Privacy notice, Subscriber register of news and newsletters of urban development and local area marketing

Approved in the implementation project of the Data Protection

Regulation on 6 February 2018.

Privacy policy City of Espoo

1. Name of the data file

Subscriber register of news and newsletters of urban development and local area marketing.

2. Controller

City of Espoo

Urban Environment Sector

Marketing and communications unit

P.O. Box 49

02070 CITY OF ESPOO

Exchange +358 9 81621

3. Data file contact person

Marketing Manager

City of Espoo

Urban Environment Sector

P.O. Box 49

02070 CITY OF ESPOO

Exchange +358 9 81621

4. Data protection officer appointed by the organisation

Data protection officer

City of Espoo

P.O. Box 12

02070 CITY OF ESPOO

Exchange +358 9 81621

5. Purpose and legal grounds for processing the personal data

The purpose of processing the personal data in the data file is

  • delivering newsletters and single news items concerning the areas and urban development of Espoo
  • customer relationship communication
  • carrying out individual studies relating to the areas of Espoo and the development of the city

LEGAL GROUNDS:

Article 6(1e) of the EU General Data Protection Regulation

Providing personal data is based on voluntary consent.

6. Contents of the data file

Client’s name (The client can be an organization, a contact person in an organization or a private person.)

Client’s e-mail address

Client’s interests in Espoo city development and the areas of Espoo

PUBLIC ACCESS TO INFORMATION AND CONFIDENTIALITY:

The data forms a person register to which the Personal Data Act and, as of 25 May 2018, the Data Protection Regulation and the national Privacy Protection Act are applied.

7. Disclosure of personal data

The data shall not be sold or, as a rule, disclosed outside the organization of the City of Espoo. In exceptional one-off cases, data may be disclosed electronically to a co-operation partner working on behalf of the City of Espoo so that the data is used for the purposes mentioned under “Purpose of use of the data file” in a way specified by the City of Espoo.

8. Data retention periods

The controller shall keep the data until further notice. Inoperative e-mail addresses and data related to them shall be removed from the register.

9. Sources of personal data

Clients provide the data themselves.

10. Registry maintenance systems and protection of the data file

The data is saved in an electronic format.

IT equipment is located in protected and controlled facilities.

Access rights to the client information systems and files are based on personal access rights the use of which is controlled.

Access rights are granted task-specifically. Each user accepts the access and secrecy obligation regarding information and information systems.

11. Right of access by the data subject (Article 15)

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. The controller shall provide a copy of the personal data undergoing processing. If the data subject requests further copies, the controller may charge a reasonable fee based on administrative costs.

The controller shall provide the data without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and no later than within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Personal data provided upon request as well as information provided under Articles 13 and 14 of the EU General Data Protection Regulation and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge.

Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or

b) refuse to act on the request. The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

The request for information shall be addressed to the data file contact person.

12. Right to rectification (Article 16)

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

The data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. Whether the data is incomplete or not shall be assessed in the light of the purpose of the processing of personal data.

If the controller refuses the request of a data subject of the rectification of an error, a written certificate to this effect shall be issued. The certificate shall also include the reasons for the refusal and information on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

The rectification request shall be addressed to the data file contact person. Detailed instructions are available from the data protection officer of the organization.

13. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, a data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation. This right is based on EU General Data Protection Regulation (2016/679, Article 77).

14. Possible other rights

The requests shall be addressed to the data file contact person.

Right to remove data (Data Protection Regulation, Article 17)

The data subject shall have the right to have personal data concerning the data subject removed by the controller without undue delay, provided that any of the requirements in the Data Protection Regulation, Article 17(1) is met. There shall be no right to remove the data if, for example, following the statutory commitment requires processing of the data or the processing is done for the purpose of performing a task concerning public interest or exercising official authority vested in the controller.

Right to request limitation of processing (Data Protection Regulation, Article 18)

The data subject shall have the right to have the processing of the personal data limited by the controller if any of the requirements in Article 18(1a–d) is met.

Right of opposition (Data Protection Regulation, Article 21)

On the grounds of a special personal situation, the data subject shall at any time have the right to oppose the processing of personal data relating to him or her for the purpose of performing a task concerning public interest or exercising official authority vested in the controller. The controller shall not be allowed to process the personal data anymore, unless the controller can show that there is a very important and justified reason for the processing.

If personal data is processed for direct marketing purposes, the data subject shall at any time have the right to oppose the processing of personal data relating to him or her for this kind of marketing, including profiling relating to this kind of direct marketing. If the data subject opposes the processing of personal data for direct marketing purposes, the data may not be processed for this purpose anymore.

Right to transfer data from one system to another (Data Protection Regulation, Article 20)

The data subject shall have the right to the transfer only if the processing is based on consent or agreement and if the processing is performed automatically. The right of the data subject to transfer the data from one system to another shall not be applied to processing that is necessary for performing a task concerning public interest or exercising official authority vested in the controller.

If the data processing is based on consent, the data subject shall have the right to cancel his or her consent at any time.