Processing of identification data – The rights and obligations of corporate and association subscribers

Companies, educational institutions and other organisations may provide, for example, e-mail and telecoms services for their staff and students. Such organisations are called corporate or association subscribers and the users of their services include company employees, residents of housing companies and the like. Corporate and association subscribers process the users' confidential messages, identification data and location data in their communications networks. Corporate and association subscribers may use identification data only for purposes specified in law.

All network communications leave traces. For example, making a phone call, sending an e-mail or browsing the internet leaves a trace. In communications, identification data mean data based on which a user can be identified or information can be associated with a user of a network or communications service. Identification data include, for example, the following:

  • data on the caller or recipient of a phone call
  • data on the sender and recipient of an e-mail or text message
  • data on the duration, routing and time of a connection and the amount of data transferred
  • data on the location of the terminal device of a sender or a recipient
  • IP address.

When can a corporate or association subscriber process identification data?

In connection with network and communications services, a corporate or association subscriber may process identification data:

  • for operating the services
  • for billing purposes
  • for ensuring information security
  • for detecting a technical fault
  • for technical development
  • in cases of misuse, such as the non-paying use of fee-based network, communications or value-added services.

A corporate or association subscriber is allowed to process identification data only to the extent necessary. The processing of identification data may not limit the confidentiality of messages and the protection of privacy any more than is necessary. A corporate or association subscriber is only allowed to disclose identification data to parties entitled to process the data in the given situation.

Identification data may also be processed for the purposes laid down in law if a party to the communication has given his or her consent. When asking for consent, the Personal Data Act, the Act on the Protection of Privacy in Working Life and any other special laws concerning the processing of personal data have to be taken into account. The laws determine the types of data for the processing of which consent may be requested.

A corporate or association subscriber's right to process identification data only applies to the identification data of messages sent and received through the communications network it administers or that is administered on its behalf. A corporate or association subscriber is, for example, not allowed to find out the identification data of an e-mail that has been sent with an e-mail service operated by an external service provider.

Identification data in public communication

In public communications, such as chat rooms, IRC or discussion forums on the internet, identification data are confidential. Parties involved in the transmission of communications, such as operators and corporate or association subscribers, are only allowed to process identification data for purposes laid down by law. The parties also have an obligation of secrecy concerning identification data.

A service provider operating an internet discussion forum has the right to disclose identification data related to messages sent by participants if permission for this is included in the terms of contract of the service.

Processing for the purpose of statistical analysis

In accordance with the conditions laid down in the Information Society Code, operators may use identification data to produce statistical data for the purposes of pricing and financial planning. After the statistical analysis, messages and identification data must be destroyed or rendered anonymous so that they cannot be associated with a specific user.

Statistical data may be produced for purposes other than those provided in the law if the data cannot be associated with a specific user.

Information Society Code (Chapter 18)

Personal Data Act applies too

Identification data may also be personal data. In such cases, the data controller must also take account of the obligations laid down in the Personal Data Act. The Personal Data Act regulates the processing of personal data, and compliance with the Act is monitored by the Data Protection Ombudsman. The Act applies to telecoms operators as well as corporate or association subscribers.

The Personal Data Act

Data Protection Ombudsman

Key words: Information security, Data protection

Updated 24.02.2015



The Finnish Communications Regulatory Authority (FICORA)

The National Cyber Security Centre Finland (NCSC-FI)
