Privacy notice: Processing of personal data in the Economic Development Unit’s early-stage integration services (Koto-Espoo)

This privacy notice was published on 24 February 2025.

Client registers for early-stage integration services (Koto-Espoo):

• Koto-Aj
• Koto-CRM

City of Espoo

Tel. +358 9 81621

P.O. Box 1, 02070 City of Espoo

With regard to Koto-Aj, the City of Espoo serves as a joint controller with the KEHA Centre.

Teemu Haapalehto, Director of Economic Development (acting)

P.O. Box 12, 02070 City of Espoo

Tel. 09 816 21 (switchboard)

5. Contact person for personal data

Service Supervisor, Early-stage Integration Services (Koto-Espoo)

P.O. Box 23102, 02070 City of Espoo

Tel. 09 816 21 (switchboard)

Data Protection Officer of the City of Espoo

Address: P.O. Box 12, 02070 City of Espoo

Tel. 09 816 21 (switchboard)

Email: tietosuoja@espoo.fi

Espoo’s early-stage integration services process clients’ personal data in order to carry out the statutory duties assigned to the municipality.

The City of Espoo processes clients’ personal data for the following purposes:

• reception of quota refugees and other beneficiaries of international protection to be allocated to the municipality;
• mapping the client’s situation, assessing their competence and integration service needs and drawing up an integration plan;
• provision and monitoring of services that promote and support the integration of the client;
• guidance on other services;
• application for reimbursement of the costs of receiving refugees;
• planning, monitoring and assessment of and compilation of statistics on services for unemployed integration clients, and knowledge-based management.

Espoo is obligated to provide integration services to immigrants in Espoo and responsible for the reception of quota refugees and other beneficiaries of international protection taken in the municipality. The provision of services under the Act on the Promotion of Immigrant Integration requires the processing of clients’ personal data. Processing is necessary for compliance with the statutory obligations to which Espoo is subject.

After the integration period, clients’ data is processed with their permission.

• General Data Protection Regulation of the EU, in particular Article 6(1)(c) and Article 9(2)(h)
• Data Protection Act (1050/2018)
• Act on the Openness of Government Activities (621/1999)
• Decree on the Openness of Government Activities and on Good Practice in Information Management (1030/1999), chapter 2
• Act on the Promotion of Immigrant Integration (681/2023)
• Act on the Reception of Persons Applying for International Protection and on the Identification of and Assistance to Victims of Trafficking in Human Beings (746/2011)
• Administrative Procedure Act (434/2003)

The client register for early-stage integration includes client data related to the implementation of the Act on the Promotion of Immigrant Integration.

Data recorded in the register by the City of Espoo:

• the client’s identification and contact information (personal identity code, name, gender, address, telephone numbers, municipality of residence, mother tongue, service language, information on the need for an interpreter, marital status, email address, and other necessary contact information);
• the client’s date of entry, the date of issue of the residence permit, the grounds for and duration of the residence permit, the date of the first registration of municipality of residence, and work permit information;
• the client’s family information (spouse, dependant(s), number and ages of children under 18 years of age, family situation, housing information, household size);
• information related to the client’s education, competence and language skills;
• information on service needs, contact, booking and appointment information, summaries, statements, notes and client contact related to client work, the client’s service needs assessments and integration plans;
• the name(s) and contact information of the employee(s) from the client’s wellbeing services county;
• referral to services that support or promote integration;
• information and assessments concerning the client’s health and capacity to work and function, which have an impact on the integration of the client and are necessary for the provision of services;
• information produced or provided by the client;
• information regarding the guardian or trustee of a minor; and
• consent to the exchange of information and withdrawals of consent and other information on the client’s choices.

Public access to the data and confidentiality

Information regarding a client relationship with integration services is confidential pursuant to section 24 of the Act on the Openness of Government Activities (621/1999).

Espoo can, regardless of the client’s consent, request essential information about the client from the Social Insurance Institution (Kela), the employment authority, the wellbeing services county, the ELY centre, the Digital and Population Data Services Agency, the Finnish Immigration Service, the reception and registration centre, the provider of integration support services and the Regional State Administrative Agency, under the conditions set out in sections 80–94 of the Act on the Promotion of Immigrant Integration. The information and reports requested by Espoo must have a material impact on the integration client relationship and necessary for Espoo’s mandatory duties.

The regular sources of data are:

• the client or their legal representative.
• data related to the handling of the client’s case based on the employee’s observations;
• the Digital and Population Data Services Agency’s data on the population of the area;
• the Social Insurance Institution of Finland (Kela);
• the information system of the foreign nationals register;
• the employment authority
• data obtained with the consent of the client or their legal representative or on the basis of legislation.

When personal data stored in the register is obtained from a source other than the data subject, the register must indicate where the information has been obtained and who has filed the data.

