Privacy notice: Processing of personal data related to starting and approval of private early childhood education operations and related guidance, counselling and supervision

Date of publication: 19 August 2024

City of Espoo

Virpi Mattila, Director of Finnish Early Childhood Education

Barbro Högström, Director of Swedish Education and Cultural Services

Email: firstname.lastname@espoo.fi

Tel. 09 816 21 (switchboard)

Mirva Alakoskela, Early Childhood Education District Manager

Mia Westerlund, Administrative Manager

Email: firstname.lastname@espoo.fi

Tel. +358 9 81621 (switchboard)

Helena Niemi, Data Protection Officer of the City of Espoo

Address: P.O. Box 12, 02070 City of Espoo

Tel. +358 9 81621 (switchboard)

Email: tietosuoja@espoo.fi

Personal data is processed in connection with the starting and approval of private early childhood education operations (day care centres, group family day care centres and family day care providers) that are provided with a private day care allowance, as an outsourced service or with a service voucher. In addition, personal data is processed in connection with the performance of guidance, counselling and supervisory tasks based on the Act on Early Childhood Education and Care.

The register is used for compiling statistics for the City of Espoo as quantitative data. When statistics are compiled, the data is processed anonymously.

A private service provider that organises or provides early childhood education services must have a permit to carry out day care operations before starting such operations. This permit is granted by the Regional State Administrative Agency based on the service provider’s application.

If a service provider applies to become a service voucher day care centre through the system for service vouchers and outsourced services (PSOP), the service provider must provide information on the service provider or company, the place of activity, staff and service prices for approval.

A private service provider that organises or provides family day care services must submit a written notification to the municipality before starting their operations or before any significant changes to their operations.

Article 6(1)(c) of the General Data Protection Regulation of the European Union: processing is necessary for compliance with a legal obligation to which the controller is subject.

Key legislation:

• General Data Protection Regulation of the European Union (2016/679)
• Data Protection Act (1050/2018)
• Basic Education Act (628/1998)
• Act on Early Childhood Education and Care (540/2018)
• Government Decree on Early Childhood Education and Care (753/2018)
• Act on Service Vouchers in Social Welfare and Health Care Services (569/2009)
• Act on Child Home Care Allowance and Private Day Care Allowance (1128/1996)
• Decree of the Ministry of Education and Culture on amending the decree of the Ministry of Education and Culture on documents related to the permit and notification procedure for private service providers in early childhood education (97/2024)
• Act on Checking the Criminal Background of Persons Working with Children (504/2002)

The processing of personal identity codes is based on section 29, subsection 1 of the Data Protection Act. Provisions on the processing of personal identity codes in connection with the permit or notification procedure of a private service provider are laid down in sections 44a, 44e and 45 of the Act on Early Childhood Education and Care.

Day care service providers

• Municipal authorities receive a request for a statement from the Regional State Administrative Agency and a copy of the service provider’s permit application and register extract.
• The municipal authority’s statement including, where appropriate, the names of persons working with children other than those in contractual employment relationships as well as information on the issue and checking dates of criminal records extracts
• Self-monitoring plan
• Permit issued by the Regional State Administrative Agency to carry out day care operations. An extract from the Soteri register (a joint register of Valvira and the Regional State Administrative Agencies containing information on all private early childhood education providers subject to the permit requirement) is provided together with the permit.

Private family day care providers and group family day care centres

• Notification of starting operations related documents The notification contains the name, personal identity code, contact details, education, work experience and role of the person in charge of the operations, as well as the information and documents specified in section 44a, subsection 1, paragraphs 1–4 and 6–11 of the Act on Early Childhood Education and Care.
• Information on the notification form:
  • name, personal identity code, address, telephone number, mother tongue, other language skills and email address
  • issue and checking dates of a family day care provider’s criminal records extract
  • education and work experience
  • spouse working from home
  • number and years of birth of children living at home, as well as other persons living in the dwelling
  • information on the dwelling
  • storage location and method of documents
  • information on support for children
  • reasons for becoming a family day care provider
  • additional information
• Documents provided with the notification form:
• the service provider submits documents that include the name, personal identity code, date of birth, contact details, municipality of residence and nationality of the family day care provider or the company’s contact person or person in a position of control.
• The municipal authority’s inspection visit to the home or premises, during which the authority verifies the names of persons working with children other than those in contractual employment relationships, as well as information on the issue and checking dates of criminal records extracts
  • The notification form has a separate section for the issue and checking dates of the criminal records extract and other information concerning the family day care provider, such as hygiene passport or first aid training.
• Office-holder decision on the approval of the private family day care provider (person’s name)

Applying to become a service provider in the service voucher system

If a service provider applies to become a service voucher day care centre through the system for service vouchers and outsourced services (PSOP), the service provider must provide information on the service provider or company, the place of activity, staff and service prices for approval.

• Basic information on the service provider / company entered into the PSOP system:
• Company’s contact person, name, telephone number and email address
• Documents to be provided by the service provider / company:
• If the company has not joined the Reliable Partner service, it must submit documents that include the name, personal identity code, date of birth, contact details, municipality of residence and nationality of the company’s contact person or person in a position of control. 

• Documents concerning day care centre director and staff:
• Staff list (employee’s name, title and educational background and group name)
• Day care centre director’s diploma (name and personal identity code)

The municipal authority makes an annual guidance visit to the service provider’s premises. In connection with this visit, the following matters are checked and a report is drawn up concerning the visit.

