Tilapalvelut’s Privacy Policy

EU General Data Protection Regulation (GDPR)

The data protection regulation shall apply from 25th May 2018 onwards. This has led to the processing regulations of personal data becoming more detailed and stricter. The requirements of the data protection regulation must be taken in to account in all processing of personal data: in processes, data systems and acquisitions.

The aim of the new legislation is to improve the protection of personal data and the rights of data subjects. The appropriate processing of personal data increases transparency and strengthens the data subjects’ rights to monitor the processing of their personal data.

Various personal data is processed in Tilapalvelut Oy’s operations, such as in connection with staff administration, finance administration and camera surveillance. For this reason, Tilapalvelut Oy is obliged to prove that data protection matters have been sufficiently considered in its operations. In other words, we must ensure that personal data is processed in a legal, appropriate, and in terms of the data subject, in a transparent manner. In addition to this, personal data must be processed in a way that ensures the appropriate security of the personal data, including protection from unauthorised and illegal processing, as well as accidental losses.

Tilapalvelut’s privacy policies

The law requires Tilapalvelut, as the data controller, to prepare a privacy policy for each person register. The policy is used to, for example, inform customers about why their data is collected and what the data is used for.

Person register’s data

1. Name of the register

Tampere Tilapalvelut Oy’s camera surveillance person register

2. Purpose for processing personal data

  • Access control
  • Ensuring person safety
  • Prevention of situations that risk safety
  • Investigation of situation that has caused a risk to general safety
  • Investigation of situation that has been caused by an occupational accident or a risk to occupational safety
  • Protection of assets
  • Prevention of misuse
  • Investigation of misuse
  • Ensuring the benefits and rights of employees

According to Section 16 Subsection 1 of the Act on the Protection of Privacy in Working Life (759/2004), the employer may implement surveillance that is based on the use of a technical device, which conveys continuous imaging or records image (camera surveillance) in premises that are in use, for the purpose of ensuring the personal safety of employees and other people in the premises, for the protection of property or to supervise the appropriate completion of production processes, as well as to prevent and investigate and situations that have placed property or a production process at risk.

In addition, the employer has the right to use the register’s data to prove the reason for terminating an employment in situations referred to in Section 17 Subsection 2:1-3 of the Act on the Protection of Privacy in Working Life, for resolving or proving any disturbance or harassment referred to in the Act on Equality between Men and Women (609/1986) or harassment and inappropriate behaviour referred to in the Occupational Safety and Health Act (738/2002), as well as to resolve any occupational accident or other situation that has caused danger or threat as referred to in the Occupational Safety and Health Act.

3. Data controller

Tampere Tilapalvelut Oy, business ID 2863261-6

4. Data Protection Officer

Data Protection Officer Antti Räsänen
Tampere Tilapalvelut Oy
PO Box 1000, 33101 Tampere
Phone 040 806 3145

5. Register’s contact person and contact details

Maintenance Engineer Matti Pulkkinen
Tampere Tilapalvelut Oy
PO Box 1000, 33101 Tampere
phone 0500 806 053

6. Processing of register’s personal data has been outsourced with a service agreement

  • Yes

More information about outsourced processing:

There are mandates involved with the maintenance duties and expert application support of the register’s electronic data systems and their servers.

7. Legality of processing personal data

A)

Legitimate interest. The data controller’s legitimate interest is based on the data controller’s right to protect and monitor the data controller’s property as well as ensure the safety of the data controller’s properties and facilities. Camera surveillance has been organised in such a way that it does not violate the privacy protection of data subjects more than is necessary on the basis of the intended purposes defined by the data controller. The rights and freedoms of the data subjects do not supersede the data controller’s legitimate interest.

B)

The register is a public authority register

C)

The register’s data is used for automated individual decisions, including profiling

  • No

Person register’s personal data, data sources and disclosure of data

8. Personal data in the register

  • Image and audio material recorded by cameras that are part of the surveillance system, which has been created in premises and yard areas that are within the scope of technical camera surveillance, including the time of recording and the place of recording.
  • Surveillance areas are, in principle, indicated with visible “Recording video surveillance” signs and/or stickers.
  • Reports created on the basis of material

Publicity and confidentiality of information:

Recorded personal data is confidential

Associating data with other person registers:

Where necessary, data is combined with register data concerning access control and safety e.g. in criminal investigations (e.g. electronic door openings with access rights)

9. Maintenance systems of register data (system’s/application’s name(s))

Video recorders and computer hardware

10. The register includes manual (paper) material

Yes

11. Data sources of the register

Image and audio material conveyed by cameras in the recording surveillance system

12. Principles concerning the protection of data

The storage, archiving, deletion and other processing of data is controlled with archive formation plans and data security and data protection guidelines. Data that has been electronically stored in the register has been protected in such a way that only authorised persons have access to such data. Each user agrees to the terms set out on the Use and confidentiality of data and data systems, when gaining access rights.

