Privacy notice, City of Espoo Employment Services

Here you can find information about the City of Espoo Employment Services’ practices concerning privacy and the processing of personal data as well as your own rights.

The privacy notice was published on 24 June 2021.

1. Data controller

City of Espoo.

2. Person responsible for the register

Harri Paananen, Director of Economic Development at the City of Espoo
Address: P.O. Box 12, 02070 City of Espoo 
Tel. +358 9 81621 (switchboard) 
Email address: harri.paananen@espoo.fi

3. Contact person of the register

Hilla-Maaria Sipilä, Head of Employment Services at the City of Espoo  
Address: P.O. Box 2125, 02070 CITY OF ESPOO 
Tel. +358 9 81621 (switchboard) 
Email address: hilla-maaria.sipila@espoo.fi 

4. Data Protection Officer

Data Protection Officer of the City of Espoo
Address: P.O. Box 12, 02070 City of Espoo
Tel. +358 9 81621 (switchboard)
Email address: tietosuoja@espoo.fi

5. For what purpose will personal data be processed?

Personal data will be processed for the purposes of organising and implementing employment services and carrying out the statutory duties of an employment and economic development authority.

Legislation guiding the operations

  • Act on Public Employment and Business Service (916/2012)
  • Unemployment Security Act (1290/2002)
  • Act on Job Alternation Leave (1305/2002)
  • Act on the Promotion of Immigrant Integration (1386/2010)
  • Act on Rehabilitative Work (189/2001)
  • Social Welfare Act (1301/2014)
  • Act on Multisectoral Joint Services Promoting Employment (1369/2014)
  • Act on the Application of European Union Legislation Concerning the Coordination of Social Security Systems (352/2010)
  • Act on Municipal Experiments to Promote Employment (1269/2020).

6. On what grounds will personal data be processed?

  • Article 6(1)(a) of the General Data Protection Regulation of the European Union: the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
  • Article 6(1)(c) of the General Data Protection Regulation of the European Union: processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Article 9(2)(a) of the General Data Protection Regulation of the European Union: the data subject has given explicit consent to the processing of this personal data for one or more specific purposes.

7. What data will be processed?

Clients’ identification and contact information  

  • personal identity code, name, preferred first name, gender, address (and whether the address is subject to non-disclosure for personal safety reasons), telephone numbers, municipality of residence, mother tongue, service language, marital status, email address and other necessary contact information  
  • the person’s family information (guardian, dependant, number and ages of children under 18 years of age, housing information, size of household)  
  • need for services  
  • data related to the ability to work and function
  • notes and contacts related to client work  
  • client-specific plans  
  • service decisions and decisions on fees and related notifications  
  • information produced or provided by the client  
  • consent and preference data  
  • data related to education, employment history and profession 
  • data related to job offers and introductions to employers.

Data related to guidance and service

  • data on appointments and visits  
  • data related to organising the service  
  • summaries  
  • statements  
  • certificates issued. 

Other data generated in the register

  • statistical data on the service
  • service invoicing data  
  • data on the payer of the service and on the determination of the fee  
  • log data generated by the use of the system.

Register data management systems

  • URA (personal customer register of the Employment and Economic Development Offices; the joint register’s data controllers are the KEHA Centre and TE Offices)
  • Typpi (system of the Labour Force Service Centre; the joint register’s data controllers are the KEHA Centre and TE Offices)
  • Koulutusportti (maintained by the KEHA Centre)
  • Wilma system (the data controller is Omnia, the Joint Authority of Education in the Espoo Region)
  • SosiaaliEffica (client register of adult social work and social assistance)
  • Dynasty 10 (decision-making system of the City of Espoo)
  • EkaCRM (customer relationship management system of the Economic and Urban Development Unit)
  • Protected online file storage of the City of Espoo with limited access rights.

8. What are the sources of data?

  • information provided by the clients themselves
  • If necessary, data and documents may be collected and obtained with the client’s consent from, for example, the following sources:
      • municipal social and health services
      • public employment and business services
      • Kela
      • private persons named by the client
      • employer, place of work try-out or rehabilitative work experience, work coach
      • outsourced service provider
      • rehabilitation centre
      • pension institution
      • health care professionals
      • services for substance abusers
      • employment register of the Finnish Centre for Pensions
      • various training and education providers
      • YTJ, the Finnish Business Information System.

9. Will data be disclosed or transferred outside the city?

Data will be disclosed to partners involved in the planning and/or implementation of the service offered to the data subject. Data may be disclosed to different authorities if there is a legal basis for it. Notwithstanding secrecy provisions and other restrictions on access to data, client data may be disclosed for the performance of statutory duties. If there is no legal basis for the disclosure of data, the data will only be disclosed with the consent of the client. Data on a pay-subsidised employment relationship will be disclosed to the Uusimaa TE Office and the KEHA Centre to the extent required by them. Client data related to fixed-term employment projects will be disclosed to project financiers to the extent required by them.

10. Will data be transferred outside the EU/EEA?

Personal data will not be transferred outside the EU or the European Economic Area (EEA).

11. How long will data be stored?

The data will be stored and deleted according to a 10-year term.

12. How will data be protected?

The data stored in the register is confidential. All employees who process data are bound by an obligation of secrecy and confidentiality. The obligation of secrecy and confidentiality will remain in force even after an employee’s employment relationship has ended.

Manual materials

Documents are stored in supervised premises and/or locked cabinets. Archived documents are transferred through the sector’s archives to the City Archives.  

Data stored in the data systems

Data stored in the register systems is protected in a secure manner and can only be viewed by employees entitled to do so. The use of the data is based on a client relationship or another appropriate reason. The use of data systems is controlled and the systems can only be accessed with a user ID and password. The systems require a change of password at regular intervals. 
The system server, workstations and printers are stored in locked spaces.  

Employees processing the data are bound by an obligation of confidentiality, and obtaining access rights requires a written commitment to confidentiality and information security. The obligation of secrecy and confidentiality will remain in force even after an employee’s employment relationship has ended. Supervisors make decisions regarding granting and removing access rights. At the end of employment, access rights are revoked.  

The processing and viewing of the register data are monitored and controlled with the help of usage log information in accordance with the data protection monitoring and control plan.

13. Rights of the data subject

How can I access my data?

You have the right to obtain from the data controller a copy of the personal data that is subject to processing. The data controller must provide the data without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

If the data controller does not take action on the request of the data subject, the data controller must inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Requests from the data subject and any resulting actions are free of charge. However, where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the data controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.

When can I request rectification of my data?

You have the right to have inaccurate, incomplete, outdated or unnecessary personal data that we store either rectified or completed by us.

When can I request erasure of my data?

You have the right to have the data controller erase your personal data without undue delay under certain conditions. The data subject does not have the right to erasure if the processing of data is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. In these cases, the data will only be erased after the statutory time limit.

When can I request restriction of processing of my data?

If the data concerning you is inaccurate, you have the right to request that its processing be restricted until its accuracy has been verified.

Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority if you feel that the processing of your personal data is in infringement of data protection legislation. You can lodge a complaint with the Office of the Data Protection Ombudsman.