The Finnish Institute for Health and Welfare (THL) processes personal data in order to carry out its statutory duties. When processing personal data, THL complies with data protection laws and ensures an appropriate level of information security. This privacy notice details how THL processes your personal data in conjunction with use and maintenance of the Koronavilkku mobile app.
1. Data Controllers
THL decides the means and purposes for the processing of personal data; in other words, THL is the data controller. THL is therefore responsible for your personal data and has responsibilities for compliance with obligations under data protection laws.
At the end of 2020, Finland shall join the European Federation Gateway Service. The purpose of the processing in the European Federation Gateway Service is to facilitate the interoperability of national contact tracing and warning mobile applications within the federation gateway and the continuity of contact tracing in a cross-border context. For interoperability purposes, participating countries act as joint controllers. This means that the designated competent national authorities or bodies of the participating EU/EEA countries control the operation of the European Federation Gateway Service together. The technical and organisational details of this cooperation are laid down in the Commission Implementing Decision (EU) 2020/1023 of 15 July 2020, which is available here:
For more information see also:
An updated list of the joint controllers can be found here:
Our contact information is:
Finnish Institute for Health and Welfare (THL)
PO Box 30
FI-00271 Helsinki, Finland
tel. +358 29 524 6000
The contact person for personal data processing issues is:
The email address of THL’s data protection officer is email@example.com.
2. Purpose of processing personal data
The mobile contact tracing app to help break chains of infection (hereinafter the “app”) is a System of Systems consisting of a mobile app, its back end system and a professional user interface. The purpose of the app, and of the processing of personal data carried out by it, is to identify the close contacts of app users and to alert close contacts of potential exposure to the covid-19 coronavirus. Use of the app is voluntary.
If an app user is diagnosed by a healthcare professional as having covid-19 infection, the user receives a single-use unlock code that the user can tap into the app at their own discretion. This allows other users of the app to be notified of potential exposure to coronavirus. The information does not allow users to identify persons infected with or exposed to the virus.
If the app sends the user an alert of potential exposure, the user can, at their own discretion, report potential exposure to a healthcare professional via the Omaolo health check service or by phone. The app does not automatically send information about exposure to healthcare professionals or other authorities. The Contact Point for Cross-Border Health Care can be found here:
The Koronavilkku app shall query visited countries for the purposes of European interoperability. As an additional safety measure, user consent is also obtained before the necessary data is sent through the Federation Gateway Service to participating countries. THL shall receive data for cross-border interoperability through the gateway.
It is not possible to identify a person from the exchanged data, and each participating country is responsible for lawful processing of data. Countries follow EU cross-border interoperability procedures that enhance your privacy rights and ensure the lawfulness of data processing. National data protection authorities supervise that personal data processing is done in a lawful manner.
Personal data is processed in the Koronavilkku mobile app in iOS and Android interfaces, in the Koronavilkku app back end system, in professional user interfaces and in systems participating in interoperability through the European Federation Gateway Service.
Professional credentials can be used in normal workstation software and in secure email.
The back-end system is located in the IT processing environment provided by the Social Insurance Institute of Finland (Kela).
The professional user interface is located in the IT processing environment provided by SoteDigi Oy.
3. Lawful basis for processing personal data
The processing of personal data is always based on valid legislation. THL’s duties are laid down in the Act on the National Institute for Health and Welfare (668/2008). The use and maintenance of the app are laid down in sections 43a – 43i of the Communicable Diseases Act (1227/2016).
The lawful basis for processing personal data under the EU’s General Data Protection Regulation is:
Performance of a task carried out in the public interest (Article 6(1)(e) of the General Data Protection Regulation and section 4(2) of the Data Protection Act (1050/2018))
In addition, the processing of sensitive personal data is based on the special provision under Article 9(2) of the General Data Protection Regulation and section 6 of the Data Protection Act:
Processing is necessary for reasons of public interest in the area of public health (Article 9(2)(i) of the General Data Protection Regulation)
4. Personal data processed
The app and associated systems process the following personal data:
The mobile app stores the following data in the user’s own mobile device:
- The user’s own pseudonymous codes
- The pseudonymous codes of others the user comes into close contact with and the associated data relating to the length, time and Bluetooth signal strength of contacts
- The pseudonymous codes of the user reporting their infection
- The information received by the user of potential exposure
- Unlock code (not stored but processed)
The contact information and pseudonymous codes of the user reporting their infection are removed within 21 days of the notification of infection.
Back end system
The back end system saves the following data:
- The pseudonymous codes of the user reporting their infection
- Unlock code and telephone number
- Information about visited countries for EU interoperability
The data is deleted within 21 days of the notification of infection. Data is deleted from the European Federation Gateway Service and interoperable systems within 14 days.
