Updated on 25 February 2022

1. Name of the register

Register of Border Guard Activities

2. Data controller

Headquarters of the Finnish Border Guard
Vilhonvuorenkatu 4-6
00500 Helsinki, Finland
Switchboard +358 295 42 0000
[email protected]

3. Contact person in matters concerning the register

Lieutenant Commander Maija Laukka
Headquarters of the Finnish Border Guard
tel. +358 295 42 1113
[email protected]

4. Data protection officer for the data controller

Senior Officer Sami Piispanen
Headquarters of the Finnish Border Guard
tel. +358 295 42 1000
[email protected]

5. Legal basis for processing personal data

  • Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation)
  • Data Protection Act (1050/2018)
  • Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security (1054/2018)
  • Act on the Processing of Personal Data by the Border Guard (639/2019)
  • Border Guard Act (578/2005)
  • Act on Crime Prevention by the Border Guard (108/2018)
  • Act on the Administration of the Border Guard (577/2005).

6. Purpose of processing personal data

The Register of Border Guard Activities may process data for the following purposes:

  1. in border control and to maintain border security and order along the border
  2. to investigate offences and maintain public order and security
  3. to prevent and detect offences
  4. processing data of covert human intelligence sources
  5. in military administration of justice, and
  6. in other statutory duties of the Finnish Border Guard.

7. Personal data categories

Processing of basic personal data

For the purposes of border control and in order to maintain border security and order along the border, to investigate crimes and maintain public order and security, to prevent and detect offences, when processing data of covert human intelligence sources, in military administration of justice, and in other statutory tasks of the Finnish Border Guard, the Finnish Border Guard may process the following basic personal data:

  1. names
  2. personal identity code
  3. gender
  4. date and place of birth
  5. citizenship or lack of citizenship and nationality
  6. native language
  7. communication language
  8. civil status
  9. domicile and place of residence
  10. occupation and education
  11. information on conscription and service
  12. contact details
  13. information in the documentation necessary to establish identity
  14. customer number issued by the authorities
  15. travel document information and other information concerning border-crossing
  16. in the case of foreign nationals, the names, citizenship, nationality and contact details of the parents
  17. information on the person's death or declaration of death
  18. information on guardianship, declaration of bankruptcy or imposition of a business prohibition.

In addition, personal data may be processed as follows:

Processing of personal data in border control and to maintain border security and order along the border

  1. specifications, descriptions and classifications relating to Finnish Border Guard duties, actions or operations
  2. the information referred to in Annex II of the Schengen Borders Code
  3. the recordings of the technical monitoring referred to in section 29 of the Border Guard Act
  4. information on the movements and location of persons and vehicles in the vicinity of the border and on passengers and crew in cross-border passenger transport
  5. information for imposing a financial penalty on a carrier
  6. information for handling a matter relating to a border zone permit and a border crossing permit
  7. border zone notifications and other notifications submitted to the Finnish Border Guard
  8. information on the operation and composition of the border control authorities of other states and the border situation in Finland and in the European Union
  9. personal identifying characteristics to establish identity, including facial images
  10. information for the purpose of safeguarding the safety of a person who is the subject of an action or the occupational safety of an official, concerning the person's state of health and its monitoring or the treatment of their condition and concerning the danger presented by or unpredictability of the subject or the person; and information that describes or is intended to describe a criminal act, punishment or other consequence of an offence.

For the purpose of investigating offences and maintaining public order and security, processing the personal data of people who are:

  1. suspected of an offence or complicity in an offence
  2. younger than 15 years of age and suspected of a criminal act
  3. a subject of a criminal investigation or an action by the Finnish Border Guard
  4. reporting an offence or are  an injured party
  5. a witness
  6. a victim
  7. some other source of information relating to the duty.

The data received in connection with the performance of the duties of the Finnish Border Guard will be destroyed immediately after it is established that the information is not needed to for the purpose of performing a duty relating to investigating or referring a case for consideration of charges, for maintaining public order and security, or in a situation in which personal data has been processed for purposes other than the original purpose.

