Processing data requests and clients’ rights
This page explains how data requests are processed by the Western Uusimaa Wellbeing Services County, what the disclosure of information is based on and what rights clients have in matters concerning data requests.
How data requests are processed
The Western Uusimaa Wellbeing Services County processes data requests in accordance with the law. A data request means a request to obtain information or documents from registers or documents held by the wellbeing services county.
If the request is not sufficiently specific, the client will be asked to provide additional information.
Grounds for disclosing information
The disclosure of information is based on legislation (Act on the Openness of Government Activities(external link), EU General Data Protection Regulation(external link), Act on the Processing of Client Data in Healthcare and Social Welfare(external link)). The wellbeing services county may disclose information, for example, when you request personal data concerning yourself, request information as a party to a matter, request public documents held by the wellbeing services county or have a statutory right to receive information on behalf of another person or information concerning a deceased person.
However, not all information can always be disclosed. The disclosure of information may be restricted if the law contains specific provisions limiting the right of access to data. This may be the case, for example, when the information is confidential or when disclosing it could endanger another person’s rights or safety.
Processing times
The processing time for a data request depends on the law on which the request is based.
Data requests concerning your own information
- Requests concerning your own information are processed as soon as possible and within the statutory time limit laid down in the law on which the request is based.
- Data requests under the Act on the Openness of Government Activities concern a person’s right of access to information contained in an official document and pertaining to themselves (section 12 of the Act on the Openness of Government Activities) and, as a party to a matter, information that may have influenced the consideration of their matter (section 11 of the Act on the Openness of Government Activities). As a rule, these requests are processed within two weeks.
- Data requests under the Data Protection Regulation (GDPR) concern your own personal data, such as access to, rectification or erasure of data. As a rule, these requests are processed within one month.
- The processing time may be longer only if the request is extensive or if processing it requires more investigative work than usual.
Requests for access to a public document
- These requests are processed within two weeks.
- The processing time may be longer if the request concerns a large number of documents, contains confidential information or requires such information to be separated from other information or otherwise requires investigative work that is more extensive than usual.
Requests for log data
- These requests are processed within a reasonable time.
- They are processed within two months at the latest.
Requests for a deceased person’s data
- The law does not lay down a separate time limit for these requests, and the time limits under the Act on the Openness of Government Activities are therefore applied.
- As a rule, these requests are processed within two weeks.
Clients’ rights in data request matters
The person submitting a data request has the right to be informed whether the requested information can be disclosed, to receive the requested information within the statutory time limit and to receive a reasoned decision if the information cannot be disclosed.
The client has the right to request the rectification of inaccurate or incomplete information concerning their own personal data and to appeal against a decision if they are dissatisfied with the outcome.
The wellbeing services county ensures that clients’ rights are safeguarded when data requests are processed.
General Data Protection Regulation of the European Union
Data protection refers to protecting personal data. The objective of the EU’s General Data Protection Regulation (GDPR) is to improve the protection of personal data, increase transparency in the processing personal data and give data subjects, i.e. the clients of the Western Uusimaa Wellbeing Services County, more tools for managing the processing of their personal data. Furthermore, the GDPR aims to provide an answer to data protection questions brought on by digitalisation and globalisation. The national Data Protection Act complements and specifies the regulations set by the GDPR.
EU’s General Data Protection Regulation (EU) 2016/679 (external link)(external link)
Data Protection Act (1050/2018) (external link)(external link)
Your rights and how to exercise them
As a data subject, you have rights related to your personal data and their processing at the Western Uusimaa Wellbeing Services County. For example, you have the right to know whether the wellbeing services county processes your data and what type of data is being processed as well as the right to request access to your personal data. You also have the right to request that incorrect personal data be rectified.
The processing of personal data at the wellbeing services county is mostly based on compliance with a legal obligation, the performance of a task carried out in the public interest or the exercise of official authority. In such cases, the wellbeing services county does not need your separate consent to process your personal data. However, in certain services, the processing of personal data is based on the consent you have given to the wellbeing services county, in which case you have the right to withdraw your consent at any time.
The rights can be exercised in different ways, depending on the grounds for the processing of personal data.
Right of access, right to inspect data
The person has the right to know whether personal data concerning them are being processed and what information about them has been stored.
