Privacy notice: Processing of personal data, grant applications submitted to the Cultural Unit

Date of publication: 8 January 2025

City of Espoo

Cultural Director

Tiina Kasvi, Cultural Manager, kulttuuriavustukset@espoo.fi
Taiju Kiesilä, Senior Specialist, taiteenperusopetus@espoo.fi
 

Data Protection Officer of the City of Espoo
Address: P.O. Box 12, 02070 City of Espoo
Tel. +358 9 81621 (switchboard)
Email: tietosuoja@espoo.fi

Personal data is processed for the purposes of processing and archiving grant applications submitted to the Cultural Unit, which is part of the Sector for Economic Development, Sports and Culture. The applicants’ contact information is also processed to facilitate cooperation between the City of Espoo and the cultural grant applicants.
- Culture: annual grants, event and project grant, development grant and artist grants.

Article 6(1)(e) of the General Data Protection Regulation of the European Union: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Data on a person associated with the registered organisation or another operator submitting the application:

• name
• personal identity code
• address
• telephone number
• email address
• method of sending client mail (post, email).

Data on organisations:

• name of the organisation
• business ID
• address
• telephone number
• email address
• registration number and municipality of registration.

PUBLIC ACCESS TO AND CONFIDENTIALITY OF DATA:
The data is not confidential according to law.

Personal data concerning clients is obtained from the clients themselves through the applications.

As a rule, personal data is not disclosed to third parties. Personal data may only be disclosed if applicable statutory requirements are met.

As the data controller, the city uses personal data processors (service providers). Processors may transfer data from the register outside the European Union or the European Economic Area only if the transfer meets the applicable statutory requirements and if the transfer and appropriate protection measures have been agreed upon between the controller and the processor as required by data protection legislation.

The data will be deleted after the 10-year archiving obligation ends.

Personal data is processed in a manner that ensures appropriate security of the personal data, including protection (General Data Protection Regulation, Article 5(1)(f)). Data processing is regulated, for example, based on the principles of purpose limitation, necessity and accuracy. Each employee who processes data is under an obligation of secrecy and confidentiality, which remains in force even after the employee’s employment relationship has ended.

Electronic materials are stored in the grant application system. Grant applicants log into the system using strong identification through the suomi.fi service. No separate user IDs are created for clients. The electronic grant application register is protected from third parties with firewalls and other technical protection measures. Access rights to the system are only granted to Espoo employees authorised to process grant-related matters.

Electronic application forms submitted by clients to the City of Espoo Registry Office are stored in the case management system and the Records Management Unit’s archiving system until the end of the archiving obligation. Access rights to the systems are only granted to Espoo employees authorised to process grant-related matters and archived materials. Physical paper applications delivered to the City of Espoo Registry Office are stored in the locked archive facilities of the City Archives as part of the decision-making archives.

The stored contact information is securely protected so that only authorised City of Espoo employees can view and access it. The information system can only be accessed with a username and password granted by the city.

Further instructions on submitting information requests referred to in the General Data Protection Regulation: Data protection / Clients’ right of access to personal data

You have the right to obtain from the data controller a copy of the personal data that is subject to processing. The data controller must provide the data without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

If the data controller does not take action on the request of the data subject, the data controller must inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Requests from the data subject and any resulting actions are free of charge. However, where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the data controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.

You have the right to have inaccurate, incomplete, outdated or unnecessary personal data that we store either rectified or completed by us.

You have the right to have the data controller erase your personal data without undue delay under certain conditions. The data subject does not have the right to erasure if the processing of data is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. In these cases, the data will only be erased after the statutory time limit.

If the data concerning you is inaccurate, you have the right to request that its processing be restricted until its accuracy has been verified.

You have the right to lodge a complaint with a supervisory authority if you feel that the processing of your personal data is in infringement of data protection legislation. You can lodge a complaint with the Office of the Data Protection Ombudsman: www.tietosuoja.fi(external link, opens in a new window)