Personal data and GDPR
The Emergency Response Centre Agency observes the EU’s General Data Protection Regulation (GDPR). The GDPR is designed to increase the openness and transparency of personal data processing and to give data subjects more control over the processing of their own personal information. The Emergency Response Centre Agency has at its disposal several information systems for which privacy policies have been drawn up.
Data held in the ERC information system
The Emergency Response Centre Agency has a statutory mandate to answer emergency calls, evaluate their urgency and forward any operations that require immediate action to rescue services, the police, social services or health authorities.
Operations are carried out using the ERC information system (ERICA), which is used to handle approximately 3.8 million operations every year. The law stipulates that the ERC information system can only be used to store information directly related to emergency response centre operations. This includes the time and method of each emergency call, its content and the caller’s ID, address and other location information, as well as a recording of the call.
Most of the personal data held in the ERC information system is entered by ERC operators. The information is collected directly from callers. The police can add information relating to the personal safety of individuals and the occupational safety of the authorities, which is collected from the authorities themselves. According to the law, the data held in the system can only be used for the purpose of attending to the Emergency Response Centre Agency’s duties. Personal data is deleted from the ERC information system five years after the emergency call.
The units responding to an emergency may require further information to be able to deal with the emergency. ERC operators are authorised by law to retrieve this kind of information from various information systems and to disclose it to the authority in charge of each operation. A note is made in the ERC information system regarding this information.
In addition to the ERC information system, the Emergency Response Centre Agency also has other systems that process personal data.
Under the Act on the Openness of Government Activities (Finlex) documents in the possession of or prepared by an authority are public barring a specific reason. An information request concerning a public document does not need to be justified, and the requesting party does not need to provide his or her own personal information.
Emergency calls and related task reports are official documents within the meaning of the Act on the Openness of Government Activities. Pursuant to Section 24 of the act in question, emergency calls are almost always confidential.
Under the Act on the Openness of Government Activities, every individual has the right of access to information contained in an official document and pertaining to themselves, subject to certain restrictions. A petitioner, an appellant and any other person whose right, interest or obligation is concerned in a matter (i.e. a party) has right of access, to be granted by the authority which is considering or has considered the matter, to the contents also of a document which is not in the public domain, if the document may influence or may have influenced the consideration of his or her matter. However, there is no such right if access to the document would be contrary to a very important public interest, the interest of a minor or some other very important private interest.
Information management entities must maintain a description of data and documents under its manages to ensure public access to documents in accordance with section 28 of the Act on Information Management in Public Administration (906/2019). The Emergency Response Centre Agency is an information management entity referred to in the act.
Description of public access to documents at the Emergency Response Centre Agency.
Right to access personal data
Everyone has the right to know whether or not their personal data is stored in an information system in accordance with Article 15 of the EU’s General Data Protection Regulation. However, there are a few exceptions: the right to access and inspect data does not apply if this impedes the prevention or investigation of a crime or poses a serious risk to the health or treatment of the data subject or the rights of another person, for example. More information on the rights of data subjects is available from the Data Protection Ombudsman.
The National Police Board is the controller of data stored in the ERC information system that falls under the jurisdiction of the police.
Data privacy - FAQ
Data subjects have the right to request that the controller rectify (correct), erased or complete personal data that is incorrect, unnecessary, incomplete or outdated for the purpose of processing.
The request to rectify data must be specified and addressed to the controller. For more about the rights of data subjects, see the Data Protection Ombudsman website.
The National Police Board is the controller of data held in the ERC information system for the purposes of police work. With regard to police work, the request to rectify personal data should be addressed to the police.
The above right does not apply in situations where processing is necessary to comply with a legal obligation based on Union law applicable to the controller or the law of a Member State requiring processing, or in cases where processing is done for the performance of a task that concerns general interest or the exercise of the controller’s public authority. If the controller refuses the data subject’s request to rectify data, the reasons for this will be explained to the data subject in writing. After this, the data subject may take up the matter with the Data Protection Ombudsman.
The Emergency Response Centre Agency does not transfer data to another controller.
In order to obtain information, the applicant must make a request for information to the Emergency Response Centre Agency. You can find the electronic information request forms on the right side of this page. You can also file the request for information in your own words by sending email or mail to the Emergency Response Centre Agency.
The request should be sufficiently specific so that we can determine which document the request concerns. Requests that concern the ERC information system can be specified based on the caller’s phone number, the date and time of the emergency call or the address to which the call was recorded, for example.
