Privacy Notice, Talent Espoo: Marketing register

Personal data will be processed to improve, produce, and market the employment and economic services of the City of Espoo. In addition, the data will be used to deliver newsletters and client letters, and for other comparable processes.

Date of publication: 02 September 2021

1. Data controller

City of Espoo
P.O. Box 1, 02070 CITY OF ESPOO

2. Person responsible for the register

Harri Paananen, Director of Economic Development
harri.paananen@espoo.fi

3. Contact person of the register

Melissa Arni-Hardén, Senior Planning Officer
melissa.arni-harden@espoo.fi

4. Data protection officer

Data Protection Officer of the City of Espoo
Address: P.O. Box 12, 02070 City of Espoo
Tel. 09 816 21 (switchboard)
Email address: tietosuoja@espoo.fi

5. For what purpose will personal data be processed?

Personal data will be processed to improve, produce, and market the employment and economic services of the City of Espoo. In addition, the data will be used to deliver newsletters and client letters, and for other comparable processes. The data will also be used to produce networking events, including virtual events.

The aforementioned data processes are part of the City of Espoo’s role in executing and developing the national Talent Boost programme. More information on the Talent Boost programme can be found on the website of the Ministry of Economic Affairs and Employment of Finland. (extrernal link) 

6. On what grounds will personal data be processed?

In the case of private individuals: Article 6(1)(a) of the General Data Protection Regulation of the European Union: the data subject has given consent to the processing of his or her personal data for one or more specific purposes

In the case of companies and employers: Article 6(1)(e) of the General Data Protection Regulation of the European Union: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

7. What data will be processed?

Private person’s identification and contact data

  • given first and surname, telephone numbers, municipality of residence, e-mail address and other relevant contact data, such as links to social media accounts
  • person’s family data (such as guardian, dependent, number and ages of children under the age of 18, information regarding accommodation, the size of the household, information regarding the employment status of spouse), that will be used for instance to target services offered to persons moving to Finland for family reasons
  • need of service
  • information produced or offered by client
  • consent and preference data
  • data related to education, employment history and profession
  • language skills
  • data related to job offers and presentations to employers
  • newsletter logs
  • Log data of events arranged with third parties, such as participants of meetings related to the events, public chat data and participation data from virtual events.

Identification and contact data of companies’ and employers’ contact persons

People whose data can be processes are the register holder’s client and partner companies’ contact persons, persons who due to their position can be regarded cooperation partners, potential clients and/or are within the marketing sphere, persons in contact with the register holder and persons who have participated in the register holder’s events and have given their marketing consent.

The register may process the following data of the registered persons:

  • name
  • organisation, (department) and position
  • address of the organisation
  • e-mail address
  • phone number
  • open positions within the organisation
  • marketing efforts aimed at the registered person and participation in them
  • other data disclosed by the data subject
  • possible mailing bans (e-mail and mail)
  • information about changes to the above data
  • log data (e.g. opening of newsletters)
  • marketing measures targeted at the data subject and participation in them
  • log data of events arranged with third parties, such as participants of meetings related to the events, public chat data and session participation data from virtual events. 

Guidance and service-related data

  • visit and booking data
  • data related to organising the service
  • notes related to customer work, customer contacts and communications.
  •  customer-specific plans

Other data forming in the register

  • statistical events of the service

Maintenance systems of the records

  • EkaCRM (customer relations management system of the Economic Development and Employment unit
  • Protected online file storage of the City of Espoo with limited access and user rights.

8. What are the sources of data?

The data in the marketing register is received or collected from the registered person themselves, the website of the City of Espoo (contact forms, material downloads, newsletter submission forms), and from the enrolments to the events organised by the City of Espoo as well as third parties.

Personal data of contact persons of companies and employers can also be accessed via public internet- and other sources. Such data can also be gathered, saved and updated according to the registers of register holders offering address, update or other services.

9. Will data be disclosed or transferred outside the city?

Data will be given to cooperation partners who participate in planning and executing the services offered to the registered party.

10. Will data be transferred outside the EU/EEA?

Personal data will not be transferred outside the EU/EEA. To produce services, the data controller uses cloud services provided by third parties that are governed by United States legislation. This legislation may under special circumstances force cloud service providers to transfer information to United States authorities.

11. How long will data be stored?

The data will be stored and deleted according to a 10-year term.

12. How will data be protected?

The data is saved in the CRM system of the Economic Development and Employment unit and can only be accessed by the users of the marketing register.

The use of data systems is controlled and the systems can only be accessed with a user ID and password. The systems require a change of password at regular intervals.

Supervisors make decisions regarding granting and removing access rights. At the end of employment, access rights are revoked. The processing of personal data is monitored and controlled with the help of usage log information if it is possible to get the log information from the data system.

Each user must accept the City of Espoo’s information security commitment, including a usage and confidentiality commitment. The personnel are introduced to data protection and appropriate processing of personal data.

13. Rights of the data subject

If collection of data is based on consent, the customer can at any time revoke the consent and demand deleting of personal data by sending e-mail to the contact person of the register.

Further instructions on submitting information requests referred to in the General Data Protection Regulation.

How can I access my data?

You have the right to obtain from the controller a copy of the personal data that is subject to processing. The controller shall provide the data without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Requests from the data subject and any resulting actions are free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.

When can I request rectification of my data?

You have the right to have inaccurate, incomplete, outdated or unnecessary personal data that we store either rectified or completed by us.

When can I request erasure of my data?

You have the right to have the controller erase your personal data without undue delay under certain conditions. The data subject does not have the right to erasure if the processing of data is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In these cases, the data will only be erased after the statutory time limit.

When can I request restriction of processing of my data?

If the data concerning you is inaccurate, you have the right to request that its processing be restricted until its accuracy has been verified.

Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority if you feel that the processing of your personal data is in infringement of data protection legislation. You can lodge a complaint with the Office of the Data Protection Ombudsman: www.tietosuoja.fi.