Data protection

Data Protection Statement

The Finnish Food Authority is committed to protecting the privacy and personal data of data subjects. The Finnish Food Authority complies with the EU's General Data Protection Regulation (679/2016), the Data Protection Act (1050/2018) and other applicable provisions related to the processing of personal data and data protection.

The purpose of this privacy notice is to explain how the Finnish Food Authority processes personal data in its tasks.


PL 100
Contacts: Registry,

Purpose and basis for the processing of data

The Finnish Food Authority processes personal data mainly for the purpose of exercising its public authority and performing its statutory duties. The Finnish Food Authority's registers are kept on the basis of its statutory tasks (paying agency and other support and funding tasks, supervision and risk assessment tasks as well as research and reference laboratory activities).

The Finnish Food Authority uses the data collected for the supervision of the food chain for carrying out and directing supervision, as well as for analytics related to the targeting and improving supervision. In sampling-based controls, the selection of control sites is planned on the basis of a risk assessment, which means combining and processing data using analytics methods. Analytics does not utilise automatic decision-making or profiling.

The Finnish Food Authority, the Regional State Administrative Agency, the Centre for Economic Development, Transport and the Environment and the municipality are joint controllers of the food administration data resource. The Finnish Food Authority is responsible for the general operation and usability of the registers, the integrity, protection and storage of the data, and the technical implementation of the services related to the registers.

The Finnish Food Authority also offers paid laboratory services at commercial prices. In this case, the customer's personal data is processed in accordance with the terms of use of the orders and on the basis of the customer agreement.

The Finnish Food Authority also processes personal data in order to send prizes to winners in prize draws. In this case, the processing of the data is based on the consent of the person. Consent is also based on newsletters from communications and the Rural Network as well as analytics of website visits.

Provisions on the duties of the Finnish Food Authority are laid down in the Finnish Food Authority Act (371/2018, Section 2).

Data content of the register and determination of the retention period

The information content of registers is often expressly regulated by law. In addition, the Finnish Food Authority has other personal data resources necessary for the management of official duties. The registers and datasets contain identifying information, which mainly includes the data subject's contact details, the information of the control target (e.g. farm ID, EU identifier for bovine animals), control data, information on payments of subsidies, sample data and result data. The data is stored in accordance with the Finnish Food Authority's information management plan and for as long as there is a legal basis for its processing. Dataset-specific privacy notices contain register-specific retention periods. Data is destroyed after the retention period ends.

Regular data sources

Data for the Finnish Food Authority's registers and other datasets are obtained from data subjects themselves. In addition, the employees of the Finnish Food Authority store information necessary for the performance of the agency's necessary and statutory tasks in registers and data sets. In some registers, the data subject has the opportunity to check and update their own data. Information related to the data subject is also obtained from other authorities, especially the Population Information System of the Digital and Population Data Services Agency (VTJ) and the Business Information System of the Finnish Patent and Registration Office (BIS).

Disclosure of information

Disclosure of information to other authorities and parties is based on legislation.  Personal data can be disclosed on the basis of the Act on the Openness of Government Activities (621/1999), for example for historical and scientific research and compilation of statistics.

The Finnish Food Authority will not disclose personal data to third parties without a separate decision. Disclosure of information is applied for from the Finnish Food Authority, which thoroughly investigates the recipient in matters related to the use and protection of information and information security.

Principles of register protection

The Finnish Food Authority shall protect data subjects' data by appropriate measures, taking into account the nature of the personal data concerned. Such measures include, where appropriate, access control, firewalls, telecommunications protection and control, user rights control, control of the use of register data (log data), careful selection of data processors, training and guidance, and other reasonable measures to adequately protect personal data against unauthorised access or disclosure. The Finnish Food Authority also takes the necessary backups and uses other similar means to prevent accidental damage or destruction of personal data. These measures also aim to ensure that the Finnish Food Authority's services function appropriately.

Transfer of data outside the EU or EEA

Register data is not disclosed outside the EU or the EEA. If necessary, individual export licences and other necessary documents can be produced/brokered from the registers for transmission to the operator or to foreign authorities outside the EU and the EEA.

Automated decision-making and profiling

Automatic decisions are made at the Agency in very limited matters, and automatic decision-making is mentioned separately in the notifications specific to the dataset, if any is taking place.

Rights of the data subject

Within the framework permitted by law, the data subject has the following rights concerning the processing of personal data:

  • Right to check information: You have the right to know what personal data the Finnish Food Authority has on you in its registers and on what grounds the data is processed. You can exercise your right to check your own data by filling in following form and submitting it to the Finnish Food Authority's registry either by mail to the Finnish Food Authority, P.O. Box 100, 00027 RUOKAVISTO or by e-mail to 
  • Right to request the correction or deletion of data: If necessary, you have the right to request that the Finnish Food Authority correct or delete any incorrect, unnecessary, incomplete or otherwise inaccurate personal data concerning you. You can submit a request by filling in 
  • Right to prohibit the processing of data: You do not have the right to have your data deleted when the processing of the data is based on law.
  • The right to restrict the processing of personal data pursuant to Article 18 of the EU's General Data Protection Regulation is limited in the Act on the Information Pool of the Finnish Food Administration (560/2021, section 2.2).

If you have participated in the Hygiene Passport test and want to check your information related to it, request correction or deletion of the information, or exercise your other rights mentioned above, please contact the party that provided the competence test.

Data protection monitoring

The Director-General of the Finnish Food Authority has the highest responsibility for data protection at the Finnish Food Authority. The Finnish Food Authority has a data protection organisation that supervises compliance with data protection guidelines internally. If necessary, you can contact the Finnish Food Authority's Data Protection Officer (

More detailed register-specific information

Lists of the Finnish Food Authority's personal data registers and personal data, their legal basis, data content and other matters related to processing can be found on the Finnish Food Authority's registers page.

Page last updated 8/16/2023