Privacy notice, Espoo’s Employment Services

Date of publication: 24 June 2021

The privacy notice was updated on 14 October 2025.

The City of Espoo and the KEHA Centre with which Espoo shares part of the register

Hilla-Maaria Suomi, Director of Employment Services at the City of Espoo
Address: P.O. Box 2125, 02070 City of Espoo
Tel. +358 9 81621 (switchboard)
Email info.work[at]espoo.fi

Hilla-Maaria Suomi, Director of Employment Services at the City of Espoo
Address: P.O. Box 2125, 02070 City of Espoo
Tel. +358 9 81621(external link, opens in a new window) (switchboard)
Email: info.work[at]espoo.fi

Data Protection Officer of the City of Espoo
Address: P.O. Box 12, 02070 City of Espoo
Tel. +358 9 81621(external link, opens in a new window) (switchboard)
Email: tietosuoja[at]espoo.fi

Personal, employer and company data is processed for the purposes of organising and providing employment services and carrying out the statutory duties of an employment authority.

Legislation governing the operations:

• Act on the Organisation of Employment Services (380/2023)
• Unemployment Security Act (1290/2002)
• Act on the Promotion of Immigrant Integration (681/2023)
• Act on Rehabilitative Work (189/2001)
• Social Welfare Act (1301/2014)
• Act on Multisectoral Promotion of Employment (381/2023)
• Young Workers’ Act (998/1993)
• Act on the Application of European Union Legislation Concerning the Coordination of Social Security Systems (352/2010)
• Municipalities Act, section 54 on delegation of powers: Agreement on managing official duties (410/2015).

Personal data is processed on the grounds of a legal obligation to which the controller is subject. Data is processed for the purpose of carrying out the statutory duties of the controller. The legislation governing the operations is listed above.

• Article 6(1)(a) of the General Data Protection Regulation of the European Union: the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
• Article 6(1)(c) of the General Data Protection Regulation of the European Union: Processing is necessary for compliance with a legal obligation to which the controller is subject.
• Article 6(1)(e) of the General Data Protection Regulation of the European Union: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
• Article 9(2)(a) of the General Data Protection Regulation of the European Union: The data subject has given explicit consent to the processing of this personal data for one or more specific purposes.

Clients’ identification and contact information 

• personal identity code, name, preferred first name, gender, address (and whether the address is subject to non-disclosure for personal safety reasons), telephone numbers, municipality of residence, mother tongue, service language, marital status, email address, pseudonymised client ID, and other necessary contact information
• the person’s family information (guardian, dependant, number and ages of children under 18 years of age, housing information, size of household)
• need for services
• information on work ability and functional capacity
• documents and service use information related to customer service
• plans
• service decisions and decisions on fees and related notifications
• information produced or provided by the client
• consent and preference data
• information on education, employment history and profession
• information on completed card and certificate training
• information on completed and discontinued coaching
• information on training and job offers and introductions to employers. 

Data related to guidance and service  

• data on appointments and visits
• data related to organising the service
• bulletins, invitations and newsletters sent to the client
• statements
• certificates provided by the client.

Data related to business and employer clients

• business or employer client’s name and contact information, such as contact person, address, telephone number, email address and business ID
• line of business, service profile, number of staff and information on publicly available vacancies
• reason for and date of contact
• information on unadvertised positions, work try-outs and pay subsidy jobs
• information on change situations. 

Other data generated in the register

• statistical data on the client relationship
• service invoicing data
• data on the payer of the service and determination of the fee
• log data generated by the use of the system.

