Data protection

Personal data includes all data that can be used to identify a person directly or indirectly. Information such as name, an identification number, occupation, location data, e-mail address, photograph, voice, IP address or even the registration number of a vehicle may constitute personal data to which data protection must be applied.

Personal data can only be processed when legal justification exists for the processing. For more information on the processing of personal data at the National Archives of Finland, see the section “How does the National Archives process your personal data?”.

What are the obligations of the National Archives in the processing of personal data?

The National Archives has the following obligations, among others:

• Assessing the risks and impacts of processing personal data
• Demonstrating that it complies with the data protection regulation
• Telling the data subject about the processing of personal data
• Appointing a data protection officer
• Communicating any personal data breaches.

What are the rights of the data subject?

The term data subject is used to refer to the person whose personal data are being processed.

Read more about the rights of the data subject at the website of the Office of the Data Protection Ombudsman.

To exercise your rights, you can deliver a specific request to the registrar of the National Archive at [email protected] or by post (address: P.O. Box 258, 00171 Helsinki, Finland).

Requests that concern information stored at the National Archives can also be directed to the authority or private operator that gathered or prepared the information.

The National Archives of Finland
P.O. Box 258, 00171 Helsinki
[email protected]
​​​​​​​tel. +358 (0)29 533 7000

Lawyer Tomas Määttä
P.O. Box 258, 00171 Helsinki
[email protected]
​​​​​​​tel. +358 (0)29 533 7050

We process your personal data in connection with the following purposes:

• To carry out our services, for example to deliver documents stored at the National Archives to you for reading at the reading room or as copies to your home
• To invoice any services subject to a fee
• To process access permit applications
• To authenticate customer transactions
• To ensure the realisation of the rights and obligations of all parties
• To develop and analyse the services of the National Archives
• To prevent and investigate any misconduct.

We do not use personal data for statistical purposes.

The National Archives does not use automated decision-making or profiling.

An automated decision refers to a decision related to assessing personal attributes, made solely based on automatic data processing and resulting in legal effects or other significant outcome for the data subject. Examples of automated decision-making include decisions on a person’s creditworthiness. A data subject has the right not to be subjected to automated decision-making.

The National Archives needs to process personal data to fulfil its statutory assignment. The justification is mainly provided in the following laws:

• National Archives Act (1145/2016)
• Archives Act (831/1994)
• Act on the Openness of Government Activities (621/1999)

Personal data can also be processed based on consent; examples include newsletters or recording camera surveillance.  In any case, we always make sure that legal and valid justification exists for any processing of personal data.

The content and amount of the personal data saved in our systems depend on which of our services and service channels you have used. We only gather the personal data that we need to provide and develop each service, to fulfil our statutory obligations and to secure our legal protection.

The Astia service of the National Archives saves the following data:

• Basic customer information: The customer's first and last name, address, telephone number, e-mail address, language identifier and the home archive, which is the National Archives location selected by the customer as their place of access. The customers shall ensure that their contact information is correct.
• Information created on the basis of customer accounts: User ID, the date of accepting the terms of use, and information of the customer’s access permit applications, valid access permits, and any submitted requests for information or orders to access documents in the reading room or as inter-library loans.

The Tweb processing system contains the personal data required for processing the matter:

• Information related to issues opened or decided at the National Archives, including name, identification number or date of birth, the authority/company/organisation that the person represents, postal address, country, language identifier, telephone number, fax number, invoicing address, e-mail address, and any other identification information required for processing the matter, as well as information concerning the process and the decision.
• Information about who has processed the matter at the National Archives.

Platform for digital archiving service: service users

• Basic customer information for government authorities (VIRTU authentication): customer's first and last name, organisation and e-mail address.
• Basic customer information for other customers (suomi.fi authentication): customer's first and last name, social security number, organisation and e-mail address.
• Information created on the basis of customer accounts: information on transfers made by the customer and the date of accepting the terms of use. The customer always identifies with Virtu or suomi.fi authentication.

AHAA: service users

• User information: first and last name, organization and email address.
• User role information that enables the use of the system.
• User data can be combined with procedure data saved from editing description data.

Lyyti event and response management solution: Persons who have signed up to the courses organised by the National Archives of Finland, persons who have given feedback to the National Archives.

• Lyyti management solution contains the personal data required for processing the registration or feedback.

Recording camera surveillance in the facilities of National Archives

• Digital visual material of people who have accessed the facilities where surveillance is used.

The document retention periods have been defined in the National Archives’ Information management plan.

After the customer relationship ends, we retain data to fulfil our statutory obligations, to solve any disputes and to control any misconduct. The data to be retained include personal data related to payments and the use of archived materials.

The retention obligation for such data is typically 6–10 years. Data that is no longer necessary for its intended purpose, outdated data and any data for which justification for processing no longer exists will be safely disposed of.