13. Disclosure of personal data in the register

Regular disclosures of data

  • No

Basis for the disclosure of data

In suspected criminal situations, data may be disclosed to police authorities, if they have a justified reason to gain access to the data.

Data can be disclosed and processed between the City of Tampere’s own organisations for the purpose of promoting and implementing tasks carried out between business organisations and the City of Tampere’s organisations.

14. Transfer of the register’s data to a third country or international organisation (outside the EU or European Economic Area (EEA))

No

15. Personal data’s retention periods / Criteria determining the retention period

Recordings are stored carefully in such a way that they are only available to authorised people. The retention period is on average 14 days. If a report concerning damages, a crime or other matter requiring investigation is made during the retention period, the material can be retained to this extent for the period necessary for carrying out investigations. Recording equipment and recordings are stored in monitored facilities and they can only be processed by authorised people.

Person register’s data

1. Name of the register

Tampere Tilapalvelut Oy’s register of contracts

2. Purpose for processing personal data

  • Contract management and monitoring
  • Maintenance of customer accounts
  • Making orders
  • Validity and termination of agreements

Tilapalvelut Oy’s contracts are stored in the register of contracts. The register allows contract documents to be available and utilisable in the company’s daily internal activities. The data subjects of the register are people, who have a proper connection to the data controller as representatives of contractual partners.

Contracts are available to the company’s employees, who need the information to carry out their work duties. In addition, the framework agreements’ data is available to the employees of the Properties, premises and housing policy service group.

3. Data controller

Tampere Tilapalvelut Oy, business ID 2863261-6

4. Person in charge of register, job title and contact details

Administration Manager Mauri Heikkinen
Tampere Tilapalvelut Oy
PO Box 1000, 33101 Tampere
phone 040 773 4505

5. Register’s contact person and contact details

Designer Anna Koivumäki
Tampere Tilapalvelut Oy
PO Box 1000, 33101 Tampere
phone 040 660 1941

6. Processing of register’s personal data has been outsourced with a service agreement

No

7.  Legality of processing personal data

A)

  • Enforcement of a contract

B)

The register is a public authority register

  • No

The register is public administration’s voluntary tasks’ register

  • No

C)

The register’s data is used for automated individual decisions, including profiling

  • No

 

Person register’s personal data, data sources and disclosure of data

8. Personal data in the register

  • Contact details of contract contact persons (name, email, phone number, job title)
  • Information of the employees of a contractual partner (photo, date of birth, education, work experience, qualifications)

9. Maintenance systems of register data (system’s/application’s name(s))

  • Intranet (Tilapalvelut Oy)
  • Microsoft Office
  • Internal network’s protected/restricted network hard drive
  • Virta offices

10. The register includes manual (paper) material

Yes, Tilapalvelut Oy’s paper archive

11. Data sources of the register

Contractual partner

12. Principles concerning the protection of data

The storage, archiving, deletion and other processing of data is controlled with archiving guidelines and data security and data protection guidelines. Data that has been electronically stored in the register has been protected in such a way that only authorised persons have access to such data. Each user agrees to the terms set out on the Use and confidentiality of data and data systems, when gaining access rights.

The data of the register of contracts is protected by means of user rights. The manual material is in locked archive premises.

13. Disclosure of personal data in the register

Regular disclosures of data

  • No

14. Transfer of the register’s data to a third country or international organisation (outside the EU or European Economic Area (EEA))

No

15. Personal data’s retention periods / Criteria determining the retention period

The retention period of contracts has been defined in Tilapalvelut’s archive formation plan.

Person register’s data

1. Name of the register

Tampere Tilapalvelut Oy’s finance administration’s person register

2. Purpose for processing personal data

The data controller (Tampere Tilapalvelut Oy) collects, stores, organises, analyses, retains, edits, searches and disclosed personal data for the purposes of carrying out sales invoicing and purchase invoices.