Guidance visit report for day care centres receiving private day care allowance, outsourced and service voucher day care centres, and group family day care centres:

• Persons present during the visit
• Service provider’s name and contact details
• Name and contact details of the day care centre and its director
• Day care centre director’s qualification information and language skills, and information on any other training
• Name of the unit’s occupational safety representative
• Employees’ names, titles, education and qualification information, the issue and checking dates of criminal records extracts, and information on any other training
• Information and documents needed to carry out supervision in line with the Act on Early Childhood Education and Care

Guidance visit report for private family day care providers:

• Persons present during the visit
• Family day care provider’s name, year of birth and contact details (address, telephone number and email address)
• Degree/qualification and information on any other training
• If applicable, information on the presentation of an extract from the Trade Register (person’s name and address)
• Information on being included in the prepayment register (person’s name)
• Information on the payment of YEL or TyEL contributions (person’s name and possibly address)
• Information on the payment of taxes, payment arrangements or tax debt certificate (person’s name and possibly address)
• If necessary, information on business restructuring or payment arrangements
• Information and documents needed to carry out supervision in line with the Act on Early Childhood Education and Care

Supervisory procedure under the Act on Early Childhood Education and Care:

If necessary, the municipal authority will carry out supervision in accordance with the Act on Early Childhood Education and Care. Matters subject to supervision are checked in connection with supervisory activities. A report is drawn up concerning the supervisory visit.

Supervisory visit report:

• Name and contact details of the person responsible for the unit subject to supervision
• Information and documents needed to carry out supervision

For day care centres, information on the commencement of early childhood education operations and any substantial changes to operations is obtained from the Regional State Administrative Agency’s permit application and request to inspect the place of activity. Information is obtained from the permit applicant (i.e. service provider) in connection with the inspection. If necessary, the municipality also obtains information from the rescue, building control and health protection authorities.

If a service provider applies to become a service voucher day care centre, information is obtained from the service provider through the system for service vouchers and outsourced services (PSOP).

For group family day care centres, information on the commencement of early childhood education operations and any substantial changes to operations is obtained from the notification and related documents provided by the service provider.

For private family day care providers, information on the commencement of operations is obtained from the notification and related documents provided by the service provider.

In addition, information needed for supervision is obtained in connection with audit and guidance visits and possible inspection and supervisory visits.

Data and documents are disclosed to the person requesting them in accordance with the Act on the Openness of Government Activities. Information and documents are public unless specifically defined as confidential under law.

The Social Insurance Institution of Finland (Kela) is informed of service providers approved by the municipality. Information on the approval and supervision of private early childhood education operations is disclosed to the Regional State Administrative Agency.

The City of Espoo may use operational or technical service providers to provide the service. The service providers process personal data on behalf of the City of Espoo and according to its instructions, to the extent that is necessary to enable service provision. The applications of service providers applying to become service voucher day care centres are processed in the system for service vouchers and outsourced services (PSOP) provided by Kuntien Tiera. Microsoft is Espoo’s service provider with regard to the email system and office productivity software (Microsoft Office).

Data in the client register of the PSOP system is not transferred outside the EEA.

Data may be transferred outside the European Union or the European Economic Area.

Microsoft workspaces are stored within the EU. Microsoft operates and develops Office 365 services from locations outside Europe, and data is considered to be transferred outside the EU if, for example, an administrator establishes a remote connection from the United States to a data centre in Europe, for example to solve a technical problem. In these circumstances, a European Commission-approved basis for transfer applies. The basis for the transfer is the European Commission’s adequacy decision on US data protection. The recipient of personal data is committed to the EU-US Data Privacy Framework.

Data is stored and destroyed in line with the City of Espoo’s records management plan and the applicable provisions and regulations issued by the National Archives of Finland.

As a rule, data is stored for 10 years or for 10 years after the end of the operations. A family day care provider’s plan regarding the services to be provided during the operating year is stored for two years.

Data protection legislation guarantees various rights for the data subject in relation to the processing of personal data. Requests concerning the data subject’s rights can be submitted to the city’s Data Protection Officer or the contact person of the register using the above-mentioned contact details.

If necessary, the controller may ask the data subject to provide additional information to fulfil the request.

The controller must respond to a request concerning the data subject’s rights without undue delay and no later than one month after receiving the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

If the data controller does not take action on the request of the data subject, the data controller must inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Requests from the data subject and any resulting actions are, as a rule, free of charge. However, where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.

The data subject shall have the right to obtain from the controller confirmation as to whether personal data concerning him or her is being processed as well as the right to access the data and to obtain a copy of the data. However, the provision of data shall not adversely affect the rights or freedoms of others.

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. In addition, taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed.

Under certain conditions, the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her. For example, if the processing of personal data is based on consent and the data subject withdraws his or her consent and there is no other legal ground for the processing, the data subject shall have the right to have his or her data erased. However, the data subject shall not have the right to erasure if the processing of data is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The data subject shall have the right to request the restriction of processing in certain situations. For example, if the accuracy of the personal data is contested by the data subject, processing is restricted for a period enabling the controller to verify the accuracy of the personal data. The right also applies if the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, which is processed for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In such a situation, the controller may only continue processing the personal data if the controller demonstrates compelling legitimate grounds for the processing. Processing may also continue if it is necessary for the establishment, exercise or defence of legal claims.

The data subject shall have the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes data protection legislation. The data subject can lodge a complaint with the Office of the Data Protection Ombudsman: www.tietosuoja.fi(external link, opens in a new window)

Change history: -