Privacy policy

City of Espoo


1. Register name

Map Service of Espoo

2. Data controller

City Of Espoo
Tel. 09-81621

3. Person responsible for the register

Jani Havukainen, GIS-manager
Tel. 09-81621

4. Contact person of the register

Jani Havukainen, GIS-manager
Tel. 09-81621, jani.havukainen@espoo.fi

5. Data Protection Officer appointed by the organisation

Espoo City Data Protection Officer
Address: PL 12, 02070 Espoon kaupunki
Tel. 09-81621
Email: tietosuoja@espoo.fi

6. Purposes for processing personal data and the legal basis of processing

The purpose of the register is to provide the map service. The map service allows users to create their own accounts, through which they can save information. The service can also be used without a username. Personal data in the service can only be accessed and processed by persons who have the right to manage the service.

The use of the service is monitored, reported on and developed with the help of application and server logs.

The city will not disclose personal data to external parties.

7. Contents of the register (description of the categories of data subjects and the categories of personal data)

The register may consist of the following information (required*)
• Username and password*
• Name*
• Email address*
• Telephone
• Street address
• Postalcode
• City/town
• The user’s own entries and texts
Other information stored when using the service, such as IP addresses.

8. Sources of personal data

Information is saved in the service by the user. The service can be used without authentication. In other words, users do not have to provide their contact information.

9. Disclosure of personal data

The city will not disclose personal data to external parties.

10. Transfer of data outside EU or the EEA

No transfer.

11. Data storage periods

We store personal data for the period of time they are needed for the purpose for which they have been collected.

12. Register maintenance systems and principles of protection

PRINCIPLES OF DATA PROTECTION:

A. Electronic materials IT equipment is located in protected and supervised premises. Each user has personal user rights to client data systems and files, and their use is monitored. User rights are given on a task-specific basis. Each user must accept a data and data system user agreement and non-disclosure agreement.

B. Manual materials No manual materials are generated.

13. Right of access to data

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.

The controller shall provide information without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

All information and actions taken on the grounds of a data subject’s right of access request, any information provided under Articles 13 and 14 of the GDPR and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge.

Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or

b) refuse to act on the request. The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request. Right of access requests should be made to the contact person of the register

14. Right to rectify data

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. The data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. Whether the data is incomplete will be determined in the light of the purpose for which the data in the register is processed.

If the controller refuses the request of a data subject of the rectification of an error, a written certificate to this effect shall be issued. The certificate shall also mention the reasons for the refusal and inform the data subject of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

The request for rectification should for example be made to the contact person of the register. Specify where more detailed instructions, forms, online service etc. can be found.

15. Right to lodge a complaint

Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation. This right is laid down in Article 77 the General Data Protection Regulation (GDPR, 2016/679).

16. Other potential rights

Requests should be made to the contact person of the register.

Right to erasure (Article 17 of the GDPR)

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the grounds laid down in Article 17(1) applies. The data subject does not have the right to erasure for example if the processing of data is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Right to restriction of processing (Article 18 of the GDPR)

The data subject shall have the right to obtain from the controller restriction of processing where one of the requirements laid down in Article 18(1)(a–d) applies.

Right to object (Article 21 of the GDPR)

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, which is processed for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Right to data portability (Article 20 of the GDPR)

The data subject shall have the right to have his or her data transmitted only if the processing of data is based on consent or on a contract, and if the processing is carried out by automated means. The data subject’s right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. If the processing of data is based on consent, the data subject shall have the right to withdraw his or her consent at any time.