Requests for information are processed within two weeks. If the request is particularly broad in scope, the processing time is one month.
Documents containing confidential information are always delivered in a way that ensures that the recipient is the person who requested the information. The response to the request is mailed by recorded delivery. For this reason, the request must include a postal address to which the data subject wants the response delivered.
Requests for information about matters that fall within the police’s jurisdiction must be made to the police.
The appropriate processing of all data is ensured proactively by means of controlling access to the data. An entry is automatically made in the system log whenever the system is accessed or personal data is processed. The Emergency Response Centre Agency monitors processing by its employees through spot checks. The system cannot be accessed by outsiders, and it is housed in a separate secure government network.
According to Section 17 of the Act on Emergency Response Centre Operations, only data related to ERC operations may be stored in the ERC’s information system.
The emergency SMS register stores the data subject’s name, phone number and address.
The customer register for burglar and fire alarms stores the name of the device’s owner, the device’s location and details of the contact person.
Emergency calls are often related to situations where urgent assistance from the authorities is needed. In order to help to be provided, certain minimum information is required. These include details of the accident and its location, possible victims and whether others are at risk of exposure from the accident. The caller's phone number is stored in the system in case the phone connection is lost prematurely. This allows the ERC operator to call the number back if necessary.
The ERC information system and other IT systems used by the Agency are operated in the secure data network for public authorities owned and administered by the state. The secure data network includes a communications network, hardware facilities and hardware and shared technical data and communications services.
The secure data network ensures the ERC information system’s operation under both normal conditions and in the event of disruptions. Data in the system is protected from third parties.
The purposes of processing, data content and disclosure of data in the ERC information system are specified in the Act on Emergency Response Centre Operations.
As a rule, data in the ERC information system may be processed by officials of the Emergency Response Centre Agency's emergency services, as well as by police, healthcare, social welfare and rescue service employees and alerted units of the Border Guard for the purpose of assisting those in need of urgent assistance. In addition, the Emergency Response Centre Agency and the National Police Board may, as controllers of the data, process data in their areas of responsibility when necessary for the purpose of monitoring conformance with the law, processing complaints and disclosing information.
Officials’ access to the system is restricted internally by the Emergency Response Centre Agency and public authorities using the ERC information system. Officials have access only to data that is necessary for the performance of their duties. Even in these cases, officials may only process data which they need to perform their official duties in practice. In other words, officials who do not require information about emergency response assignments in their work cannot access the data.
The purposes of processing, data content and disclosure of data in the ERC information system are specified in the Act on Emergency Response Centre Operations. According to the law, the data held in the system can only be used for the purpose of attending to the Emergency Response Centre Agency’s duties. The Emergency Response Centre Agency discloses data in the ERC information system for the purposes of alerting authorities and assisting the work of alerted authorities.
In addition to disclosing data in the ERC information system to the authority carrying out the task in order to assist the person in need, data in the ERC information system may be disclosed to the Ministry of the Interior and the Ministry of Social Affairs and Health when necessary for the purpose of planning and developing operations and for supervisory duties. Similarly, data that is necessary for supervisory duties may be disclosed to Regional State Administrative Agencies.
Some authorities require data from the ERC information system to carry out tasks other than urgent tasks. Even in such cases, personal data stored in the ERC information system is not disclosed unless specifically permitted by law. For example, the police, healthcare supervisory authorities, social welfare authorities, the Safety Investigation Authority and supreme legal supervisor have the right to access necessary data for the purpose of carrying out their respective duties.
Data in the ERC information system is not disclosed to businesses, insurance companies or banks, for example.
Data in the ERC information system is not transferred outside the EU or EEA.
In addition to the ERC information system, the Emergency Response Centre Agency also has other systems that process personal data. The terms of disclosing data in these systems are described in the privacy statement for each system.
Everyone has the right to request access to their personal data. The request must include all necessary identifying information about the person in order for the information to be retrieved from the filing system. If the data subject has exercised the right inspect data in the past year, the controller may charge a reasonable fee to cover the direct costs of fulfilling the request.
Documents containing confidential information are always delivered in a way that ensures that the recipient is the person who requested the information. The response to the request to inspect data is mailed by recorded delivery. For this reason, the request must include a postal address to which the data subject wants the response delivered.
In the case of data in the ERC information system not under the jurisdiction of the police, requests to inspect data are fulfilled by the Emergency Response Centre Administration as the principal controller. You can find the electronic form on the right side of this page. You can also send the request by email or mail to the Emergency Response Centre Agency.