Updated on 9 October 2025
1. Data controller
The Finnish Border Guard Headquarters
Address: P.O. Box 3, 00131 Helsinki
Visiting address: Vilhonvuorenkatu 6, 00500 Helsinki
Telephone: 0295 42 0000
Registry email: [email protected]
2. Data controller’s contact person
The name of data controller’s contact person is available on request and on our website Data controllers at the Finnish Border Guard.
Email: [email protected]
Other contact details in section 1.
3. Finnish Border Guard’s Data Protection Officer
The name of the Finnish Border Guard’s Data Protection Officer is available on request and on our website Data controllers at the Finnish Border Guard.
Email: [email protected]
Other contact details in section 1.
4. The purpose of processing personal data
Sections 7, 16 and 17 of the Act on the Processing of Personal Data by the Border Guard (639/2019, later Border Guard Personal Data Act)
The Border Guard may process personal data to carry out border control laid down in the Schengen Borders Code, to maintain border security and order along the border and to conduct an investigation relating to the conditions for an alien’s entry, residence, exit and removal from country.
Personal data may be processed for other purpose than the original one, in order to carry out the statutory duties of the Finnish Border Guard.
5. The legal basis for processing of personal data and legitimate interests
Article 6, paragraph 1c an article 9, paragraph 2g of the General data protection regulation ([EU] 2016/679), Sections 4 and 7 in the Border Guard Personal Data Act
Processing of personal data is based on compliance with the statutory obligation of the Finnish Border Guard. Processing of data belonging to special categories of personal data is based on important public interest.
6. Personal data processed
Sections 6 and 7 of the Border Guard Personal Data Act
The Border Guard may process basic personal data comprehensively, for instance names, personal identity codes, contact details, travel document information and information concerning border-crossing.
Furthermore, the Border Guard processes, inter alia,
- specifications, descriptions and classifications relating to Border Guard duties, actions or operations;
- information on the movements and location of persons and vehicles in the vicinity of the border;
- information for processing a matter relating to a border zone permit and a border crossing permit referred to in the Border Guard Act;
- alphanumeric information registered by Finland that are processed in the EES;
- information for processing ETIAS travel authorisation and to maintain ETIAS watchlist, and
- information on passengers and crew in cross-border passenger transport.
7. Disclosure of personal data
Act on the Openness of Government Activities (621/1999), Sections 17a and 18 of the Act on the Administration of the Border Guard (577/ 2005), Chapter 4 of the Border Guard Personal Data Act
The right of access to documents of authorities is laid down in the Act on the Openness of Government Activities.
In individual cases, the Border Guard may, notwithstanding secrecy, disclose personal data to authorities and a body or a person entrusted with a public service task, or in a situation where there is a cogent reason for disclosure of information, or for prevention of a significant danger to life, health or liberty, or substantial damage to the environment or property, or a substantial financial loss, or to ensure State security.
Furthermore, the Border Guard may disclose personal data on the basis of legislation to both domestic, European and international authorities for the performance of the statutory duties of the said authorities.
8. Disclosure of personal data to third countries
Sections 38 and 39 of the Border Guard Personal Data Act
In certain cases, the Border Guard may disclose personal data to third countries. Disclosure of personal data to third countries is carried out in compliance with the prerequisites of the legislation.
9. Archiving of personal data
Section 40 of the Border Guard Personal Data Act
Different erasure times have been defined for different data. The underlying premise is that data are erased at the latest five years after the latest entry of data.
