Date: 9 July 2020

1. Register name

Zoning survey register – answer materials from resident surveys

2. Data controller

City of Espoo

3. Person responsible for the register

City Planning Director

4. Contact person of the register

Minna Hietanen, Special Planner

City Planning Department, Tekniikantie 15, 02150 Espoo

firstname.lastname@espoo.fi

5. Data Protection Officer appointed by the organisation

Data Protection Officer, City of Espoo

P.O. Box 12, 02070 City of Espoo

tietosuoja@espoo.fi

6. Purposes for processing personal data and the legal grounds of processing

The purpose of processing the personal data in the register is to implement the interactivity of spatial planning and collect the data needed for spatial planning. The survey’s results will be utilised for spatial planning.

Processing the personal data in the register is necessary for performing the task of public interest and exercising the official authority vested in the data controller. (Land Use and Building Act 132/1999)

7. Contents of the register

The respondents of the resident survey and the users of the zoning plan’s feedback system can be prompted to give their contact information as well as information about their age, family composition, mobility or their use of services.

PUBLICITY AND CONFIDENTIALITY OF INFORMATION: The information will primarily be public.

GROUNDS FOR CONFIDENTIALITY: According to the Act on the Openness of Government Activities, if information is classified.

8. Sources of personal data

The personal data in the register are received directly from the data subjects. Responding to the survey may require giving one’s personal data.

9. Disclosure of data

The answer materials collected through the Maptionnaire system can be disclosed to partners for analysis.

10. Transfer of data outside the EU or the EEA

The answer materials are not transferred outside the EU or the EEA. The respondent's other data, such as their IP address and browser data, can be processed and transferred outside the EU/EEA to such subcontractors (e.g. Mapbox, Maptiler) that follow the EU’s valid regulations concerning the transfer of personal data.

11. Data storage periods

The times for storing data have been defined in the City of Espoo’s information control plan.

12. Register maintenance systems and principles of protection

PRINCIPLES OF DATA PROTECTION:

A. Electronic materials

IT equipment is located in protected and supervised premises. Each user has personal user rights to client data systems and files, and their use is monitored. User rights are given on a task-specific basis. Each user must accept a data and data system user agreement and non-disclosure agreement.

The information is also available on Mapita Oy’s server, access to which requires a login and a password. The server is protected with appropriate measures. Mapita’s servers are located in Ireland and they follow the EU’s and Finland’s data protection regulations. The servers are maintained by Amazon Web Services, Inc., which also follows the EU’s data protection regulations.

B. Manual materials

Archives and units have access control and locked doors. Documents are stored in supervised premises and/or locked cabinets.

Instructions on submitting information requests referred to in the General Data Protection Regulation to the City of Espoo:

https://www.espoo.fi/en-US/Eservices/Data_protection/Client_rights

13. Right of access to data

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.

The controller shall provide information without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

All information and actions taken on the grounds of a data subject’s right of access request, any information provided under Articles 13 and 14 of the GDPR and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge.

Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

  • charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
  • refuse to act on the request. The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

14. Right to rectify data

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

The data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. Whether the data is incomplete will be determined in the light of the purpose for which the data in the register is processed.

If the controller refuses a data subject's request for the rectification of an error, a written certificate to this effect shall be issued. The certificate shall also mention the reasons for the refusal and inform the data subject of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

15. Right to lodge a complaint

Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation. This right is laid down in Article 77 of the General Data Protection Regulation (GDPR, 2016/679).

16. Other potential rights

Right to erasure (Article 17 of the GDPR)

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the grounds laid down in Article 17(1) applies. The data subject does not have the right to erasure, for example, if the processing of data is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Right to restriction of processing (Article 18 of the GDPR)

The data subject shall have the right to obtain from the controller restriction of processing where one of the requirements laid down in Article 18(1)(a–d) applies.

Right to object (Article 21 of the GDPR)

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, which is processed for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Right to data portability (Article 20 of the GDPR)

The data subject shall have the right to have his or her data transmitted only if the processing of data is based on consent or on a contract, and if the processing is carried out by automated means. The data subject’s right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

If the processing of data is based on consent, the data subject shall have the right to withdraw his or her consent at any time.