Contents of personal data processed for the purpose of investigating offences and maintaining public order and security

  1. specifications, descriptions and classifications relating to Finnish Border Guard duties, actions or operations
  2. personal identifying characteristics to establish identity, including fingerprints, handprints and footprints, handwriting, voice and odour samples, DNA profiles, facial images and other biometric data
  3. information for the purpose of safeguarding the safety of a person who is the subject of an action or the occupational safety of an official, concerning the person's state of health and its monitoring or the treatment of their condition and concerning the danger presented by or unpredictability of the subject or the person; and information that describes or is intended to describe a criminal act, punishment or other consequence of an offence
  4. identification information on a decision by the prosecutor or court and information on whether the person was convicted, their charges or punishment waived, or charges dismissed, ruled inadmissible or dropped; and information on whether the decision is final.

Processing of personal data for the purpose of preventing and detecting offences concerning persons:

  1. for whom there are reasonable grounds to believe that they have committed, or have an intention to commit, an offence for which the most severe punishment provided by law is imprisonment
  2. who are in contact with a person referred to in paragraph 1 or seen with such a person and the contacts or meetings can be assumed to have a link with the offence due to their regularity or the circumstances or behaviour of the person, or
  3. who are subjects of the surveillance referred to in section 21 of the Act on Crime Prevention by the Border Guard (108/2018) or other action by the Finnish Border Guard.

The Finnish Border Guard may also process the data concerning a witness, a victim and an injured party of an offence and persons reporting an offence or other observation if this is essential for the prevention or detection of an offence.

The decision to commence the processing of personal data connected to a crime analysis required for the prevention and detection of offences is taken by the data controller or some other administrative unit assigned by the data controller to carry out this duty.

In addition, the Finnish Border Guard may process information on observations made by border guards and information reported to the Border Guard regarding incidents or persons that, based on the circumstances or on the behaviour of the person, can reasonably be believed to be connected with criminal activity.

The data received in connection with the performance of the duties of the Finnish Border Guard will be destroyed immediately after it is established that the information is not needed.

Contents of personal data that are processed for the purpose of preventing and detecting offences

  1. specifications, descriptions and classifications relating to Finnish Border Guard duties, actions or operations
  2. details concerning the person’s connections, lifestyle, financial situation, hobbies, and other interests
  3. personal identifying characteristics to establish identity, including voice samples, facial images and other biometric data
  4. information for the purpose of safeguarding the safety of a person who is the subject of an action or the occupational safety of an official, concerning the person's state of health and its monitoring or the treatment of their condition and concerning the danger presented by or unpredictability of the subject or the person; and information that describes or is intended to describe a criminal act, punishment or other consequence of an offence.

Where possible, an assessment of the reliability of the data provider or data source and the accuracy of the data will be appended to the personal data.

Processing data of covert human intelligence sources

  1. information on the use and surveillance of covert human intelligence sources
  2. main contents of the information provided by a covert human intelligence source.

Processing of personal data in military administration of justice

The Finnish Border Guard may process personal data to perform a duty relating to the criminal investigation or military discipline procedure (military administration of justice) referred to in section 31, subsection 3 of the Act on the Administration of the Border Guard (577/2005).

It is further required that the data is connected to a person who is or has been subject to criminal investigation or coercive measures or who acts as an informant, witness, injured party or other person to be heard.

Contents of the personal data processed in military administration of justice

  1. specifications, descriptions and classifications relating to Finnish Border Guard duties, actions or operations
  2. personal identifying characteristics to establish identity, including voice samples and facial images
  3. information for the purpose of safeguarding the safety of a person who is the subject of an action or the occupational safety of an official, concerning the person's state of health and its monitoring or the treatment of their condition and concerning the danger presented by or unpredictability of the subject or the person; and information that describes or is intended to describe a criminal act, punishment or other consequence of an offence
  4. information on military discipline decisions and on matters considered by the prosecutor and the court as military court cases, information on the service of and request for a review of a decision or a sentence and information on the enforcement of the sanction
  5. information concerning the supervision of the military discipline procedure.

Processing of personal data in other statutory duties of the Finnish Border Guard

The Finnish Border Guard may process personal data to perform its statutory duties relating to surveillance, customs, search, rescue and emergency medical care and other statutory duties of the Border Guard.

  1. specifications, descriptions and classifications relating to Finnish Border Guard duties, actions or operations
  2. information on maritime traffic and the location of vessels
  3. information on administrative sanctions
  4. information for the purpose of safeguarding the safety of a person who is the subject of an action or the occupational safety of an official, concerning the person's state of health and its monitoring or the treatment of their condition and concerning the danger presented by or unpredictability of the subject or the person; and information that describes or is intended to describe a criminal act, punishment or other consequence of an offence.

