Data protection of the Vantaa.fi online service
In accordance with the EU General Data Protection Regulation, a person must be given information if they personal data is recorded in a personal register. Personal information includes, for example, name and address information. The registered person must also be informed about the purpose of personal data processing, where the data is disclosed according to the rules, and about the data subject's rights, as well as how personal data is processed in the publication system of the vantaa.fi web service.
This is a data protection information document that covers Vantaa’s official website vantaa.fi and the related themed xxx.vantaa.fi sites. The sites are created and managed through the Drupal content management and publication system. The data protection is described based on the situation on 15 March 2022.
The sites utilise integration to display public information from the following systems
Names and contact details of persons from Vantaa’s AzureAd environment: The system’s user credentials, providers of additional information regarding the ‘Topical’ content type, and elected officials.
Names and contact details of persons from Vantaa’s Matti system: Providers of additional information regarding the ‘Planning project’ content type.
Vantaa’s retrieved open-source information within the ‘Office register’ (TPR) family are shown on the TPR pages.
The website is monitored using Siteimprove’s availability and analytics tools.
The arrangement in question is owned by Vantaa and covers the City’s online services and the system that enables related content management and publication.
Using the Drupal system, site administrators manage the Vantaa website and relevant access rights. Content creation rights for the system are provided based on user role.
The system processes the following personal data
Drupal processes both identifiable and other personal data. The Drupal system includes the following personal data categories:
User credentials: username, first name, last name, e-mail address
Details of elected officials: the name, e-mail address, party and roles within a body are imported automatically. Elected officials can also independently publish a telephone number, major region, photo and other information about themselves.
Vantaa’s public websites include the following personal data categories
Employees’ personal details that are available on the website, such as name, telephone number, photo and e-mail address.
Notifications or other texts on the website that may include personal data.
Other personal details available on the website.
The IP addresses of site visitors that Vantaa has designated to be anonymised in analyses.
The relevant monitoring tool analyses information available on the website and data subject details belonging to the aforementioned personal data categories.
The site’s analytics applications do not collect information on what users enter in any forms available on the site. Information is collected based on the cookies accepted by each user. You can check the cookie settings through the site footer.
About the website
Purpose of processing personal data
Vantaa publishes personal data in accordance with the statutory obligations related to public activities.
For the purpose of user credentials, the City of Vantaa only collects the personal details necessary for the operation of the online service, content production, system maintenance and management of the aforementioned tasks. The City of Vantaa will never use this data for any other purposes, such as direct marketing or commercial aims.
Basis for processing personal data
Obligation to communicate
The Local Government Act states that a municipality must provide sufficient information on the services it arranges, the municipality’s finances, matters under preparation in the municipality, plans concerning these, the processing of these matters, the decisions taken and their effects.
Municipalities must provide information on how to participate in and influence the preparation of decisions.
Municipalities must ensure that the necessary information about preparatory work concerning matters for consideration by decision-making bodies is given out in a public information network once the meeting agenda is ready in order to satisfy the general need for information. In their online communications, municipalities must ensure that information which is required to be kept secret is not released in a public information network and that privacy protection is observed in handling personal data.
Obligation to publish a register of private interests
The municipal board, members of the local executive and of decision-making bodies managing tasks referred to in the Land Use and Building Act (132/1999), chairpersons and deputy chairpersons of the local council and of local authority committees, the chief executive, the mayor and deputy mayor, and presenting officers for the local executive and for local authority committees must submit a declaration of private interests concerning their managerial duties and positions of trust in enterprises engaged in business activities and in other corporate entities, about their significant assets and about other private interests that could be of significance in attending to a position of trust or in public posts.
Municipalities must maintain a register of private interests in a public information network, unless the provisions on secrecy require otherwise. When the position of trust or the task to which the obligation to declare relates comes to an end, the information about the person must be removed from the register and from the information network.
Is it necessary to provide personal data?
Yes. The content of the Vantaa.fi online service cannot be provided without personal data, which means that the details are necessary for arranging the service.
Will personal data be disclosed to other parties?
All public information can be viewed on the website.
Non-public personal data contained by the system will not be disclosed.
In what way are the personal details protected?
In order to ensure privacy, data security and data protection have been secured by means of various technical and organisational measures. For example, personal data may only be processed by persons who require the data for completing their work-related or public service tasks and only to the extent required on a task-specific basis.