The data subjects of the register are people, who have a proper connection to the data controller, either as a customer or a contractual partner. Registered personal data may also be based on the data controller’s customer mandate or for the implementation of a service performance defined by law.

The data controller uses data in the register to carry out tasks concerning the data subjects that it is subject to in accordance with laws (Art 6 Section 1 c), separate decisions, orders or on the basis of a need concerning the fulfilment of a contract (Art 6 Section 1 b).

3. Data controller

Tampere Tilapalvelut Oy, business ID 2863261-6

4. Person in charge of register, job title and contact details

Financial Manager Jani Knuuttila
Tampere Tilapalvelut Oy
PO Box 1000, 33101 Tampere
phone 040 5423 136

5. Register’s contact person and contact details

ICT Officer Antti Räsänen
Tampere Tilapalvelut Oy
PO Box 1000, 33101 Tampere
phone 040 806 3145

6. Processing of register’s personal data has been outsourced with a service agreement

  • Yes

At the company’s mandate, third-party service providers shall process personal data, for example, in connection with opening data in the SAP system and in connection with RATI notifications (obligation to inform concerning construction). In addition, there are mandates involved with the maintenance duties and application expert support of the register’s electronic data systems and their servers.

7. Legality of processing personal data

A)

Legal obligation

Legislation guiding operations:

  • Archives Act (831/1994)
  • Value Added Tax Act (1501/1993)
  • EU General Data Protection Regulation (2016/679)
  • Accounting Act (1336/1997)
  • Act on Tax Assessment Procedure (1558/1995)
  • Act on Debt Collection (513/1999)
  • Act on the Status and Rights of Social Welfare Clients (812/2000)
  • Data Protection Act (added, when the law is approved by the Parliament).

Enforcement of a contract

B)

The register is a public authority register

  • No

The register is public administration’s voluntary tasks’ register

  • No

C)

The register’s data is used for automated individual decisions, including profiling

  • No

 

Person register’s personal data, data sources and disclosure of data

8. Personal data in the register

  • Tampere Tilapalvelut Oy’s customers and contractual partners: Name, phone number, address details.
  • Personal data received by Tampere Tilapalvelut Oy and personal data based on mandates of the City of Tampere (Elderly people’s services and Disabled services) for the implementation and invoicing of service performances: Name and address details.

9. Maintenance systems of register data (system’s/application’s name(s))

  • SAP system (Systeme, Anwendungen und Produkte in der Datenverarbeitung Aktiengesellschaft).
  • Internal network’s protected/restricted network hard drive.
  • Virta offices.

10. The register includes manual (paper) material

Yes, Tilapalvelut Oy’s paper archive.

11. Data sources of the register

  • Customers
  • Contractual partners and clients
  • Business and organisation data system
  • Tilaajavastuu online service

12. Principles concerning the protection of data

The storage, archiving, deletion and other processing of data is controlled with archiving guidelines and data security and data protection guidelines. Data that has been electronically stored in the register has been protected in such a way that only authorised persons have access to such data. Each user agrees to the terms set out on the Use and confidentiality of data and data systems, when gaining access rights. There is access control and/or locked doors in place in case of manual archives and operating units. Documents are stored in monitored facilities and/or locked cabinets

13. Disclosure of personal data in the register

Regular disclosures of data

  • Yes

The data controller shall further disclose necessary personal data to the City of Tampere (Elderly people’s services and Disabled services) which it has received for the implementation of assigned mandates (such as the name and address details of the subject of the mandate) in connection with sales invoices. The transfer of data is therefore a case of further disclosing to a data source, who the data controller has received the personal data from.

14. Transfer of the register’s data to a third country or international organisation (outside the EU or European Economic Area (EEA))

No

15. Personal data’s retention periods / Criteria determining the retention period

The data controller shall not store personal data for longer than allowed by law, and only for the duration necessary for offering the data controller’s services and for implementing the obligations set out by legislation.

According to Section 2 Subsection 10.1 of the Accounting Act, the financial statements, annual report, accounting books and the list of accounting books and materials must be stored for at least 10 years after the end of the financial year in order to meet the requirements set out in Section 6,7 and 9 of the second chapter. In addition, according to Section 2 Subsection 10.2 of the Accounting Act, the receipts for the financial year, correspondence concerning business transactions as well as accounting books other than those referred to in Subsection 1 shall be stored for at least six years from the end of the year during which the financial year has ended, in such a way that the requirements of Section 6, 7 and 9 are fulfilled. According to the Value Added Tax Act (1501/1993), any receipts concerning property investments must be retained for 13 years from the end of the calendar year that ends, when the review period referred to in the Value Added Tax Act begins (209 q §).

