Privacy notice: Processing of personal data, personal data register for provision of after-school activities

Date of publication: 9.8.2024 (updated 15.8.2025)

City of Espoo

Finnish Basic Education Unit: Juha Nurmi, Director of Basic Education

Swedish Education and Cultural Services: Barbro Högström, Director of Swedish Education and Cultural Services

Email: firstname.lastname@espoo.fi

Tel. +358 9 81621 (switchboard)

Miia Loisa-Turunen, Education Support Manager

Ida Stolt-Haglund, Development Manager

Email: firstname.lastname@espoo.fi

Tel. +358 9 81621 (switchboard)

Helena Niemi, Data Protection Officer of the City of Espoo

Address: P.O. Box 12, 02070 City of Espoo

Tel. +358 9 81621 (switchboard)

Email: tietosuoja@espoo.fi

After-school activities are provided by Espoo’s Finnish Basic Education Unit and Swedish Education and Cultural Services. Activities are provided as the city’s own service, as an outsourced service or by providing subsidies to service providers.

The city decides on the admission of pupils to after-school activities. The city charges a client fee for the activities. The city decides on the reduction of fees for after-school activities.

According to Article 6(1)(c) of the General Data Protection Regulation of the European Union, processing is necessary for compliance with a legal obligation to which the controller is subject. After-school activities are provided in accordance with chapter 8a of the Act on Primary and Secondary Education.

The processing of personal identity codes is based on section 29, subsections 1 and 2 of the Data Protection Act. The identification of the data subject and their personal data is important for the performance of a statutory duty.

Through the Primus school administration system, the school sees whether the school’s pupils attend after-school activities, their hours of attendance, and the service provider. Employees use register data to carry out their duties. Most applications for after-school activities are submitted online through Wilma. When submitting an application, the guardian decides whether they wish to receive the decision electronically or by post.

Information obtained from the application for after-school activities:

• Child’s information: name, personal identity code and address
• Guardian’s information: name, personal identity code, address, telephone number and email address
• School or service provider providing after-school activities
• Name of the school and grade
• Hours of attendance

The personal identity code is needed for invoicing.

Information on decision of support for learning and school attendance, if applicable (Act on Primary and Secondary Education, section 48b, subsection 1)

Decision on admission to after-school activities:

• Admission to and place of after-school activities
• Hours of attendance (full-time/part-time)

Tietoja lapsesta (‘Information about the child’) form, available to service providers on the Espoo.fi website:

• Child’s name and address
• Guardians’ contact information
• Hours of attendance
• Information on the child’s transport arrangements
• Child’s allergies, special dietary needs, and medication during after-school activities
• Other matters to be considered during after-school activities
• Consent to sharing of information

You can find the Tietoja lapsesta form through the following link:Forms and instructions. The form for after-school activities provided by Swedish Education and Cultural Services is available from the service provider.

Non-collection or reduction of client fees:

The necessary income and family information is obtained from the application for non-collection or reduction of client fees (Act on Primary and Secondary Education, section 48f, subsection 2). When preparing a decision on the non-collection or reduction of client fees, information provided by clients concerning Kela benefits that affect the decision may be checked by the City of Espoo’s office-holders from Kela’s Kelmu system. The register also includes information on whether the client is entitled to exemption from fees on other grounds. If necessary, information is checked from the Digital and Population Data Services Agency or Trimble Locus Cloud.

Guardians provide the information via Wilma or using paper forms. Guardians provide information on any changes in writing via Wilma or by email.

Basic information on pupils and their guardians and information on decisions of support for learning and school attendance, if applicable, is obtained from the pupil register in the Primus school administration system.

Guardians fill in the Tietoja lapsesta form and submit it directly to the provider of after-school activities. The service provider stores and archives the forms in accordance with the city’s instructions. If the service provider discontinues its operations, the forms will be transferred to the city’s archives.

Data and documents are disclosed to the person requesting them in accordance with the Act on the Openness of Government Activities. Information and documents are public unless specifically defined as confidential under law.

The disclosure of public information from a personal data register controlled by an authority is based on section 16, subsection 3 of the Act on the Openness of Government Activities. According to this provision, the party requesting access must have the right to record and use such data. Personal data can only be disclosed following a detailed request for data (Act on the Openness of Government Activities, section 13, subsection 2).

