Privacy notice: Processing of personal data, internship applications submitted to Espoo’s Youth Services

Date of publication: 23 September 2020 (Updated: 31 July 2024)

City of Espoo

Tero Luukkonen, Manager of Youth Services

Email: firstname.lastname@espoo.fi

Tel. 09 816 21 (switchboard)

Katrina Nylund, Planning Officer

Email: firstname.lastname@espoo.fi

Tel. +358 9 81621 (switchboard)

Helena Niemi, Data Protection Officer of the City of Espoo

Address: P.O. Box 12, 02070 City of Espoo

Tel. +358 9 81621 (switchboard)

Email: tietosuoja@espoo.fi

The purpose of an internship application is to find an internship at Espoo’s Youth Services for a young person studying the field. The internship application is submitted to Espoo’s Youth Services.  If an internship is granted, an internship agreement is concluded. Interns are not paid for the internship.

Personal data is processed for the purpose of finding a suitable placement for an applicant. When a suitable placement is found, information about the internship and about agreeing on an interview will be sent to the intern and the youth centre. Information on agreed internships is processed in the City of Espoo’s internship management system HARRI for the purpose of paying internship supervision compensation. In addition, personal data is processed to enable proactive planning, real-time information, and monitoring.

Article 6(1)(b) of the General Data Protection Regulation of the European Union: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Article 6(1)(e) of the General Data Protection Regulation of the European Union: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

When a suitable placement is found, information about the internship and about agreeing on an interview will be sent to the intern and the youth centre.

Internship application and information to be stored in the internship management system:

• Data subject’s name, year of birth and email address.
• The educational institution of the data subject, the degree being pursued, the internship period, and the part of the degree to which the internship application pertains.
• The data subject may also provide any other information they consider relevant to and wish to include in the internship application, such as their wishes regarding the internship.

The personal data is collected from the data subjects themselves.

The following service providers process information on behalf of Espoo:

• The technical service provider of the registration service is Webropol Oy.
• The provider of Espoo’s email service and collaboration platform is Microsoft.

Data and documents are disclosed to the person requesting them in accordance with the Act on the Openness of Government Activities. Information and documents are public unless specifically defined as confidential under law.

All data included in the Webropol service is stored within the EU and is not disclosed or processed outside the EU.

The email and collaboration platform provided by Microsoft is stored within the EU. Microsoft operates and develops Office 365 services from locations outside Europe, and data is considered to be transferred outside the EU if, for example, an administrator establishes a remote connection from the United States to a data centre in Europe, for example to solve a technical problem. In these situations, safeguards are established to maintain the high level of data protection required by European legislation even after the personal data has been transferred. These safeguards include an adequacy decision by the European Commission and a commitment to the required safeguards, such as the EU-US Data Privacy Framework, by the recipient of personal data. Required safeguards may also include the use of standard contractual clauses adopted by the European Commission as part of agreements concluded with personal data processors, in addition to which the processors are required to observe appropriate technical and administrative safeguards.

Data is stored and destroyed in line with the City of Espoo’s records management plan and the applicable provisions and regulations issued by the National Archives of Finland.

Data is stored for as long as it takes to offer the internship and coordinate the application process. The maximum storage period is 12 months.

Data protection legislation guarantees various rights for the data subject in relation to the processing of personal data. Requests concerning the data subject’s rights can be submitted to the city’s Data Protection Officer or the contact person of the register using the above-mentioned contact details.

If necessary, the controller may ask the data subject to provide additional information to fulfil the request.

The controller must respond to a request concerning the data subject’s rights without undue delay and no later than one month after receiving the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

If the data controller does not take action on the request of the data subject, the data controller must inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Requests from the data subject and any resulting actions are, as a rule, free of charge. However, where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.

The data subject shall have the right to obtain from the controller confirmation as to whether personal data concerning him or her is being processed as well as the right to access the data and to obtain a copy of the data. However, the provision of data shall not adversely affect the rights or freedoms of others.

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. In addition, taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed.

Under certain conditions, the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her. For example, if the processing of personal data is based on consent and the data subject withdraws his or her consent and there is no other legal ground for the processing, the data subject shall have the right to have his or her data erased. However, the data subject shall not have the right to erasure if the processing of data is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The data subject shall have the right to request the restriction of processing in certain situations. For example, if the accuracy of the personal data is contested by the data subject, processing is restricted for a period enabling the controller to verify the accuracy of the personal data. The right also applies if the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, which is processed for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In such a situation, the controller may only continue processing the personal data if the controller demonstrates compelling legitimate grounds for the processing. Processing may also continue if it is necessary for the establishment, exercise or defence of legal claims.

The data subject shall have the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes data protection legislation. The data subject can lodge a complaint with the Office of the Data Protection Ombudsman: www.tietosuoja.fi(external link, opens in a new window)

Change history:

On 31 July 2024, a new person responsible for the register was added and sections 5–7 and 9–10 were clarified.