Skip to main content
SearchServices

Processing of personal data: City of Espoo’s centralised access management and log register

Date of publication: 10.6.2025, updated 14.11.2025

1. Purpose of and grounds for processing personal data

Personal data is generally used in Espoo for the provision, planning and assessment of activities and services and for statistical purposes. In this service, personal data is processed for the purpose of maintaining the user IDs and access rights of the City of Espoo’s administrative network and EDU network, online learning environments, and related services. The processing of data ensures data security and the continuity of operations. The monitoring and supervision of processing ensures data protection, user identity protection, and the legal protection of pupils and employees. Data can be used to investigate errors and monitor the use of information systems. In addition, data is used for problem-solving, customer service, contact information management, and collecting and monitoring IT system log data.

In this service, personal data is processed on the following legal grounds:

  • To comply with the data controller’s legal obligation. According to the Act on Information Management in Public Administration (906/2019, sections 15–17), security measures, verifying access rights and compilation of log data are required.
  • For the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

2. What data is processed and what are the sources of data?

It is necessary to process the following data to provide the service:

Staff, partners:

  • User’s name
  • Groups to which the user belongs
  • User’s role, job title
  • Work unit
  • Photo added by the user
  • Email address
  • User ID
  • Employee ID (does not apply to partners), learner ID (only education partners)
  • Phone number (mobile phone)
  • Account information
  • Workplace address
  • IP address
  • Encrypted identifier (employees)

Education:

  • Person’s first and last name
  • User ID
  • Email address
  • Learner ID
  • Phone number. General upper secondary school students can activate password self-service reset, in which case they enter their phone number in the service.
  • Encrypted unique identifier
  • School-related information (teaching groups, school, class, school ID)
  • Role: staff/student
  • IP address

Log data includes some identification data (e.g. user ID or email address) and personal data when using the following services: communication services, access control for applications and online services, network access control and connections, operating system and application logs.

For administration employees, we obtain information from the HR system, from where the necessary information is transferred to a local directory in the service provider’s data centre and from there to a cloud-based directory service.  For external partners, information is collected from the persons themselves.

In education, the main source of information is the school administration system and its staff, teacher and student registers.

The centralised log system contains log data produced by different IT systems.

3. How long is data stored?

Personal data is stored for as long as it is necessary for the provision of the service or required by legislation. In terms of this service, data is deleted as follows:

Employees/partners:

The ending of an employment relationship or an agreement with a partner and the deletion of a user ID starts the automatic deletion of data. After the deletion of a user ID, personal data is stored in the cloud service for 30 days after the use of the service has ended.

Log data is stored for a maximum of two years. In situations where a user’s activities are investigated afterwards, the data in question is kept in separate storage for the time required by the case.

Learners and teachers:

For learners and teachers, data is stored in a local directory service for 366 days after the pupil/employment relationship has ended. Data is deleted automatically.

Log data is stored for a maximum of two years. In situations where a user’s activities are investigated afterwards, the data in question is kept in separate storage for the time required by the case.

4. Parties processing or receiving data

4.1 Parties processing data on behalf of the City of Espoo

Personal data is processed by the City of Espoo’s office-holders and employees as well as external operators from whom the City of Espoo purchases services or with whom the City of Espoo carries out cooperation projects. We only select contracting partners who comply with good personal data processing practices and meet the requirements of the General Data Protection Regulation. Compliance with data protection requirements is ensured through written agreements.

In this service, we use the following external service providers: Fujitsu Finland Oy and their subcontractors Atea, Toshiba, and Barona. Elisa Oyj (SOC services). 

4.2 Disclosure of data to other organisations

Data is disclosed to the person requesting it in accordance with the Act on the Openness of Government Activities. In this service, data may only be disclosed to other authorities, for example the police, Data Protection Ombudsman or National Cyber Security Centre, for the investigation of information security incidents and crimes based on a separate request.

5. Will data be transferred outside the EU/EEA?

The City of Espoo aims to ensure, by default, that your personal data is processed within the EU/EEA. However, some services and functions may involve the use of service providers, services, or servers located outside this area. As part of the provision of this service, data is transferred to the United States.

Espoo is committed to complying with the criteria set by the General Data Protection Regulation (GDPR) for the transfer of personal data and has in this service ensured an adequate level of protection for personal data in accordance with the standard contractual clauses approved by the European Commission and the EU-US Data Privacy Framework.

6. Rights of the data subject

The General Data Protection Regulation of the European Union guarantees you various rights in terms of the processing of your personal data. You can read more about your rights and how to exercise them on the City of Espoo website: https://www.espoo.fi/en/city-and-decision-making/safety/data-protection#rights-of-the-data-subjec-7317

7. Data controller

City of Espoo

7.1 Contact person of the register

If you have questions or need more detailed information on the processing of personal data, you can contact the contact person of the register:

Juha Valtaharju, IT Manager

juha.valtaharju(at)espoo.fi

Tel. +358 44 5123529

Change history

  1. Date of publication: 22 June 2021
  2. Date of publication:  10 June 2025