• Public information may only be disclosed for the purposes of direct marketing, polls or market research with the consent of the data subject or the guardian of a minor.

• Public information may be disclosed for scientific or historical research purposes in the public interest. Confidential information may only be disclosed with the consent of the data subject or the guardian of a minor or, in individual cases, based on a separately requested authorisation. (Act on the Openness of Government Activities, section 28)

Confidential information may only be disclosed with the express consent of the data subject or the guardian of a minor or if there is a specific provision on the collection of information or the right of access. (Act on the Openness of Government Activities, chapter 7)

Information on after-school activities is disclosed on the basis of the register under section 58 of the Act on the Financing of Education and Culture.

The City of Espoo uses operational or technical service providers to provide the service. The service providers process personal data on behalf of the City of Espoo and according to its instructions, to the extent that is necessary to enable service provision. Agreements concluded with service providers comply with the requirements of the General Data Protection Regulation (GDPR) of the European Union.

Information on the children attending after-school activities (name, address, grade, school’s name, hours of attendance and decision of support for learning and school attendance, if applicable) and their guardian’s information for contact purposes is transferred to the service provider. The child’s personal identity code is disclosed to the service provider if necessary, for example, to file a child welfare notification or an accident report.

Microsoft is the service provider of the Office product family.

Invoicing information is transferred through the Digia interface to the City of Espoo’s JoTo management and financial management information system.

The school administration system Primus-Wilma is provided by Visma. The Trimble Locus Cloud geographic and population information system is provided by Trimble.

As the data controller, the city uses personal data processors (service providers). Processors may transfer data from the register outside the European Union or the European Economic Area only if the transfer meets the applicable statutory requirements and if the transfer and appropriate protection measures have been agreed upon between the controller and the processor as required by data protection legislation.

Microsoft workspaces are stored within the EU. Microsoft operates and develops Office 365 services from locations outside Europe, and data is considered to be transferred outside the EU if, for example, an administrator establishes a remote connection from the United States to a data centre in Europe, for example to solve a technical problem. In these circumstances, a European Commission-approved basis for transfer applies. The basis for the transfer is the European Commission’s adequacy decision on US data protection. The recipient of personal data is committed to the EU-US Data Privacy Framework.  

Data is stored and destroyed in line with the City of Espoo’s records management plan and the applicable provisions and regulations issued by the National Archives of Finland.

Applications, decisions, attendance lists, client fee reduction applications and decisions are stored for ten years. Service providers store the Tietoja lapsesta form for two years and for the period of validity. If the service provider discontinues its operations, they are obliged to deliver the forms to the city for archiving purposes.

Data protection legislation guarantees various rights for the data subject in relation to the processing of personal data. Requests concerning the data subject’s rights can be submitted to the city’s Data Protection Officer or the contact person of the register using the above-mentioned contact details.

If necessary, the controller may ask the data subject to provide additional information to fulfil the request.

The controller must respond to a request concerning the data subject’s rights without undue delay and no later than one month after receiving the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

If the data controller does not take action on the request of the data subject, the data controller must inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Requests from the data subject and any resulting actions are, as a rule, free of charge. However, where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.

The data subject shall have the right to obtain from the controller confirmation as to whether personal data concerning him or her is being processed as well as the right to access the data and to obtain a copy of the data. However, the provision of data shall not adversely affect the rights or freedoms of others.

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. In addition, taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed.

Under certain conditions, the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her. For example, if the processing of personal data is based on consent and the data subject withdraws his or her consent and there is no other legal ground for the processing, the data subject shall have the right to have his or her data erased. However, the data subject shall not have the right to erasure if the processing of data is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The data subject shall have the right to request the restriction of processing in certain situations. For example, if the accuracy of the personal data is contested by the data subject, processing is restricted for a period enabling the controller to verify the accuracy of the personal data. The right also applies if the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, which is processed for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In such a situation, the controller may only continue processing the personal data if the controller demonstrates compelling legitimate grounds for the processing. Processing may also continue if it is necessary for the establishment, exercise or defence of legal claims.

The data subject shall have the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes data protection legislation. The data subject can lodge a complaint with the Office of the Data Protection Ombudsman: www.tietosuoja.fi(external link, opens in a new window)

Change history: 

2.6.2025 The text under the heading Non-collection or reduction of client fees has been updated.

15.8.2025 The reform of support for learning, which entered into force on 1 August 2025, has been taken into account.