Privacy notice: Processing of personal data, Youth Council election and Youth Council members

Date of publication: 2 January 2023

1. Data controller

City of Espoo

2. Person responsible for the register

Tero Luukkonen, Manager of Youth Services

Email: tero.luukkonen@espoo.fi

3. Contact person of the register

Tiia Ylä-Peräinen, Youth Work Coordinator

Email: tiia.yla-perainen@espoo.fi

4. Data Protection Officer

Data Protection Officer of the City of Espoo

Address: P.O. Box 12, 02070 City of Espoo

Tel. 09 816 21 (switchboard)

Email: tietosuoja@espoo.fi

5. For what purpose is personal data processed?

Personal data is processed for the purpose of organising the City of Espoo’s Youth Council election, establishing the Youth Council and enabling the activities of the Youth Council.

6. On what grounds is personal data processed?

Processing is necessary for compliance with a legal obligation to which the data controller is subject and for the performance of a task carried out in the public interest and in the exercise of official authority.

Provisions on the opportunities to be provided for young people to participate and exert an influence in youth councils are laid down in section 26 of the Local Government Act. Furthermore, provisions on young people’s right to participate and to be heard in matters that affect them are laid down in sections 8 and 24 of the Youth Act.

In addition, the candidate and/or their guardian is requested to give consent for the candidate to be photographed, stand as a candidate and participate in the activities of the Youth Council.

For special categories of personal data, such as political opinions expressed in election compass responses, the processing concerns personal data that the candidate has specifically made public.

7. What data is processed?

The personal data of Youth Council candidates, candidates’ guardians, elected members, persons entitled to vote, election compass users, and the election officials is processed in connection with the activities. The information in this privacy notice has been recorded on the basis of the election to be held in 2023.

7.1 Youth Council candidates and members

- name, date of birth, address, telephone number, email, educational institution, district of residence, consent to stand as a candidate.

- the candidate’s name, candidate number and district of residence are published in the online voting service.

- the candidate’s name, candidate number, postal code, email, year of birth, answer/mother tongue are handled in the election compass, as well as other information such as answers to questions on the election compass, picture, hobbies, reasons for standing as a candidate and campaign promise if the candidate so wishes. The election compass is a public website open to all.

- information on the number of candidates.

7.2 Under 18-year-old candidate’s guardian

- name, email address, telephone number.

- the candidacy form will include the signature of the candidate/guardian.

7.3 Persons entitled to vote

- information required for the identification of the pupil and the verification of their right to vote, which may include their name, municipality of residence, age/year of birth.

- information on whether the person has voted or not.

7.4 Election compass users

- information on election compass users, such as election compass responses, results or candidate recommendations, is only stored for the time the person uses the election compass. The election compass does not include technical monitoring of users. Due to the technical implementation of the election compass, the IP address of the election compass user is processed for a limited period of time.

- information on the number of election compass users.

7.5 Election officials

- name, school, email.

7.6 Youth Council members

The personal data of Youth Council members necessary for the organisation of the activities of the Youth Council is processed during the council term. This data includes the name, date of birth, email address, and phone number of the Youth Council member. To pay the allowance for general assemblies and other meetings, the social security number, home address and IBAN-number of the Youth Council member is also processed. The form to collect personal information is signed by hand.

The guardian of under 18-year-old Youth Council member is asked to provide a name, email address and phone number.

Is necessary, the Youth Council members and their guardians can also be asked to provide other information, for example a permission to participate to orientation weekend. The Youth Council member or their guardian can provide other additional information if they see necessary for the coordinators to know. This information will be handled according to laws.

8. What are the sources of data?

Data on the candidates is obtained from the candidates themselves.

The name, email address and telephone number of the candidate’s guardian are provided by the candidate. The consent of the guardian is requested for a young person under 18 to stand as a candidate, participate in Youth Council activities and be photographed.

Voters right to vote and candidates’ age and municipality of residence are checked in the Population Information System provided by Digital and Population Data Services Agency.

The responses and IP addresses of election compass users are obtained when they use the election compass. The data is only processed for the time the person uses the election compass. After using the election compass, the user’s responses, results or candidate recommendations cannot be linked to the user, not even through technical identifiers.

Data on the members of the Youth Council and their guardian is obtained from the members themselves.

Data on the election officials is obtained from educational institutions and the youth services. They are emplyees of city of Espoo.

In Microsoft’s O365 service, user identity of the election officials in the voter identification system is administered by Microsoft’s Azure Ad, which is the City’s centralised user authorisation management and log register, Microsoft AD and Azure AD. Privacy notice (in Finnish)

9. Will data be disclosed or transferred outside the city?

The information is given to authorities requesting it in accordance with the Act on the Openness of Government Activities. Information and documents are public unless they are expressly prescribed confidential by law.

An online voting service is used in the election. (Service Points use ballot papers). The candidate’s name, candidate number and district of residence are published in the online voting service.

The name, candidate number and photo of the candidate are published in the election compass if the candidate so wishes and the candidate/guardian gives their consent. The election compass is a public website open to all. After a candidate has been nominated, they can, if they so wish, submit their answers to the election compass questions.

The names of the members of the Youth Council and their the amount of votes they received in elections during said council term are published on the website of the City of Espoo’s Youth Council. Otherwise, personal data related to the Youth Council is only processed in the city by persons who need it to perform their work duties.