Person register’s data

1. Name of the register

Tampere Tilapalvelut Oy’s staff administration’s person register

2. Purpose for processing personal data

Management of staff administration and service relationship matters.

The data subjects of the register are people, who have an appropriate connection with the data controller either as an employee, a former employee, a person working on a mandate or a person who has worked on a mandate, a jobseeker, a student, a trainee or as a person who belongs or has belonged to the proscribed organs of the company.

The company uses the data in the register when carrying out such activities concerning the data subjects, which are its responsibility on the basis of laws, collective agreements and separate decisions and regulations. The register is also used for acquiring work force, supporting the internal access of staff, maintaining the staff’s skill data, maintenance of vaccination data, as a tool for employees as well as a tool for staff management.

3. Data controller

Tampere Tilapalvelut Oy, business ID 2863261-6

4. Data Protection Officer

Data Protection Officer Antti Räsänen
Tampere Tilapalvelut Oy
PO Box 1000, 33101 Tampere
Phone 040 806 3145

5. Register’s contact person and contact details

Administration Manager Mauri Heikkinen
Tampere Tilapalvelut Oy
PO Box 1000, 33101 Tampere
phone 040-773 4505

6. Processing of register’s personal data has been outsourced with a service agreement

Yes

At the company’s mandate, third-party service providers shall process personal data, for example, in connection with interviews and assessments concerning recruitments. In addition, there are mandates involved with the maintenance duties and application expert support of the register’s electronic data systems and their servers.

7. Legality of processing personal data

A)

  • Legitimate interest. The data controller’s legitimate interest is based on the data controller’s right to process employees’ personal data otherwise than just to enforce an employee’s employment contract, to the extent necessary while considering that the data controller may only process personal data that is directly necessary in terms of the employee’s employment, which are related to the management of the employment parties’ rights and obligations or the benefits offered to the employees by the employer, or due to the special nature of the work duties. The rights and freedoms of the data subjects do not supersede the data controller’s legitimate interest.
  • Legal obligation. The processing of personal data is partly based on the data controller’s legal obligations, such as the requirements set out by employment contracts legislation and legislation concerning occupational safety.
  • Consent
  • The data subject has the right at any time to withdraw consent concerning the processing of personal data without notifying the data controller.
  • Enforcement of a contract
  • The processing of personal data is necessary for enforcing and preparing an employment contract.

B)

The register’s data is used for automated individual decisions, including profiling

  • No

 

Person register’s personal data, data sources and disclosure of data

8. Personal data in the register

Description of data subjects’ groups and personal data groups:

Basic details, such as

  • Name
  • Social security number
  • Home address and other contact details
  • Bank contact details and tax card
  • Contact details of next-of-kin

Basic details related to employment, such as

  • Start and end date of employment
  • Employee’s photograph
  • Employment contract and its terms, such as monetary wage and other methods of remuneration and benefits
  • Content of job duties and title
  • Details concerning employment benefits
  • Details related to taxes and employer fees
  • Details related to insuring the employee
  • Details about trade union membership
  • Separate commitments and consents collected from the employee, such as the right to review emails or a separate non-disclosure agreement
  • Details concerning the end of employment and work certificates

Details concerning the management of work duties, work development and the monitoring of working hours

  • Working time accounts
  • Qualification details and details concerning training
  • Details concerning objectives and development discussions
  • Details about responsibility duties and memberships paid by the employer
  • Sick leaves, annual leaves, parental leaves and family care leaves as well as any other agreed absences (e.g. study and job alternation leaves)
  • Medical certificates or statements or other details concerning the employee’s health status or work capacity, to the extent that legislation allows the processing of such data

Details concerning work equipment, such as

  • Licences issued to the employee and usernames and passwords to the employee’s electronic systems and registers
  • Identification details of work equipment assigned to the employee, such as for computers and mobile devices, as well as access cards, keys and other equivalent equipment

