Privacy Policy

Privacy Policy of the OmaStadi Service

EU General Data Protection Regulation (2016/679), articles 13 and 14

Controller

City of Helsinki / City Board

Person in charge of the register

City Executive Office / Communications Department / Communications Director

Why do we process your personal data?

Your personal data is processed so you can submit, comment or vote on proposals in the OmaStadi service. You are required to register with your name and email address to leave a suggestion or comment on OmaStadi. Those who submit proposals can also be contacted to inform them about the progress of the process and how they can participate. We process personal data at the voting stage to ensure that you are eligible to vote and that every person only votes once.

Legal basis for processing your personal data

The processing of your personal data is based on Article 6(1)(a) of the EU General Data Protection Regulation: The data subject has given consent to the processing of their personal data.

What personal data do we process about you?

When you register for the OmaStadi service, we process the following personal data: name, user name and email address. If you prefer, you can also add a profile photo and profile description to your profile, in which case we will also process this data.

When you log in to vote on the OmaStadi service using strong authentication, we process the following personal data: your name, email address, place of residence, postal code and personal identity code.

When they vote, students over the age of 13 are authenticated using the mPassID used by schools, in which case we process the following personal data: their first name, last name, nickname, municipality code, municipality name, school code, school name, class ID and grade level.

How do we collect personal data?

We collect personal data from the data subjects themselves when they login to OmaStadi.

The data collected as part of strong identification are obtained from the Suomi.fi service.

The information needed for students to vote is obtained through mPassID.

To whom do we disclose your personal data?

No personal data will be disclosed.

Personal data processors

Mainio Tech Oy is the processor of personal data in the OmaStadi service.

The city may outsource the processing of your personal data to an external system supplier or service provider under a separate service contract. In this case, the processing of personal data takes place on behalf of and on account of the city and for carrying out the purposes defined by the city. The city will remain the data controller for your personal data. The city and the service provider are jointly responsible for the appropriate processing of your personal data.

Will your personal data be transferred outside the EU or EEA?

No personal data will be transferred.

By default, the City of Helsinki ensures that your personal data is processed within the EU or EEA. However, in some cases, the city’s services or functions may also be implemented using service providers, services and servers located elsewhere. In this case, your personal data may also be transferred outside the EU or EEA. The General Data Protection Regulation sets strict criteria for transferring personal data to countries whose legislation on the processing of personal data deviates from the requirements of European data protection law. In this case, the City of Helsinki undertakes to comply with the requirements for an adequate level of protection for personal data, and, where applicable, commits the system suppliers and service providers it uses to ensure corresponding data protection obligations in accordance with data protection legislation.

How long do we retain your personal data?

Personal data in the OmaStadi service will be retained for five years. The personal data collected when voting will be anonymised two weeks after the end of the voting period.

How do we protect your personal data?

We process personal data in a secure manner that complies with legal requirements. We have carefully assessed the potential risks associated with our processing activities and have taken measures to manage those risks.

Automated decision-making and profiling

Your personal data will not be used for individual automated decisions or profiling.

Your rights regarding the processing of your personal data

The rights of the data subject and instructions on how to exercise them can be found at:
https://www.hel.fi/en/decision-making/information-on-helsinki/data-protection-and-information-management/data-protection/rights-of-data-subjects-and-exercising-these-rights

Right to review data (right of access to data, Article 15)

You have the right to know what personal data is being processed about you and what data has been stored about you. The city will provide the information without undue delay, at the latest, within one month of receiving the request. If necessary, this period may be extended by a maximum of two months if the request is of exceptional scope and complexity. If the time limit is extended, the city will inform the person requesting the information of this within one month of receiving the request, as well as of the reasons for the delay.

Right to rectification (Article 16)

You have the right to demand that the city rectify imprecise and inaccurate personal data concerning you without undue delay. In addition, they have the right to the supplementation of incomplete information. Any incompleteness of the data will be resolved by taking into account the purpose of the processing of personal data in the register. If the city does not accept the person’s demand for rectification, it will issue a written certificate stating the reasons the demand was not accepted. The possibility of lodging a complaint with a supervisory authority and of seeking other remedies is also mentioned in connection with the certificate.

Right to be forgotten (Article 17)

In some exceptional cases – for example, if the processing of data was based on the person’s consent and they withdraw their consent – the person has the right to have their data erased, i.e. to be forgotten. If the city does not accept the person’s demand for erasure, it will issue a written certificate stating the reasons the demand was not accepted. The possibility of lodging a complaint with a supervisory authority and of seeking other remedies is also mentioned in connection with the certificate. The right to erasure does not exist if the processing is based on compliance with the city’s statutory obligation, or it is related to the performance of a task carried out in public interest or the exercise of public authority vested in the city.

Right to restriction of processing (Article 18)

In certain situations, a person may have the right to request that the processing of their personal data be restricted until their data has been duly checked and corrected or supplemented. Such situations include a person denying the accuracy of their data, in which case the processing of their data is restricted for the time the city checks their accuracy.

Right to data portability (Article 20)

A person has the right to transfer their personal data from one controller to another if they have themselves provided the controller with their personal data, and the processing of the data is based on consent or a contract, and the processing is carried out automatically. This right does not apply to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the city.

Right to object (Article 21)

A person has the right to object at any time, on grounds relating to their particular situation, to the processing of their personal data where the processing is based on the performance of a task carried out in the public interest or in the exercise of an official authority vested in the city. In this case, the data may be further processed only if there is a substantial and justified reason for the processing that can be demonstrated by the city. The processing may also continue if the processing is necessary for the establishment, exercise or defence of legal claims.

Right to lodge a complaint with an authority (Article 77)

You have the right to lodge a complaint with a supervisory authority if you consider the processing of your personal data to infringe on the EU General Data Protection Regulation (EU) 2016/679. In addition, you have the right to exercise other administrative and judicial remedies.

Office of the Data Protection Ombudsman
Visiting address: Lintulahdenkuja 4
Postal address: PO Box 800, 00531 Helsinki
Email: tietosuoja@om.fi
Telephone exchange: +358 29 56 66700

How can you contact us about privacy issues?

As a logged-in user, you can view your saved data in several city systems. You can request a correction to incorrect data in the service where that data was generated.

Contact details: Product Owner, Strategy Department, City Executive Office
Registrar’s Office, City of Helsinki
helsinki.kirjaamo@hel.fi
+358 9 310 13700

Contact details of the Data Protection Officer
City of Helsinki’s Data Protection Officer
tietosuoja@hel.fi
09 310 1691 (telephone exchange)

This privacy policy has been updated on 14 September 2023.

Please sign in

Or

Sign in using your email address and a password of your choice.

Forgot your password?

You need to enable all cookies in order to see this content.