8. Data sources

The Finnish Border Guard has the right to obtain information in its duties in accordance with the powers laid down for it in legislation. It also has the right to collect information necessary for the task from open sources.

In addition, the Finnish Border Guard may also obtain information from the data subject. 

The following data sources are also used.

Right to obtain information from public authorities

Notwithstanding the obligation of secrecy, the Finnish Border Guard has the right to obtain from a public authority, and a body or a person assigned to perform a public function any information and documents necessary to carry out an official duty unless disclosing such information or documents to the Border Guard or using such information as evidence is prohibited or restricted by law.

The decision on obtaining confidential information is made by an official with the power of arrest unless otherwise agreed upon with the party who disclosed the information.

Right to obtain information from a private organisation or person

At the request of an official with the power of arrest, the Finnish Border Guard has the right to obtain information to prevent or investigate an offence to be investigated by the Border Guard, notwithstanding business, banking or insurance secrecy binding on members, auditors, managing directors, board members and employees of an organisation. The Finnish Border Guard has the same right to obtain information needed in an investigation referred to in section 27 of the Border Guard Act if an important public or private interest so requires.

In individual cases and on request of an official with the power of arrest, the Finnish Border Guard has the right to obtain from a telecommunications operator and a corporate or association subscriber contact information on a network address that is not listed in a public directory or data identifying a network address or terminal equipment to perform a Border Guard duty. Similarly, the Finnish Border Guard has the right to obtain postal address information from organisations engaged in postal services.

For licence administration purposes, the Finnish Border Guard has the right to obtain information from private organisations and persons.

Right to obtain information contained in certain registers and information systems

The Finnish Border Guard has the right to obtain data from the registers of authorities also with the aid of a technical interface or as a set of data as agreed with the data controller on the practical procedure. Provisions on the right to obtain information are laid down in the Act on the Processing of Personal Data by the Border Guard and also in other legislation.

Right to obtain information on persons in a vehicle crossing the external border

Notwithstanding secrecy provisions, the Finnish Border Guard has the right to obtain and process information concerning the passengers of organisations and corporations and the personnel of vehicles for the purpose of carrying out border control and maintaining border security.

The driver of a vehicle entering or leaving the country and crossing the external border must submit to the border control authorities of the point of entry or exit information on the persons in the vehicle. The captain of a ship or an aircraft, and the owner or holder of a train or another means of transport, or their representative must submit to the border control authorities of the point of entry or exit the passenger and crew list, or in some other manner information on the employees, passengers and other persons in the means of transport, unless the information has already been submitted under section 25 or 26 of the Act on the Processing of Personal Data by the Border Guard.

The passenger and crew list must state the last and first name of each person entered in the list, their date of birth, gender and nationality as well as the nationality and registration information regarding the means of transport and the place of arrival and departure.

The information referred to above must be submitted also for traffic crossing internal borders if border control has been temporarily reintroduced at the internal borders in accordance with Title III, Chapter 2 of the Schengen Borders Code and section 15 of the Border Guard Act.

Air passenger data

In addition to the provisions in the previous section, natural persons and legal persons whose profession it is to provide passenger transport by air must submit to border control authorities, at their request, information referred to in this section on passengers whom they carry to an authorised border crossing point through which these persons enter or leave the territory of European Union Member States (air passenger data).

These air passenger details must contain the number and type of travel document being used by the passenger, the passenger’s citizenship or lack thereof, full name, date of birth, border crossing point through which the passenger is arriving to or departing from the region of the European Union member states, flight code, flight departure and arrival time, total number of individuals being transported in the flight, and original point of departure. These details must be provided as soon as the check-in has been completed. The details must be disclosed digitally or, where this is not possible, in some other appropriate manner.

This regulation also applies to traffic crossing internal borders in situations where border control has been temporarily reintroduced at the internal borders in accordance with Title III and Chapter 2 of the Schengen Borders Code or section 15 of the Border Guard Act.

Passenger and crew information in vessel and rail traffic

Natural persons and legal persons who professionally carry out passenger or goods transport by ship or by rail must submit to border control authorities the data on passengers and crew referred to in the Act on the Processing of Personal Data by the Border Guard prior to arrival at border check.

