be attached to personal data

• name of the operator
• business identity code or registration number of the enterprise or organisation carrying out the operations
• postal address of the operator
• telephone number of the operator
• email address of the operator
• description of the corporate structure of the enterprise carrying out the operations
• description of the provided or planned programmes and videos
• geographical operating area of the operator
• estimate of the date on which the operations will commence
• information on the basis of which Finnish jurisdiction can be defined
• 15) a broadcasting notification, notification of video-on-demand services and pay-television service notification must also include an account of premises where the recordings required by the Act on the Exercise of Freedom of Expression in Mass Media (460/2003) are available for viewing or listening.

Companies that submitted a postal activity notification:

Collected personal data

• Name of contact person
• Email address of the contact person
• Phone number of the contact person
• Name of contact person related to electronic notification
• Mobile phone number related to electronic notification
• Email address related to electronic notification 

Other information to be attached to personal data:

• Company name
• Business ID of the enterprise or association
• Postal address of the company
• Telephone number of the company
• E-mail of the company
• Description of the postal operations to be carried out
• Target group of the service
• Geographical operating area of the enterprise
• Estimate of the date on which the operations will commence
• Consent to electronic notification

Sources of the processed data (where the data is received from)

The information is obtained from a company entered in the notice of activity register or from a registered person. Electronic forms on Traficom's website are used to collect data.

The information is also checked from the YTJ (Business and Entity Information System) information service of the Finnish Patent and Registration Office.

Storage period of personal data 

Personal data will be stored as long as the notifying company is engaged in activities subject to notification.

Personal data is stored for five years after the company has notified Traficom of the termination of operations or when Traficom has removed the company from the register on other grounds.

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

Traficom publishes information on its website about the name of the company that made the telecommunications and on-demand program service notification.

Traficom publishes on its website information about the name of the company that submitted the postal activity notification and the geo- graphic operations area that the company has reported.

Pursuant to Section 5 of the Act on Electronic Communications Services, Traficom hands over telecommunications notifications to the Body of European Regulators for Electronic Communications. Other- wise, there will be no regular disclosure from the register.

Traficom discloses public information about the companies that submitted a broadcasting, pay television service, on-demand program service and video sharing platform service notification to the MAVISE database maintained by the European Audiovisual Observatory. Personal information will not be disclosed.

In other respects, the Act on the Openness of Government Activities, Data Protection Regulation and the Data Protection Act apply to the disclosure of personal data.

Processing of personal data on behalf of the controller

The personal data is not processed on behalf of the controller.

Transfer of personal data to third countries outside the EU/EEA

The data will not be transferred outside the EU/EEA.

Automated decisionmaking and profiling

Data is not processed automatically and no profiling is done.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700

Rights

Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed. If processing takes place, the data subject has the right to access the personal data. 

Right to rectification 

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Right to restriction of processing 

The data subject has the right to obtain from the controller restriction of processing if:

• the accuracy of the personal data is contested by the data subject

• the processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead

• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims

• the data subject has objected to the processing of the personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

1.2.2024 TRAFICOM/40159/00.04.00.03/2024

Grounds for and purpose of the data processing

Based on section 216 of the Act on Transport Services (320/2017), the Finnish Transport and Communications Agency Traficom maintains a Transport Register in electronic form, containing data on vehicles, for example. As part of maintaining the Transport Register, holders of inspection permit as defined in the Act on the inspection of vehicles (957/2013) who carry out periodic inspections of vehicles shall in connection with roadworthiness tests collect data as defined in section 152 a of the Vehicles Act (82/2021).

In accordance with section 152 a of the Vehicles Act, real-world representative data as defined in Regulation (EU) 2019/631 of the European Parliament and of the Council setting CO2 emission performance standards for new passenger cars and for new light commercial vehicles, Commission Implementing Regulations (EU) No 1014/2010, (EU) No 293/2012, (EU) 2017/1152 and (EU) 2021/392 repealing Commission Implementing Regulation (EU) 2017/1153 is collected in connection with periodic roadworthiness tests. The real-world repesentative data together with the vehicle identification number (VIN) is collected for new passenger cars and new light commercial vehicles registered from 1 January 2021 which are equipped with on-board fuel and/or energy consumption monitoring devices in accordance with Article 4 a of Regulation (EU) 2017/1151.

The Finnish Transport and Communications Agency Traficom reports the data to the European Environment Agency. The Finnish Transport and Communications Agency Traficom does not use the VINs and real-world representative data for purposes other than those defined in Article 12 of Regulation (EU) 2019/631. Otherwise, the Finnish Transport and Communications Agency Traficom may use the data to carry out its statutory duties.

Data content

The data undergoing processing

The VIN, system unique identifier, make, year of entry into service and consumption data are collected in connection with roadworthiness testing as real-world representative data in accordance with the Commission Implementing Regulation (EU) 2021/392.

Data is collected in connection with roadworthiness tests for a maximum period of 15 years from the date on which the data on the vehicle in question was first reported to the European Environment Agency.

Sources of the processed data (where the data is received from)

Data is collected in connection with roadworthiness testing at an inspection station, and it is submitted to the Finnish Transport and Communications Agency Traficom using an electronic interface or via message connection.

Storage period of personal data 

In accordance with Commission Implementing Regulation (EU) 2021/392, the European Environment Agency stores the VINs for a period of 20 years from the date when they were first entered to the central database of the European Environment Agency.

The VINs and real-world data may only be retained by the bodies and establishments responsible for roadworthiness tests until the in- formation has been submitted to the European Environment Agency.

The Finnish Transport and Communications Agency Traficom will retain the information until it is reported to the European Environment Agency annually by 1 April. After this, the Finnish Transport and Communications Agency Traficom is required to delete all submitted data from its database.

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

The Finnish Transport and Communications Agency Traficom submits the data to the European Environment Agency annually by 1 April regarding the previous calendar year. In addition, data is submitted individually to a party who has filed an explicit request for it. The data is never submitted as a dataset.

Processing of personal data on behalf of the controller

No other parties process data on behalf of the Finnish Transport and Communications Agency Traficom.

Transfer of personal data to third countries outside the EU/EEA

The data is not transferred outside the EU/EEA.

