Processing of traffic data
Traffic data include, for example, the following:
- data on the caller or recipient of a phone call
- data on the sender and recipient of an e-mail or text message
- data on the duration, routing and time of a connection and the amount of data transferred
- data on the location of the terminal device of a sender or a recipient
- IP address.
Traffic data may also be connected to a legal person, such as a company.
In connection with network and communications services, a telecoms operator may process traffic data:
- for operating the services
- for billing purposes
- for ensuring information security
- for detecting a technical fault
- for technical development
- in cases of misuse, such as the non-paying use of fee-based network, communications or value-added services.
With consent from the customers, traffic data may also be used for marketing communications or value-added services.
Information Society Code (Chapter 17)
A telecoms operator is allowed to process traffic data only to the extent necessary. The processing of traffic data may not limit the confidentiality of messages and the protection of privacy any more than is necessary.
An operator is only allowed to disclose traffic data to parties entitled to process the data in the given situation. If an operator outsources a part of its services it may disclose traffic data to the parties who are, on the basis of their tasks, entitled to process the data. Even when outsourcing its services, the operator is responsible for ensuring that traffic data are processed in compliance with the law.
In public communications, such as chat rooms, IRC or discussion forums on the internet, traffic data are confidential. Parties involved in the transmission of communications, such as telecoms operators and corporate or association subscribers, are only allowed to process traffic data for purposes laid down by law. The parties also have an obligation of secrecy concerning traffic data.
A service provider operating an internet discussion forum has the right to disclose traffic data related to messages sent by participants if permission for this is included in the terms of contract of the service.
In accordance with the conditions laid down in the Act on the Protection of Privacy in Electronic Communications, telecoms operators may use traffic data to produce statistical data for the purposes of pricing and financial planning. After the statistical analysis, messages and traffic data must be destroyed or rendered anonymous so that they cannot be associated with a specific user.
Statistical data may be produced for purposes other than those provided in the law if the data cannot be associated with a specific user.
Information Society Code (Section 142)
Identification data may also be personal data. In such cases, the data controller must also take account of the obligations laid down in the Personal Data Act. The Personal Data Act regulates the processing of personal data, and compliance with the Act is monitored by the Data Protection Ombudsman. The Act applies to telecoms operators as well as corporate or association subscribers.
A telecoms operator must give the subscriber of communications services an itemisation of a bill, if the subscriber so requests. In the itemisation, the last three digits of phone numbers have to obscured so that the other party of the communication cannot be identified. If the user of a subscription requests an itemisation of a bill, the itemisation must include complete phone numbers.
A telecoms operator may release a complete itemisation of identification data only if it knows who uses the subscription (for example, if the subscriber has provided the operator with the user's name when making the contract). If the subscriber is a private person and no other user has been named, the operator is entitled to trust that the subscriber and the user are one and the same person.
A telecoms operator may not release a complete itemisation if the subscriber is a company or an association that has not told the operator who uses the subscription. However, in some cases a company or an association may be considered the user.