In rail transport, the data must be submitted no later than when the train has departed from the last station at which it has taken on passengers. For vessel traffic, the provisions of the Schengen Borders Code and other statutes apply to the obligation to submit information in advance.

This regulation also applies to traffic crossing internal borders in situations where border control has been temporarily reintroduced at the internal borders in accordance with Title III and Chapter 2 of the Schengen Borders Code or section 15 of the Border Guard Act.

Personal data received in connection with international cooperation

The Finnish Border Guard has the right to obtain information from the law enforcement authority of a Member State of the European Union or of the European Economic Area, information on European Union border control cooperation, and information on certain international information systems. The Finnish Border Guard also receives information from third countries.

9. Recipients of personal data

Disclosure of personal data to authorities

In accordance with section 17a of the Act on the Administration of the Border Guard: the non-disclosure obligation of an official who belongs to Border Guard personnel does not prevent the provision of information to a public authority or an organisation performing a public service task that, on account of its statutory duty, needs to obtain information on a fact otherwise to be kept secret or about a person’s reliability or suitability for a duty. Provisions on the disclosure of information for the purpose of verifying the reliability of a person applying for or operating in security-sensitive duties are separately provided by law.

Disclosure of personal data to another competent authority referred to in the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security

Notwithstanding secrecy provisions, the Finnish Border Guard may, in border control and to maintain border security and order along the border, to prevent and detect offences, when processing data of covert human intelligence sources, in military administration of justice and in other statutory duties of the Finnish Border Guard, and with the aid of a technical interface or as a set of data, disclose the following personal data to the police, Customs, the Defence Forces, prosecutors, courts, the Legal Register Centre, the Criminal Sanctions Agency, and other competent authorities referred to in the Criminal Matters Personal Data Act for the performance of the authority's statutory duties referred to in section 1 of the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security.

Other disclosure of personal data

In addition to the above, the Finnish Border Guard may disclose personal data with the aid of a technical user connection or as a set of data as outlined in the Act on the Processing of Personal Data by the Border Guard or elsewhere in the law.

Personal data received in connection with international cooperation

In accordance with the right to obtain information, the Finnish Border Guard also has the right to disclose similar information in international cooperation.

10. Transfer of data outside the EU or EEA

Notwithstanding secrecy provisions, the Border Guard may disclose personal data in compliance with chapter 7 of the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security.

Notwithstanding secrecy provisions, the Finnish Border Guard may disclose the personal data referred to in border control and to maintain border security and order along the border, to investigate crimes and maintain public order and security, to prevent and detect offences, when processing data of covert human intelligence sources, in military administration of justice, and in other statutory tasks of the Finnish Border Guard as follows:

  1. to the authorities referred to in the agreement concerning the régime of the Finnish-Soviet State Frontier and the procedure for the settlement of frontier incidents (Finnish Treaty Series 32/1960) to carry out the duties referred to in the agreement
  2. to an authority responsible for the border control of another state if the data are essential to perform border control
  3. to the competent authorities referred to in international obligations or arrangements on the readmission of persons entering the country and residing there without authorisation when performing the duties referred to in these international obligations or arrangements.

Notwithstanding secrecy provisions, the Border Guard may disclose personal data relating to the acquisition, possession, transfer, import and export of firearms, firearm components, cartridges and specially dangerous projectiles to an arms control authority of another state provided that the disclosure of the data is essential for arms control.

The information referred to above may also be disclosed as a set of data.

11. Quality of the register and principles of protection 

The user has a personal user ID and password granted in accordance with the data controller's instructions. User rights are mainly managed in a centralised manner. Unauthorised use of the register has been prevented by means of IT encryption solutions. 

12. Storage period for personal data

Erasure of personal data processed in border control and for the purpose of the maintenance of border security and order along the border

The personal data processed in border control and for the purpose of the maintenance of border security and order along the border are erased at the latest five years after the latest entry of data.

