Privacy notice: Processing of personal data, Espoo youth centres’ membership register

Date of publication: 20 August 2024

City of Espoo

Tero Luukkonen, Manager of Local Youth Services

Email: firstname.lastname@espoo.fi

Tel. 09 816 21 (switchboard)

Barbro Högström, Director of Swedish Education and Cultural Services

Email: firstname.lastname@espoo.fi

Tel. +358 9 81621 (switchboard)

Tuomas Rapp, Youth Work Coordinator

Email: firstname.lastname@espoo.fi

Tel. +358 9 81621 (switchboard)

Elisa Stark, Senior Planning Officer

Email: etunimi.sukunimi@espoo.fi

Tel. +358 9 81621 (switchboard)

Helena Niemi, Data Protection Officer of the City of Espoo 

Address: P.O. Box 12, 02070 City of Espoo

Tel. +358 9 81621 (switchboard)

Email: tietosuoja@espoo.fi

Personal data is processed for the purpose of providing youth services and communicating with clients. The membership register indicates who the main users of youth services are.

Personal data is used for the management of client relationships at the City of Espoo’s youth centres. The register enables youth services to contact the users of Espoo’s youth centres and their guardians.

Personal data may also be used in youth services’ communications in accordance with the consent for photography given by the young person / their guardian. The consent for photography can be withdrawn at any time by contacting youth services.

The data may also be used for statistical purposes. When statistics are compiled, the data is processed anonymously.

Article 6(1)(a) of the General Data Protection Regulation of the European Union: the data subject has given consent to the processing of his or her personal data for one or more specific purposes. 

Article 6(1)(e) of the General Data Protection Regulation of the European Union: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The personal data of young people and their guardians is processed in the register. The data is processed electronically and integrated with the Nuori Espoo membership card, which is a free membership card for Espoo’s youth centres that can be used through a mobile device. The membership card is not mandatory, and young people may visit youth centres even if they do not have a card. The service is available in Finnish, Swedish and English. A guardian can apply for a youth services membership card through e-services or a paper form. Once the application has been received, the person processing the application calls the guardian back. After this, the young person receives a text message with a personal login link to access the service. The membership card is renewed for each operating period. The following information is required to obtain the membership card:

• The young person’s first name, last name, preferred first name, date of birth, telephone number and postal code
• First name, last name and telephone number of the young person’s guardian
• Young person’s gender. Chosen from the following: girl, boy, other, prefer not to specify
• Language of communication. Chosen from the following: Finnish, Swedish, English
• The local youth centre can be selected from a dropdown menu

Consent for photography is requested from persons aged 15 and older and from guardians if the young person is under 15 through a yes/no option.

When a young person visits a youth centre, their check-in information is added to the register. The young person checks in at the youth centre by showing their membership card’s personal QR code to the card reader.

The information is obtained from the guardian via an electronic form or a paper form. The electronic application is accessed through suomi.fi identification using online banking codes or a mobile ID. The manual data content is deleted when the application is saved.

Data and documents are disclosed to the person requesting them in accordance with the Act on the Openness of Government Activities. Information and documents are public unless specifically defined as confidential under law.

The City of Espoo may use operational or technical service providers to organise the service. The service providers process personal data on behalf of the City of Espoo and according to its instructions, to the extent that is necessary to enable service provision.

The service provider of the Nuori Espoo membership card is Reaktor.

Personal data will not be transferred outside the EU or the European Economic Area.

Data is stored and destroyed in line with the City of Espoo’s records management plan and the applicable provisions and regulations issued by the National Archives of Finland.

Data may be deleted at the request of the young person / their guardian or due to the ending of the client relationship. Personal data is stored in the register for the duration of the operating period, which is one year. The operating period starts in August and ends at the end of July. Youth centre check-in information is stored in the register for 14 days.

Data protection legislation guarantees various rights for the data subject in relation to the processing of personal data. Requests concerning the data subject’s rights can be submitted to the city’s Data Protection Officer or the contact person of the register using the above-mentioned contact details.

If necessary, the controller may ask the data subject to provide additional information to fulfil the request.

The controller must respond to a request concerning the data subject’s rights without undue delay and no later than one month after receiving the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

If the data controller does not take action on the request of the data subject, the data controller must inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Requests from the data subject and any resulting actions are, as a rule, free of charge. However, where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.

The data subject shall have the right to obtain from the controller confirmation as to whether personal data concerning him or her are being processed as well as the right to access the data and to obtain a copy of the data. However, the provision of data shall not adversely affect the rights or freedoms of others.

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. In addition, taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed.

Under certain conditions, the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her. For example, if the processing of personal data is based on consent and the data subject withdraws his or her consent and there is no other legal ground for the processing, the data subject shall have the right to have his or her data erased. However, the data subject shall not have the right to erasure if the processing of data is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The data subject shall have the right to request the restriction of processing in certain situations. For example, if the accuracy of the personal data is contested by the data subject, processing is restricted for a period enabling the controller to verify the accuracy of the personal data. The right also applies if the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, which is processed for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In such a situation, the controller may only continue processing the personal data if the controller demonstrates compelling legitimate grounds for the processing. Processing may also continue if it is necessary for the establishment, exercise or defence of legal claims.

The data subject shall have the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes data protection legislation. The data subject can lodge a complaint with the Office of the Data Protection Ombudsman: www.tietosuoja.fi(external link, opens in a new window)

Change history: -