Espoo may disclose data about the client with the explicit consent of the client or their legal representative. Espoo is obliged on the basis of legislation to disclose data about the client to other authorities. Before disclosing the data, Espoo will ensure that the party requesting the data has the right to obtain the data requested on the basis of legislation.

As a rule, Espoo does not transfer client data outside the European Union or the European Economic Area. For example, the data centres for the client data systems used by Espoo are located in EU or EEA countries.

Espoo transfers client data outside the EU or EEA countries in case of data exchange between authorities based on legislation.

Espoo transfers client data outside the EU and EEA countries only if the receiving country has been determined by a decision of the Commission to ensure an adequate level of data protection or the transfer is carried out using other appropriate safeguards specified in the General Data Protection Regulation of the EU (2016/679).

Client data will be deleted from the system four years after the end of the client relationship (Act on the Promotion of Immigrant Integration 681/2023, section 77).

The client’s personal data is stored in the integration client information system (Koto-AJ). In addition, before the introduction of the Koto-AJ system, clients’ data was stored in the Koto-CRM system, which will be kept as a passive archive until four years have passed since the end of the client relationship of those clients whose data is stored in the system. There are also paper documents containing client data.

Data storage, archiving, destruction and other processing are guided by records management plans and the data security and protection guidelines. Electronic data stored in the register is protected so that it can only be accessed by an authorised person. Each user accepts a commitment concerning access to and confidentiality of data and information systems when receiving access rights.

Employees who process client data are bound by an obligation of confidentiality. The obligation of confidentiality and secrecy continues even after the end of the employment relationship.

The IT equipment is located in protected and supervised premises. The equipment and programmes used by the City of Espoo are protected and secured in accordance with the city’s data security principles.

The processing of clients’ personal data is based on a client relationship or other relevant connection. Employees’ access rights are based on personal access rights, and Espoo uses log data to monitor their use. Each employee must accept the user and non-disclosure agreement concerning data and information systems. Espoo’s systems require a change of password at regular intervals. Supervisors make decisions regarding granting and removing access rights. Espoo deactivates the access rights at the end of an employee’s employment relationship.

Espoo’s units store documents on supervised premises and/or in locked cabinets. Espoo transfers archived documents to the Espoo City Archives.

A data subject, i.e. the client, or their legal representative has the right to be informed of whether Espoo processes personal data concerning the client. If Espoo processes personal data concerning the client, the client or their legal representative has the right to obtain a copy of the personal data being processed.

The guardian of an incompetent person has access to the person’s information if the exercise of the right of access is included in the guardianship decision. When submitting a request for access to personal data, the guardian must also provide a copy of the guardianship decision.

A donee of a continuing power of attorney also has the right to access the information of the person in question if the exercise of the right of access is included in the continuing power of attorney. The continuing power of attorney needs to be confirmed by the Digital and Population Data Services Agency or a local register office. When submitting a request for access to personal data, the donee of a continuing power of attorney must also provide a copy of the continuing power of attorney and a copy of the decision of the Digital and Population Data Services Agency or a local register office to confirm the continuing power of attorney.

Even though the personal data of the client may contain information about a third party (i.e. a person other than the client, the client’s legal representative, or a person who has a right of access to information about a child based on an agreement or a court decision), the third party does not have a right of access to the data.

The client or their legal representative may submit a request for access in person during a visit, by a document sent by post, or by visiting the Registry Office or a Service Point. Espoo has prepared a request form that the client or their legal representative can use when requesting access to data. The form is available at the Koto-Espoo units for early-stage integration and on the City of Espoo website(external link, opens in a new window).  If the client or their legal representative wishes to submit a request for access to personal data using a free-form document, the request must indicate if they wish to access all personal data or data for a specific period of time, and the name, personal identity code and contact details of the person submitting the request. If the request for access concerns the personal data of a person other than the one submitting the request, the request must include the name and personal identity code of the person whose data is requested. The client or their legal representative can send the request by post to: Early-Stage Integration Services (Koto-Espoo), Service Supervisor, P.O. Box 23102, 02070 City of Espoo. If the client or their legal representative submits a request for access to personal data to a unit, the Registry Office or a Service Point in person, Espoo will verify the person’s identity from a photo ID.

Espoo provides the data without undue delay and in any event within one month of receipt of the request. Where necessary, Espoo may extend that period by a maximum of two months. Espoo takes into account the complexity and number of requests when extending the period. Espoo informs the person requesting the data of the extension of the period and the reasons for the extension within one month of receipt of the request. Espoo informs the person requesting the data of its refusal to provide the data no later than within one month of receipt of the request. As a rule, Espoo sends the requested data to the address of the client or their legal representative indicated in the Population Information System.

The EU General Data Protection Regulation, the Data Protection Act and specific national legislation provide for situations where the data controller may refuse to provide the data requested by the client or their legal representative. If Espoo refuses to provide the requested data to the client or their legal representative, Espoo will, without delay and no later than within one month of receipt of the request, inform the person requesting the data of the reasons for not providing the data and the possibility of lodging a complaint with the Data Protection Ombudsman and seeking a judicial remedy.