The following exceptions apply:

  1. permit or licence data are erased 10 years after the expiry of the permit or licence
  2. notification data are erased 10 years after the entry of the data in the register
  3. the recordings of technical monitoring referred to in section 29 of the Border Guard Act are erased at the latest six months after the recording was made
  4. data on the imposition of a financial penalty on a carrier are erased 10 years after their entry in the register
  5. data on an entry ban are erased three years after the withdrawal or termination of the ban
  6. data on the operation and composition of the border control authorities of other states and the border situation in Finland and in the European Union are erased 25 years after entry of the latest data in the register
  7. data for the purpose of safeguarding the safety of a person who is the subject of an action or the occupational safety of an official, concerning the person's state of health and its monitoring or the treatment of their condition and concerning the danger presented by or unpredictability of the subject or the person; and information that describes or is intended to describe a criminal act, punishment or other consequence of an offence are erased at the latest one year after the death of the data subject.

However, personal data may be retained, if this is necessary for investigative, surveillance or other justified reasons or to ensure the rights of the data subject, other parties or employees of the Finnish Border Guard. The necessity of retaining personal data will be reviewed at least every five years.

Erasure of air passenger data

Air passenger data are erased at the latest 24 hours after they were submitted to the border check authorities when the passengers have entered or left the country unless the data are needed in another statutory duty of the Finnish Border Guard, the police or Customs. The provisions of the Act on the Use of Air Carriers' Passenger Name Record Data in the Prevention of Terrorist Offences and Serious Crime also apply to the processing of air passenger data after 24 hours have passed.

Unless otherwise provided, the party disclosing the air passenger data will destroy the personal data it has acquired and submitted to the border check authorities at the latest 24 hours after the means of transport used has arrived at its destination.

Erasure of personal data relating to criminal matters

Data concerning a criminal matter referred to the prosecutor for a decision are erased:

  1. five years after the referral of the criminal matter to the prosecutor, if the most serious offence suspected in the criminal matter may result in a fine or a maximum imprisonment of one year
  2. ten years after the referral of the criminal matter to the prosecutor, if the most serious offence suspected in the criminal matter may result in an imprisonment of more than one year and no more than five years
  3. twenty years after the referral of the criminal matter to the prosecutor, if the most serious offence suspected in the criminal matter may result in a maximum imprisonment of over five years.

However, the data referred to above are erased at the earliest one year after the expiration of the limitation period for bringing charges for the offence.

Data on other criminal matters are erased one year after the expiration of the limitation period for bringing charges for the latest suspected offence, but no earlier than five years after the recording of the criminal matter.

Personal identifying characteristics processed to establish identity are erased no later than 10 years after the last entry concerning the person suspected of an offence. However, the data are erased no later than ten years after the death of the data subject if the most severe punishment for the most serious offence recorded is a minimum imprisonment of one year.

The personal identifying characteristics of a data subject who was under 15 years of age at the time of committing the offence are erased no later than five years after the recording of the last entry concerning the person suspected of an offence, unless any of the entries concern an offence for which the only sanction is imprisonment.

The data referred to above are erased no later than one year after the entry if, during the investigation, it was ascertained that no offence was committed or that there is no longer reason to suspect the person of an offence.

However, all of the above-mentioned personal data may be retained if this is necessary for investigative, surveillance or other justified reasons or to ensure the rights of the data subject, other parties or employees of the Border Guard. The necessity of retaining personal data will be reviewed at least every five years.

Erasure of other personal data processed for the purpose of investigating offences and personal data processed for the purpose of maintaining public order and security

Personal data processed for the purpose of investigating offences other than those referred to in section 42 of the Act on the Processing of Personal Data by the Border Guard and personal data processed for the purpose of maintaining public order and security are erased five years after the recording of a notification or matter unless they are connected to a criminal matter under investigation.

The following exceptions apply:

  1. data processed for finding, monitoring, surveillance or protection of individuals concerning a warrant of apprehension or a travel ban are erased three years after the cancellation or expiry of the warrant or ban
  2. data for the purpose of safeguarding the safety of a person who is the subject of an action or the occupational safety of an official, concerning the person's state of health and its monitoring or the treatment of their condition and concerning the danger presented by or unpredictability of the subject or the person; and information that describes or is intended to describe a criminal act, punishment or other consequence of an offence are erased at the latest one year after the death of the data subject.

However, the above-mentioned personal data may be retained if this is necessary for investigative, surveillance or other justified reasons or to ensure the rights of the data subject, other parties or employees of the Finnish Border Guard. The necessity of retaining personal data will be reviewed at least every five years.

