1. Register name

Online Feedback System

2. Data controller

City of Espoo
Tel. 09-81621

3. Person responsible for the register

Kirsi Remes
Customer Service Director
Tel. 09-81621
kirsi.remes@espoo.fi

4. Contact person of the register

Katariina Eskola
Specialist
Tel. 09-81621
katariina.eskola@espoo.fi

5. Data Protection Officer appointed by the organisation

Espoo City Data Protection Officer
Address: PL 12, 02070 Espoon kaupunki
Tel. 09-81621
Email: tietosuoja@espoo.fi

6. Purposes for processing personal data and the legal basis of processing

The personal data collected through the Online Feedback System are used only for processing and responding to feedback messages. As it is possible to provide anonymous feedback, it is not necessary to provide a name and contact details when sending feedback. The City of Espoo does not respond to anonymous feedback, but these messages are stored in the feedback database with other feedback messages.

If individuals enter their name and contact details on the feedback form or login to the system, a personal data register called the “Online Feedback System” is formed on the basis of the data provided.

The personal data included in the feedback can be processed and read only by those City of Espoo employees whose task is to respond to feedback or who have been granted the right to browse the system.

The city does not disclose personal data to external parties, unless it is necessary for the purpose of addressing the feedback received. Data can be exceptionally disclosed only for studies and surveys commissioned by the City of Espoo. The individuals responsible for these studies and surveys are bound to secrecy concerning personal data and contact details, and no personal data is published in the reports.

The register consists of feedback provided through the Online Feedback System and the data of users logged in to this system. The system can be found on the city’s website (http://www.espoo.fi, http://www.esbo.fi, https://espoo.fi/en-US). The feedback data is saved into the Online Feedback System. The purpose of this is to use the feedback to develop customer services and other city activities. The data will be used for compiling analyses and statistics from which individuals cannot be identified. Each feedback message recorded is considered a public document from the perspective of the Act on the Openness of Government Activities.

7. Contents of the register (description of the categories of data subjects and the categories of personal data)

The free text field allows the feedback provider to write freely. It is also possible to attach files to the feedback.

8. Sources of personal data

The system only saves data that the users provide on themselves voluntarily.

9. Recipients or categories of recipients of the personal data

The purpose of the Online Feedback System is to receive feedback, questions and suggestions from customers. Feedback providers are not required to give any personal data, as feedback can be left anonymously or using a pseudonym.

Feedback defined as public in the feedback system can be read through a REST interface (a 311 interface). The feedback does not contain personal information.

10. Transfer of data outside EU or the EEA

No transfer.

11. Data storage periods

We store personal data for the period of time they are needed for the purpose for which they have been collected.

12. Register maintenance systems and principles of protection

PRINCIPLES OF DATA PROTECTION:

A. Electronic materials IT equipment is located in protected and supervised premises. Each user has personal user rights to client data systems and files, and their use is monitored. User rights are given on a task-specific basis. Each user must accept a data and data system user agreement and non-disclosure agreement.

B. Manual materials No manual materials are generated.

13. Right of access to data

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.

The controller shall provide information without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

All information and actions taken on the grounds of a data subject’s right of access request, any information provided under Articles 13 and 14 of the GDPR and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge.

Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or

b) refuse to act on the request. The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request. Right of access requests should be made to the contact person of the register

14. Right to rectify data

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. The data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. Whether the data is incomplete will be determined in the light of the purpose for which the data in the register is processed.

If the controller refuses the request of a data subject of the rectification of an error, a written certificate to this effect shall be issued. The certificate shall also mention the reasons for the refusal and inform the data subject of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

The request for rectification should for example be made to the contact person of the register. Specify where more detailed instructions, forms, online service etc. can be found.

15. Right to lodge a complaint

Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation. This right is laid down in Article 77 the General Data Protection Regulation (GDPR, 2016/679).

16. Other potential rights

Requests should be made to the contact person of the register.

Right to erasure (Article 17 of the GDPR)

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the grounds laid down in Article 17(1) applies. The data subject does not have the right to erasure for example if the processing of data is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Right to restriction of processing (Article 18 of the GDPR)

The data subject shall have the right to obtain from the controller restriction of processing where one of the requirements laid down in Article 18(1)(a–d) applies.

Right to object (Article 21 of the GDPR)

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, which is processed for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Right to data portability (Article 20 of the GDPR)

The data subject shall have the right to have his or her data transmitted only if the processing of data is based on consent or on a contract, and if the processing is carried out by automated means. The data subject’s right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. If the processing of data is based on consent, the data subject shall have the right to withdraw his or her consent at any time.