Automated decisionmaking and profiling

The data will not be processed automatically and no profiling will be conducted.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700

Rights

Right of access

The data content is classified as the technical information of a vehicle. It is not covered by right of access.

Right to rectification 

The data collected cannot be erased or rectified because no such personal information is collected that would enable unambiguous identification of the data subject.

The data subject’s right of access can be realised only if the data subject can be unambiguously identified from the provided responses.

Right to object 

The data subject may object to the collection of the information at the inspection site in connection with the roadworthiness test. The information is processed in order to comply with a legal obligation, and the data subject does not have the right to object to the processing of the information.

Right to data portability

The legal basis for the processing of personal data is compliance with a legal obligation, in which case the data subject does not have the right to transfer the information from one system to another.

Right to erasure 

For the Transport Register, the legal basis for the processing of personal data is compliance with a legal obligation, and this right is not applied at the Finnish Transport and Communications Agency Traficom.

Right to withdraw consent

The right is not applicable to these processing procedures, because the personal information is not processed based on the basis of the consent of the data subject (Article 6(1)(a) of the data protection regulation).

11.8.2023 TRAFICOM/348813/00.04.00.03/2023

Grounds for and purpose of the data processing

Personal data is processed to perform the statutory duties of a public authority. The personal data contained in this register is processed to perform the duties specified in section 2, subsection 1, paragraph 2 of the Act on the Finnish Transport and Communications Agency (935/2018). Customers can contact the Agency's service provider via customer contact forms for matters concerning driving licences and road transport personal licences to enquire about driving examinations, driving licences, personal licences for road transport and professional qualifications. To ensure the quality of customer service and protect customers’ personal data, it is necessary to verify the customer’s identity.

Data content

The data undergoing processing

Customer’s name and personal identity code, name and personal identity code of a person using the service on behalf of another person or organisation, email address, telephone number, name of the holder of a parking card for people with reduced mobility and a description of the matter. Recordings of calls also involve the processing of a person’s voice.

Sources of the processed data (where the data is received from)

The data is received from the customer by means of strong identification (name and personal identity code) and from the data given by the customer. In call recordings, the data is received from the person in question.

Storage period of personal data 

Personal data collected from contact forms is stored temporarily in the data log of the VISA platform for 1 month and in ServiceNow tickets for 5 years. Call recordings are stored for 2 years.

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

As a rule, collected data is not disclosed. However, personal data may be disclosed to certain authorities (e.g. Finnish Tax Administration) based on the law.

Processing of personal data on behalf of the controller

The data is processed by the personnel of the Finnish Transport and Communications Agency’s service provider Ajovarma Oy (1033613-0).

On behalf of the system provider, the data is processed by the following:

• Elisa Corporation (business ID: 0116510-6)
• Government ICT Centre Valtori (business ID: 2574261-7) Tietoevry Corporation (business ID: 0101138-5)
• Pinja Group Ltd (business ID: 2277884-1)
• Codecontrol Oy (business ID: 2645169-4) 
• Digia Finland Ltd (business ID: 1091248-4)
• ProToppex Oy (business ID: 1003566-1)
• ManpowerGroup Ltd (business ID: 1091032-3)

Transfer of personal data to third countries outside the EU/EEA

Data is not transferred outside the EU/EEA.

Automated decisionmaking and profiling

Data processing does not involve automated decision-making or profiling.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700

Rights

Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed. If processing takes place, the data subject has the right to access the personal data. 

Right to rectification 

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Right to restriction of processing 

The data subject has the right to obtain from the controller restriction of processing if:

• the accuracy of the personal data is contested by the data subject

• the processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead

• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims

• the data subject has objected to the processing of the personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

1.3.2023 TRAFICOM/ 81499/00.04.00.03/2023

Grounds for and purpose of the data processing

The processing of personal information is based on the GDPR (EU) 2016/679 Article 6(1)(e) and the Data Protection Act Section 4(1)(2) specifying it, according to which the processing of personal information is in accordance with the law when it is necessary and proportionate for the performance of a task carried out in the public interest by the public authority. Personal data is processed to perform the statutory duties of a public authority.

Recording camera surveillance in theory test rooms is used to investigate and prevent cases of cheating. Recording camera surveillance is carried out to prevent, investigate and prove crimes, offences and other misconduct. Camera surveillance is also carried out to ensure the safety of employees and other persons and to prevent and investigate situations that endanger safety. The recordings may be used, if necessary, to assert, establish or defend legal claims or to ensure other legal protection.

Data content

The data undergoing processing

The camera surveillance register stores information about people who are taking a theory test for a driving examination. The data content consists of events recorded by the camera, which, in addition to the recorded image, include information about the time of the recording (time and date). The camera system does not record sound.

Sources of the processed data (where the data is received from)

Ajovarma carries out the camera surveillance as Traficom’s service provider. If necessary, camera recordings will be provided to Traficom in case of suspected cheating. Camera surveillance is only performed in separate theory test rooms while the candidate is participating in a theory test. Customers are informed of recording camera surveillance with signs at Ajovarma service points.

Storage period of personal data 

The records of the camera surveillance shall be retained for a period of 30 days. The length of the storage period is intended to ensure that any deviations recorded by the camera surveillance system can be detected and investigated. The camera surveillance system deletes the recordings automatically when the storage period ends. 

The recordings are used in Traficom to investigate cheating cases. The recordings can also be delivered to a criminal investigation authority, in which case they are kept for the period of the detection process, preliminary investigation and the possible court hearing. The length of the legal process also includes appeal periods.

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

In cases of suspected crime, data may be disclosed to the preliminary investigation authority if necessary in accordance with Finnish legislation.

Processing of personal data on behalf of the controller

Ajovarma Oy, Business identification code 1033613-0

Transfer of personal data to third countries outside the EU/EEA

Personal data is not transferred outside the EU/EEA.

Automated decisionmaking and profiling

The processing of personal data does not involve automated decision-making or profiling.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700

Rights

Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed. If processing takes place, the data subject has the right to access the personal data. Camera recordings are not handed over directly to individuals themselves (camera recordings are confidential because they include information about the test questions, Act on the Openness of Government Activities (621/1999) Section 24(1)(22)

Right to rectification 

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Right to object 

In situations where the processing of personal data is based on public interest, the exercise of official authority vested in the controller or the legitimate interest of the controller or a third party, the data subject has the right to object to the processing of personal data concerning him or her.