The wellbeing services county will provide the data without undue delay, at the latest within one month of receipt of the request. This period may be extended by a maximum of two further months if the request in question is exceptionally extensive and complex. If the period is extended, the wellbeing services county will inform the person requesting the data of any such extension within one month of receipt of the request, together with the reasons for the delay.
The person has the right to receive their personal data free of charge. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the wellbeing services county may charge a reasonable fee or refuse to act on the request. In such cases, the wellbeing services county bears the burden of demonstrating the manifestly unfounded or excessive character of the request.
The right to access data is not unlimited. For example, the data subject does not have the right to access data collected about them if providing the data could harm national security, defence or public order and public security, or hinder the prevention or investigation of criminal offences. Furthermore, this right does not apply if disclosing the information could cause a serious risk to the data subject’s health or care, their rights or the rights of another person.
If the wellbeing services county does not take action on the data subject’s request, it must inform the data subject without delay and, at the latest within one month of receipt of the request, of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
(General Data Protection Regulation: Article 12, Article 15, and Data Protection Act: section 34)
Right to rectification
A person has the right to obtain from the wellbeing services county, without undue delay, the rectification of imprecise and incorrect personal data concerning them. In addition, the person has the right to have incomplete personal data completed. Any incompleteness of the data will be resolved by taking into account the purpose of the processing of personal data in the register.
If the wellbeing services county does not take action on the data subject’s request for rectification, it will provide a written statement setting out the reasons for not granting the request. At the same time, the person will be informed of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
(General Data Protection Regulation: Article 12, Article 16)
Right to erasure, right to be forgotten
In certain situations, a person has the right to obtain the erasure of personal data concerning them. This right is also referred to as the right to be forgotten. Erasure of data may be possible, for example, where the data are no longer necessary in relation to the purposes for which they were collected, or where the person objects to the processing and there are no overriding legitimate grounds for continuing it, for example in situations involving direct marketing.
At the wellbeing services county, erasure of data is mainly possible in situations where the processing is based on consent that has later been withdrawn. Such situations may include, for example, the use of contact details in customer satisfaction surveys or the use of data in voluntary services. After consent has been withdrawn, the processing is discontinued and the data are erased, unless there is another statutory basis for retaining them.
If the wellbeing services county does not grant the person’s request for erasure, it will provide a written statement setting out the reasons why the request was not granted. At the same time, the person will be informed of the possibility of lodging a complaint with a supervisory authority and seeking other judicial remedies.
There is no right to erasure if the processing is based on compliance with a legal obligation of the wellbeing services county, relates to the performance of a task carried out in the public interest or involves the exercise of official authority vested in the wellbeing services county.
(General Data Protection Regulation: Article 17)
Right to restriction of processing
In certain situations, a person may have the right to request that the processing of their data be restricted until the data have been duly inspected, rectified or completed. This may apply, for example, where the person contests the accuracy of their data, in which case the processing is restricted for a period enabling the wellbeing services county to verify the accuracy of the data.
(General Data Protection Regulation: Article 18)
Right to data portability
A person has the right to transmit their personal data from one controller to another if they have themselves provided the controller with personal data, the processing is based on consent or a contract and the processing is carried out by automated means.
(General Data Protection Regulation: Article 20)
Right to object
A person has the right to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them where the processing is based on the performance of a task carried out in the public interest or in the exercise of official authority vested in the wellbeing services county. In such cases, the wellbeing services county may continue to process the data only if it demonstrates compelling legitimate grounds for the processing. Processing may also continue where it is necessary for the establishment, exercise or defence of legal claims.
(General Data Protection Regulation: Article 21)
Right to contest an automated individual decision
A person has the right not to be subject to a decision based solely on automated processing, which produces legal effects concerning them or similarly significantly affects them. Automated decision-making means that a decision is not made by a human being but solely by machine based on personal data.
(General Data Protection Regulation: Article 22)
Right to lodge a complaint with an authority
A person has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the person considers that the processing of personal data concerning them infringes the EU General Data Protection Regulation. In Finland, this supervisory authority is the Data Protection Ombudsman. In addition, a person has the right to exercise other administrative and judicial remedies.
(General Data Protection Regulation: Article 77)