Erasure of personal data processed for the purpose of preventing and detecting offences

Personal data processed for the purpose of preventing and detecting offences are erased no later than 10 years after the last entry of data concerning an offence, criminal activity or action. The data referred to in section 10, subsection 5 of the Act on the Processing of Personal Data by the Border Guard are erased no later than six months after making the entry and the data referred to in section 11, subsection 1, paragraph 4 no later than one year after the death of the data subject.

However, the above-mentioned personal data may be retained if this is necessary for investigative, surveillance or other justified reasons or to ensure the rights of the data subject, other parties or employees of the Finnish Border Guard. The necessity of retaining personal data will be reviewed at least every five years.

Erasure of data concerning covert human intelligence sources

Data concerning covert human intelligence sources are erased no later than 10 years after the last entry.

Erasure of personal data processed in military administration of justice

Personal data processed in military administration of justice are erased as follows:

  1. data concerning an admonition, extra duty and confinement to barracks not exceeding 10 days, three years after the disciplinary punishment was sentenced or imposed unless the concerned party has during this period been sentenced by a decision of a court or in disciplinary proceedings
  2. data concerning a warning, confinement to barracks exceeding ten days, disciplinary fine and detention, five years after the disciplinary punishment was sentenced or imposed unless the concerned party has during this period been sentenced by a decision of a court or in disciplinary proceedings.

Data on a sentence imposed by a court in military court procedure are erased in compliance with the provisions of section 10 of the Criminal Records Act (770/1993) and section 52 of the Act on the Enforcement of a Fine (672/2002).

If a person has been punished by a decision of a court or in disciplinary proceedings more than once, the data are erased five years after the last disciplinary punishment.

Personal data relating to criminal investigation processed in military administration of justice are erased no later than:

  1. one year after the expiration of the limitation period for bringing charges for the offence if the expiry period is more than ten years
  2. one year after the data controller has received information on a decision of the prosecutor not to take measures to bring charges against the person who has committed an offence or on a decision of the prosecutor that no offence has been committed or that there is no evidence of an offence
  3. one year after the data controller has received information on a decision of the prosecutor that the offence has become time-barred
  4. one year after the controller has received information that the charge has been finally dismissed or the charge brought has been dismissed due to time-barring
  5. one year after the death of the suspect of an offence
  6. ten years after the last entry.

Data for the purpose of safeguarding the safety of a person who is the subject of an action or the occupational safety of an official, concerning the person's state of health and its monitoring or the treatment of their condition and concerning the danger presented by or unpredictability of the subject or the person; and information that describes or is intended to describe a criminal act, punishment or other consequence of an offence in military administration of justice are erased at the latest one year after the death of the data subject.

Erasure of other personal data

The personal data referred to in section 15 of the Act on the Processing of Personal Data by the Border Guard are erased five years after their entry in the register unless there are special reasons to retain the data for investigative, surveillance or other justified reasons or to ensure the rights of the data subject, other parties or employees of the Border Guard. The necessity of retaining personal data will be reviewed at least every five years.

The following exceptions apply:

  1. data on foreign persons detained are erased five years after the last entry of data related to the person in question
  2. data concerning a business prohibition are erased five years after the end of the business prohibition
  3. the data referred to in section 15, subsection 2, paragraph 4 of the Act on the Processing of Personal Data by the Border Guard are erased no later than one year after the death of the data subject.

Information found to be incorrect

Notwithstanding the provisions of the General Data Protection Regulation and the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security on the rectification of erroneous data in personal data registers, any data that is found to be incorrect may be kept with the rectified data if this is necessary to ensure the rights of the data subject, other parties or employees of the Border Guard. Such data may only be used for the stated purpose.

Any data found to be incorrect and retained under the above section will be erased once retaining of the data is no longer necessary to ensure the rights.

13. Publicity

The data in the Register of Border Guard Activities are secret as provided in section 24 of the Act on the Openness of Government Activities (621/1999).

14. Right of access to personal data

Notwithstanding confidentiality provisions and after indicating the information needed to search the data, everyone has the right to know which data concerning them has been stored in the personal data register or that the register does not contain any data concerning them.

