Processing of personal data at the City of Vantaa’s services for promoting integration (Services for International Customers)

The data of immigrants and immigrant customers may be processed in accordance with Section 72, Subsection 1 of the Integration Act (681/2023):

1. for the organization and production of the services and duties specified in the Integration Act;
2. for the supervision, development, monitoring, evaluation, anticipation and guidance of the duties specified in Section 1; and
3. for the gathering of statistics and knowledge-based management related to the duties specified in Section 1.

If you have also registered as a job seeker, the intended uses of customer data and the data to be processed by public employment services are separately set out in Chapter 13 of the Act on Public Employment and Business Service (380/2023). You can find more information about these intended purposes and data in the City of Vantaa employment office's information document.

We will never use personal data for other purposes such as direct marketing or commercial purposes.

It is based on compliance with the statutory obligations of the municipality. The Integration Act (681/2023) sets out the obligation of municipalities to organize services that promote integration and provides for the processing of the personal data of immigrants and immigrant customers.

Legal basis of processing:

The EU's General Data Protection Regulation (2016/679), Article 6(1)(c) 
Section 6 of the Data Protection Act (2018/1050)

The following data pertaining to personal customers may be collected and processed in accordance with Section 73 of the Integration Act (681/2023):

1. identity number;
2. name and contact information;
3. information pertaining to residence permit applications and decisions;
4. transacting language, need for an interpreter and other information relating to organizing transactions;
5. information about training, work history and professional skills, as well as other information needed for assessing skills and the need for integration services.
6. information pertaining to the assessment of skills and the need for integration services, the service content and duration of the integration plan and other plans, and information pertaining to the implementation of the plans;
7. information about the services promoting integration and the final examination of language proficiency, as well as referral to other services;
8. any data and assessments pertaining to the state of health, work ability and functional capacity that impact the person’s integration and which are necessary for the provision of the service to the person in question;
9. information pertaining to the allocation to municipalities as specified in Section 43 of the Integration Act; and
10. information pertaining to compensation as specified in Chapter 8 of the Integration Act.

We receive data for the person register from you in various service situations; among others, when you use our online services, visit our service point in person or when you talk to our employees over the phone.

In addition, in accordance with the information access regulations of the Integration Act (681/2023), we have the right to obtain information pertaining to you from other authorities and service providers.

Yes, it is necessary to provide personal data. The services specified in the Integration Act (681/2023) cannot be organized for you without your personal data. In accordance with the Integration Act, the municipality has the right to collect and process the personal data of immigrants and immigrant customers.

We will only disclose your personal data to another party if the data transfer is based on law or if you have given your consent to the disclosure of your data. You can cancel your consent to the disclosure of your data to outside parties at any time. The data will not be disclosed to outside parties for other purposes such as direct marketing or commercial purposes.

Sections 82–94 of the Integration Act (681/2023) provide for the disclosure of data. The right of the requester to receive data may also be based on any law other than the Integration Act.

The public or private educational institution or other service provider providing services promoting integration as specified in Chapter 2 of the Integration Act to whom the customer is directed in accordance with the integration plan has, in accordance with Section 94 of the Integration Act, the right to receive from the municipality and previous service providers the following information pertaining to the personal customer, free of charge and notwithstanding confidentiality regulations, for the purpose of carrying out the duties specified in Chapter 2 of the Integration Act:

1. names;
2. date and place of birth;
3. identity number;
4. mother tongue;
5. transacting language;
6. citizenship or statelessness and nationality;
7. domicile and place of residence;
8. contact information;
9. official's name
10. integration plan creation date and validity;
11. noted training recommendation and other information relating to training which came up during the assessment of skills and the need for integration services;
12. the results of the baseline language proficiency examination;
13. previously completed training or degree;
14. previous occupation or work experience;
15. the customer’s target occupation;
16. study plan and assessment of the implementation thereof from any previous studies or training promoting integration;
17. agreed measures and goals for the future from any previous studies or training promoting integration; and
18. any information other than that specified in sections 1–17 which is necessary for participation in teaching or the service.

