This is how your personal data is processed in the supervision of the Money Laundering Act

Personal data refers to any information that can be directly or indirectly linked to a natural person.

The Regional State Administrative Agency for Southern Finland is the controller for your data, which you have provided to us or which we have received from other sources. Privacy protection is always an important aspect when we process personal data.

On this page, we will outline the instructions we follow, our methods for processing and storing your data, and what rights you have. These guidelines will never limit the rights granted to you by the General Data Protection Regulation or any other legally valid decision.

We process your personal data when we conduct supervision to prevent money laundering and terrorist financing.

We process the following data:

  • full name and personal identity code of private trader
  • private trader with no Finnish personal identity code
    • date of birth
    • nationality
    • company name
    • auxiliary company name if any
    • business ID or other equivalent identifier
    • date of registration
    • visiting address for every business location, where activities are carried out
  • A legal person’s
    • company name
    • auxiliary company name if any
    • business ID or other equivalent identifier
    • date of registration
    • visiting address for every business location, where activities are carried out
  • the full name, personal identity code or, in its absence, the date of birth and nationality of the person whose reliability has been established, and their status in the registered operator
  • administrative penalty imposed on a private trader or a legal person, as well as requests and prohibitions which are subject to a conditional fine (such information must be removed from the register three years after the end of the year during which the penalty was imposed).

The processing of your personal data is based on Article 6 (1)(c) of the EU General Data Protection Regulation (EU 2016/679), i.e. processing required compliance with the legal obligation of the controller. We do not need the consent of the data subject for this processing. You can read the EU General Data Protection Regulation via the Legal Links at the bottom of this page.

We use the money laundering supervision register when we monitor the prevention of money laundering and terrorist financing. We keep a register of persons subject to the reporting obligation referred to in the Money Laundering Act to ensure that the statutory supervision is carried out. The aim of supervision is to prevent money laundering and terrorist financing.

The regular information source for personal data is the notification of applicants to the supervision register. If you are obliged to submit a notification and your information changes, notify us at the Regional State Administrative Agency about this without delay. 

Personal data will be stored in the control register as long as the company meets the registration criteria. Data on registry entries shall be kept for five years from the end of the year during which the data was deleted from the register.

Personal data is not regularly transferred from the supervision register nor is personal data transferred outside the EU/EEA. The processing of your personal data also does not involve automatic decision-making or profiling.

We process your personal data in the contact information register when we carry out supervision with the aim of preventing money laundering and terrorist financing. We will only process your personal data if no other information is available or known, such as the data of a legal person.

We process the following personal data:

  • Name of private trader or decision maker of legal person
  • personal email address if the company's general email address is not known
  • personal phone number if the company's general phone number is not known.

The legal basis for the processing of your personal data is Article 6(e) of the EU General Data Protection Regulation (EU 2016 / 679), i.e. the processing is necessary for the performance of a task of public interest or for the exercise of the public authority vested in the controller. This criterion is supplemented by section 4, paragraph 2 of the Data Protection Act (1050/2018), i.e. processing is necessary and proportionate and necessary for the performance of a task carried out in the public interest by an authority. We do not need the consent of the data subject for this processing.

In accordance with the Act on the Prevention of Money Laundering and Financing of Terrorism, we supervise compliance with the Money Laundering Act and the provisions and regulations issued under it for certain obliged entities. 

The regular sources for personal data are public information sources and information obtained from the Alma Talent Päättäjät register ([email protected]). Personal data that the Regional State Administrative Agency receives via contact such as emails can also be exported to the contact register.

If an operator does not respond to contacts sent by the Regional State Administrative Agency, their personal data will be deleted from the contact information register within 30 days of receiving the information from Alma Talent's Päättäjät register.

We retain personal data only as long as this is necessary for performing  our supervisory task. Personal data will be deleted from the contact information register if the operator registers in the supervision register.

Personal data is not regularly transferred from the contact information register nor is personal data transferred outside the EU/EEA. The processing of your personal data also does not involve automatic decision-making or profiling.

Both the contact information register and supervision register for money laundering supervision are protected from unauthorised viewing, editing and destruction. The protection is based on user authorisation management, the technical protection of databases and servers, the physical protection of facilities, access control, the protection of data communication and the backup of data. The right to access and process data is granted based on tasks. Access to the system is based on personal usernames. We use administrative controls to monitor the appropriateness of our activities.

You have the right to know which of your personal data we are processing and to request a copy. You have the right to receive information about whether we process your personal data in our activities. If we do not process your personal data, you have the right to be informed about this as well. You also have the right to rectify incorrect information about you, supplement your personal data, and ask us to delete your personal data or limit its use. You also have the right to receive personal data concerning you in a machine-readable format and to transfer the data to another party responsible for processing the data.

If you believe that your personal data has been processed in a manner that is violated to the law, you can file a complaint or complain to the Office of the Data Protection Ombudsman about the processing of your data. However, we recommend that you first contact the Regional State Administrative Agencies' Data Protection Officer (see contact details below).

Contact information for the Data Protection Officer and further information on data protection
Office of the Data Protection Ombudsman


Contact details

Data controller:
The tasks of the Regional State Administrative Agencies referred to in this notification have been centralised nationally to one Regional State Administrative Agency, which is responsible for the processing of your personal data as the controller.

Regional State Administrative Agency for Southern Finland
Visiting address: Wähäjärvenkatu 6, Hämeenlinna
Postal address: P.O. Box 1, 13035 AVI
Switchboard: +358 295 016 000
Registry office: kirjaamo.etela(at)avi.fi

Data Protection Officer for the Regional State Administrative Agencies:
Hannele Svanström
tel. +358 295 018 015
tietosuoja(at)avi.fi

You can contact the Regional State Administrative Agencies' Data Protection Officer if you need more information on the processing of personal data by Regional State Administrative Agencies. Contact the Regional State Administrative Agency's registry office, if you have any questions concerning the exercising of your rights in matters related to the processing of your personal data. The contact details for the registry office can be found above. If your matter concerns the processing of your personal data by an organisation other than the Regional State Administrative Agency, you must first contact the relevant organisation or its data protection officer.

Links to Act on Preventing Money Laundering and Terrorist Financing

Lakilinkki-rahanpesulaki (444/2017, 1 luku, 2 §) -en

Rahanpesun valvontarekisterin pitäjä ja käyttötarkoitus (444/2017, 5 luku, 2 §) -en

Valvontaviranomaiset ja ilmoitus rahanpesun selvittelykeskukselle (444/2017, 7 luku, 1 §) -en

Other legal Links