If a data subject uses his or her right to object, the controller must stop the processing of the personal data, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

If personal data is processed for direct marketing purposes, the data subject has the right to object to the processing without any specific grounds. 

In situations where personal data is processed for statistical or research purposes, the data subject may object to the processing on grounds relating to his or her particular situation, in response to which the controller must stop processing the data subject’s data, unless the processing is necessary for performing a task carried out for reasons of public interest. 

Right to restriction of processing 

The data subject has the right to obtain from the controller restriction of processing if:

• the accuracy of the personal data is contested by the data subject

• the processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead

• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims

• the data subject has objected to the processing of the personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

Right to data portability

This right does not apply to the processing operations in question because personal data is not processed on the basis of consent or agreement.

Right to erasure 

In situations where the legal basis for the processing of personal data is something other than compliance with a legal obligation, public interest or the exercise of official authority vested in the controller, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her. The requested data will be erased unless the controller has a legal basis for refusing to erase the data, such as a legal obligation to retain the data.

28.2.2024 TRAFICOM/10887/00.04.00.03/2024

Grounds for and purpose of the data processing

The 5G Momentum ecosystem established in 2018 is a cooperation network aimed at 5G operators and service providers. The purpose of the network is to promote the development and deployment of 5G services, promote new services and innovations based on 5G technology through trials, identify challenges related to the 5G operating environment and make Finnish 5G expertise visible.

The 5G Momentum ecosystem is an open forum for information exchange, and personal data is processed in the context of the network for the purpose of sharing information about 5G and news about other new technologies related to it. Personal data is processed in connection with the sending of the 5G Momentum newsletter, invitations to group events, surveys on topical matters or information on topical matters related to 5G to members of the network.

The basis for the personal data processing is the controller’s performance of a task carried out in the public interest. It is the duty of authorities to produce and share information. As such, the grounds for the processing are public interest based on the controller’s obligation to provide information about current events in the transport and communications sectors, which are part of its field of competence. Furthermore, the Act on Electronic Communications Services lays down provisions on Traficom’s duties and special tasks.

The basis for the personal data processing is the controller’s performance of a task carried out in the public interest (Article 6(1)(e) of the General Data Protection Regulation (2016/679) and section 4 of the Data Protection Act (1050/2018)).

Data content

The data undergoing processing

We process the names and contact details (such as organisation, email address or phone number) of persons who are part of stakeholders and, if necessary, data describing the person’s position or duties (such as title or role).

Sources of the processed data (where the data is received from)

Data is received primarily from persons themselves when they join the distribution list or from the representatives of stakeholders (as a result of a company’s contact person naming participants, for example). The only mandatory information that must be provided when joining the distribution list is an email address and organisation.

Storage period of personal data 

Personal data related to stakeholder events is stored for the purpose of processing only for as long as processing is necessary. Traficom deletes outdated data. Personal data is stored for as long as the group exists.

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

As a rule, personal data is not disclosed to third parties. As a public authority, Traficom’s activities are subject to the Act on the Openness of Government Activities (621/1999).

Processing of personal data on behalf of the controller

The personal data is processed only by Traficom.

Transfer of personal data to third countries outside the EU/EEA

The data will not be transferred outside the EU/EEA.

Automated decisionmaking and profiling

Traficom does not use automated decision-making or profiling in this context.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700

Rights

Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed. If processing takes place, the data subject has the right to access the personal data. 

Right to rectification 

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Right to object 

In situations where the processing of personal data is based on public interest, the exercise of official authority vested in the controller or the legitimate interest of the controller or a third party, the data subject has the right to object to the processing of personal data concerning him or her.

If a data subject uses his or her right to object, the controller must stop the processing of the personal data, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

If personal data is processed for direct marketing purposes, the data subject has the right to object to the processing without any specific grounds. 

In situations where personal data is processed for statistical or research purposes, the data subject may object to the processing on grounds relating to his or her particular situation, in response to which the controller must stop processing the data subject’s data, unless the processing is necessary for performing a task carried out for reasons of public interest. 

Right to restriction of processing 

The data subject has the right to obtain from the controller restriction of processing if:

• the accuracy of the personal data is contested by the data subject

• the processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead

• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims

• the data subject has objected to the processing of the personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

Right to data portability

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means.

At Traficom, personal data is most often processed for the purpose of carrying out the statutory tasks of an authority, in which case the data subject does not have the right to data portability, unless separately provided by law.

Right to erasure 

In situations where the legal basis for the processing of personal data is something other than compliance with a legal obligation, public interest or the exercise of official authority vested in the controller, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her. The requested data will be erased unless the controller has a legal basis for refusing to erase the data, such as a legal obligation to retain the data.

Right to withdraw consent

Insofar as personal data is processed on the basis of the consent of the data subject, the data subject may withdraw his or her consent at any time by notifying the controller of the withdrawal. Withdrawing consent will not affect the lawfulness of processing carried out on the basis of the consent of the data subject before its withdrawal.

25.1.2023

Grounds for and purpose of the data processing

The aid granted by Traficom in accordance with the Act on Broadband Construction Aid (1262/2020) is a government grant financed by the EU Recovery and Resilience Facility (RRF). Traficom must report the information in accordance with Section 12 of the Act on the Management, Supervision and Inspection of the European Recovery and Resilience Support Instrument (537/2022) to the RRP system maintained by the State Treasury for centralized national monitoring and control of the implementation of the recovery and resilience plan. The information that must be reported is stipulated in Article 22(2)(d)(i-iv) of Regulation (EU) 2021/241 of the European Parliament and of the Council establishing the Recovery and Resilience Support Instrument.

Traficom processes the beneficiary's personal data in order to fulfil its obligations to protect the financial interests of the European Union. The processing of personal data is in accordance with the EU General Data Protection Regulation (EU 2016/679), Article 6(1)(c, e), i.e. the processing is necessary to comply with the controller's statutory obligations and to fulfil the controller's public authority.