If a service has not been agreed in the integration plan, your consent will be requested for the disclosure of your data to the service provider. Your consent will always be requested when needed. Giving your consent is voluntary, and you can always revoke your previously given consent.  

The National Archives of Finland can order some customer information to be permanently stored pursuant to the Archives Act (831/1994).
The data ordered to be permanently stored will be transferred for storage to the National Archives of Finland after deletion from the customer information system.

To ensure your privacy, we have protected your personal data with the help of various technological and organizational measures. For example, only the employees that need the data to perform their work are allowed to handle the data and only to the extent required by any individual task. In the customer-information system, this is monitored with the help of logfiles, among other things. Paper documents are stored in the city’s various archives, on safe premises that are inaccessible to outside parties.

The employees are bound by confidentiality and professional secrecy, which continues also after termination of employment.

In cases where a party processes personal data on behalf of the City of Vantaa, the level of appropriate information security and data protection has been agreed on in the contract made with the processor. The processor of personal data refers to a party that processes personal data on behalf of the City of Vantaa, for example, a service provider.

As a general rule, data is processed only within the EU or EEA, but the processor may also transfer data outside the EU or EEA countries. Nevertheless, the transfer is only allowed when it meets the demands of the data protection legislation and contract that ensure a sufficient level of protection of personal data.

The data in the Microsoft M365 services used by the City of Vantaa can be processed outside the EU/EEA, although they are, as a rule, located in the EU area. The transfer is based on the EU Commission's decision, ratified on July 10, 2023, on the sufficient level of the U.S. data protection. The U.S. companies to which data is transferred are certified and committed to the data protection measures agreed between the EU and the U.S. In this case, the transfer of data is compliant with the EU's General Data Protection Regulation.

It is possible that, regardless of protection, your personal data may exceptionally end up as a target of a breach of data as well as in the possession of an outside party. In these cases, we will take immediate measures to rectify the situation, and we will inform the data protection ombudsman if the breach of data security causes any risk to you. The notification will be made, at the latest, within 72 hours of noticing the breach of data security. If the breach of data security presents a high risk, we will also inform you about it.

Data will be stored and deleted in accordance with the City of Vantaa’s information management plan. The duration of storing documents specified in the information management plan is based on legislation, the National Archives of Finland's regulations for permanently stored documents, as well as the Association of Finnish Local and Regional Authorities’ recommendations for temporarily stored documents. After the end of the data storage period, the data will be deleted.

The KEHA Centre will delete all data pertaining to the customer from the national database four (4) years after the termination of the customer or contractual relationship. However, the data does not need to be deleted if it is required for carrying out duties based on legislation or for a pending issue (Integration Act, Section 77).

The National Archives of Finland can order some customer information to be permanently stored pursuant to the Archives Act (831/1994).
The data ordered to be permanently stored will be transferred to the National Archives of Finland for storage after deletion from the customer information system. The KEHA Centre will be responsible for the deletion of documents from the system specified in the Integration Act and documents submitted through the Oma Asiointi service. The City of Vantaa is an independent records creator insofar as documents contained in or submitted through the national systems of integration are not concerned.

The city is responsible for archiving the documents received and created in connection with carrying out its duties in accordance with the Archives Act.

The processing and archiving of the documents received and created by the city takes place in accordance with the information management plan.

Your data will not be used for profiling or automatic decision-making.

The registered person refers to the person whose personal data is being processed. If we process your personal data, based on the EU’s General Data Protection Regulation (GDPR), you are entitled to:

• check how your data is processed (GDPR, Article 15)
• demand that inaccurate or faulty data be corrected (GDPR, Article 16)
• demand that your data be removed (the “right to be forgotten”, GDPR, Article 17)
• demand that the use of your data be restricted (GDPR, Article 18)
• object to the processing of your data (GDPR, Article 21)
• obtain your data and transfer it to another controller as well as cancel your consent at any time, if processing is based on your consent (GDPR, Article 20 and Article 7(3)).

