Obligations of the register

The Once-Only Technical System (OOTS) is a system for exchanging register data between authorities in EU countries. 

When a Finnish person or company wishes to initiate transactions in another EU Member State as part of one of the procedures under the SDG Regulation, the authority in the other Member State must provide the Finnish person with an opportunity to request the Finnish register data (evidence) required for the transactions using OOTS. In turn, the registers of Finnish authorities are obliged to disclose this information through OOTS. The authorities of other Member States may ask the Finnish authorities for the information they need according to national or EU law in procedures under the SDG Regulation. More detailed provisions on the exchange of information through OOTS are laid down in the SDG Regulation and the OOTS Technical Implementing Regulation.

The KEHA Centre has implemented a centralised national OOTS data transmission service, which enables Finnish authorities to disclose information from their registers via OOTS to authorities in other Member States at the lowest possible cost. Provisions on the role of the KEHA Centre in the transmission of OOTS data are laid down in the Act on the KEHA Centre.

Data protection

The SDG Regulation does not provide for exceptions to the disclosure of secret or other sensitive personal data. The Regulation and its extensions only provide for e-services from another EU Member State and for requesting and disclosing the necessary information regardless of the nature of the information.

Under section 29 of the Act on the Openness of Government Activities (Openness Act), an authority may grant access to a secret document to some other authority if there is a specific provision on access or the right of access in an act, for example. Under section 30 of the Openness Act, an authority may grant access to a secret official document to an authority of a foreign state or to an international institution, if an international agreement binding on Finland contains a provision on such co-operation between Finnish and foreign authorities and if the Finnish authority in charge of the co-operation could under this Act have access to the document. The exchange of OOTS data is governed by the EU SDG Regulation and the OOTS Technical Implementing Regulation.

It is also significant that, from the perspective of the user, i.e. the party protected by the Openness Act, the provision of information always requires an explicit request, which typically revokes the need for secrecy under the Openness Act. Thus, the Openness Act does not prevent the disclosed information (evidence) from containing information that is, as a rule, secret under the Openness Act.

Disclosure of data belonging to sensitive categories of personal data referred to in Article 9 of the General Data Protection Regulation is also possible under section 6, subsection 1, item 2 of the Data Protection Act (5.12.2018/1050). According to this provision, the prohibition on processing data concerning special categories of personal data in Article 9(1) of the General Data Protection Regulation does not apply to any processing of data that is provided by law or that derives directly from a statutory duty set out for the controller by law.

Article 33 of the SDG Regulation provides that the processing of personal data by competent authorities within the framework of the Regulation is to be carried out in compliance with the GDPR. When the Commission processes personal data within the scope of the SDG Regulation, it must comply with the Data Protection Regulation (EU) 2018/1725, which applies to EU institutions, bodies, offices and agencies.

In addition, the gateway coordination group established under the Regulation has been tasked with discussing the application of the principles of security by design and privacy by design in the context of this Regulation under Article 30(1)(l) of the SDG Regulation.