9. Maintenance systems of register data (system’s/application’s name(s))

  • DNA switch/phonebook
  • Efecte
  • E-form
  • ESS7 (added)
  • ID card system
  • HEPE
  • City’s website
  • Microsoft Office
  • Personec F and Personec F (ESS)
  • SAP Bw
  • SAP Hr
  • SAP portal
  • Selma
  • Sinfo
  • Timecon GMS
  • Titania
  • Trip & Expence
  • Tunkki
  • Työturva Monitor
  • Internal network’s protected/restricted network hard drive
  • Virta offices
  • Windows (AD)

10. The register includes manual (paper) material

Yes

11. Data sources of the register

  • Data subject him-/herself
  • Data subject’s supervisor
  • Interviews related to job seeking
  • Staff administration’s decisions
  • Police authority
  • Kela
  • Occupational healthcare and other providers of health care services
  • Keva
  • Insurance companies
  • Tax administration
  • Employment and Economic Development Centre

Where necessary, data is combined with the City of Tampere’s and Tilapalvelut Oy’s camera surveillance register details and the company’s and city’s access control, working hours and meal allowance person register, as well as the details of the region of Tampere’s user and non-disclosure register of data and data systems.

In addition, the information of the register is combined with the information of the user register of the data systems used by the data controller.

Data is also combined with the occupational health care information acquired by the company.

12. Principles concerning the protection of data

The storage, archiving, deletion and other processing of data is controlled with archive formation plans and data security and data protection guidelines. Data that has been electronically stored in the register has been protected in such a way that only authorised persons have access to such data. Each user agrees to the terms set out on the Use and confidentiality of data and data systems, when gaining access rights.

13. Disclosure of personal data in the register

Regular disclosures of data

  • Yes

Personal data is disclosed within the scope allowed and obliged by currently prevailing legislation. Data is regularly disclosed to Tax Administration, Kela, pension institutions, occupational health care providers and trade unions.

Data is transferred to service suppliers mentioned in Section 9 as well as equivalent operators, who process personal data on behalf of the data controller.

14. Transfer of the register’s data to a third country or international organisation (outside the EU or European Economic Area (EEA))

No

15. Personal data’s retention periods / Criteria determining the retention period

Storage is carried out in accordance with Tampere Tilapalvelut Oy’s archive formation plan.

Person register’s data

1. Name of the register

Tampere Tilapalvelut Oy’s project administration’s person register

2. Purpose for processing personal data

Projects’ contact detail lists, monitoring of project progress and conveyance of information, e.g. distribution of minutes, meeting invitations, etc.

The data subjects of the register are people, who have a proper connection to the data controller, either as a customer or a supplier.

3. Data controller

Tampere Tilapalvelut Oy, business ID 2863261-6

4. Person in charge of register, job title and contact details

Development Manager Jukka Kauppinen
Tampere Tilapalvelut Oy
PO Box 1000, 33101 Tampere
phone 050 321 0355

5. Register’s contact person and contact details

ICT Officer Antti Räsänen
Tampere Tilapalvelut Oy
PO Box 1000, 33101 Tampere
phone 040 806 3145

6. Processing of register’s personal data has been outsourced with a service agreement

No

7. Legality of processing personal data

A)

  • Enforcement of a contract

B)

The register is a public authority register

  • No

The register is public administration’s voluntary tasks’ register

  • No

C)

The register’s data is used for automated individual decisions, including profiling

  • No

 

Person register’s personal data, data sources and disclosure of data

8. Personal data in the register

Description of data subjects’ groups and personal data groups

  • Contact details of people participating in the project (name, email, phone number, job title, employer)

Maintenance systems of register data (system’s/application’s name(s))

  • Haahtela Pris (project bank)
  • Internal network’s protected/restricted network hard drive
  • Virta offices

9. The register includes manual (paper) material

No

10. Data sources of the register

Data subjects themselves

11. Principles concerning the protection of data

The storage, archiving, deletion and other processing of data is controlled with archiving guidelines and data security and data protection guidelines. Data that has been electronically stored in the register has been protected in such a way that only authorised persons have access to such data. Each user agrees to the terms set out on the Use and confidentiality of data and data systems, when gaining access rights.

12. Disclosure of personal data in the register

Regular disclosures of data

  • No

13. Transfer of the register’s data to a third country or international organisation (outside the EU or European Economic Area (EEA))

No

14. Personal data’s retention periods / Criteria determining the retention period

Duration and warranty period of a project

Person register’s data

1. Name of the register

Tampere Tilapalvelut Oy’s maintenance’s person register

2. Purpose for processing personal data

Duties concerning the maintenance of properties and the arrangement of services. Easy availability of contact persons is ensured.