In the implementation of the Youth Council election and the activities of the Youth Council, the city uses personal data processors, who only process data within pre-established limits and for the purposes described in this privacy notice. Appropriate agreements are concluded in which the processors undertake to process personal data in a secure and confidential manner.

The processors of personal data can be divided into the following categories:

• Suppliers of IT systems and server environments

To enable the storage and IT processing of personal data, the city uses technical service providers, such as Microsoft and Fujitsu. The technical service provider of the eVaali online voting service is Arts & Minds Oy. The technical service provider of the election compass is Webscale Oy. The technical service provider of the Power Apps system used for the verification of voting rights is Solita Oy.

• Translation agency

The candidates’ election compass responses are translated with the help of a translation agency.

• Cooperation between cities

Information processed in the election compass is shared between the cities of Espoo, Helsinki and Vantaa.

10. Will data be transferred outside the EU/EEA?

Personal data is mainly processed in systems and data warehouses located within the European Union. Some of the processors of personal data or the services they provide are located outside the European Economic Area (EEA), and in these cases personal data is also transferred outside the area. The data in the systems is transferred outside the EEA, for example in situations where the IT system or cloud service used for the processing of personal data is located on a server outside the EEA, such as a server of a service provider based in the US.

In situations where personal data is transferred outside the EEA, safeguards are established to maintain the high level of data protection required by European legislation even after the personal data has been transferred. These safeguards include an adequacy decision by the European Commission and a commitment to the required safeguards, such as the EU-US Data Privacy Framework, by the recipient of personal data. Required safeguards may also include the use of standard contractual clauses adopted by the European Commission as part of agreements concluded with personal data processors, in addition to which the processors are required to observe appropriate technical and administrative safeguards.

11. How long will data be stored?

Data is stored and destroyed in line with Espoo’s records management plan and the applicable provisions and orders issued by the National Archives of Finland.

As a rule, the personal data of the candidates will be stored for the Youth Council term of approximately two years. Exceptions to this include the decision of the City Board on the list of candidates for the Youth Council, which includes the name, district of residence and candidate number of the candidate, as well as any other minutes, meeting memoranda, reports, brochures and posters related to the organisation of the election. Other election marketing materials, brochures, etc. to be archived vary annually.

The written consent forms signed by guardians are stored for 2 years from the confirmation of the election results.

The candidate’s name, photograph and responses entered in the election compass are stored until the election result is confirmed and for a maximum of 2 months after the election. The election compass user’s responses, results or candidate recommendations are only stored for the time the person uses the election compass. The election compass does not include technical monitoring of users.

The data on persons entitled to vote is stored until the City Board has confirmed the election result. At Espoo’s request, Solita Oy will destroy the list of persons entitled to vote, which is stored in the Power Apps system, after the election result has been published.

The personal data of the election officials is stored for the duration of the Youth Council election but no longer than 6 months.

The personal data of members of the Youth Council is stored for a period of 2 years, unless a longer storage period is specified for a document containing personal data. For example, the City Board’s decision on the appointment of the Youth Council and the minutes of the general assemblies of the Youth Council containing the names of the members will be stored for longer than 2 years.

12. How is data protected?

Electronic material: IT equipment is located in protected and controlled facilities. Each user has personal access rights to the files. Access rights are granted on a task-specific basis. Each user must accept the user agreement and non-disclosure agreement concerning the data and the information systems. Some of the data is in the City of Espoo’s Dynasty 10 decision-making system. Dynasty 10 privacy notice: Privacy notice (in Finnish)

Manual materials: The archives and units have access control and locked doors. Documents are stored in supervised premises in a locked cabinet or room.

13. Rights of the data subject

Further instructions on submitting information requests referred to in the General Data Protection Regulation: Data protection / Clients’ rights

The request can also be submitted using the contact details mentioned above.

13.1 How can I access my data?

You have the right to obtain from the data controller a copy of the personal data that is subject to processing. The data controller must provide the data without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

If the data controller does not take action on the request of the data subject, the data controller must inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Requests from the data subject and any resulting actions are free of charge. However, where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the data controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.

13.2 When can I request rectification of my data?

You have the right to have inaccurate, incomplete, outdated or unnecessary personal data that we store either rectified or completed by us.

13.3 When can I request erasure of my data?

You have the right to have the data controller erase your personal data without undue delay under certain conditions. The data subject does not have the right to erasure if the processing of data is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. In these cases, the data will only be erased after the statutory time limit.

13.4 When can I object to the processing of my data?

You have the right to object to the processing of your personal data when processing is based on the performance of a task carried out in the public interest. We have the right to continue processing personal data despite an objection if we have a particularly weighty reason for the processing.

13.5 When can I request restriction of processing of my data?

If the data concerning you is inaccurate, you have the right to request that its processing be restricted until its accuracy has been verified.

13.6 How can I withdraw consent?

You have the right to withdraw your consent to the processing of personal data at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

13.7 Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority if you feel that the processing of your personal data is in infringement of data protection legislation. You can lodge a complaint with the Office of the Data Protection Ombudsman: www.tietosuoja.fi(external link, opens in a new window)(external link, opens in a new window)