As a rule, a request for access to personal data is free of charge. Where requests from the client or their legal representative are manifestly unfounded or excessive, in particular because of their repetitive character, Espoo may either charge a reasonable fee taking into account the administrative costs of providing the data or communication or taking the action requested, or refuse to provide the requested data.

The data subject, i.e. the client, or their legal representative has the right to request Espoo without undue delay to rectify inaccurate personal data concerning the client. The client or their legal representative has the right to have incomplete data completed. Espoo makes the changes so that the register shows information regarding the rectification, the person who made it, the date of the rectification and also the original entry. Espoo is obliged to inform each recipient to whom Espoo has disclosed data concerning the client of the rectification of the data. Espoo has no obligation to inform these recipients if it proves impossible or requires unreasonable effort.

Espoo fulfils the request without undue delay and in any event within one month of receipt of the request. Where necessary, Espoo may extend that period by a maximum of two months. Espoo takes into account the complexity and number of requests when extending the period. Espoo informs the person requesting the rectification of the extension of the period and the reasons for the extension within one month of receipt of the request. Espoo informs the person requesting the rectification of its refusal to rectify the data no later than within one month of receipt of the request.

The client or their legal representative may submit a request in person during a visit or by a document sent by post. The request must indicate the data to be rectified word for word, the proposed changes word for word, the reasons for the proposed changes, and the name, personal identity code and contact details of the person submitting the request. If the request for rectification concerns the personal data of a person other than the one submitting the request, the request must include the name and personal identity code of the person whose data is to be rectified. The client or their legal representative can send the request by post to: Early-Stage Integration Services (Koto-Espoo), Service Supervisor, P.O. Box 23102, 02070 City of Espoo. If the client or their legal representative submits the request to a unit, the Registry Office or a Service Point in person, Espoo will verify the person’s identity from a photo ID.

If Espoo refuses the client’s or their legal representative’s request for rectification of data, Espoo will inform the client or their legal representative of this in writing. Espoo will also give the reasons for the refusal and inform the client or their legal representative of the possibility of lodging a complaint with the Data Protection Ombudsman and seeking a judicial remedy.

Espoo may also rectify client data by supplementing it based on the view of the client or their legal representative.

If the conditions laid down in Article 17 of the EU General Data Protection Regulation are met, the client or their legal representative has the right to have personal data concerning the client erased without undue delay. As a rule, the client or their legal representative does not have the right to have personal data concerning the client erased in relation to social services because Espoo is legally obliged to process data (e.g. registration and filing obligation). The right of the client or their legal representative to have personal data concerning the client erased mainly applies to data that was originally unnecessary for its intended purpose. Espoo is obliged to inform each recipient to whom Espoo has disclosed data concerning the client of the erasure of the data. Espoo has no obligation to inform these recipients if it proves impossible or requires unreasonable effort.

The client or their legal representative can submit requests to erase data to the following address: Early-Stage Integration Services (Koto-Espoo), Service Supervisor, P.O. Box 23102, 02070 City of Espoo.

The client or their legal representative has the right to request Espoo to restrict the processing of personal data concerning the client if the accuracy of the personal data is contested by the client or their legal representative. In this case, Espoo will, as a rule, restrict the processing of personal data concerning the client until Espoo has verified the accuracy of the personal data. The General Data Protection Regulation provides for certain exceptions to the restriction obligation, which allow Espoo to process the client’s personal data subject to restriction under certain circumstances. Espoo must inform the client or their legal representative before the restriction of processing is lifted.

The client or their legal representative can submit requests to restrict data processing to the following address: Early-Stage Integration Services (Koto-Espoo), Service Supervisor, P.O. Box 23102, 02070 City of Espoo.

The processing of the client’s personal data in connection with integration services is based on compliance with statutory obligations. Therefore, the client or their legal representative does not have the right to object to the processing of personal data.

The processing of the client’s personal data in connection with early-stage integration services is based on compliance with statutory obligations. Therefore, the client or their legal representative does not have a right to data portability, i.e. a right to transfer the data to another system.

The client has the right not to be subject to decisions based solely on automated processing, which produce legal effects concerning the client or similarly significantly affect the client. Espoo does not use automated decision-making in the provision of integration services.

The client or their legal representative has the right to lodge a complaint with the Data Protection Ombudsman if the client or their legal representative considers that Espoo does not process personal data concerning the client in compliance with data protection legislation. More detailed instructions on how to lodge a complaint can be found on the website of the Office of the Data Protection Ombudsman.(external link, opens in a new window)

The right to lodge a complaint with the Data Protection Ombudsman is without prejudice to any other administrative or judicial remedy available to the client or their legal representative.