Data content

The data undergoing processing

Traficom must process and report the actual owners and beneficiaries of the beneficiary who received the broadband aid. This means one or more natural persons owned or controlled by a legal entity (company, association, foundation). The name and date of birth of the person/persons must be stated as the owner and beneficiary information of the applicant.

Additionally, as other personal data, Traficom collects the beneficiary’s telephone number and email address for the necessary contact in the aid process.

Sources of the processed data (where the data is received from)

The information is obtained from the beneficiary.

Additionally, Traficom can verify the information from the trade register maintained by the Finnish Patent and Registration Office.

Storage period of personal data 

Data will be stored until the end of 2032 in accordance with Section 18 of the Act on the Management, Supervision and Inspection of the European Union's Recovery and Resilience Support Instrument (537/2022).

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

Data can only be disclosed in accordance with the obligations and re- strictions set out in legislation or with the consent of the registered person. As a public authority, Traficom’s activities are subject to the Act on the Openness of Government Activities (621/1999).

The State Treasury hands over the personal data reported to the RRP system by Traficom to the European Commission and the Ministry of Finance and supervisory authorities upon request pursuant to Sections 13 and 14 of the Act on the Management, Supervision and Inspection of the European Union's Recovery and Resilience Support Instrument. The processing of data with regard to the RRP system is described in the privacy notice of the State Treasury's RRP system: Privacy Statement: Implementation of the EU Recovery and Resilience Support Instrument Plan (RRP) (in Finnish).

Processing of personal data on behalf of the controller

The personal data is processed only by Traficom.

Transfer of personal data to third countries outside the EU/EEA

Data is not transferred outside the EU or the EEA

Automated decisionmaking and profiling

Data is not processed automatically and no profiling is done.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700

Rights

Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed. If processing takes place, the data subject has the right to access the personal data. 

Right to rectification 

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Right to object 

In situations where the processing of personal data is based on public interest, the exercise of official authority vested in the controller or the legitimate interest of the controller or a third party, the data subject has the right to object to the processing of personal data concerning him or her.

If a data subject uses his or her right to object, the controller must stop the processing of the personal data, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

If personal data is processed for direct marketing purposes, the data subject has the right to object to the processing without any specific grounds. 

In situations where personal data is processed for statistical or research purposes, the data subject may object to the processing on grounds relating to his or her particular situation, in response to which the controller must stop processing the data subject’s data, unless the processing is necessary for performing a task carried out for reasons of public interest. 

Right to restriction of processing 

The data subject has the right to obtain from the controller restriction of processing if:

• the accuracy of the personal data is contested by the data subject

• the processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead

• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims

• the data subject has objected to the processing of the personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

Right to data portability

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means.

Right to erasure 

In situations where the legal basis for the processing of personal data is something other than compliance with a legal obligation, public interest or the exercise of official authority vested in the controller, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her. The requested data will be erased unless the controller has a legal basis for refusing to erase the data, such as a legal obligation to retain the data.

Right to withdraw consent

Insofar as personal data is processed on the basis of the consent of the data subject, the data subject may withdraw his or her consent at any time by notifying the controller of the withdrawal. Withdrawing consent will not affect the lawfulness of processing carried out on the basis of the consent of the data subject before its withdrawal.

7.2.2024

Grounds for and purpose of the data processing

The processing of personal data is necessary for compliance with a legal obligation to which the controller is subject (point (c) of Article 6(1) of the General Data Protection Regulation) and for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (point (e) of Article 6(1) of the General Data Protection Regulation).

The personal data are used for the performance of the Finnish Transport and Communications Agency’s official duties related to licence and supervision matters as laid down in the Act on Earth Stations and Certain Radars (96/2023, hereinafter also referred to as the ‘Earth Stations Act’).

• This register is used for the following tasks:
• processing of notifications submitted by authorities (section 3 of the Earth Stations Act)
• issuing, processing and maintenance of licences and carrying out reliability evaluations (sections 4–8 of the Earth Stations Act)
• supervision, including reception and processing of information and incident notifications submitted by operators, exercise of the right to access and review data and exchange of information between authorities (sections 9–17 of the Earth Stations Act)
• invoicing (section 18 of the Earth Stations Act).

Data content

The data undergoing processing

The register contains personal data relevant to licence and supervision matters related to earth station and radar operations.

The register contains the following information on operators as referred to in the Earth Stations Act and their representatives, the members and deputy members of their board of directors or supervisory board, their CEO and the CEO’s deputy, their active partners, their other members of top management, their owners and their contact persons

• client number, licence number
• name
• business ID / date of birth / personal identity code / nationality
• address
• postal code, city, country
• telephone number
• email address
• invoicing information.

Location of the earth station or radar

As regards reliability evaluations, the following information on the persons being evaluated as referred to in section 5 of the Earth Stations Act:

• bankruptcy information (section 1 of the Act on the Bankruptcy and Restructuring Register 137/2004)
• business prohibition information (section 21 of the Act on Business Prohibitions 1059/1985)
• criminal record information (section 2 of the Criminal Records Act 770/1993)
• fines register information (section 46 of the Act on the Enforce- ment of a Fine 672/2002)
• attachment information (section 24 of the Enforcement Code 705/2007)
• other relevant extracts, certificates and information as regards the above (section 5(4) of the Earth Stations Act)
• information on the person’s manifest unfitness to engage in earth station or radar operations in a manner compliant with national security, Finland’s international obligations or foreign and security policy (section 5(2)(2) of the Earth Stations Act).

Information on operators’ notifications to the authorities and licences 

Information on operators’ clients

• clients and client groups, including name and any identifying information and any changes in client relationships. 

Other information related to electronic communications and supervision:

• traffic data, location data and messages
• information concerning the information system or telecommunications arrangement being inspected.

Other personal data: Personal data (such as a person’s name, contact information) may be included in the following notifications: annual reports, submitted information on changes that may be relevant to eligibility for a licence or the terms of a licence and incident notifications.