By derogation from foregoing
- permit or licence data are erased ten years after the expiry of the permit or licence;
- data concerning the processing of ETIAS travel authorisation after the travel authorisation has expired or five years from a decision by which a travel authorisation has been refused, annulled or revoked;
- notification data and data on the imposition of a financial penalty on a carrier are erased ten years after their entry in the filing system;
- data on an entry ban are erased three years after the withdrawal or termination of the ban;
- information on the operation and composition of the border control authorities of other states and the border situation are erased 25 years after the last entry of data;
- data on the data subject’s health or their dangerous nature that is processed to ensure occupational safety are erased at the latest one year after the death of the data subject;
- data that corresponds to the data Finland has registered in EES of a family member of an EU citizen or a person who enjoys a corresponding right to free movement, but does not have a residence permit in the said member state, after one year from their registration, and when other data subject is concerned, after three years from the registration of the data, unless the data shall not be erased already before that in accordance with article 35 of the EES regulation, and
- the air passenger data are erased at the latest 24 hours after they were submitted to the border check authorities after the passengers have entered or left the country.
10. Legitimate interests
Legitimate interest is not the legal basis for processing personal data.
11. Origin of personal data
Chapter 3 of the Border Guard Personal Data Act, Section 22 of the Act on the Processing of Personal Data by the Police (616/2019), Section 21 of the Act on the Processing of Personal Data by the Customs (650/2019), Section 29 of the Act on the Processing of Personal Data by the Finnish Defence Forces (332/2019)
Some of the data is received directly from the data subject, for instance, in connection to a border check. Some of the data is received based on the Border Guard’s statutory rights to information and other authorities’ statutory rights to disclose information.
12. Automated decision-making and profiling
Automated decision-making or profiling is not used in processing personal data.
13. Rights of the data subject
13.1. The data subjects right of access
Article 15 of the General data protection regulation, Sections 50 and 51 of the Border Guard Personal Data Act, Section 34 of the Data Protection Act (1050/2018)
Under certain restrictions, the data subject has the right to confirmation whether his or her personal data are processed, and if they are processed, the right to a copy of these personal data.
Furthermore, the data subject has the right to a copy of this privacy notice, in addition to, where possible, more detailed information of automated decision-making and profiling, of the origin of personal data and their disclosure, as well as of disclosure of personal data to third countries.
When exercising the data subject’s right of access, the data subject shall present this request to the data controller, or to the part indicated by them, in person and verify his or her identity. Further information on exercising the data subject’s right of access concerning the Finnish Border Guard’s operative information systems is available on our website Access to your personal data.
If the data subject requests several copies of his or her personal data, a reasonable fee may be charged based on administrative costs.
13.2. Right to rectification of inaccurate or incorrect personal data
Article 16 of the General data protection regulation
The data subject shall have the right to rectification of inaccurate personal data concerning him or her, as well as the right to have incomplete personal data completed, taking into account the purposes of the processing.
13.3. Right to erasure of personal data
Article 17 of the General data protection regulation
In certain cases, the data subject has the right to demand that the personal data concerning them will be erased. The right to erasure primarily concerns situations where the need to process personal data no longer exists, or it was carried out illegally.
13.4. Right to restrict processing
Article 18 of the General data protection regulation, Section 52 of the Border Guard Personal Data Act
The data subject does not have the right to restrict processing.
13.5. Right to data portability
Article 20 of the General data protection regulation
The data subject does not have the right to data portability.
13.6. Right to object
Article 21 of the General data protection regulation
The data subject does not have the right to object the processing of their personal data.
13.7. Right to not be subjected to automated decision-making or profiling
Article 22 of the General data protection regulation
Automated decision-making or profiling is not used in processing personal data.
13.8. Exercising of the data subject’s rights
Please send any requests concerning the data subject’s rights, as well as questions concerning the processing of personal data, to the data controller’s contact person, whose contact details are available in chapter 2.
In accordance with article 12, paragraph 5 of the General data protection regulation, enforcement of rights of the data subject shall primarily be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, the controller may either charge a reasonable fee or refuse to act on the request.
13.9. Exercising of rights via the Data Protection Ombudsman
Article 77 of the General data protection regulation
Every data subject shall have the right to present the matter to the Data Protection Ombudsman, if the data subject considers that the processing of personal data relating to him or her infringes the data protection regulation.
Further information on the operations of the Data Protection Ombudsman and the contact details for their office are available on the website Office of the Data Protection Ombudsman (tietosuoja.fi).