Processing personal data in Business Vantaa’s customer relationships and partnerships

The purpose of processing the personal data in the register is the operation of the City of Vantaa's Business Development Services relating to the city’s trade and business, innovation and competitiveness policies and the promotion of entrepreneurship. This processing activity includes, for example:

• services for startups and existing businesses, public and third-sector services
• management of customer and business/partner relationships
• organization of events and entrepreneur network activities   
• marketing and communications 
• reporting

When we manage services for startups, customer and business relationships and partnerships, event arrangements and entrepreneur network activities, we process your personal data

• on the basis of Article 6(1)(e) of the EU’s General Data Protection Regulation: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

When we target marketing and communications to private persons, we process your personal data:

• on the basis of Article 6(1)(a) of the EU’s General Data Protection Regulation: the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

When we target marketing and communications to communities, we process your personal data:

• on the basis of Article 6(1)(e) of the EU’s General Data Protection Regulation: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The data describes the position of a person, the person’s duties or the performance of these duties in a public sector entity, business and industry, activities of civil society organizations, or other corresponding activities, in so far as the objective of the processing is of public interest and the processing is proportionate to the legitimate aim pursued, in which case the processing is lawful in accordance with the Section 4 of the Data Protection Act.

When we provide services for startups, manage customer and business relationships and partnerships, organize events or business network activities, we process the following personal data:

• data subject’s name, contact information (incl. email address, phone number, social media contact information), gender, date of birth, language, customer service language and dietary information.
• private entrepreneur’s company name, business ID.
• training and competence information.
• business plan, financial plan and similar plans that the customer has submitted in connection with customer counseling.
• information related to customer, partner and counseling meetings and event activities.
• title, participation in events, meetings at events, interests, role at events, presentation text.
• information related to a private entrepreneur’s financial situation that they have provided in connection with customer counseling.
• customer feedback received from business counseling.

When special categories of personal data relating to a person’s diet are processed in providing the service, the processing is lawful on the basis of Article 9(2)(a) of the EU’s General Data Protection Regulation, in accordance with which the data subject has given explicit consent to the processing of those personal data for one or more specified purposes.

When we carry out marketing and communications, we process the following personal data:

• data subject’s name, contact information (incl. email address, phone number), customer service language.

How do we collect personal data?

Personal data is primarily collected from the data subjects themselves. In the case of an employee of a company, association or other organization, personal data may also be collected from public data repositories (e.g. YTJ, PRH) through interface implementations or using viewing access. Personal data may also be collected from organizations’ public websites, through various social media services or by purchasing address databases from commercial actors (Profinder).

The content of the services and provision of information thereof cannot be produced without personal data, meaning that the data is necessary. The processing of personal data is based on compliance with a legislative obligation and the consent provided by the user. The client has the right to restrict use of their personal data or to ask that they be removed. In case handling and storing of the data are based on a legislative obligation, the data will only be removed after termination of the legal deadline.

We will only disclose your personal data to another party if the data transfer is based on law or if you have given your consent to the disclosure of your data. You can cancel your consent to the disclosure of your data to outside parties at any time. The data will not be disclosed to outside parties for other purposes such as direct marketing or commercial purposes.

To ensure your privacy, we have protected your personal data with the help of various technological and organizational measures. For example, only the employees that need the data to perform their work are allowed to handle the data and only to the extent required by any individual task. In the customer-information system, this is monitored with the help of logfiles, among other things. Paper documents are stored in the city’s various archives, on safe premises that are inaccessible to outside parties.

The employees are bound by confidentiality and professional secrecy, which continues also after termination of employment.

In cases where a party processes personal data on behalf of the City of Vantaa, the level of appropriate information security and data protection has been agreed on in the contract made with the processor. The processor of personal data refers to a party that processes personal data on behalf of the City of Vantaa, for example, a service provider.

As a general rule, data is processed only within the EU or EEA, but the processor may also transfer data outside the EU or EEA countries. Nevertheless, the transfer is only allowed when it meets the demands of the data protection legislation and contract that ensure a sufficient level of protection of personal data.