Personal data stored in the user management system of the digital archive is removed when the access right ends.

Recorded camera surveillance materials are kept for a maximum of 14 days unless a particular reason exists for retaining the materials for longer. The materials are destroyed by recording new materials over them.

The diary data of the Tweb processing system, including information of who has opened the issue (for example, the name of the person who has filed a request) will be permanently retained.

We receive the data from you when you file an order or request or when you access the National Archives facilities that have camera surveillance. When necessary, we confirm the personal data from the population information system or another official registry.

The National Archive transfers to the Government Shared Services Centre for Finance and HR the personal data that is required for invoicing.  There is no other regular transfer of personal data. No data are handed over to third parties for marketing purposes.

Any other hand-over of data is only possible if prerequisites for handing over data as defined in the Act on the Openness of Government Activities (621/1999) exist.

No data are transferred to countries outside the EU or to international organisations.

The personal data of the customers of the National Archive are processed using the following information systems:

• Astia online service
• Astia reading room interface (an interface used in the reading room when ordering documents without an authentication process; the customer enters their name and optionally their telephone number and e-mail address)
• Astia order management (management of orders for the reading room and inter-library loans filed in the Astia online service and its reading room interface)
• Astia user management (Astia’s customer register and management of access rights to restricted materials)
• Tweb, or the National Archive diary, is a processing system for storing the matters processed by the National Archive, including requests for information, which are responded to by sending copies or certificates. The preparation and decision documents generated in the course of this process are archived into the system. The system is used to track the processing of matters under work in the National Archive and to provide information on progress, processing stages and decisions in compliance with the Act on the Openness of Government Activities (621/1999) and other legislation as well as guidelines and orders issued based on these.
• Digital archive user management
• Digital archiving service
• Lyyti event and response management solution
• Recording camera surveillance in the facilities of National Archives

The kansallisarkisto.fi website of the National Archives uses cookies for tracking the use of the site and to allow further development of services.

Cookies are used to process personal data in browser-based information systems. A cookie is a small text file that the browser saves in the user's device. Cookies are used to provide services, to streamline the log-in process and to allow compiling statistics concerning the service use. The user can prevent the use of cookies in their browser software, but this may block the required functionality in the system.

The National Archive protects the privacy of the personal data that it saves, and complies with the data protection legislation and appropriate data protection practices in all its operations.

The data have been protected against unauthorized viewing, editing and deleting. The protection is based on physical protection of the facilities, physical access control and restriction of access.

Right to access and process information is granted based on an employee’s task description. Data are only processed by persons who need to process them as part of their work. 

The facilities and the data are physically located in Finland.

Administrative controls are used to ensure appropriate procedures.

You have the right to

See the information concerning yourself. You can personally view and correct the following information in the Astia online service of the National Archive: address, telephone number, e-mail address, home archive (the National Archive facility that you normally visit) and language identifier. You can also view your name data, the orders for the reading room and inter-library loans filed in the Astia online service, information requests, access permit applications and current access rights.

• Ask to see your own information.
• Request the correction of your own information.
• Demand that your information is removed.
• Demand the processing of your personal data to be restricted.
• Object to the processing of your personal data.
• Request that personal data that you have submitted be transferred from one controller to another.
• Cancel the consent that you have provided, when personal data is processed based on consent.
• Not to be subjected to automated decision-making.

To exercise these rights, submit a written request to the registrar of the National Archive at [email protected] or by post to P.O. Box 258, 00171 HELSINKI, Finland.

Submission of a request for viewing the data and processing of the request are normally free of charge.

A decision is issued within one month from the request being received.

You have the right to file a complaint at the Office of the Data Protection Ombudsman if you believe that your personal data has been processed in breach of the currently valid data protection legislation. Contact information: Office of the Data Protection Ombudsman, P.O. Box 800, 00521 Helsinki, Finland, [email protected].

The statutory task of the National Archives of Finland is to ensure that the documents belonging to the national cultural heritage are preserved and remain accessible, and to promote their use for research purposes. Cultural heritage retained in documents also contains personal data. Permanent retention is usually based on archiving with regard to public interest.

The National Archives does not use automated decision-making or profiling.

An automated decision refers to a decision related to assessing personal attributes, made solely based on automatic data processing and resulting in legal effects or other significant outcome for the data subject. Examples of automated decision-making include decisions on a person’s creditworthiness. A data subject has the right not to be subjected to automated decision-making.

The National Archives needs to process personal data to fulfil its statutory assignment.