Will personal data be transferred outside the EU or EEA area?
In cases where the processor of personal data processes the data on behalf of the City of Vantaa, the appropriate level of data security and data protection is agreed upon in the agreement made with the processor. As a general rule, information is only processed within the EU or EEC area.
What does the City do in the event of a data security breach?
Despite the protection measures, in some exceptional cases it is possible for personal data to be compromised by a data security breach or end up in the hands of a third party. In these cases, the City of Vantaa will take immediate action to rectify the situation and submit the necessary reports to the national Data Protection Ombudsman and the data subjects affected. The City of Vantaa will notify the Data Protection Ombudsman of any breach without undue delay and, where possible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to risk the rights and freedoms of any data subjects.
If the breach is likely to cause a high risk with regard to the data subjects’ rights and freedoms, the City of Vantaa will notify the data subjects of the breach without undue delay. In this case, the City will report the leak to those data subjects whose data is affected by the data security breach. If the data breach impacts a large group of people and does not require data subjects to take any immediate measures, notification may also be provided by means of a public release.
How long will the data be retained?
Your data will be stored and destroyed in accordance with the City of Vantaa data management plan. The document storage periods specified in the data management plan are based on legislation, the regulations of the National Archives of Finland on documents intended for permanent storage and the recommendations of the Association of Finnish Local and Regional Authorities on documents to be stored for a fixed period. After the storage period, the data will be destroyed.
Will the personal data be used for profiling or automated decision-making?
Your personal data will not be used for profiling or automated decision-making.
What kinds of rights do data subjects have, how does one exercise them and how long does processing take?
The term ‘data subject’ refers to the natural person whose personal data is being processed. Depending on the grounds for processing, data subjects have the right to:
check the information processed by the application,
request the rectification of erroneous or inaccurate information,
request the erasure of personal data,
request the restriction of the data processing, and
object to the processing of the data.
right to obtain the data and transfer it to another data controller, and to withdraw their consent at any time, if the processing is based on consent.
Access requests can be submitted via a separate form available through the vantaa.fi website and Vantaa Info desks. Should you wish to exercise other rights of a data subject or request additional information on the processing of personal data, please contact the person listed below in Section 15. The statutory requirements regarding exercising your rights will be confirmed on a case-by-case basis. Exercising your rights may require you to verify your identity.
The City of Vantaa will complete the requested measures without undue delay, but in any case no later than within a month of receiving the request. If necessary, the deadline may be postponed by a maximum of two months, based on the complexity and quantity of the requests. In the event that the deadline is postponed, the City of Vantaa will provide notification of the delay and the relevant grounds to the requesting party within one month of receiving the request.
Is exercising a data subject’s rights subject to a charge?
As a general rule, exercising one’s rights is free of charge. However, the City of Vantaa may collect a reasonable fee corresponding to the administrative costs for fulfilling a request or refuse a request if the data subject’s requests are clearly unfounded, unreasonable or recurring. If the intention is to collect a fee for fulfilling a request, the City of Vantaa will contact the person who submitted the request before fulfilment. In the event that the City of Vantaa refuses to fulfil the requested measure, the person who submitted the request will be provided with the grounds for the refusal in writing and informed of the opportunity to refer the matter to the Data Protection Ombudsman and resort to other legal remedies.
How can I submit an appeal to a supervisory authority?
If you suspect that your personal details are being processed unlawfully, you can appeal to a supervisory authority in the EU member state of your permanent residence or employment, or the member state where you consider the violation to have taken place. In Finland, the relevant supervisory authority is the Data Protection Ombudsman. More information and instructions on submitting an appeal are available on the website of the Office of the Data Protection Ombudsman and the office’s telephone guidance service.
More information: The Data Protection Ombudsman’s current instructions and contact details, tietosuoja.fi.
Where can I request more information, and which party serves as the data controller?
More information on the processing of personal data is available from the contact person specified below. Please note that e-mail is not a safe medium for processing personal data. As such, please do not send sensitive information, such as your personal identity code, via e-mail.
The data controller is the City of Vantaa. The contact information for the data controller and the data protection officer of the City of Vantaa are provided below:
City of Vantaa
Business ID 0124610-9