Processing of traffic data

All network communications leave traces. For example, making a phone call, sending an e-mail or browsing the internet leaves a trace. In communications, traffic data mean data based on which a user can be identified or information can be associated with a user of a network or communications service. Telecoms operators may use traffic data only for purposes specified in law.

Traffic data include, for example, the following:

  • data on the caller or recipient of a phone call
  • data on the sender and recipient of an e-mail or text message
  • data on the duration, routing and time of a connection and the amount of data transferred
  • data on the location of the terminal device of a sender or a recipient
  • IP address.

Traffic data may also be connected to a legal person, such as a company.

When can telecoms operators process traffic data?

In connection with network and communications services, a telecoms operator may process traffic data:

  • for operating the services
  • for billing purposes
  • for ensuring information security
  • for detecting a technical fault
  • for technical development
  • in cases of misuse, such as the non-paying use of fee-based network, communications or value-added services.

With consent from the customers, traffic data may also be used for marketing communications or value-added services.

Information Society Code (Chapter 17)

A telecoms operator is allowed to process traffic data only to the extent necessary. The processing of traffic data may not limit the confidentiality of messages and the protection of privacy any more than is necessary.

An operator is only allowed to disclose traffic data to parties entitled to process the data in the given situation. If an operator outsources a part of its services, it may disclose traffic data to the parties who are, on the basis of their tasks, entitled to process the data. Even when outsourcing its services, the operator is responsible for ensuring that traffic data are processed in compliance with the law.

Traffic data in public communication

In public communications, such as chat rooms, IRC or discussion forums on the internet, traffic data are confidential. Parties involved in the transmission of communications, such as telecoms operators and corporate or association subscribers, are only allowed to process traffic data for purposes laid down by law. The parties also have an obligation of secrecy concerning traffic data.

A service provider operating an internet discussion forum has the right to disclose traffic data related to messages sent by participants if permission for this is included in the terms of contract of the service.

Processing for the purpose of statistical analysis

In accordance with the conditions laid down in the Act on the Protection of Privacy in Electronic Communications, telecoms operators may use traffic data to produce statistical data for the purposes of pricing and financial planning. After the statistical analysis, messages and traffic data must be destroyed or rendered anonymous so that they cannot be associated with a specific user.

Statistical data may be produced for purposes other than those provided in the law if the data cannot be associated with a specific user.

Information Society Code (Section 142)

Personal Data Act applies too

Identification data may also be personal data. In such cases, the data controller must also take account of the obligations laid down in the Personal Data Act. The Personal Data Act regulates the processing of personal data, and compliance with the Act is monitored by the Data Protection Ombudsman. The Act applies to telecoms operators as well as corporate or association subscribers.

The Personal Data Act

Data Protection Ombudsman

Call itemisation of a bill

A telecoms operator must give the subscriber of communications services an itemisation of a bill, if the subscriber so requests. In the itemisation, the last three digits of phone numbers have to be obscured so that the other party of the communication cannot be identified. If the user of a subscription requests an itemisation of a bill, the itemisation must include complete phone numbers.

A telecoms operator may release a complete itemisation of identification data only if it knows who uses the subscription (for example, if the subscriber has provided the operator with the user's name when making the contract). If the subscriber is a private person and no other user has been named, the operator is entitled to trust that the subscriber and the user are one and the same person.

A telecoms operator may not release a complete itemisation if the subscriber is a company or an association that has not told the operator who uses the subscription. However, in some cases a company or an association may be considered the user.


Key words: Information security, Data protection, Telecommunications

Updated 17.11.2015



The Finnish Communications Regulatory Authority (FICORA)

The National Cyber Security Centre Finland (NCSC-FI)
