Processing of personal data in customs control

Purpose of processing personal data

The purpose of the processing is laid down in section 12 of the Act on the Processing of Personal Data by Finnish Customs (650/2019). In order to carry out customs control and tax control, Customs may process personal data concerning declarations and other information provided to Customs based on legislation as well as data concerning customs control and tax control measures already carried out and follow-up measures proposed based on these controls. Furthermore, personal data can be processed based on a request for investigation, a criminal offence report or on the Act on imposition of a fine and summary penal fee (754/2010). Data can also be processed for targeting customs controls and tax controls related to details of goods imports as well as details of the number of border crossings and their dates. 

A control in real-time refers to a physical control and a control aimed at electronic documents. The control is carried out before customs clearance and taxation to ensure the accuracy, completeness and validity of the data provided by the customer. 

A proactive control means a control that is carried out before granting an authorisation or before approving a change to an authorisation. The control is carried out to ensure that the customer fulfils or can fulfil the conditions and requirements of the authorisation or customer status and can provide reliable information for subsequent controls. The proactive control can also act as a statement for some internal interest group, e.g. the Authorisation Centre. As a rule, a proactive control includes a control related to a company’s functionality with the emphasis on examining, e.g. the company itself, its administration, organisation, bookkeeping system and internal control measures as well as examining its storage facilities. 

A post-release control means a subsequent control of the customs clearance and taxation to ensure the company’s adherence to the regulations and requirements related to the company’s operation, authorisations and procedures and/or the accuracy of the taxation of the business transactions. Depending on the control method, the post-release control can be aimed at either the company’s functionality, its business transactions or both.

Data based on a control are processed in the following controls: 

Proactive controls

  • bookkeeping audit
  • inspection of a facility
  • assessment of authorisation
  • AEO assessment

Post-clearance audits

  • corporate audit
  • document control
  • level monitoring
  • other post-clearance audits (follow-up audit, re-assessment, procedural control, warehouse control and audits of internal market subsidies)

Real-time controls

  • document control

Categories of personal data

Details collected regarding the persons are names, date and place of birth, personal identity code, gender, native language, communication language, civil status, citizenship or lack of citizenship and nationality, domicile and place of residence, occupation and education, contact information, information in the documentation necessary to establish identity, in the case of a foreign national the parents' names, citizenship and nationality, travel document information and other information related to arrival in the country and border-crossing, registration number of vehicle, customer number issued by the authority, information on the person’s death or declaration of death and information on guardianship, declaration of bankruptcy or imposition of a business prohibition. 

Sources of personal data

Some of the personal data are obtained from the persons themselves. When planning an audit, some are obtained from the authors of the audit proposal. Data are also obtained from the Digital and Population Data Services Agency and the customs clearance system.

Regular disclosures of personal data

According to sections 21 of the Act on the Processing of Personal Data by Finnish Customs, personal data can be disclosed to other authorities. Data can be disclosed based on EU agreements or bilateral or multilateral international agreements. The disclosure of data can also be based on specific national legislation. Data can be disclosed through a technical interface or as a set of data. 

Data can be processed by other functions within Customs for the performance of official tasks. Furthermore, data can be transferred to the National Archives of Finland if they are to be stored indefinitely. 

Personal data retention and disposal times

The audit plans and related background information are stored for 10 years. Instructions on audit planning and protocols are stored for 25 years. In other cases, the data are deleted no later than at the end of the sixth calendar year following the year of storage.

Contact person of the data controller and additional information

Pirkko Alamäki-Karkiainen 
pirkko.alamäki-karkiainen(at)tulli.fi