Sources of the processed data (where the data is received from)

The data sources of the register are documents received from clients and other authorities. Relevant data are also obtained from the Ministry of Defence, the Ministry for Foreign Affairs, the Ministry of Transport and Communications, the Finnish Security and Intelligence Service, the Finnish Defence Forces, the Legal Register Centre and National Enforcement Authority Finland. Furthermore, data may be collected from the Finnish Patent and Registration Office’s Business Information System and Finnish Register of Associations.

Traficom may also receive and acquire data in connection with carrying out supervision tasks.

Storage period of personal data 

The data retention periods are based on currently valid archiving and information management plan principles. 

The data are retained for as long as they are needed for carrying out the Finnish Transport and Communications Agency’s statutory administrative tasks.

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

Confidentiality regulations or other restrictions on the disclosure of information notwithstanding, the Finnish Transport and Communications Agency, the Ministry of Defence, the Ministry for Foreign Affairs, the Ministry of Transport and Communications, the Finnish Security and Intelligence Service and the Finnish Defence Forces have the right to disclose documents that they have obtained or drawn up in connection with carrying out their statutory duties and disclose confidential information to each other if doing so is necessary for the performance of their statutory duties.

Furthermore, in connection with reliability evaluations, personal data may be disclosed to the Legal Register Centre, National Enforcement Authority Finland and other competent authorities for the purpose of obtaining the necessary register extracts and documents.

Personal data related to invoices are disclosed during invoicing to the invoicing customer register of the Finnish Government Shared Services Centre for Finance and HR’s (Palkeet) Kieku system using a secure machine-to-machine (M2M) connection.

The data are used for tasks related to invoicing, such as the sending of invoices and collection proceedings.

Processing of personal data on behalf of the controller

No processing of personal data on behalf of the controller.

Transfer of personal data to third countries outside the EU/EEA

No data is disclosed outside the EU or EEA.

Automated decisionmaking and profiling

The personal data processing does not involve automated decision- making or profiling.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700

Rights

Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed. If processing takes place, the data subject has the right to access the personal data. 

Right to rectification 

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Right to object 

In situations where the processing of personal data is based on public interest, the exercise of official authority vested in the controller or the legitimate interest of the controller or a third party, the data subject has the right to object to the processing of personal data concerning him or her.

If a data subject uses his or her right to object, the controller must stop the processing of the personal data, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

If personal data is processed for direct marketing purposes, the data subject has the right to object to the processing without any specific grounds. 

Right to restriction of processing 

The data subject has the right to obtain from the controller restriction of processing if:

• the accuracy of the personal data is contested by the data subject

• the processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead

• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims

• the data subject has objected to the processing of the personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

Right to data portability

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means.

At Traficom, personal data are most often processed for the purpose of carrying out the statutory tasks of an authority, in which case the data subject does not have the right to data portability, unless separately provided by law.

Right to erasure 

In situations where the legal basis for the processing of personal data is something other than compliance with a legal obligation, public interest or the exercise of official authority vested in the controller, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her. The requested data will be erased unless the controller has a legal basis for refusing to erase the data, such as a legal obligation to retain the data.

At Traficom, personal data are most often processed for the purpose of carrying out the statutory tasks of an authority, in which case the data subject does not have the right to erasure.

Right to withdraw consent

Insofar as personal data is processed on the basis of the consent of the data subject, the data subject may withdraw his or her consent at any time by notifying the controller of the withdrawal. Withdrawing consent will not affect the lawfulness of processing carried out on the basis of the consent of the data subject before its withdrawal.

1.1.2024 TRAFICOM/83427/00.04.00.03/2024

Grounds for and purpose of the data processing

The processing of personal data is based on the fulfilment of the controller's statutory duties.

Personal data is used to manage the administrative tasks of the Finnish Transport and Communications Agency prescribed by the Act on Transport Services (320/2017) and the Finnish Transport and Communications Agency's regulation for Demand and supply data for passenger transport services and price data for taxi services (TRAFICOM/420990/03.04.03.00/2020).

The use of this register applies to the following activities:

Act on Transport Services section 152 subsection 7: The Finnish Transport and Communications Agency must monitor the general price development of taxi transport services in different regions. License holders and brokerage service providers engaged in passenger transport have the obligation, without prejudice to business secrets, to periodically submit information on the actual prices of the taxi services they offer or broker to the Finnish Transport and Communications Agency in order to carry out the monitoring tasks referred to in this subsection and subsections 4 and 5. The Finnish Transport and Communications Agency issues more detailed regulations on the price information to be delivered, the delivery methods and the delivery times of the information.

Act on Transport Services section 179 subsection 1: The Finnish Transport and Communications Agency shall monitor the demand for and supply of mobility services and coordinate their development. Additionally, the Finnish Transport and Communications Agency evaluates the state and functionality of the transport system, assesses the effects of this law and reports on them regularly.

Act on Transport Services section 233 subsection 1, chapters 1 and 2: The Finnish Transport and Communications Agency maintains data for its duties stipulated in the law:

• supply and demand of transport markets and mobility services and their development
• transport volumes of different modes of transport and other indicators.

The Finnish Transport and Communications Agency can publish information based on the data in this register, from which individual actors cannot be identified.

Data content

The data undergoing processing

The register contains the following information about taxi transport license holders (hereinafter referred to as taxi companies) and providers of taxi transport brokerage services (hereinafter referred to as dispatch centres):

Monthly monitoring of dispatch centres and large taxi companies (the turnover of taxi operations in the previous year is at least 7.5 million euros):

• Business ID of the taxi company
• Name of the taxi company
• Registration number of the vehicle that undertook the journey
• Taxi journey time of order
• Taxi journey departure time
• Taxi journey arrival time
• Taxi journey response time
• Taxi journey duration
• Advance order of a taxi journey (yes/no)
• Taxi journey start location
• Journey distance
• Taxi journey order type
• Accessibility requirement of a taxi journey (yes/no)
• Additional information about a taxi journey
• Total price of a taxi journey
• Basic price of a taxi journey
• Payment method

Annual monitoring of taxi companies:

• The notifier's name and personal identity code data are processed through the Suomi.fi identification of the Digital and Population Data Services Agency. The information is stored in case of misuse and failure, and is not used for any other purpose.
• The notifier's e-mail address information is used for automatic acknowledgement of receipt. Providing information is voluntary for the notifier and the information is not stored in the system.
• The notifier's mobile phone number information is used for automatic acknowledgement of receipt. Providing information is voluntary for the notifier and the information is not stored in the system.
• Company business ID
• Company name
• Total number of taxi journeys
• Number of KELA and social welfare and health care rides
• Number of taxi journeys requiring accessible equipment
• Professional mileage
• Taxi vehicles in use: The registration numbers of the vehicles used in taxi transport by the taxi company during the review year are reported individually.
• umber of accessible fleet
• Typical starting municipalities of taxi journeys
• Total turnover
• Taxi transport turnover
• Ordering methods
• Additional services and their pricing of special groups
• Number of taxi drivers and forms of employment
• Address for a price list published in an electronic service 

Annual monitoring of a dispatch centre:

• Company business ID
• Company name
• Turnover
• Number of dispatched taxi journeys
• Unrealised municipality-specific journeys

Uutiskirjeet.traficom.fi newsletter service is used to send email requests for information on the annual monitoring of taxi companies.

Uutiskirjeet.traficom.fi uses technical cookies to ensure the service functions properly.

Sources of the processed data (where the data is received from)

The register's information source is the information provided by the customers and the Suomi.fi identification and authorization of the Digital and Population Data Services Agency.

Information is retrieved from the following sources:

• The Business Information System (YTJ)
• Vehicle information system (ATJ)
• Transport Register (LILJA)

Storage period of personal data 

The data storage periods are based on the principles of the valid archiving and data control plan. The information is stored as long as it is required to carry out the statutory administrative tasks of the Finnish Transport and Communications Agency. Personal data is stored for a maximum of five years. Aforementioned applies to uutiskirjeet.traficom.fi service too.

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

Notwithstanding the duty of non-disclosure, Traficom has the right to disclose information it has obtained to another authority if the information is essential in order for this authority to perform its statutory duties.

Personal data is not disclosed for any other purpose in accordance with the rules.

Processing of personal data on behalf of the controller

Liana Technologies (Koodiviidakko Oy, business ID 1939962-1) serves as the processor of the personal data for uutiskirjeet.traficom.fi service. The email information requests for the annual monitoring of taxi companies is the only part of Traficom's taxi market monitoring where the personal data is processed on behalf of the controller.

Transfer of personal data to third countries outside the EU/EEA

Personal data is not transferred outside the EU/EEA.

Automated decisionmaking and profiling

Data processing does not involve automated decision-making or profiling.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700

Rights

Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed. If processing takes place, the data subject has the right to access the personal data. The data subject’s right to access their own personal data can be exercised only if the data subject can be unambiguously identified based on the given responses.

Right to rectification 

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. The data subject’s right to access their own personal data can be exercised only if the data subject can be unambiguously identified based on the given responses.

Right to restriction of processing 

The data subject has the right to obtain from the controller restriction of processing if:

• the accuracy of the personal data is contested by the data subject

• the processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead

• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims

• the data subject has objected to the processing of the personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

The demand to restrict the processing of data can be processed if the data subject can be unambiguously identified based on the given responses.

Right to erasure 

In situations where the legal basis for the processing of personal data is something other than compliance with a legal obligation, public interest or the exercise of official authority vested in the controller, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her. The requested data will be erased unless the controller has a legal basis for refusing to erase the data, such as a legal obligation to retain the data. 

The demand to erase personal data can be processed if the data subject can be unambiguously identified based on the given responses.

18.3.2024 TRAFICOM/368205/00.04.00.03/2023

Grounds for and purpose of the data processing

The register has been established for the purpose of storing contact details related to navigational warnings for potential future contact and for the purposes of safety investigation.

Pursuant to Section 24 of the Maritime Rescue Act (1145/2001), Traficom is responsible for safety-related navigational warnings and notices. The processing of personal data related to navigational warnings is based on Article 6(1)(e) of the General Data Protection Regulation, according to which processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Data content

The data undergoing processing

The name and contact details of the person reporting information that may compromise maritime safety. The data are stored for potential future contact and for the purposes of safety investigation.

Sources of the processed data (where data are received from)

The data is obtained directly from the person reporting information that may compromise maritime safety. The data may be received, inter alia, by telephone, via voice communications conducted through the maritime VHF system, by email, in DSC messages, or through other communication channels.

Storage period of personal data

Personal data are retained for no longer than is necessary for the purposes of clarifying the situation related to the navigational warning, however for a minimum period of 90 days.

Data processing

Recipients and categories of recipients of personal data (to whom personal data are disclosed)

Personal data are available to Traficom and to processors acting on its behalf for the duration of the processing. Personal data are not routinely disclosed to third parties.

Upon a separate request, data are disclosed to other authorities and operators with the right to use the data. The disclosed data are used for purposes such as safety investigation and court proceedings.

Processing of personal data on behalf of the controller

Processor of personal data: 

Fintraffic Vessel Traffic Services Ltd (2945246-5) 
Palkkatilanportti 1, FI-00240 Helsinki, Finland

Transfer of personal data to third countries outside the EU/EEA

Personal data are not transferred outside the European Union (EU) or the European Economic Area (EEA).

Automated decision-making and profiling

The personal data processing does not involve automated decision-making or profiling. 

Rights related to the processing of personal data

About exercising rights

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority

If you believe that your personal data are being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection ombudsman
PO Box 800, FI-00531 Helsinki, Finland
tietosuoja(at)om.fi
tel. +358 29 566 6700

Right of access to personal data

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning the data subject is being processed. If processing takes place, the data subject has the right to access the personal data. 

Right to rectification

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate or incorrect personal data.

Right to object 

In situations where the processing of personal data is based on public interest, the exercise of official authority vested in the controller or the legitimate interest of the controller or a third party, data subjects have the right to object to the processing of personal data concerning them.

If data subjects use their right to object, the controller must stop the processing of their personal data, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

If the personal data are processed for direct marketing purposes, the data subject has the right to object to the processing without any specific grounds.

In situations where personal data are processed for statistical or research purposes, data subjects may object to the processing on grounds relating to their particular situation, in response to which the controller must stop processing the data subject’s data, unless the processing is necessary for performing a task carried out for reasons of public interest. 

