Right to inspect the data processed by a competent authority

The competent authority is required to tell you whether it is processing personal data concerning you.

You have the right to inspect which of your personal data different controllers are processing. Thus, you can also verify the accuracy of the data concerning you.

You have the right to obtain information on the following matters from the controller:

  • the personal data being processed and all available information on the origin of the data
  • the purposes and legal basis for the processing
  • the categories of personal data being processed
  • the recipients or categories of recipients to whom personal data of the data subject have been disclosed
  • the envisaged time limit for storing the personal data, or if such a time limit has not been determined, the criteria for determining it

You also have the right to request from the controller rectification or erasure of personal data concerning you or restriction of processing of the data.

How to formulate an inspection request

Make the inspection request directly to the controller. Further information on the methods of contact can be obtained from the controller’s website or by contacting the controller’s customer service. You must provide proof of identity in the context of the request.

In the request, specify:

  • which data you wish to inspect
  • in what form you would like the data
  • your name
  • your contact details

For filing systems of personal data on which the right of access has not been restricted, the controller provides the details for the purpose of an inspection.

If the controller refuses your request for access and you feel that there are no grounds for such a refusal, you can contact the Data Protection Ombudsman.

Restriction of the right of access

Restriction of the right of access means that the data subject cannot exercise their right of access.

Your right of access may be restricted or postponed wholly or partly, or it may be refused to the extent that is necessary in order to

  • avoid detriment to the prevention, detection, investigation or prosecution of criminal offences or the enforcement of criminal sanctions
  • safeguard any other investigation, examination or other procedure of an authority
  • protect public security
  • protect national security
  • protect the rights of other persons

Exercising your right of access through the Data Protection Ombudsman

Even when the data subject cannot exercise their right of access, the Data Protection Ombudsman can, at the data subject’s request, verify the lawfulness of the data concerning the data subject. Such a request must be presented to the competent authorities in accordance with specifically provided procedures, or with a free-form letter to the Data Protection Ombudsman.

When inspecting the lawfulness of the maintenance of the filing system, the Data Protection Ombudsman pays special attention to the means for data processing, the necessity and accuracy of the data being processed, the time of saving of the data, and the possibilities for implementation of the data subject’s rights. However, the response provided to the data subject does not indicate information received during the inspection, such as information on whether the filing system contains any data concerning the person making the request.

Right of access to the following filing systems and personal data is restricted

Police

  • information referred to in section 9 of the Act on the Processing of Personal Data by the Police
  • personal data concerning discreet and specific checks of the Schengen Information System
  • information included in personal data referred to in sections 5–8 of the Act on the Processing of Personal Data by the Police concerning tactical and technical measures of the police, details on sources of observation or information, or information used for technical investigation
  • personal data acquired by use of methods of gathering intelligence according to Chapter 5 of the Police Act and Chapter 10 of the Coercive Measures Act, and on the basis of section 157 of the Act on Electronic Communication Services
  • personal data processed by the Finnish Security and Intelligence Service on the basis of Chapter 7 of the Act on the Processing of Personal Data by the Police

Finnish Border Guard

  • information referred to in section 12 of the Act on the Processing of Personal Data by the Finnish Border Guard
  • information included in personal data referred to in sections 8–11 of the Act on the Processing of Personal Data by the Finnish Border Guard concerning tactical and technical measures of the Finnish Border Guard, details on sources of observation or information, or information used for technical investigation

Finnish Customs

  • intelligence register
  • temporary analysis registers
  • details in the personal filing systems of the Finnish Customs on classification, surveillance or modus operandi concerning a person or an act, or information used for the serialisation of offences and technical investigation
  • information obtained on the basis of Chapter 2, section 14 (1 or 2) of the Act on Crime Prevention by Finnish Customs, or by use of methods of gathering intelligence referred to in Chapter 3 of that Act or in Chapter 10 of the Coercive Measures Act
  • information on observations made

Finnish Defence Forces

  • military intelligence register
  • security information register
  • temporary personal registers

Criminal Sanctions Agency

  • security information register
  • the information referred to in section 7, subsection 6 of the Act on the Processing of Personal Data by the Prison and Probation Service of Finland (1301/2021) concerning written consent and determining the opinion of the data subject, contained in the enforcement register
  • the prisoner's right to verify whether information on them is stored in the register of injured parties