The data subjects of the register are people, who have a proper connection to the data controller, either as a service provider, client or user of the premises.

3. Data controller

Tampere Tilapalvelut Oy, business ID 2863261-6

4. Person in charge of register, job title and contact details

Maintenance Manager Marko Siirtola
Tampere Tilapalvelut Oy
PO Box 1000, 33101 Tampere
phone 050-3516437

5. Register’s contact person and contact details

Maintenance Manager Marko Siirtola
Tampere Tilapalvelut Oy
PO Box 1000, 33101 Tampere
phone 050-3516437

6. Processing of register’s personal data has been outsourced with a service agreement

Yes

7. Legality of processing personal data

A)

  • Consent
  • Enforcement of a contract

B)

The register is a public authority register

  • No

The register is public administration’s voluntary tasks’ register

  • No

C)

The register’s data is used for automated individual decisions, including profiling

  • No

 

Person register’s personal data, data sources and disclosure of data

8. Personal data in the register

Description of data subjects’ groups and personal data groups:

  • User details (job title, name, phone, mobile, email, language, RES publication key, PRIS publication key) (Property data)
  • Company register (private person) (Name, social security number, address details, phone, email and bank details) (Property data)
  • Company register (company) (Name, address details, phone and email) (Property data)
  • User register (Name, user group, address, email, phone, fax, social security number, profession, employer, salary base, language, e-billing address and additional information) (Property data)
  • Property managers and other staff of Tilapalvelut Oy’s subjects (Name, phone) (RES)
  • Service request operators (customers)
  • Service providers and their contact details

9. Maintenance systems of register data (system’s/application’s name(s))

  • Haahtela property data
  • Haahtela RES
  • Haahtela Pris
  • E-form
  • Internal network’s protected/restricted network hard drive
  • Virta offices

10. The register includes manual (paper) material

Yes

11. Data sources of the register

  • Data subject him-/herself
  • Data subject’s supervisor
  • Users of premises
  • City of Tampere (Properties, premises and housing policy service group)
  • Tredu kiinteistöt Oy
  • Tampere Palvelukiinteistöt Oy

12. Principles concerning the protection of data

The storage, archiving, deletion and other processing of data is controlled with archive formation plans and data security and data protection guidelines. Data that has been electronically stored in the register has been protected in such a way that only authorised persons have access to such data. Each user agrees to the terms set out on the Use and confidentiality of data and data systems, when gaining access rights.

13. Disclosure of personal data in the register

Regular disclosures of data

  • No

14. Transfer of the register’s data to a third country or international organisation (outside the EU or European Economic Area (EEA))

No

15 .Personal data’s retention periods / Criteria determining the retention period

Storage is implemented in accordance with the company’s and the City of Tampere’s archive formation plans to the extent that a service concerning the company’s person registers is purchased by the City of Tampere.

Customer register’s data

1. Name of the register

Tampere Tilapalvelut Oy’s customer register

2. Purpose for processing personal data

Tilapalvelut’s customers’ data is stored in the register. Personal data is processed for purposes that concern the management, administration and development of the customer account, as well as for carrying out customer surveys.

The basis for processing personal data is the customer relationship between the data controller and the customer.

The data controller shall personally process personal data as well as utilise contractual partners operating on behalf of the data controller in the processing of personal data.

3. Data controller

Tampere Tilapalvelut Oy, business ID 2863261-6

4. Data Protection Officer

Data Protection Officer Antti Räsänen
Tampere Tilapalvelut Oy
PO Box 1000, 33101 Tampere
Phone 040 806 3145

5. Register’s contact person and contact details

Administration Manager Mauri Heikkinen
Tampere Tilapalvelut Oy
PO Box 1000, 33101 Tampere
phone 040-773 4505

6. Processing of register’s personal data has been outsourced with a service agreement

Yes

At the company’s mandate, third-party service providers shall process personal data in connection with customer satisfaction surveys.

7. Legality of processing personal data

Legitimate interest. Personal data is processed in the management of customer accounts.

 

Person register’s personal data, data sources and disclosure of data

8. Personal data in the register

The following information is processed about the data subject:

Name, title, work email, work phone number, property name, property address, service sector, industry, level of customer account.

9. Data sources of the register

The data subjects themselves and public data sources

10. Principles concerning the protection of data

The storage, archiving, deletion and other processing of data is controlled with archive formation plans and data security and data protection guidelines. Data that has been electronically stored in the register has been protected in such a way that only authorised persons have access to such data.

