Privacy Statement Processing of personal data, Youth council elections and youth councillors

The purpose of processing the personal data in the register is to organise the elections for the City of Espoo’s Youth Council, to establish the Youth Council and to enable the Youth Council to operate in accordance with Section 26 of the Local Government Act.

Date of publication of the Privacy Statement: 9 September 2021

1. Data controller

City of Espoo

2. Person responsible for the register

Head of regional youth services, e-mail: nina.taipale(at)espoo.fi

3. Contact person of the register

Youth Work Coordinator, e-mail: paula.vihiniemi(at)espoo.fi

4. Data protection officer

City of Espoo Data Protection Officer

Address: P.O. Box 12, 02070 City of Espoo

Tel. 09 849 21 (exchange)

E-mail: tietosuoja@espoo.fi

5. For what purpose is personal data processed?

The purpose of processing the personal data in the register is to organise the elections for the City of Espoo’s Youth Council, to establish the Youth Council and to enable the Youth Council to operate in accordance with Section 26 of the Local Government Act.

6. What are the legal grounds for processing personal data?

The EU’s General Data Protection Regulation, Article 6(1c): processing is necessary for compliance with a legal obligation to which the controller is subject;

7. What data is processed?

The personal data of Youth Council candidates, candidates’ guardians, elected members, persons entitled to vote, members of the electoral committee and corresponding teachers are processed in the activities. The information in this Privacy Statement was first recorded on the basis of the elections to be held in 2019.

Candidates and members of the Youth Council

- name, date of birth, address, telephone, e-mail, educational institute, district of residence, consent to be a candidate

- if the candidate wants to publish the following information: hobbies, reason for standing as candidate, campaign promise, photo.

- the name of the candidate and their candidate number are entered in the electronic voting service

- the name, candidate number and photo of the candidate are entered in the online candidate selection engine if the candidate wants it and gives permission. The candidate selection engine is a public website open to all.

- after the nomination, the candidate himself/herself goes to the website to submit answers to the candidate selection engine’s questions

Persons entitled to vote

- information required for the identification of the pupil and the verification of the right to vote, which may include name, municipality of residence, educational institute, class and academic year, age/year of birth

- information on whether the person has voted or not

The members of the school’s electoral committee and the responsible teacher

- name, school

Candidate’s parent/guardian

- the name and signature of the parent/guardian is entered in the candidacy form

The personal data of Youth Council members necessary for the organisation of the activities of the Youth Council is processed during the council term.

PUBLIC ACCESS TO INFORMATION AND CONFIDENTIALITY:

In principle, the data is not confidential by law.

8. Where is the data obtained from?

The data on the candidates is obtained from the candidates themselves. The candidate’s age and domicile are checked in the Population Information System. The name of the candidate’s parent/guardian is provided by the parent/guardian. Data on the persons eligible to vote is received from educational institutes. Data on the members of the Youth Council is obtained from the members themselves. Data on the members of the electoral committee and the responsible teacher is received from educational institutes.

9. Is data disclosed or transferred outside the city?

Data may only be disclosed on the basis of an individual data request to persons who have a legal right to process the data.

The personal data of candidates and persons entitled to vote is only processed by

- members of the school’s electoral committee for the organisation of elections

- members of the electoral working group appointed by the City Board, to the extent necessary to organise the elections and to prepare the establishment of the Youth Council

- staff of Service Points, who check the age and domicile of candidates, in cooperation with Youth Services, for candidates and when they take up votes.

An electronic voting service is used in the election. (Service Points use ballot papers). When a young person stands as a candidate, their parent/guardian is asked for consent to publish the candidate’s name and candidate number in the electronic voting service. In addition to these, permission is asked to publish the candidate’s picture in the candidate selection engine.

Candidates’ information is published on the website of the Youth Council only with the consent of the candidates and their parents/guardians. Each candidate specifies what personal data he/she wants to be published on the website.

The names of the members of the Youth Council during that council term are published on the website of the City of Espoo’s Youth Council. Otherwise, the personal data of the Youth Council is only processed in the city by persons who need it in their work duties.

To enable the storage and IT processing of personal data, the city uses technical service providers, such as Microsoft and Fujitsu. The technical service provider of the eVaali electronic voting service is Arts & Minds Oy. The technical service provider of the candidate selection engine is ZEF Oy.

10. Is data transferred outside the EU/EEA?

Personal data is stored on servers located in the EU or the European Economic Area (EEA).

The city staff use the Office 365 service (e.g. Word, Excel, e-mail) produced by Microsoft in their duties. The data is stored within the EU. Microsoft operates and develops the Office 365 services from non-European countries, and the data is considered to be transferred outside the EU if, for example, the administrator remotely connects to the European data centre from the United States, e.g. to resolve a fault situation. In these circumstances, for example, EU standard contractual clauses apply.

11. How long are the data kept?

The archive formation plan/data management plan of the City of Espoo and the legal provisions and regulations that are valid at the time are observed when storing and destroying data.

The personal data of persons entitled to vote, the members of the school’s electoral committee and the responsible teacher will be stored for the Youth Council term, i.e. for approximately two years.

As a rule, the personal data of the candidates will be stored for the Youth Council term of approximately two years. An exception to this is the decision of the City Board on the list of candidates for the Youth Council, which includes the name of the candidate, their major area of residence and candidate number, as well as any other minutes, meeting memoranda, reports, brochures and posters related to the organisation of the elections. Other election marketing materials, brochures, etc., to be archived vary annually.

The personal data of members of the Youth Council is retained for a period of 2 years, unless a longer retention period is specified for a document containing personal data. For example, the City Board’s decision on the appointment of the Youth Council and the minutes of the general assemblies of the Youth Council containing the names of the members will be kept for longer than 2 years.

12. How is the data protected?

Electronic material: IT equipment is located in protected and controlled facilities. Access rights to the files are based on personal access rights. Access rights are granted task-specifically. Each user accepts the access and confidentiality undertaking regarding information and information systems. Some data is in the City of Espoo’s Dynasty 360 decision-making system. D360 Privacy Statement: Data protection/Privacy Statements.

Manual material: Archives and units are protected by access control and locked doors. Documents are held on supervised premises in a locked cabinet or room.

13. The data subject’s rights

More detailed instructions on how to submit data requests in accordance with the GDPR: Data protection/Customer rights

13.1 How can I access my data?

You have the right to obtain from the data controller a copy of the personal data undergoing processing. The controller must provide the data without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and no later than within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Requests by the data subject and the related measures are free of charge. However, where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or refuse to take the action requested.

13.2 When can I request rectification of my data?

You have the right to have inaccurate, inaccurate, incomplete, outdated or unnecessary personal data that we retain, corrected or supplemented by us.

13.3 When can I request erasure of my data?

You have the right to have personal data concerning you erased by the data controller without undue delay under certain preconditions. You have no right to remove the data if, following the statutory commitment requires processing of the data or the processing is done for the purpose of performing a task concerning public interest or exercising official authority vested in the controller. In these cases, the personal data will only be destroyed after the statutory deadline.

13.4 When can I request restriction of processing of my data?

If the data collected about you is inaccurate, you may require that the processing of your customer data be restricted until the accuracy of the data has been verified.

13.5 Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority if you consider the processing of personal data to be in breach of data protection legislation. You can lodge a complaint with the office of the Data Protection Ombudsman: www.tietosuoja.fi (external link).(extrernal link)