The Integration Act (681/2023) sets out the restrictions of the registered person’s rights. The registered person does not have the right referred to in Article 18 of the EU's GDPR to restrict the processing of their data (Integration Act, Section 73, Subsection 3).

With regard to the right to remove data (GDPR 17), it must be taken into account that the storage of personal data is lawful, and that data does not need to be deleted when it is stored for the purpose of carrying out a statutory obligation (organization of statutory integration services), fulfilling duties in the public interest or exercising the public authority of the data controller.

When canceling your previously given consent to the disclosure/exchange of data, the cancellation of consent does not impact the legality of the processing carried out on the basis of the consent prior to its cancellation (GDPR, Article 7(3)).

You can submit a personal data inspection request through the e-services, on the spot at Vantaa-Info, or by mailing the inspection request to the City of Vantaa’s Registry. You can find more detailed instructions on the city’s Data Protection webpage.

If you wish to exercise the registered person's other rights or ask for additional information on the processing of personal data, please contact the person mentioned below in section 14. We will case-specifically verify the preconditions for exercising your rights. Exercising your rights requires verification of your identity.

We will execute information requests without undue delay, but, at the latest, within a month of receiving the request. The deadline can be extended by at most two months, when required, by accounting for the complexity and amount of data of the request. If the deadline is extended, we will inform you about it.

As a general rule, exercising your rights is free of charge. We may, however, charge a reasonable fee, corresponding with the administrative costs, for implementing the request, or decline to perform the measure, if the request is obviously ungrounded, unreasonable, or recurrent. If there is a charge for executing your request, we will contact you. If we decline to perform the measure, we will inform you in writing about the grounds for the refusal as well as about the option to submit the matter to be handled by the data protection ombudsman or to exercise other legal remedies.

If you suspect that your personal data is being illegally processed, you can submit an appeal to the data protection ombudsman. Further information on and instructions for submitting an appeal is provided by the contact person mentioned in section 14, the city's data protection officer, the data protection ombudsman's office website, and phone consultation:

Data protection ombudsman's office / www.tietosuoja.fi
Street address: Lintulahdenkuja 4, 00530 Helsinki
Mailing address: P.O. Box 800, 00531 Helsinki
Email: tietosuoja(at)om.fi 
Phone (switchboard): 029 566 6700
Phone (consultation for private persons): 029 566 6777

The data controller is the City of Vantaa's Director of Employment and Integration Services. The City of Vantaa is responsible for the duties of the data controller for customers, as set out in the Integration Act (681/2023) with regard to the responsibilities of the municipality (Integration Act, Section 78).

Joint controllers. The KEHA Centre and the municipalities are the joint controllers of the national database referred to in Section 74 of the Integration Act. As data controller, the KEHA Centre is responsible for the data controller’s obligations which are set out in the law (Integration Act, Section 78).

The contact information of the data controller, the City of Vantaa’s data protection officer and the KEHA Centre acting as data controller can be found below:

Data controller (City of Vantaa’s integration authority)    
City of Vantaa                     
Director of Employment and Integration Services                
Business ID: 0124610–9             
Asematie 7, 01300 Vantaa            

Data protection officer
tietosuojavastaava@vantaa.fi

Registry    
Mailing address: P.O. Box 1100, 01030 Vantaan kaupunki
Street address: Tikkurila Vantaa Info, Dixi, Ratatie 11, 2nd floor, 01300 Vantaa.
Phone (switchboard): 09 839 11
Fax: 09 8392 4163, email: kirjaamo(at)vantaa.fi

Joint controller KEHA Centre
tietosuoja.keha@ely-keskus.fi

Processors of personal data
The City of Vantaa may outsource the processing of your personal data to an external system provider or service provider through a separate commission agreement.

In this case, the processing of personal data takes place on behalf of the city and for the purposes designated by the city.
The city remains the data controller of your personal data.
The city and service provider are jointly responsible for the appropriate processing of your personal data.

Additional information on processing personal data is provided by the contact person below. Please note that email is not a safe medium for processing personal data. Be sure not to send, for example, your identity number or any sensitive information by email.