Obligations of the register

The Once-Only Technical System (OOTS) is a system for exchanging register data between authorities in EU countries. 

When a Finnish person or company wishes to initiate transactions in another EU Member State as part of one of the procedures under the SDG Regulation, the authority in the other Member State must provide the Finnish person with an opportunity to request the Finnish register data (evidence) required for the transactions using OOTS. In turn, the registers of Finnish authorities are obliged to disclose this information through OOTS. The authorities of other Member States may ask the Finnish authorities for the information they need according to national or EU law in procedures under the SDG Regulation. More detailed provisions on the exchange of information through OOTS are laid down in the SDG Regulation and the OOTS Technical Implementing Regulation.

The KEHA Centre has implemented a centralised national OOTS data transmission service, which enables Finnish authorities to disclose information from their registers via OOTS to authorities in other Member States at the lowest possible cost. Provisions on the role of the KEHA Centre in the transmission of OOTS data are laid down in the Act on the KEHA Centre.

Understand the obligations

Annex II to the SDG Regulation and its extensions specify the procedures in which EU Member States must enable citizens and businesses in other Member States to use e-services across borders. In addition, the e-services in question must enable users to request the official information required in the procedures (referred to in the Regulation as evidence from another EU Member State) using OOTS.

These official information requirements for the procedures of all Member States determine which information from which register Finland, as a Member State, must disclose to the authorities of other EU Member States. The scope of the Regulation has already been extended with new EU regulations, and the number of procedures and amount of information to be disclosed is expected to increase further in the future.

Member States do not need to disclose register data to the authorities of other Member States if the data is not exchanged between the authorities nationally or if it is not collected at all. In addition, if an existing system for exchanging information between EU Member States (such as the EESSI system for exchanging social security information) is used for exchanging information between the requesting and disclosing authorities, OOTS will not replace it.

The content of the information disclosed in OOTS is based on:

  1. the procedures defined in Annex II to the SDG Regulation and its extensions
  2. information requirements defined by the Member States’ authorities for the procedures.

For example:

  1. One of the procedures in Annex II to the SDG Regulation is the funding of higher education studies.
  2. In Finland, this procedure covers Kela’s tertiary study benefits. To grant study benefits, Kela needs information on the student's admission to the educational institution, among other things.

The SDG Regulation obliges Kela to provide users with the opportunity to submit student admissions information from higher education institutions in other EU countries using OOTS. The authorities responsible for student admissions in all higher education institutions in the other Member States are obliged to provide Kela with information on student admissions using OOTS if they already disclose the information in question nationally.

Kela cannot use the EESSI system that it already uses instead of OOTS to request information, as the system does not provide the information needed for the procedure.

Article 14 of the SDG Regulation (EU) 2018/1724 lays down the bases for the exchange of information (evidence) to be disclosed in OOTS.

Parties disclosing information are obliged to enable disclosure using OOTS of the information that the authorities of other Member States require in the procedures and extensions of Annex II to the SDG Regulation and that the register authorities already disclose at the national level (section 2). Parties disclosing information may only disclose information requested by the requesting authority for the purposes of their procedures (section 8).

Parties requesting information are obliged to request information directly from other authorities through OOTS regarding the procedures and extensions of Annex II to the SDG Regulation. The information can only be requested at the user’s explicit, freely given, specific, informed and unambiguous request, so that the user can verify which procedure and what information is requested (section 7). The authority requesting the information shall only use the information for the purpose of the procedure for which the evidence was exchanged, and the authority shall deem the information it has received to be authentic for these purposes (section 8).

According to the OOTS Implementing Regulation C (2022)5628, the requesting party may only be a competent authority of an EU Member State responsible for one or more procedures defined in Annex II or extensions of the SDG Regulation (Article 1(3)). In addition, the party requesting the information must have the right to request the information they need under national or EU legislation (Article 10(1)).

According to a decision of the OOTS Operational Governance sub-group, the primary basis for processing the requested information is the controller’s statutory obligation, as referred to in Article 6(1)(c) of the General Data Protection Regulation. Although the decision of the sub-group is not legally binding, the legal basis can also be interpreted, and the decision of the sub-group can be considered clarifying and sufficient.

The SDG Regulation is primary legislation directly binding on Member States. It supersedes conflicting national legislation. No national legislation is required for its implementation, but national legislation may supplement it. If the national legislation is incompatible with EU legislation, the national legislation must be amended.  

Separate agreements (e.g. data disclosure agreements) cannot be required between the authorities of different Member States. The SDG Regulation unambiguously requires the disclosure of information to an authority of another EU Member State if the required information is already shared nationally with the authorities.