It is possible that, regardless of protection, your personal data may exceptionally end up as a target of a breach of data, as well as in the possession of an outside party. In these cases, we will take immediate measures to rectify the situation, and we will inform the data protection ombudsman if the breach of data security causes any risk to you. The notification will be made, at the latest, within 72 hours of noticing the breach of data security. If the breach of data security presents a high risk, we will also inform you about it.

Data will be stored and deleted in accordance with the City of Vantaa’s information management plan.

Customer service processes: Services for startups, management of customer and business/partner relationships and network activities based on a customer relationship or contract relationship:

• Stored for the duration of the customer relationship and 5 years after the end of the customer relationship.

Marketing and communications as well as independent network activities:

• Personal data shall be stored for the duration of active use/validity of consent or for at most five years. The data subject may request the deletion of their data at any time, in which case the data shall be deleted from the register.

Your data will not be used for profiling or automatic decision-making.

The data subject refers to the person whose personal data is being processed. If we process your personal data, you have the right to

• check how your data is processed
• demand that inaccurate or faulty data be corrected
• demand that your data be removed
• request that handling of your data be restricted
• object to handling of your data
• get your data and transfer it to another controller as well as cancel your consent at any time, if processing is based on your consent.

You can submit a personal data inspection request through the e-services, in person at Vantaa-Info, or by mailing the inspection request to the City of Vantaa’s Registry. You can find more detailed instructions on the city’s Data Protection webpage.

If you wish to exercise the data subject’s other rights or ask for additional information on handling personal data, please contact the person mentioned below in paragraph 14. Legislative preconditions for exercising your rights will be verified on a case-specific basis. Exercising your rights may require verification of your identity.

We will execute information requests without undue delay, but, at the latest, within a month of receiving the request. The deadline can be extended by at most two months, when required, by accounting for the complexity and amount of data of the request. If the deadline is extended, we will inform you about it.

As a general rule, exercising your rights is free of charge. We may, however, charge a reasonable fee, corresponding with the administrative costs, for implementing the request, or decline to perform the measure, if the request is obviously ungrounded, unreasonable, or recurrent. If there is a charge for executing your request, we will contact you. If we decline to perform the measure, we will inform you in writing about the grounds for the refusal, as well as about the option to submit the matter to be handled by the data protection ombudsman, or to exercise other legal remedies.

If you suspect that your personal data is being illegally processed, you can submit an appeal to the data protection ombudsman. Further information on and instructions for submitting an appeal is provided by the contact person mentioned in section 14, the city's data protection officer, the data protection ombudsman's office website, and phone consultation:

Data protection ombudsman's office / www.tietosuoja.fi

Street address: Lintulahdenkuja 4, 00530 Helsinki

Mailing address: P.O. Box 800, 00531 Helsinki

Email: tietosuoja(at)om.fi

Phone (switchboard): 029 566 6700

Phone (consultation for private persons): 029 566 6777

Additional information on processing personal data is provided by the contact person below. Please note that email is not a safe medium for processing personal data. Be sure not to send, for example, your identity number or any sensitive information by email.

Contact person

business.vantaa@vantaa.fi

The data controller is the Vantaa City Executive Board. You will find the contact information of the data controller and the City of Vantaa's data protection officer below:

Controller                                                                                         

The City of Vantaa                                                                                                

Vantaa City Executive Board                                                                              

Business ID: 0124610-9                                                                  

Asematie 7, 01300 Vantaa                                                             

Data protection officer

tietosuojavastaava@vantaa.fi

Registry     

Mailing address: P.O. Box 1100, 01030 Vantaan kaupunki

Street address: Tikkurila Vantaa-info, Dixi, Ratatie 11, 2nd floor, 01300 Vantaa.

Phone (switchboard): 09 839 11

Fax: 09 8392 4163, email: kirjaamo(at)vantaa.fi