Data protection

Data Protection Statement

The Finnish Food Authority is bound to protect the privacy and personal data of those in the register. The Food Authority adheres to the processing of personal data in line with the General Data Protection Regulation (EU) 2016/679, the Data Privacy Act (1050/2018) and other regulations that apply to the processing of personal data and data protection.

The aim of this data protection statement is to inform you of how the Food Authority processes personal data for their purposes.


PO BOX 100
Contacts: Registry,

The purpose and grounds for data processing

The Food Authority mainly processes personal data for the performance of tasks carried out in the public interest and to carry out their legislated duties. The registers of the Food Authority are based on legally stipulated tasks (paying agency and other support and financing tasks, control and risk assessment and research and reference laboratories). The personal data in the registers are processed for these purposes. In addition to the Food Authority, processors and users of the data are other authorities and municipal staff which process data for fulfilling their legal obligations within the sphere of the Food Authority.

The Food Authority also offers laboratory services liable to commercially priced charges. In this case, the personal data of the customers is processed based on the terms of the order and the contract with the customer.

The tasks of the Food Authority are stated in the act on the Finnish Food Authority Laki Ruokavirastosta (371/2018, section 2).

Data content of the registers and specification of the retention period for the data

The data content in a register is often provided for in the Act that covers the record keeping of the register. The registers contain data that specifies individuals, which is mainly the contact details for the registered individual, data identifying the control object (for example code of holding, EU code for cattle), control data, information on support payments, and test samples and results. The data is stored in accordance with the information management plan of the Food Authority and for as long as there are legal grounds for processing the information. The storage time for each register is found in the more detailed processing criteria for the register in question. The data is destroyed at the end of the storage period.

Correct sources of information

The registered individual provides or saves the data in registers of the Food Authority. Registration data is also generated when tasks are performed for the Food Authority by a control authority. In some registers the registered individual has the opportunity to update their data. Information on those registered is also received from registers of other authorities, the Population Information System of the Population Register Centre (VTJ) and the Business Information System (YTJ).

Disclosure of data

In addition to the employees of the Food Authority, employees of the ELY centres, co-operation districts, Regional State Administrative Agencies (AVI) and other parties performing tasks of public authority covered by the Food Authority process data and keep common registers.

The disclosure of data to other authorities and other parties is based on legislation. Public personal data can be disclosed as public information pursuant to the Act on the Openness of Government Activities (621/1999) for historical and scientific research and for the compilation of statistics, for example.

Names and addresses can be released with the consent of the individual for direct advertising mail and other direct marketing, opinion polls and market research or other activities comparable to these.

The Food Authority does not disclose personal data to third parties without a separate decision being made. Disclosure of data is applied for from the Food Authority, which will carefully work out with the transferee the matters pertaining to the use and protection of the data.

The principles for protection of registries

The Food Authority protects the data of the registered individual by taking relevant measures while considering the nature of the personal data. Such measures are as needed access control, firewalls, protection and control of telecommunications, access management, control of the use of registered data (logging), careful choice of data processing staff, training and guidance and other reasonable measures with the help of which personal data can be protected correctly from unlawful use or disclosure. The Food Authority also makes the necessary backup copies and uses other similar measures in order to protect personal data from being damaged or destroyed unintentionally. These measures are also intended to ensure that the services of the Food Authority function correctly.

Disclosure of data to countries outside of the EU or the EEA

Registered data is not disclosed to countries outside the EU or the EEA. When needed, individual export certificates and other necessary documents can be produced/supplied/produced to be supplied from the registers to operators or foreign authorities outside the EU and the EEA.

The rights of registered individuals

Those registered have the following rights within the legal framework for the processing of personal data:

  • The right to inspect the data: The right to find out what personal data the Food Authority keeps about you in their registers and on what grounds the data is processed.
  • The right to ask that the data is corrected or removed: The right, when needed, to request the Food Authority to rectify or remove erroneous, unnecessary, incomplete or in any other way inaccurate personal data.
  • The right to refuse data processing: The right within the framework of the law to refuse to allow the Food Authority to process your personal data.

You can use your rights by filling in the following form  (in Finnish) and sending it to the registry office of the Food Authority at the address Individuals taking part in hygiene proficiency tests should contact their hygiene proficiency tester in order to utilise their rights.

Data protection control

The Director General of the Food Authority has the highest responsibility for the data protection of the Food Authority. The data protection organisation at the Food Authority checks that the guidance on data protection is adhered to internally. When needed, you can contact the officer at the Food Authority responsible for data protection (

More detailed information on the registers

The lists of the Food Authority’s registers containing personal data, their legal basis, data content and other matters related to the processing are found on the page the Food Authority’s registers.

Page last updated 12/19/2018