Disclosure of public environmental data | Metsään.fi

Disclosure of public environmental data


The open forest data pages on the website of the Finnish Forest Centre provide access to public environmental data concerning forests and related measures. No names, IDs or contact details of forest owners or other natural persons are disclosed in connection with environmental data.

The Finnish Forest Centre may also give access to environmental data upon request. When submitting a request for public environmental data, the requesting party is not required to specify the intended use of the data or whether any conditions for data disclosure are met. These must be specified where the party in question requests, in addition to environmental data, the name, ID or contact details of natural persons, or wants to link the requested environmental data to natural persons based on their personal data.

Linking environmental data to natural persons

When the requesting party intends to link environmental data concerning specific natural persons to the name, address, other contact details or ID of those persons, the combined data will form a personal data file, and the processing of the data must comply with all obligations relating to the protection of personal data.

Conditions of the processing of personal data and related obligations

Provisions on the processing of personal data and related obligations are laid down in the Personal Data Act (523/1999). The key principles and obligations of the processing of personal data will largely remain the same once the EU’s General Data Protection Regulation (EU) No 2016/679 (the GDPR) and the supplementing Finnish Data Protection Act (1050/2018) start to apply on 25 May 2018.

The processing of personal data must have a legal basis as specified in the Personal Data Act (in the GDPR starting from 25 May 2018).

The typical bases include the following:

  • unambiguous consent given by the data subject;
  • a contract to which the data subject is party, or an assignment given by the data subject;
  • a customer or service relationship, membership or other comparable relationship (‘connection requirement’; in the GDPR, ‘establishment of the legitimate interest of the data controller or a third party’).

When processing personal data, the following obligations, for example, must be taken into account:

  • appropriateness: the processing of personal data must be appropriate considering the operations of the data controller;
  • definition of the purpose and design of the processing: the purpose of the processing of the personal data collected must be defined and the processing must be designed in advance;
  • necessity requirement (data minimisation): the processing of personal data must be necessary considering the defined purpose of processing (i.e. adequate, relevant and limited to what is necessary in relation to the purposes for which the personal data are processed);
  • purpose limitation: the data must be collected for specified explicit purposes and not further processed in a manner that is incompatible with those purposes;
  • integrity and confidentiality (protection obligation): data security must be ensured, for example, by protecting the data against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Further information