Privacy Notice, City of Espoo: Marketing register

Date of publication: 14 June 2021

City of Espoo

P.O. Box 1, 02070 CITY OF ESPOO

Harri Paananen, Director of Economic Development
harri.paananen@espoo.fi

Mari Ala-Mikkula, Marketing and Communications Manager
mari.ala-mikkula@espoo.fi

Data Protection Officer of the City of Espoo
Address: P.O. Box 12, 02070 City of Espoo
Tel. +358 9 81621 (switchboard)
Email address: tietosuoja@espoo.fi

The marketing register is used for marketing the services and sales and networking events of the City of Espoo, for sending newsletters and for other similar activities.

On the grounds for processing personal data specified in the General Data Protection Regulation of the European Union.

• When marketing is aimed at private individuals, the processing of personal data stored in the register is based on the consent given by the data subject. Article 6(1)(a) of the General Data Protection Regulation.

• When marketing is aimed at companies, the processing of personal data stored in the register is based on the public interest. Article 6(1)(e) of the General Data Protection Regulation.

The groups of persons whose data may be processed are the contact persons of the data controller’s customer and partner companies, those classified as an ex officio partner, potential customer and/or within the sphere of marketing, persons in contact with the data controller, and those who have participated in events organised by the data controller or have given their permission for marketing.

The register may contain, for example, the following data about the data subjects:

• name
• organisation (and department) and position
• organisation’s address
• email address
• telephone number
• marketing measures targeted at the data subject and participation in them
• other data disclosed by the data subject
• possible mailing bans (email and mail)
• information about changes to the above data
• log data (e.g. opening of newsletters).

Data in the marketing register is acquired or collected from the data subject through the customer relationship, through the City of Espoo website (contact forms, material downloads, newsletter subscription forms) and through registrations for events organised by the City of Espoo and third parties and from publicly available Internet sources and other possible public sources. Personal data may also be collected, saved and updated from the registers of a data controller providing address or updating services or other similar services.

As a rule, personal data will not be disclosed to third parties. The City of Espoo may, however, disclose data in a manner permitted by legislation to, for example, its partners for marketing purposes if the data subject has given permission for disclosing their data. Data may also be disclosed in cases where it is considered that a third party can offer special information or benefit to a company represented by a person in the register.

Personal data will not be transferred outside the EU or the European Economic Area (EEA).

Personal data is stored for as long as it is necessary for the operations of the City of Espoo or until the data subject prohibits the processing of their data.

The data is saved in the CRM system of the Economic Development and Employment unit and can only be accessed by the users of the marketing register.

The use of data systems is controlled and the systems can only be accessed with a user ID and password. The systems require a change of password at regular intervals.

Supervisors make decisions regarding granting and removing access rights. At the end of employment, access rights are revoked. The processing of personal data is monitored and controlled with the help of usage log information if it is possible to get the log information from the data system.

Each user must accept the City of Espoo’s information security commitment, including a usage and confidentiality commitment. The personnel are introduced to data protection and appropriate processing of personal data.

Further instructions on submitting information requests referred to in the General Data Protection Regulation.

You have the right to obtain from the data controller a copy of the personal data that is subject to processing. The data controller must provide the data without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

If the data controller does not take action on the request of the data subject, the data controller must inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Requests from the data subject and any resulting actions are free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the data controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.

You have the right to have inaccurate, incomplete, outdated or unnecessary personal data that we store either rectified or completed by us.

You have the right to have the data controller erase your personal data without undue delay under certain conditions. The data subject does not have the right to erasure if the processing of data is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. In these cases, the data will only be erased after the statutory time limit.

If the data concerning you is inaccurate, you have the right to request that its processing be restricted until its accuracy has been verified.

You have the right to lodge a complaint with a supervisory authority if you feel that the processing of your personal data is in infringement of data protection legislation. You can lodge a complaint with the Office of the Data Protection Ombudsman: www.tietosuoja.fi