Processing of personal data, The Event Register
Date of publication: 26 March 2019
1. Data controller
City of Espoo.
2. Person responsible for the register
Director of Communications.
3. Contact person of the register
Communications Unit, Mayor's Office, firstname.lastname@example.org
4. Data Protection Officer
5. For what purpose will personal data be processed?
The personal data in the register is processed for the purposes of communicating about events, supporting practical event arrangements, collecting feedback about events and reporting on it, and marketing corresponding events.
6. On what grounds will personal data be processed?
- Article 6(1)(a) of the General Data Protection Regulation of the European Union: the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- Article 6(1)(e) of the General Data Protection Regulation of the European Union: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. What data will be processed?
The Event Register contains the following information:
- contact information (email, telephone number, postal address depending on the case)
- organisation and title
- date of birth (depending on the case)
- information about special diets
- feedback information (primarily anonymous)
- the person’s consent to e.g. a newsletter
8. What are the sources of data?
The data subject provides the information when registering for an event.
9. Will data be disclosed or transferred outside the city?
Data will not be disclosed to parties external to the City of Espoo. If the City of Espoo organises the event in question in cooperation with other organisations and they act as joint controllers of the register, this will be explicitly stated on the event invitation.
10. Will data be transferred outside the EU/EEA?
Personal data will not be transferred outside the EU or the European Economic Area (EEA).
11. How long will data be stored?
- The information about special diets is removed as soon as possible after the event.
- A minimum storage period applies to personal data. Personal data is stored for as long as needed to enable the data subject to register for an event, and to enable the event to take place.
- Data storage periods are described in more detail in the records management plan of the City of Espoo.
- Personal data collection lists on paper will be destroyed in a data-secure way immediately after the information has been transferred into an electronic format.
12. How will data be protected?
Electronic materials are stored in data systems and applications that are protected against unauthorised use, for example with personal usernames and passwords. Access rights are limited so that users can access only the data they need to fulfil their duties.
Each user must accept the data and data system user agreement and non-disclosure agreement of the City of Espoo.
13. Rights of the data subject
Further instructions on submitting information requests referred to in the General Data Protection Regulation: https://www.espoo.fi/en/city-espoo/data-protection#section-7317
13.1 Can I access my data?
You have the right to obtain from the controller a copy of the personal data that is subject to processing. The controller shall provide the data without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.
If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
Requests from the data subject and any resulting actions are free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.
13.2 When can I request rectification of my data?
You have the right to have inaccurate, incomplete, outdated or unnecessary personal data that we store either rectified or completed by us.
13.3 When can I request erasure of my data?
You have the right to have the controller erase your personal data without undue delay under certain conditions. The data subject does not have the right to erasure if the processing of data is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In these cases, the data will only be erased after the statutory time limit.
13.4 When can I request restriction of processing of my data?
If the data concerning you is inaccurate, you have the right to request that its processing be restricted until its accuracy has been verified.
13.5 Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority if you feel that the processing of your personal data infringes data protection legislation. You can lodge a complaint with the Office of the Data Protection Ombudsman: www.tietosuoja.fi.