Right to restriction of processing

The data subject has the right to obtain from the controller restriction of processing if:

• the data subject contests the accuracy of the personal data

• the processing is unlawful, but the data subject opposes the erasure of the personal data and requests the restriction of their use instead

• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims

• the data subject has objected to the processing of the personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

TRAFICOM/197739/00.04.00.03/2025

Grounds for and purpose of the data processing

The register has been established for managing the maritime distress and safety radio service appropriately as well as investigating events concerning maritime accidents and dangerous situations after the fact. 

The processing of personal data is based on section 24 of the Maritime Search and Rescue Act (1145/2001), Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, GDPR) as well as the Data Protection Act (1050/2018).

Data content

The data undergoing processing

Personal data related to the reports in the service (the names and contact details of the persons involved in the event being reported, as well as descriptions related to the event).

Personal data received in voice traffic via the marine VHF system as well as in DSC messages (such as the identifying information of the vessel, the location, the name of the person who reported information on risks to navigation, the name of the person in distress, the name of the person transmitting the emergency message, information describing the state of health of the person in distress). The information is transmitted to maritime search and rescue authorities as well as the rescue department in connection with the events. The information is saved for safety investigation and court proceedings.

Sources of the processed data (where data are received from)

As a rule, the initial information comes from the person in distress, the person who reported the emergency or the user of the safety radio service. The information may come by telephone or marine VHF radio or via a technical system interface. 

The reports are generated due to the statutory duty of the controller.

Storage period of personal data

The personal data are stored as long as necessary to take care of the rescue activities appropriately and investigate the events involved in the accident or dangerous situation and the related search and rescue measures; however, for a minimum of 90 days.

Data processing

Recipients and categories of recipients of personal data (to whom personal data are disclosed)

The data are disclosed to the authorities and operators participating in maritime rescue.

Upon a separate request, data are disclosed to other authorities and operators with the right to use the data. The disclosed data are used for purposes such as accident investigation and court proceedings.

Processing of personal data on behalf of the controller

Processor of personal data: Fintraffic Vessel Traffic Services Ltd (2945246-5) Palkkatilanportti 1, FI-00240 Helsinki, Finland

Transfer of personal data to third countries outside the EU/EEA

Data can be transferred outside the EU, if parties outside the EU are linked to the event related to the data.

Automated decision-making and profiling

The personal data processing does not involve automated decision-making or profiling. 

Rights related to the processing of personal data

About exercising rights

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority

If you believe that your personal data are being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection supervisory authority
PO Box 800, FI-00531 Helsinki, Finland
tietosuoja(at)om.fi
tel. +358 29 566 6700

Right of access to personal data

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning the data subject is being processed. If processing takes place, the data subject has the right to access the personal data. 

Right to rectification

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate or incorrect personal data.

Right to restriction of processing

The data subject has the right to obtain from the controller restriction of processing if:

• the data subject contests the accuracy of the personal data

• the processing is unlawful, but the data subject opposes the erasure of the personal data and requests the restriction of their use instead

• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims

the data subject has objected to the processing of the personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

TRAFICOM/340920/00.04.00.03/2023

Grounds for and purpose of the data processing

The purpose of the theory test data form is to collect the information for the completion of the pilot theory test and PEC theory test.

The data is only used to record the results of the person who took the test and to inform the person of the result.

The basis for the personal data processing is the controller’s performance of a task carried out in the public interest (Article 6(1)(e) of the General Data Protection Regulation (2016/679) and section 4 of the Data Protection Act (1050/2018)). Under section 20 of the Act on the Openness of Government Activities (621/1999), the authorities have the duty to produce and disseminate information. As such, the grounds for the processing are public interest based on the controller’s obligation to provide information about current events in the transport and communications sectors, which are part of its field of competence.

Section 1 of the Act on the Transport and Communications Agency (935/2018) requires Traficom to operate in a customer-oriented manner, drawing on multisectoral expertise.

The pilot theory test and the PEC theory test are based on the requirements of the Pilotage act (561/2023) in section 36 Written part of the pilot examination and section 45 Written part of the PEC examination.

Data content

The data undergoing processing

The purpose of the theory test form is to collect information on the persons taking the theory test and the completion of the test.

The Webropol questionnaire collects information about the name, date of birth and e-mail address of the participants for the purpose of authenticating the person and providing a response.

Webropol uses necessary cookies for the functioning of its service platform and collects the data specified below using them. These cookies are connected to the functionality and quality control of the service.

Webropol uses cookies to collect e.g. the following information:

• Operating system
• browser version
• IP address
• browser add-ons
• number of times the survey has been opened in the space of one week
• page download time
• incomplete responses.

Sources of the processed data (where the data is received from)

The data source is a questionnaire on the Webropol platform. The link to the questionnaire is shared via email.

Storage period of personal data 

Any personal data entered will not be stored after 2025. Webropol will store data collected through cookies for 14 days.

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

Personal data is stored on the Webropol Oy (business ID FI17739602) service platform. Webropol Oy and Traficom have an agreement on processing personal data.

Processing of personal data on behalf of the controller

Webropol Oy (Business ID: FI17739602) processes the personal data and Telia Cygate Oy (Business ID 0752421-0) and Qumio Oy (Business ID 2466203-3) process the data as its subcontractors.

Webropol may not transfer personal data to third parties, except to subcontractors agreed upon by the Agency and Webropol. The following subcontractors may act as processors in accordance with the definition in the data protection regulation when serving as Webropol subcontractors to ensure and improve the development, usability and reliability of the system: Telia Cygate Oy (business ID 0752421-0) and Qumio Oy (business ID 2466203-3).

Transfer of personal data to third countries outside the EU/EEA

Personal data is not transferred outside the EU/EEA.

Automated decisionmaking and profiling

The processing of personal data does not involve automated decision- making or profiling.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700

Rights

Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed. If processing takes place, the data subject has the right to access the personal data. 

Right to rectification 

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Right to object 

In situations where the processing of personal data is based on public interest, the exercise of official authority vested in the controller or the legitimate interest of the controller or a third party, the data subject has the right to object to the processing of personal data concerning him or her.