The rights of the data subject may be restricted if this, considering the rights of the data subject, is proportionate and necessary:

Under Section 34 of the Data Protection Act, the data subject does not have the right to access data collected about them if:

  1. providing access to the data could compromise national security, defence, or public order and security, or hamper the prevention or investigation of offences
  2. providing access to the data could seriously endanger the health or treatment of the data subject or the rights of some other person, or
  3. the personal data is being used for monitoring and inspection purposes and refusal to provide access to the data is necessary to safeguard an important economic or financial interest of Finland or the European Union.

If only part of the data relating to the data subject is according to the above mentioned excluded from the right of access, the data subject has the right to access the other data relating to them.

The data subject will be notified of the reasons for the restriction except in cases where this would endanger the purpose of the restriction.

If the data subject does not have the right to access the data collected about them, the data referred to above must be provided to the Data Protection Ombudsman at the request of the data subject.

Under section 28 of the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security, the data subject’s right of access can be restricted in order to:

  1. avoid detriment to the prevention, detection, investigation or prosecution of criminal offences or the enforcement of criminal sanctions
  2. safeguard any other investigation, examination or other procedure of an authority
  3. protect public security
  4. protect national security, or
  5. protect the rights of other persons.

Under section 51 of the Act on the Processing of Personal Data by the Border Guard, the data subject does not have the right of access to:

  1. data of covert human intelligence sources referred to in section 12 of the Act on the Processing of Personal Data by the Border Guard
  2. information concerning the tactical and technical methods of the Finnish Border Guard, observation data, personal data of covert human intelligence sources or data used for forensic investigation purposes in order to investigate offences and maintain public order and security and to prevent and detect offences.

Provisions on the data subject exercising their rights through the Data Protection Ombudsman are outlined in section 21 of the Data Protection Act and in sections 29 and 56 of the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security. The request to exercise rights must be made to the Data Protection Ombudsman or to the data controller. A request to the data controller or another authority must be submitted to the Data Protection Ombudsman without delay.

Referral of a matter for consideration by the Data Protection Ombudsman

The data subject may refer a negative decision made by an authority concerning the right of access and the correction of an error to the Data Protection Ombudsman by means of a letter addressed to them.

Address:
Data Protection Ombudsman
P.O. Box 800
00521 Helsinki, Finland

Street address:
Ratapihantie 9, 6th floor
00520 Helsinki, Finland

15. Realisation of the right of access

When exercising their right of access, the data subject must make a request to this effect in person at the Headquarters of the Border Guard or Coast Guard or to the data controller and prove their identity.

In order to facilitate the implementation of the right of access, a separate form has been prepared. Using the form is not an absolute prerequisite for exercising the right of access; the request may also be submitted in writing by another document.

Access to the data is provided by the data controller or a person appointed by the controller to manage register matters, who provides the data subject with an opportunity to view their data. The data is provided in writing upon request.

The data and measures related to exercising the right of access are free of charge.

If the data subject's requests are clearly unfounded or unreasonable, in particular due to their frequency, the data controller may either:

  • a) charge a reasonable fee, taking into account the administrative costs of providing data or messages or performing the requested action, or
  • b) refuse to perform the requested action.

In such cases, the data controller must be able to demonstrate that the request is clearly unfounded or unreasonable.

The possible fee for checking the data is determined on the basis of the Act on Criteria for Charges Payable to the State (150/1992) and the Ministry of the Interior decree issued under it.

16. Right to rectify or supplement data

The data subject has the right to demand that the data controller rectifies inaccurate and incorrect personal data concerning the data subject without undue delay. With consideration to the purposes for which the data was processed, the data subject has the right to supplement incomplete personal data, for example, by providing additional data.

17. Right to restrict processing

Article 18 of the General Data Protection Regulation concerning the data subject’s right to restrict processing does not apply to data processing referred to in the Act on the Processing of Personal Data by the Border Guard.

18. Notification concerning the processing of personal data and right to file an appeal with the supervisory authority

If the data subject wants to report a problem concerning the processing of their personal data, they must primarily contact the data controller's representative/data protection officer.

The data subject also has the right to appeal to the supervisory authorities concerning the processing of their data. In Finland, the supervisory authority is the Data Protection Ombudsman (tietosuoja.fi).

19. Availability of the privacy statement

The privacy statement is available to everyone at the premises of the data controller and at each administrative unit.

The privacy statement is also available on the Finnish Border Guard's public data network (raja.fi).