Register data management systems

• Specialists’ Job Market Finland A-TMT (client register of the employment and economic development administration, KEHA Centre)
  • Personal identity code, name, gender, address (and whether the address is subject to non-disclosure for personal safety reasons), telephone number, municipality of residence, mother tongue, service language, nationality, email address, pseudonymised client ID, need for services, information on work ability and functional capacity, documents and service use information related to customer service, plans, information produced or provided by the client, consent and preference data, information on education, employment history and profession, information on completed card and certificate training, information on completed and discontinued coaching, labour policy statements, bulletins and information requests, meetings and contact with the client, and other necessary contact information.
  • Business or employer client’s name, contact person’s name, company’s address, telephone number and email address, reason for and date of contact, business sector, line of business, company’s size, publicly available vacancies, possible pay subsidy jobs, unadvertised positions and work try-outs, and communication with the business or employer client.
• General Grant System YA-TE (KEHA Centre)
  • Personal identity code, name, address, telephone number, municipality of residence, decision and payment information, and other necessary contact information.
• Appointment booking system
  • Pseudonymised client ID
• Typpi (system of the Labour Force Service Centres, KEHA Centre)
  • Personal identity code, name, preferred first name, gender, address (and whether the address is subject to non-disclosure for personal safety reasons), telephone numbers, municipality of residence, mother tongue, service language, marital status, email address, pseudonymised client ID, need for services, information on work ability and functional capacity, documents and service use information related to customer service, plans, information produced or provided by the client, consent and preference data, information on education, employment history and profession, and other necessary contact information.
• Koulutusportti (KEHA Centre)
  • Integration into the URA system Personal identity code, name, preferred first name, gender, address, telephone numbers, municipality of residence, mother tongue, service language, information on education, employment history and profession, and other necessary contact information.
• UMA system (Finnish Immigration Service) – viewing access only
  • Personal identity code, name, date of birth, place of birth, nationality, residence permit validity, residence permit type, grounds for residence permit, and status of residence permit extension application.
• VTJ query (Digital and Population Data Services Agency) – viewing access only
  • Personal identity code, name, date of birth, phone number, email, municipality of residence, most recent address, and date of death.
• Webropol
  • The following data is processed for the procurement of transition security training for over 55-year-olds: first name, last name, telephone number, email address, pseudonymised client ID, end date of the employment relationship, preferred start date of transition security training, and plan for the content of transition security training.
  • When determining the service needs of business and employer clients, the following data is processed: company’s name, contact person, email address, service needs inquired from and described by the company.
  • When registering for card and professional qualification training, the following data needs to be processed: client’s first name, last name, personal identity code, mother tongue, address, mobile phone number and email address, information on the service for which the client is registered, and consent information. On the registration form, the client must give their consent for the use of the form and the transfer of the information provided on the form to the service provider. If the client refuses to give their consent, they will be asked to contact training services by email at korttikoulutukset@espoo.fi. The client has the right to withdraw their consent for the use of the form at any time. The client can withdraw their consent by sending an email to the above-mentioned address. The information provided on the form includes information on the card or professional qualification training selected by the client, the name, date(s) and location of the training, and the work email address of the authority that carried out the registration. Information on the client’s registration is sent to the service provider through the Webropol system or a secure email system. 

  • In relation to coaching services, the client can express their interest in participating in coaching, and a coaching service can be ordered for them. The client’s name and personal identity code are required on both forms. The client’s consent to the use of the form is also required. If the client refuses to give their consent, they will be asked to contact coaching services by email at valmennuspalvelut@espoo.fi. The client’s municipality of residence (Espoo or Kauniainen) and client relationship with Employment Services are also required on the form used by clients to express an interest in participating in coaching. In addition, the client must choose the language of the form (Finnish, Swedish or English). The client can also provide further information about their wishes regarding the coaching (type of coaching) and other information in the text field. If the person does not live in Espoo or Kauniainen and/or is not a client of Espoo Employment Services, the form will remain anonymous and the person cannot provide information about themselves. 

    A phone number and the language of the service and the name and dates of the coaching are required on the form used for ordering coaching services. In addition, the work email address of the authority that carried out the registration and any additional information provided by the client are entered on the form. The following information is optional: email address, payer of unemployment benefit, and additional information on the client’s situation or needs and desire to obtain a competence passport. 

• Wilma system (Omnia, the Joint Authority of Education in the Espoo Region)
  • Personal identity code, name, address, telephone number, municipality of residence, and other necessary contact information.
• Dynasty 10 (decision-making system of the City of Espoo)
  • Name, date of birth, personal identity code, profession, address and other contact information, as well as other identifying information required by the matter being processed, description and metadata of the matter and documents, as well as processing and decision information concerning the matter.
• Espoo’s Power BI system
  • Pseudonymised client ID
• City of Espoo’s protected/access-restricted data network utilising Microsoft O365 cloud services.

