Privacy notice, Processing of personal data, processing and archiving of grant applications submitted to Youth Services

Date of publication: 18 September 2023 (Updated: 20 August 2024)

City of Espoo

Tero Luukkonen, Manager of Youth Services

Email: firstname.lastname@espoo.fi

Tel. 09 816 21 (switchboard)

Hanna Kaseva, Youth Work Coordinator

Email: firstname.lastname@espoo.fi

Tel. +358 9 81621 (switchboard)

Helena Niemi, Data Protection Officer of the City of Espoo

Address: P.O. Box 12, 02070 City of Espoo

Tel. +358 9 81621 (switchboard)

Email: tietosuoja@espoo.fi

Personal data is processed for the purpose of processing and archiving grant applications submitted to Youth Services.

Youth Services awards the following types of grants: targeted grant, general grant, advance payment of a general grant, grants for regional organisations, and partnership grant.

Article 6(1)(e) of the General Data Protection Regulation of the European Union: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The processing of personal identity codes is based on section 29, subsection 1 of the Data Protection Act. The identification of the data subject and their personal data is important for the performance of a statutory duty.

Applicant

The following data is collected on organisations:

organisation name, business ID, address, telephone number, email, home municipality, bank account details, organisation’s website (if exists), URL address

Information on the representative(s) of the organisation:

Name, personal identity code, address, telephone number and email

Client information is obtained from the client’s application through strong identification or on a paper form.

Data and documents are disclosed to the person requesting them in accordance with the Act on the Openness of Government Activities. Information and documents are public unless specifically defined as confidential under law.

The City of Espoo may use operational or technical service providers to organise the service. The service providers process personal data on behalf of the City of Espoo and according to its instructions, to the extent that is necessary to enable service provision.

The service provider for Espoo’s grant system is the City of Espoo. The supplier is Reaktor, and its sub-processor is Amazon EU.

The provider of Espoo’s email service is Microsoft.

Personal data is mainly processed in systems and data warehouses located within the European Union. Some of the processors of personal data or the services they provide are located outside the European Economic Area (EEA), and in these cases personal data is also transferred outside the area. The data in the systems is transferred outside the EEA, for example in situations where the IT system or cloud service used for the processing of personal data is located on a server outside the EEA, such as a server of a service provider based in the US.

In situations where personal data is transferred outside the EEA, safeguards are established to maintain the high level of data protection required by European legislation even after the personal data has been transferred. These safeguards include an adequacy decision by the European Commission and a commitment to the required safeguards, such as the EU-US Data Privacy Framework, by the recipient of personal data. Required safeguards may also include the use of standard contractual clauses adopted by the European Commission as part of agreements concluded with personal data processors, in addition to which the processors are required to observe appropriate technical and administrative safeguards.

Data is stored and destroyed in line with the City of Espoo’s records management plan and the applicable provisions and regulations issued by the National Archives of Finland.

The data will be deleted after the 10-year archiving obligation ends.

Data protection legislation guarantees various rights for the data subject in relation to the processing of personal data. Requests concerning the data subject’s rights can be submitted to the city’s Data Protection Officer or the contact person of the register using the above-mentioned contact details.

If necessary, the controller may ask the data subject to provide additional information to fulfil the request.

The controller must respond to a request concerning the data subject’s rights without undue delay and no later than one month after receiving the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

If the data controller does not take action on the request of the data subject, the data controller must inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Requests from the data subject and any resulting actions are, as a rule, free of charge. However, where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.

The data subject shall have the right to obtain from the controller confirmation as to whether personal data concerning him or her is being processed as well as the right to access the data and to obtain a copy of the data. However, the provision of data shall not adversely affect the rights or freedoms of others.

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. In addition, taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed.

Under certain conditions, the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her. For example, if the processing of personal data is based on consent and the data subject withdraws his or her consent and there is no other legal ground for the processing, the data subject shall have the right to have his or her data erased. However, the data subject shall not have the right to erasure if the processing of data is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The data subject shall have the right to request the restriction of processing in certain situations. For example, if the accuracy of the personal data is contested by the data subject, processing is restricted for a period enabling the controller to verify the accuracy of the personal data. The right also applies if the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, which is processed for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In such a situation, the controller may only continue processing the personal data if the controller demonstrates compelling legitimate grounds for the processing. Processing may also continue if it is necessary for the establishment, exercise or defence of legal claims.

The data subject shall have the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes data protection legislation. The data subject can lodge a complaint with the Office of the Data Protection Ombudsman: www.tietosuoja.fi(external link, opens in a new window)

Change history: -