Processing of personal data in the City of Espoo’s M365 environment
Date of publication: 10.6.2025, updated 14.11.2025
1. Purpose of and grounds for processing personal data
Personal data is generally used in Espoo for the provision, planning and assessment of activities and services and for statistical purposes. Microsoft M365 (M365 Copilot) is an online working environment that is used to carry out tasks and obligations of employment relationships, elected officials and partners. Pupils use it as an online learning environment. M365 contains electronic tools and user-produced content.
For separately agreed purposes, the processing of data is enhanced with the help of the AI-based Copilot application in the M365 environment. AI (artificial intelligence) is not used to automate decision-making processes, but it is used as a tool in information-intensive work alongside other M365 tools.
Personal data is used for:
- M365 access rights management and logging in to the system
- Enabling interaction between users
- Use of email services
- Use of file services
- Work-related collaboration, use of tools and use of solutions to increase the efficiency of work
- Management of tools and information security solutions.
In this service, personal data is processed on the following legal grounds:
- To comply with the data controller’s legal obligation. [The Act on Information Management in Public Administration (906/2019) contains provisions on the processing of data in public administration. IT services include tasks related to the security of workstations, services and information systems and system management, for example to ensure security and to protect the availability, authenticity, integrity and confidentiality of personal data. According to the Act on Information Management in Public Administration (906/2019, sections 15–17), security measures, verifying access rights and compilation of log data are required.]
- For the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller when employees use the AI tool to make their work more efficient.
- For the performance of a contract. The data subject is a party to the contract, or the processing is necessary in order to carry out preparatory measures at the request of the data subject prior to entering into a contract.
2. What data is processed and what are the sources of data?
It is necessary to process the following data to provide the service:
Employees, partners:
- User’s name
- Groups to which the user belongs
- User’s role, job title
- Work unit
- Photo added by the user
- Email address
- User ID
- Employee ID (does not apply to partners)
- Phone number (mobile phone)
- Account information
- Workplace address
- IP address
For users who use the AI tool, the following data is also processed:
- User-specific conversation history, prompts, answers produced by AI
Learners:
- Person’s first and last name
- User ID
- Email address
- Learner ID
- Encrypted unique identifier
- Teaching groups
- School
- Class
- School ID
- Role: staff/student
- IP address
In addition, the environment contains content added by users, such as files, emails and calendar entries. Content produced by a user refers to images, texts, links, videos and audio files entered into the system for a defined group of users. The user can, for example, add to the service their own description of themselves and their area of responsibility, their mobile phone number, location information, competence information, date of birth and other areas of interest, to be viewed by everyone or by a limited group of users. The user can allow the utilisation of the information content that they produce and obtain information about their networking and closest friends.
We obtain data from the user directory, which receives learners’ information from the pupil register, employees’ information from the HR system, and partners’ (external users) information from themselves.
3. How long is data stored?
Personal data is stored for as long as it is necessary for the provision of the service or required by legislation. In terms of this service, data is deleted as follows:
Employees/partners:
The ending of an employment relationship or an agreement with a partner and the deletion of a user ID starts the automatic deletion of data. After the deletion of a user ID, personal data is stored in the cloud service for 30 days after the use of the service has ended. It is possible to restore a user’s email address and personal storage folder for four years. Data stored elsewhere in the environment by the user is stored in line with the lifecycle of the data.
Learners and teachers:
For learners and teachers, data is stored for 366 days after the pupil/employment relationship has ended. Data is deleted automatically. It is possible to restore a user’s email address and personal storage folder for four years.
Log data is stored for a maximum of two years. In situations where a user’s activities are investigated afterwards, the data in question is kept in separate storage for the time required by the case.
M365 is a work environment where documents to be archived or backed up must be stored in systems suitable for archiving.
4. Parties processing or receiving data
4.1 Parties processing data on behalf of the City of Espoo
Personal data is processed by the City of Espoo’s office-holders and employees as well as external operators from whom the City of Espoo purchases services or with whom the City of Espoo carries out cooperation projects. We only select contracting partners who comply with good personal data processing practices and meet the requirements of the General Data Protection Regulation. Compliance with data protection requirements is ensured through written agreements.
In this service, we use the following external service providers: Fujitsu Finland Oy and their subcontractors Atea, Toshiba, and Barona. Elisa Oyj (SOC services).
4.2 Disclosure of data to other organisations
Data is disclosed to the person requesting it in accordance with the Act on the Openness of Government Activities. In this service, data is only disclosed to authorities based on a legal request.
5. Will data be transferred outside the EU/EEA?
The City of Espoo aims to ensure, by default, that your personal data is processed within the EU/EEA. However, some services and functions may involve the use of service providers, services, or servers located outside this area. As part of the provision of this service, data is transferred to the United States.
Espoo is committed to complying with the criteria set by the General Data Protection Regulation (GDPR) for the transfer of personal data and has in this service ensured an adequate level of protection for personal data in accordance with the standard contractual clauses approved by the European Commission and the EU-US Data Privacy Framework.
6. Rights of the data subject
The General Data Protection Regulation of the European Union guarantees you various rights in terms of the processing of your personal data. You can read more about your rights and how to exercise them on the City of Espoo website: https://www.espoo.fi/en/city-and-decision-making/safety/data-protection#rights-of-the-data-subjec-7317
7. Data controller
City of Espoo
7.1 Contact person of the register
If you have questions or need more detailed information on the processing of personal data, you can contact the contact person of the register:
Juha Valtaharju, IT Manager
juha.valtaharju(at)espoo.fi
Tel. +358 44 5123529
Change history
- Date of publication 10.6.2025