Documents and other information provided by the client

If necessary, data and documents may be collected and obtained on the basis of the law or with the client’s consent from, for example, the following sources:

• wellbeing services county
• public employment and business services
• Kela
• private persons named by the client
• employer
• place of work or training try-out
• place of rehabilitative work experience
• work coach
• outsourced service provider
• rehabilitation centre
• pension institution
• employment register of the Finnish Centre for Pensions
• training and education providers
• YTJ (Finnish Business Information System) and Y-ATV
• unemployment funds.

Data will be disclosed to partners involved in the planning and/or implementation of the service offered to the data subject. Data may be disclosed to different authorities if there is a legal basis for it. Notwithstanding secrecy provisions and other restrictions on access to data, client data may be disclosed for the performance of statutory duties. If there is no legal basis for the disclosure of data, the data will only be disclosed with the consent of the client. 
Data on a pay-subsidised employment relationship will be disclosed to the KEHA Centre to the extent required by them. Client data related to fixed-term employment projects will be disclosed to project financiers to the extent required by them.

Personal data will not be transferred outside the EU or the European Economic Area (EEA).

The storage period and destruction of data are regulated by law. The City of Espoo stores data for the duration of the client relationship and for four (4) years after the end of the client relationship, excluding exceptional cases, such as accounting obligations and needs related to recovery measures. If documents containing data must be included in accounting materials or are used as a basis for payment transactions, the data is stored for at least six (6) years after the end of the accounting period. If documents are needed for recovery measures, the maximum storage period is twenty (20) years.

In connection with the following services, data is deleted annually: 

• Transition security training for over 55-year-olds (Webropol)
• Card training (Webropol)
• Coaching services (Webropol)

The data stored in the register is confidential. All employees who process data are bound by an obligation of secrecy and confidentiality. The obligation of secrecy and confidentiality will remain in force even after an employee’s employment relationship has ended.

Manual materials

Documents are stored in supervised premises and/or locked cabinets. Archived documents are transferred through the sector’s archives to the City Archives.

Data stored in the data systems

Data stored in the register systems is protected in a secure manner and can only be viewed by employees entitled to do so. The use of the data is based on a client relationship or another appropriate reason. The use of data systems is controlled and the systems can only be accessed with a user ID and password. The systems require a change of password at regular intervals. 

The system server, workstations and printers are stored in locked spaces.

Employees processing the data are bound by an obligation of confidentiality, and obtaining access rights requires a written commitment to confidentiality and information security. The obligation of secrecy and confidentiality will remain in force even after an employee’s employment relationship has ended. Supervisors make decisions regarding granting and removing access rights. At the end of employment, access rights are revoked.
The processing and viewing of the register data are monitored and controlled with the help of usage log information in accordance with the data protection monitoring and control plan.

How to submit a request for information to the City of Espoo (in Finnish)

How to submit a request to access personal data stored in the services of the Ministry of Economic Affairs and Employment(external link, opens in a new window) (tem.fi)

How can I access my data?

You have the right to obtain from the data controller a copy of the personal data that is subject to processing. The data controller must provide the data without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

If the data controller does not take action on the request of the data subject, the data controller must inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Requests from the data subject and any resulting actions are free of charge. However, where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the data controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.

When can I request rectification of my data?

You have the right to have inaccurate, incomplete, outdated or unnecessary personal data that we store either rectified or completed by us.

When can I request erasure of my data?

You have the right to have the data controller erase your personal data without undue delay under certain conditions. The data subject does not have the right to erasure if the processing of data is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. In these cases, the data will only be erased after the statutory time limit.

When can I request restriction of processing of my data?

If the data concerning you is inaccurate, you have the right to request that its processing be restricted until its accuracy has been verified.

Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority if you feel that the processing of your personal data is in infringement of data protection legislation. You can lodge a complaint with the Office of the Data Protection Ombudsman: www.tietosuoja.fi(external link, opens in a new window)