• National Archives Act (1145/2016)
• Archives Act (831/1994)
• Act on the Openness of Government Activities (621/1999)

The National Archives of Finland
P.O. Box 258, 00171 Helsinki
[email protected]
​​​​​​​tel. +358 (0)29 533 7000

Lawyer Tomas Määttä
P.O. Box 258, 00171 Helsinki
[email protected]
​​​​​​​tel. +358 (0)29 533 7050

The data stored at the National Archives has been accumulated during centuries. Most of the materials have been generated as a result of the activities of various authorities. The parties who have gathered the data from the data subjects have appropriate legal justification and purpose for processing the data within their own operations. Data protection regulation only applies to the personal data of the living.

As a rule, the data held by the National Archives include information on many different groups of data subjects, such as employees, health care customers, prisoners, convicted persons, pupils, association members, etc. The contents of the information vary and some stored materials include sensitive or special personal data or classified information.

The party that has drafted the document is responsible for the correctness of the information and for the information content in general.

As a rule, we retain the data permanently as part of the national cultural heritage.

The National Archive stores as part of its task documents of other authorities and private operators; these documents may contain personal data. Most of the materials have been generated as a result of the activities of various authorities.  The authorities have received the data for example from other authorities due to various reporting requirements, or they may have gathered the data directly from the data subjects. The party that originally gathered the data must have legal justification and purpose for gathering the data.

The National Archive works in cooperation with the authorities and private operators such as associations who have given materials for storage and promotes data protection as part of this cooperation. The National Archive agrees with the parties who give materials for storage on practices related to the materials and on the fulfilment of requirements set out in the data protection legislation, such as acting as the controller.

The National Archives does not hand over the data it stores to other parties regularly.  No data are handed over to third parties for marketing purposes.

Information requests may be submitted with regard to the materials that we store, and the requests are complied with in accordance with the legislation on the openness of operations as well as personal data protection principles. The persons who are responsible for the information services of the National Archive work based on specific instructions and always take into account the wishes and rights of the party who has transferred the information.

When responding to information requests, attention is always paid to the general principle of the right of access to public documents, and to the particular requirements of research work and other special purposes.

If the purpose for which information is requested does not require detailed personal data to be included, the personal data may be processed to anonymise or pseudonymise it as far as possible upon hand-over.

No data are transferred to countries outside the EU or to international organisations.

Reference data of materials to be archived in the National Archives, as well as analog and digital materials, are managed and used in the following systems:

• Astia service 
• AHAA (metadata)
• Digital archiving service
• Systems for massdigitisation and retrospective digitisation

The kansallisarkisto.fi website of the National Archives uses cookies for tracking the use of the site and to allow further development of services.

Cookies are used to process personal data in browser-based information systems. A cookie is a small text file that the browser saves in the user's device. Cookies are used to provide services, to streamline the log-in process and to allow compiling statistics concerning the service use. The user can prevent the use of cookies in their browser software, but this may block the required functionality in the system.

The National Archive protects the privacy of the personal data that it saves, and complies with the data protection legislation and appropriate data protection practices in all its operations.

The data have been protected against unauthorized viewing, editing and deleting. The protection is based on physical protection of the facilities, physical access control and restriction of access.

Right to access and process information is granted based on an employee’s task description. Data are only processed by persons who need to process them as part of their work. 

The facilities and the data are physically located in Finland.

Administrative controls are used to ensure appropriate procedures.

You have the right to make requests that concern gaining access to your personal data, correcting or removing information, restricting the processing of your data, objecting and transferring your data from one system to another. You can deliver a specific request to exercise these rights to the National Archive and each controller or other authority. To exercise your rights, deliver a specific request to the registrar of the National Archive at [email protected] or by post at P.O. Box 258, 00171 Helsinki, Finland. Resolution on the matter will be provided within one month from the request being received, unless special reasons exist for extending this period.

The National Archive is responsible for storing information for archiving purposes, which may allow exceptions from the regular rights of the data subject based on the Finnish Personal Data Act and the General Data Protection Regulation.

The purpose of the information transferred to the National Archive is to promote the preservation of cultural heritage value and to serve the needs of researchers. In both of these, the integrity and reliability of the information is important; as a rule, the National Archive cannot make changes to or remove any of the information that has been handed over to it. This would be counterproductive to the objective of retaining information for later generations to describe the state of matters on which authorities, for example, have based their decisions.

Submission of a request for viewing the data and processing of the request are normally free of charge. However, the management of the materials stored at the National Archives, their descriptions and the related tools do not always allow the fulfilment of the data subject's rights without unreasonable effort and with adequate accuracy.  If the requests submitted by a data subject are decidedly unjustified or unreasonable, for example if unspecified requests are presented repeatedly, the National Archives may collect a reasonable fee that corresponds to the administrative costs of the execution of the requested action.

You have the right to file a complaint at the Office of the Data Protection Ombudsman if you believe that your personal data has been processed in breach of the currently valid data protection legislation. Contact information: Office of the Data Protection Ombudsman, P.O. Box 800, 00521 Helsinki, Finland, [email protected]