Professional user interface
In the case of a positive coronavirus test, the telephone number of the corona app user and the starting date of symptoms are stored temporarily in the professional user interface for the purpose of sending a single-use unlock code to the user’s mobile phone.
In addition, the healthcare professional’s user interface stores the following data of healthcare professionals who have been issued with credentials:
- First name
- Family name
- Personal identity code
- Registration number in the register of healthcare professionals
- OID code based on the health and social welfare organisation register
- Duration of credentials
- Role according to credentials
- Contact information
- Professional title
Healthcare professional data is stored in the professional user interface for as long as the system is in use or the credentials are withdrawn at the request of the person responsible in the user’s or professional’s organisation.
5. Sources of personal data
Data about users’ pseudonymous codes are collected using the Koronavilkku mobile app and from the tracking systems of countries participating in EU cross-border interoperability.
Data required for the credentials of professionals are collected through municipal or joint municipal authority physicians in charge of communicable diseases or through another person named by a municipality or joint municipal authority.
6. Transfer or disclosure of personal data
Data is not transferred to parties outside of THL without the user’s consent. App users themselves decide to report exposure information to the health authorities.
The controller may use subcontractors to enable the service provided through the app. Subcontractors are bound by the requirements of data protection legislation insofar as they are involved in processing personal data. Subcontractors do not process data for other purposes. Kela and SoteDigi Oy process personal data on behalf of the controller. Solita Oy, which supplied the app, does not process personal data.
7. Transfer of personal data to non-EU/EEA countries
Personal data is not transferred to non-EU/EEA countries.
8. Profiling and automated decision-making
The data is not used for automated decision-making, including the profiling of individuals.
9. Retention of personal data
The personal data contained in the app and associated systems is retained for a maximum of 21 days.
10. What are your rights?
Data protection legislation guarantees you certain rights which ensure that the protection of your privacy, which is a fundamental right, is respected. Should you wish to exercise your rights, please contact THL’s registry office at firstname.lastname@example.org.
If THL is unable to identify you from the data, then the right of access, right to rectification, erasure and restriction of processing shall not apply. In practice, rights can be implemented only in those cases where the app user has given their telephone number to the healthcare professional in conjunction with diagnosis of covid-19 infection.
10.1 Right to withdraw consent
The processing of personal data is based on the Communicable Diseases Act. You can at any time remove the app from your phone whereupon all pseudonymous codes stored in the phone will automatically be removed. When the app is removed from the phone, any pseudonymous codes in the back end system are also automatically removed within 21 days. THL is not able to identify you from pseudonymous code data.
10.2 Right to access data concerning you
You have the right to know whether THL is processing personal data concerning you. You also have the right to know what personal data concerning you is processed and how. You also have the right to receive a copy of the personal data concerning you insofar as providing you with a copy does not adversely affect the rights and freedoms of others or if THL does not have legal grounds for refusing to disclose the data. Where THL is unable to identify you from the data, the right to access shall not apply because it is not possible.
10.2 Right to rectification of data
In principle, you have the right to have inaccurate or incorrect data rectified. Where THL is unable to identify you from the data, the right to rectification of data shall not apply because it is not possible.
10.3 Right to erasure of your data
You can at any time remove the app, whereupon any pseudonymous code data in your phone and back end system will be automatically deleted within 21 days at the latest. THL is not able to identify you from pseudonymous code data.
10.4 Right to restrict processing
You may have the right to restrict the processing of your personal data in cases laid down by law. The right to restrict processing may exist, for instance, if you believe that the personal data concerning you is inaccurate, it is being processed unlawfully or you have objected to the processing of your data. In this case, we may only process your personal data with your consent, where necessary for the establishment, exercise or defence of legal claims, or where it is in the general interest or essential to protect another person’s rights. Where THL is unable to identify you from the data, the right to restrict processing shall not apply because it is not possible.
10.5 Right to object to the processing of personal data
You may have the right to object to the processing of your personal data in cases laid down by law. The right to object may exist, for instance, if the processing is associated with automatic decision-making based on profiling or if the data is used for direct marketing purposes.
10.6 Right to refer a matter to the supervisory authority
You have the right to request the Data Protection Ombudsman to assess the lawfulness of THL’s activities.
Office of the Data Protection Ombudsman
Visiting address: Lintulahdenkuja 4, 00530 Helsinki
Postal address: P.O. Box 800, 00521 Helsinki
Switchboard: +358 29 566 6700
Fax: +358 29 566 6735