Processing of personal data, client register for open early childhood education

Date of publication: 29 July 2024

City of Espoo

Virpi Mattila, Director of Finnish Early Childhood Education

Email: firstname.lastname@espoo.fi

Tel. 09 816 21 (switchboard)

System Specialists Sari Kuittinen and Sirpa Koljonen

Email: evakatuki@espoo.fi

Tel. +358 9 81621 (switchboard)

Helena Niemi, Data Protection Officer of the City of Espoo

Address: P.O. Box 12, 02070 City of Espoo

Tel. +358 9 81621 (switchboard)

Email: tietosuoja@espoo.fi

The personal data stored in this register is processed for the purposes of organising open early childhood education activities and taking care of related duties. Open early childhood education comprises residents’ parks and club activities.

The activities at residents’ parks are intended for children of different ages, their guardians and other adults taking care of children as well as for young schoolchildren.

Club activities offer an alternative to full-time or part-time early childhood education. At a club, 2–5-year-old children in home care get to participate in guided activities as part of a group of children.

Residents’ parks offer a snack to all young schoolchildren who have signed up. Guardians sign their children up for the snack service by filling in a form available at residents’ parks. The forms may also contain information on special diets.

For example, statutory information regarding the number of children is reported on the basis of the register (Act on Central Government Transfers to Local Government for Basic Public Services).

The register is used for compiling statistics for the City of Espoo. When statistics are compiled, the data is processed anonymously.

Article 6(1)(c) of the General Data Protection Regulation of the European Union: processing is necessary for compliance with a legal obligation to which the controller is subject.

Special categories of personal data to be processed may include health information. According to section 6 of the Data Protection Act, Article 9(1) of the Data Protection Regulation does not apply to any processing of data that is provided by law or that derives directly from a statutory duty set out for the data controller by law.

Key legislation:

• General Data Protection Regulation of the European Union (2016/679)
• Data Protection Act (1050/2018)
• Act on Early Childhood Education and Care (540/2018)

The processing of personal identity codes is based on section 29, subsection 1 of the Data Protection Act. The identification of the data subject and their personal data is important for the performance of a statutory duty. 

Client information system and forms related to early childhood education club activities

• Child’s name, personal identity code, contact information and mother tongue
• Guardians’ names, personal identity codes and contact information
• Other persons who live in the same household as the child
• Names and telephone numbers of other persons authorised to pick up the child
• Club application and decision
• information on the acceptance of a club place
• Other necessary information provided by the family
• Pedagogic documentation
• Child’s photograph
• Child’s absence information
• Child’s basic information form

Snack service for schoolchildren

• Snack service sign-up form submitted to Espoo Catering, including information on possible allergies and special diets
• Child’s name, contact information and other necessary information
• Guardians’ names and contact information
• Espoon Catering’s list of children who have signed up for the snack service, including information on possible special diets

Open afternoon activities for schoolchildren

• Contact information form: child’s name, telephone number, school and class; guardian’s name and contact information (the form is optional)

• Child’s guardians
• Early childhood education employees, service providers, persons responsible for outsourced and service voucher units
• Client information is obtained from the Digital and Population Data Services Agency
• An earlier provider of early childhood education may disclose public information that is needed for the organisation of the child’s early childhood education (section 16, subsection 3 of the Act on the Openness of Government Activities).
• Espoon Catering’s list of children who have signed up for the snack service

Data and documents are disclosed to the person requesting them in accordance with the Act on the Openness of Government Activities. Information and documents are public unless specifically defined as confidential under law.

For the purposes of statistics, a set of data concerning current placements, applications, persons, families, journal entries and unit information is compiled on a data warehouse server.

The City of Espoo may use operational or technical service providers to organise the service. The service providers process personal data on behalf of the City of Espoo and according to its instructions, to the extent that is necessary to enable service provision.

Service providers (processors) that process data through eVaka (early childhood education information system) on behalf of the City of Espoo: There is a contractual relationship between the City of Espoo and Digia, and Amazon is Digia’s sub-processor. 

As the data controller, the city uses personal data processors (service providers). The early childhood education information system uses a cloud service provided by Amazon. Processors may transfer data from the register outside the European Union or the European Economic Area only if the transfer meets the applicable statutory requirements and if the transfer and appropriate protection measures have been agreed upon between the controller and the processor as required by data protection legislation.

The storage location of Amazon’s cloud service is within the EU. If Amazon operates and develops services from outside Europe, data is considered to be transferred outside the EU. For example, if an administrator connects remotely from the United States to a European data centre to resolve an issue. In these situations, safeguards are established to maintain the high level of data protection required by European legislation even after the personal data has been transferred. These safeguards include an adequacy decision by the European Commission and a commitment to the required safeguards, such as the EU-US Data Privacy Framework, by the recipient of personal data. Required safeguards may also include the use of standard contractual clauses adopted by the European Commission as part of agreements concluded with personal data processors, in addition to which the processors are required to observe appropriate technical and administrative safeguards.

Data is stored and destroyed in line with the City of Espoo’s records management plan and the applicable provisions and regulations issued by the National Archives of Finland.

Data on a child who attends a club is stored in the system until six (6) years have passed since the end of the calendar year during which the child’s early childhood education ended. After the archiving period, the data is deleted from the electronic system either automatically or by the administrator. Physical materials are destroyed at the end of the archiving period.

The physical documentation required by the club, for example, the child’s basic information form is stored for as long as they attend the club plus 6 additional years.

As for the snack service for schoolchildren, the list of participants is stored in the residents’ park for one school year, after which the material is destroyed. 

Data protection legislation guarantees various rights for the data subject in relation to the processing of personal data. Requests concerning the data subject’s rights can be submitted to the city’s Data Protection Officer or the contact person of the register using the above-mentioned contact details.

If necessary, the controller may ask the data subject to provide additional information to fulfil the request.

The controller must respond to a request concerning the data subject’s rights without undue delay and no later than one month after receiving the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

If the data controller does not take action on the request of the data subject, the data controller must inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Requests from the data subject and any resulting actions are, as a rule, free of charge. However, where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.

The data subject shall have the right to obtain from the controller confirmation as to whether personal data concerning him or her is being processed as well as the right to access the data and to obtain a copy of the data. However, the provision of data shall not adversely affect the rights or freedoms of others.

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. In addition, taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed.

Under certain conditions, the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her. For example, if the processing of personal data is based on consent and the data subject withdraws his or her consent and there is no other legal ground for the processing, the data subject shall have the right to have his or her data erased. However, the data subject shall not have the right to erasure if the processing of data is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The data subject shall have the right to request the restriction of processing in certain situations. For example, if the accuracy of the personal data is contested by the data subject, processing is restricted for a period enabling the controller to verify the accuracy of the personal data. The right also applies if the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, which is processed for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In such a situation, the controller may only continue processing the personal data if the controller demonstrates compelling legitimate grounds for the processing. Processing may also continue if it is necessary for the establishment, exercise or defence of legal claims.

The data subject shall have the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes data protection legislation. The data subject can lodge a complaint with the Office of the Data Protection Ombudsman: www.tietosuoja.fi(external link, opens in a new window)

Change history: -