If a data subject uses his or her right to object, the controller must stop the processing of the personal data, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

If personal data is processed for direct marketing purposes, the data subject has the right to object to the processing without any specific grounds. 

In situations where personal data is processed for statistical or research purposes, the data subject may object to the processing on grounds relating to his or her particular situation, in response to which the controller must stop processing the data subject’s data, unless the processing is necessary for performing a task carried out for reasons of public interest. 

Right to restriction of processing 

The data subject has the right to obtain from the controller restriction of processing if:

• the accuracy of the personal data is contested by the data subject

• the processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead

• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims

• the data subject has objected to the processing of the personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

Right to erasure 

In situations where the legal basis for the processing of personal data is something other than compliance with a legal obligation, public interest or the exercise of official authority vested in the controller, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her. The requested data will be erased unless the controller has a legal basis for refusing to erase the data, such as a legal obligation to retain the data.

TRAFICOM/589429/00.04.00.03/2024

Grounds for and purpose of the data processing

According to section 20 of the Act on the Openness of Government Activities (621/1999), the authorities shall promote the openness of their activities and, where necessary for this purpose, produce guides, statistics and other publications, as well as information materials on their services and practices, as well as on the social conditions and developments in their field of competence. As such, the grounds for the processing are public interest based on the controller’s obligation to provide information about current events in the transport and communications sectors, which are part of its field of competence.

Websites are a key communications channel for Traficom, and the agency maintains several websites focusing on different topics. Traficom.fi, kyberturvallisuuskeskus.fi and other sites in the same system with them are hosted on a server located in the agency’s own data centre.

Information is also relayed via videos embedded on the websites. These videos are shared via a service provided by Dream Broker Oy (2092227-2), and the videos are hosted on Dream Broker Oy’s server in Finland. Viewer statistics are collected on the videos: the number of viewers per video and how much of each video is viewed (at 25% intervals).

Data content

The data undergoing processing

The data undergoing processing consists of each data subject’s:

• IP address
• video viewing quality as selected by the user, if the user changes the default setting.

Sources of the processed data (where the data is received from)

The personal data concerning videos are received directly from the data subjects.

Storage period of personal data 

IP addresses are stored on Dream Broker Oy’s server for two (2) years. The video viewing quality cookie selected by the user is session- specific and only stored on the viewer’s device.

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

Personal data are stored on Dream Broker Oy’s (2092227-2) server.

Processing of personal data on behalf of the controller

Dream Broker Oy (2092227-2) processes personal data on behalf of the controller. Dream Broker Oy and Traficom have an agreement on processing personal data. 

The data are not disclosed to third parties.

Transfer of personal data to third countries outside the EU/EEA

Personal data are not transferred outside the EU/EEA.

Automated decisionmaking and profiling

The personal data processing does not involve automated decision- making or profiling.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700

Rights

Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed. If processing takes place, the data subject has the right to access the personal data. 

The only personal data collected in connection with videos is the data subject’s IP address.

Right to rectification 

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or he

The only personal data collected in connection with videos is the data subject’s IP address.

Right to object 

In situations where the processing of personal data is based on public interest, the exercise of official authority vested in the controller or the legitimate interest of the controller or a third party, the data subject has the right to object to the processing of personal data concerning him or her.

If a data subject uses his or her right to object, the controller must stop the processing of the personal data, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

If personal data is processed for direct marketing purposes, the data subject has the right to object to the processing without any specific grounds. 

In situations where personal data is processed for statistical or research purposes, the data subject may object to the processing on grounds relating to his or her particular situation, in response to which the controller must stop processing the data subject’s data, unless the processing is necessary for performing a task carried out for reasons of public interest. 

The only personal data collected in connection with videos is the data subject’s IP address.

Right to restriction of processing 

The data subject has the right to obtain from the controller restriction of processing if:

• the accuracy of the personal data is contested by the data subject

• the processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead

• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims

• the data subject has objected to the processing of the personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

The only personal data collected in connection with videos is the data subject’s IP address.

Right to data portability

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means.

The only personal data collected in connection with videos is the data subject’s IP address.

Right to erasure 

In situations where the legal basis for the processing of personal data is something other than compliance with a legal obligation, public interest or the exercise of official authority vested in the controller, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her. The requested data will be erased unless the controller has a legal basis for refusing to erase the data, such as a legal obligation to retain the data.

The only personal data collected in connection with videos is the data subject’s IP address.

Right to withdraw consent

Insofar as personal data is processed on the basis of the consent of the data subject, the data subject may withdraw his or her consent at any time by notifying the controller of the withdrawal. Withdrawing consent will not affect the lawfulness of processing carried out on the basis of the consent of the data subject before its withdrawal.

8.10.2022 TRAFICOM/583117/00.04.00.03/2022

Grounds for and purpose of the data processing

Act on the Finnish Transport and Communications Agency (935/2018), Act on Transport Services (320/2017) 

Management of data on Traficom’s partners and partnership agreements/operating licences that fall within the area of authority of the agency. These data are needed by operative systems for access rights, reporting and charging and by business operations for communication with partners.

Data content

The data undergoing processing

The register contains the following data on companies and organisations:

• names and addresses
• business locations
• persons responsible
• agreements.

Sources of the processed data (where the data is received from)

Applications, notifications or agreements/licences of agreement partners.

Storage period of personal data 

Personal data is retained until the company deletes or changes information on persons responsible.

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

Data on organisation partners are only processed by employees of Traficom, and data on partner companies are only disclosed to the partner companies themselves.

Processing of personal data on behalf of the controller

No processing on behalf of the controller takes place.

Transfer of personal data to third countries outside the EU/EEA

When the partner company is based outside of the EU, data that the company itself has previously provided are disclosed to the company for the purpose of assessing the need to update the data.

Automated decisionmaking and profiling

No automated decision-making or profiling takes place.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700

Rights

Right of access

The data subject has the right to obtain confirmation on whether or not Traficom is processing personal data concerning them and to obtain access to the personal data concerning them that Traficom is processing.

Right to rectification 

The data subject has the right to obtain from Traficom the rectification of inaccurate personal data concerning them or have incomplete personal data completed.

TRAFICOM/534584/00.04.00.03/2025