11. Disclosure of personal data in the register

No

12. Transfer of the register’s data to a third country or international organisation (outside the EU or European Economic Area (EEA))

No

13. Personal data’s retention periods / Criteria determining the retention period

Storage is carried out in accordance with Tampere Tilapalvelut Oy’s archive formation plan.

Rights of the data subject and their implementation in Tampere Tilapalvelut Oy’s person registers

The EU General Data Protection Regulation (EU) 2016/679 ensures various rights for the person, whose data is processed (=data subject). Rights are applied in different ways depending on the basis of processing personal data. The person has e.g. the right to know, if his/her personal data is being processed and what personal data is processed, as well as the right to request for details about him/her. The person also has the right to require any incorrect personal data to be rectified.

Right to review data (right to access personal data, Article 15)

The person has the right to know, whether or not his/her personal data is being processed, and what personal data is stored about him/her. At the data subject’s request, Tampere Tilapalvelut Oy shall deliver the details as soon as possible without undue delay. The deadline for delivering details or providing additional information concerning a request for data is one month from the receipt of the request. If the request for data is abnormally complex or extensive, the deadline can be extended to two months.

In principle, the data subject’s details are delivered free of charge. If several copies are requested, Tilapalvelut may however charge a reasonable fee for them based on administrative costs. If the request for data is eminently unjustified or unreasonable, particularly if requests for data are repeatedly presented, Tilapalvelut may charge for the administrative costs caused for delivering the details or refuse to deliver the details at all. In such cases, Tilapalvelut shall prove the distinct unfounded or excessive nature of the request.

If Tilapalvelut does not deliver the data, a written certificate on the matter shall be issued. In the same connection, we tell about the right to legal remedies, for example, the option to appeal to a supervising authority.

Right to rectify information (Article 16)

The person has the right to require that any personal data concerning him/her that are incorrect, inaccurate or incomplete are rectified or supplemented without undue delay. In addition, the person has the right to require that any unnecessary personal data is removed. The necessity and inaccuracy are assessed according to the recording moment of the data.

If Tilapalvelut does not approve the request to rectify, a written certificate is issued, which states the reasons on which basis the request has not been approved. We shall also tell about the right to legal remedies, for example, the option to appeal to a supervising authority.

Right to be forgotten (Article 17)

Only in certain exceptional situations, the person has the right to have all his/her personal data removed from Tilapalvelut’s registers (right to be forgotten). Such right does not however apply in cases where the processing of personal data is necessary to fulfil a legal obligation or for the purpose of using the government Tilapalvelut is entitled to. Tilapalvelut’s archiving guidelines and the storage times of data set out in legislation shall apply to the storage and removal of data.

Right to limit processing (Article 18)

A person may, in certain circumstances, have the right to request for limitation of processing his/her personal data for the duration that his/her data has been appropriately reviewed, rectified or supplemented.

Right to transfer data from one system to another (Article 20)

The right does not apply to such processing of personal data, which is necessary for carrying out a task concerning general interest or for using the government that the data controller is entitled to. Thus, the right is not applicable in principle to Tilapalvelut’s person registers.

Right to oppose (Article 21)

The person has the right to oppose the processing of personal data at any time on the basis of his/her personal, special circumstances, even if processing is based on carrying out a task concerning general interest or the use of the governing power that Tilapalvelut is entitled to. In this case, data may only be continued to be processed, if there is a substantially important and justified reason for the processing, which can be proven.

Right to complain to an authority (Article 77)

A person has the right to appeal particularly to the supervising authority of his/her permanent residential or workplace location, if he/she deems that the EU General Data Protection Regulation (EU) 2016/679 is being violated in the processing of personal data. In addition to this, the person has the right to use other administrative appeal methods and legal remedies.

A person also has the right to make a claim against the data controller or the personal data processing organisation, if he/she deems that his/her rights have been violate due to the data protection regulation not being observed in the processing of his/her personal data.

How are rights implemented?

Please contact Tilapalvelut’s Data Protection Officer or the register’s contact person.

