Data protection and processing of personal data at the Ministry of Education and Culture
The Ministry of Education and Culture needs personal data to provide services and to perform its tasks. We only process personal data on lawful basis for reasons such as customer service and communications. We store personal data for the period of time required for the processing.
With regard to the processing of personal data, in its role as the data controller and for the purpose of informing the data subjects the Ministry complies with the principles and obligations laid down in the European Union’s General Data Protection Regulation (EU) 2016/679 and the Personal Data Act (1050/2018), supplementary to the Regulation.
As the Ministry is a data controller, data subjects have the right to obtain from the Ministry information as to whether their personal data is processed. Data subjects also have the right to ask to see their personal data. If data is inaccurate or out of date, data subjects have the right to request rectification or restricted processing. Data subjects who think that their data is not processed on lawful basis have the right to make a complaint to the Data Protection Ombudsman.
More information about the processing of personal data at the Ministry
You can request to have access to your personal data stored in the Ministry’s services by filling in an access request form and sending it to the Registry.
If you notice inaccuracies or errors in your data, you can ask that they be corrected. You can ask the Ministry in writing to erase your data.
If you need more information on how the Ministry processes your personal data, please write to the Ministry’s Data Protection Officer at okmtietosuojavastaava(at)gov.fi.
For more information on the processing of personal data and data subjects’ rights, visit the Office of the Data Protection Ombudsman’s website.
Privacy notices
The Ministry's privacy notices provide information on the more specific purposes and bases for processing personal data and on the rights of data subjects:
- Decorations in the Ministry's branch of government (PDF)
- Eurostudent VIII Data Protection Leaflet
- Funet Miitti ZOOM (PDF)
- Personal data processed in a sample selected for a twoyear pre-primary education trial (PDF)
- Personal data processed in communication related to the follow-up and evaluation of the two-year pre-primary education trial (PDF)
- Personal data to be processed in the follow-up and assessment of the two-year pre-primary education trial
- Personal data processed in the system for processing discretionary government grants (SALAMA system) (PDF)
- Personal data processed on Twitter (PDF)
- Personal data processed when arranging meetings, events and surveys
- Remuneration payments (PDF)
- Traveller profile and personal data in travel expenses (PDF)
Whistleblower protection
Whistleblower protection allows people to safely report breaches. A report can be submitted using an internal or external whistleblowing channel. The internal whistleblowing channel of the Ministry of Education and Culture is only available to people employed by the ministry. Others, such as retired public officials or people employed by partners, may submit a report regarding the activities of the Ministry of Education and Culture that they have observed in their work and that fall within the scope of the Whistleblower Act to the central external whistleblowing channel of the Office of the Chancellor of Justice.
Purpose of and grounds for the processing of personal data
Personal data is processed in connection with the tasks laid down in the Act on the Protection of Persons Reporting Infringements of European Union and National Law (1171/2022, the Whistleblower Act). Under section 30 of the Whistleblower Act, the controller may process data belonging to certain special categories of personal data and data related to criminal convictions and offences only if the processing is necessary for the purpose of the Act.
Personal data is processed in accordance with Article 6, paragraph 1, point (c) of the General Data Protection Regulation (processing is necessary for compliance with a legal obligation to which the controller is subject).
Processed data
Reports processed in matters concerning whistleblower protection may contain any personal data that the whistleblower has appended to the report.
In matters concerning whistleblower protection, the personal data of the whistleblower is not stored in the contact information for the matter or document as the initiator of the matter, nor is the personal data of the reported person stored in the contact information for the matter or document. However, the personal data of the whistleblower and the reported person are processed in the documents concerning the report, such as the report itself.
The personal data of the whistleblower and the reported person under the Whistleblower Act are always treated as non-disclosable in their entirety.
Situations in which information on the identity of the whistleblower can be disclosed to another authority or to the reported person
Notwithstanding the non-disclosure obligation laid down in the Whistleblower Act, the person responsible for processing the report may disclose the identity of the whistleblower and other persons mentioned in the report, as well as any other information directly or indirectly indicating the identity of the persons, to a person appointed to verify the accuracy of the report, if this disclosure is necessary to verify the accuracy of the report.
In addition, notwithstanding non-disclosure provisions, the person responsible for processing the report may provide information on the identity of the whistleblower, the reported person and other persons mentioned in the report, as well as other information directly or indirectly indicating their identity, if it is necessary to provide this information:
1) to the competent authority for the purpose of verifying the accuracy of the report;
2) to the criminal investigation authorities for the purpose of preventing, detecting, investigating and considering prosecution of criminal offences;
3) to public prosecutors for the purpose of performing the official functions prescribed in section 9 of the Act on the National Prosecution Authority (32/2019);
4) to the reported person for the purpose of establishing, presenting or defending a legal claim in a court hearing or in out-of-court judicial or administrative proceedings.
Separate provisions on the right of a party to access non-disclosable information are laid down elsewhere in law.
The reported person has the right to disclose the identity of the whistleblower and to obtain information on the identity of the whistleblower from the authorities if this is necessary for establishing, presenting or defending a legal claim in judicial proceedings.
The person responsible for processing the report shall inform the whistleblower in advance of the disclosure of their identity, unless such information would jeopardise the verification of the accuracy of the report or a criminal investigation or trial related to the matter. The competent authority shall also provide the whistleblower with a written explanation of the grounds for the disclosure of non-disclosable information.
Processing of data is limited within the organisation and time-limited
In matters concerning whistleblower protection, personal data may only be processed by persons designated for the task in the ministry in question as referred to in the Whistleblower Act.
Documents submitted to and prepared by the ministry and the personal data contained therein shall be stored in accordance with the document storage periods specified in the information management plan. The provisions of section 29, subsection 2 of the Whistleblower Act have been taken into account when determining the storage periods.
Data stored in the case management system shall not be transferred to third countries or international organisations.
Rights of data subject
The right of a data subject to restrict the processing of their data does not apply to matters of whistleblower protection, and the right of a data subject to access their data may be restricted if this is necessary and proportionate with respect to ensuring the accuracy of the report or in order to protect the identity of the whistleblower. If only a part of the data on a data subject is such that it falls within the restriction on the right of access, the data subject shall have the right to access the remainder of the data. The data subject has the right to be informed of the reasons for the restriction and to request that this information be provided to the Data Protection Ombudsman in accordance with section 34, subsections 3 and 4 of the Data Protection Act (1050/2018).
Any requests for information concerning personal data, requests to rectify or supplement personal data and requests to restrict the processing of personal data shall be addressed to the controller.