Data Protection Officer:
Antti Räsänen
ICT Officer
040 306 3145
firstname.lastname@tampere.fi

Data protection officer’s contact details and duties

Antti Räsänen
ICT Officer
040 306 3145
firstname.lastname@tampere.fi

  • Participates in the planning operations concerning the organisation’s processing of personal data
  • Participates in the preparation and maintenance concerning the data protection and data privacy guidelines approved by the data controller
  • Monitors and supervises the processing of personal data and their protection methods
  • Participates in the implementation of data protection training organised for the data controller’s staff
  • Supports the staff and data subjects in data protection issues
  • Operates as a link to supervising authorities
  • Reports to the management group of the organisation about the status of data protection and development needs, including internal audits and user supervision
  • Is responsible for other tasks supporting data protection that have been assigned by the management group of the organisation

Rights of the data subject and their implementation in Tampere Tilapalvelut Oy’s person registers

The EU General Data Protection Regulation (EU) 2016/679 ensures various rights for the person, whose data is processed (=data subject). Rights are applied in different ways depending on the basis of processing personal data. The person has e.g. the right to know, if his/her personal data is being processed and what personal data is processed, as well as the right to request for details about him/her. The person also has the right to require any incorrect personal data to be rectified.

Right to review data (right to access personal data, Article 15)

The person has the right to know, whether or not his/her personal data is being processed, and what personal data is stored about him/her. At the data subject’s request, Tampere Tilapalvelut Oy shall deliver the details as soon as possible without undue delay. The deadline for delivering details or providing additional information concerning a request for data is one month from the receipt of the request. If the request for data is abnormally complex or extensive, the deadline can be extended to two months.

In principle, the data subject’s details are delivered free of charge. If several copies are requested, Tilapalvelut may however charge a reasonable fee for them based on administrative costs. If the request for data is eminently unjustified or unreasonable, particularly if requests for data are repeatedly presented, Tilapalvelut may charge for the administrative costs caused for delivering the details or refuse to deliver the details at all. In such cases, Tilapalvelut shall prove the distinct unfounded or excessive nature of the request.

If Tilapalvelut does not deliver the data, a written certificate on the matter shall be issued. In the same connection, we tell about the right to legal remedies, for example, the option to appeal to a supervising authority.

Right to rectify information (Article 16)

The person has the right to require that any personal data concerning him/her that are incorrect, inaccurate or incomplete are rectified or supplemented without undue delay. In addition, the person has the right to require that any unnecessary personal data is removed. The necessity and inaccuracy are assessed according to the recording moment of the data.

If Tilapalvelut does not approve the request to rectify, a written certificate is issued, which states the reasons on which basis the request has not been approved. We shall also tell about the right to legal remedies, for example, the option to appeal to a supervising authority.

Right to be forgotten (Article 17)

Only in certain exceptional situations, the person has the right to have all his/her personal data removed from Tilapalvelut’s registers (right to be forgotten). Such right does not however apply in cases where the processing of personal data is necessary to fulfil a legal obligation or for the purpose of using the government Tilapalvelut is entitled to. Tilapalvelut’s archiving guidelines and the storage times of data set out in legislation shall apply to the storage and removal of data.

Right to limit processing (Article 18)

A person may, in certain circumstances, have the right to request for limitation of processing his/her personal data for the duration that his/her data has been appropriately reviewed, rectified or supplemented.

Right to transfer data from one system to another (Article 20)

The right does not apply to such processing of personal data, which is necessary for carrying out a task concerning general interest or for using the government that the data controller is entitled to. Thus, the right is not applicable in principle to Tilapalvelut’s person registers.

Right to oppose (Article 21)

The person has the right to oppose the processing of personal data at any time on the basis of his/her personal, special circumstances, even if processing is based on carrying out a task concerning general interest or the use of the governing power that Tilapalvelut is entitled to. In this case, data may only be continued to be processed, if there is a substantially important and justified reason for the processing, which can be proven.

Right to complain to an authority (Article 77)

A person has the right to appeal particularly to the supervising authority of his/her permanent residential or workplace location, if he/she deems that the EU General Data Protection Regulation (EU) 2016/679 is being violated in the processing of personal data. In addition to this, the person has the right to use other administrative appeal methods and legal remedies.

A person also has the right to make a claim against the data controller or the personal data processing organisation, if he/she deems that his/her rights have been violate due to the data protection regulation not being observed in the processing of his/her personal data.

How are rights implemented?

Please contact Tilapalvelut’s Data Protection Officer or the register’s contact person.

Data Protection Officer:
Antti Räsänen
ICT Officer
040 306 3145
firstname.lastname@tampere.fi