Processing of personal data in basic education

The processing of personal data necessary for organising basic education is based on statutory obligation and the public interest or the exercise of public authority belonging to the controller. The child’s photos, videos and work are processed with the consent of the child’s guardian and only in the manner specified therein. The consent will be requested in writing with a separate photographing, videoing and publishing permission. Some data is processed based on consent. Granting consent is voluntary and can be revoked at any time.

Legal basis for the processing:

• The EU's General Data Protection Regulation (2016/679), Article 6.1 a, c, and e.
• Section 6 and 4 of the Data Protection Act (1020/2018)
• Basic Education Act (21.8.1998/628)
• Child Welfare Act (417/2007)
• Act on Checking the Criminal Background of Persons Working with Children (504/2002) 
• Basic Education Decree (852/1998)  
• Government Decree on the National Objectives for Education Referred to in the Basic Education Act and on the Distribution of Lesson Hours (422/2012)  

For example, the names, personal identity codes and contact details of the child and their guardians are required for organising basic education. The City of Vantaa primarily obtains the necessary information from the Digital and Population Data Services Agency (DVV) and the child’s guardians. Other information, such as the child’s evaluation data, information on the organisation of school transport and school meals (special diets) and documents related, for example, to decisions concerning the child, also accumulate in the course of providing basic education. Subject to conditions provided by law, the City of Vantaa may also request information necessary for organising basic education from other authorities, such as a previous early childhood education or basic education organiser.

Yes. Basic education cannot be provided without personal data, which means that the details are necessary for arranging the operations.

The City of Vantaa may disclose your or your child’s data only with your consent or if required by law. For example, if the child transitions to basic education or changes school, the municipality is obliged to disclose to the new basic education provider the information necessary for organising basic education in the manner prescribed by law. The municipality is obliged to disclose information to national registers of education records, qualifications and degrees and, under certain conditions, to outreach youth work. The necessary information is also disclosed for the Wellbeing Services County of Vantaa and Kerava’s pupil and student welfare work.

In order to make it possible to grant school-travel cards, the City of Vantaa discloses personal data to Helsinki Region Transport, HSL. The City of Vantaa makes the decisions on school transportation (travel cards for schoolchildren). The personal data disclosed to HSL consists of the child’s name, identity number, information on the school, as well as the guardian’s email address. It the child does not have a Finnish identity number, the child’s date of birth is given instead of the identity number.

In order to ensure your family’s privacy, data security and data protection have been secured by means of various technical and organisational measures. For example, personal data may only be processed by persons who require the data for completing their work-related or public service tasks and only to the extent required on a task-specific basis. In the client data system, this is monitored, among other things, by using log information. Paper documents are kept in city archives in a safe place that no outsider can access.

Staff are bound by the obligation of professional confidentiality and will continue to be bound by it after the end of their employment. The school is responsible for destroying its files and any copies it has received.

In cases where the processor of personal data handles personal data on behalf of the City of Vantaa, the appropriate level of data security and data protection has been agreed to in an agreement with the processor. As a rule, data is only processed in the EU or EEA area, but the processor can also transfer data outside the EU or EEA. However, the transfer is only permitted if it meets the requirements set out in the data protection legislation and the agreement, which ensure an adequate level of protection of personal data.

In the case of Microsoft O365 and Google Workspace for Education services/systems, personal data can be transferred to the United States based on the 10 July 2023 decision of the European Commission on the adequacy of data protection level in the United States. The US companies to which data is transferred are certified companies committed to the safeguards agreed between the EU and the US.

Google transfers data applying standard clauses adopted by the European Commission where necessary and where transfers are not subject to an adequacy decision. In addition, Google has an addendum.

Microsoft also complies with the UK extension to the 10 July 2023 decision of the European Commission on the adequacy of data protection level in the United States and the Swiss-US Data Privacy Framework (Swiss-U.S. DPF). In addition, the transfer of personal data outside the EU or EEA is based on Microsoft’s terms.

In the case of the iOS app, the transfer of personal data outside the EU or EEA is based on the terms of Apple services and standard clauses adopted by the European Commission.

Despite the protection measures, in some exceptional cases it is possible for personal data to be compromised by a data security breach or end up in the hands of a third party. In these cases, the City of Vantaa will take immediate action to rectify the situation and submit the necessary reports to the national Data Protection Ombudsman and the data subjects affected.  The City of Vantaa will notify the Data Protection Ombudsman of any breach without undue delay and, where possible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to risk the rights and freedoms of any data subjects.

If the breach is likely to cause a high risk with regard to the data subjects’ rights and freedoms, the City of Vantaa will notify the data subjects of the breach without undue delay. In this case, the city will report the breach to those data subjects whose data is affected by the data security breach. If the data breach concerns a large group of people and does not require any immediate action from registered parties, the details of the data breach can also be provided as a general notification.

The data is stored and destroyed in accordance with the City of Vantaa’s data management plan.

The document storage periods specified in the data management plan are based on legislation, the regulations of the National Archives of Finland on documents intended for permanent storage and the recommendations of the Association of Finnish Local and Regional Authorities on documents to be stored for a fixed period. At the end of the period, the data is destroyed. The retention periods for basic education documents vary, with some data retained permanently.

Your personal data will not be used for profiling or automated decision-making.

The term ‘data subject’ refers to the natural person whose personal data is being processed. Depending on the basis for the processing, the registered party has the right to

• check the information processed by the application
• request the rectification of erroneous or inaccurate information
• request the erasure of personal data
• request the restriction of the data processing
• object to the processing of the data
• right to obtain the data and transfer it to another data controller, and to withdraw their consent at any time, if the processing is based on consent.

You can make a personal data review request via the e-service, in person at Vantaa Info or by posting the review request form to the City of Vantaa Registry Office. More detailed instructions can be found on the City’s Data Protection page.

If you wish to enforce other rights to which you are entitled as a data subject or request additional information on the processing of personal data, please contact the person specified under section 14 below. The legal basis for the enforcement of your rights is verified on a case-by-case basis. In order to enforce your rights, you may have to prove your identity.

We will fulfil the requests without undue delay, but no later than within one month of receiving each request. If necessary, the deadline may be postponed by a maximum of two months based on the complexity of the request and the quantity of the data. If the deadline is postponed, you will be notified.

The exercise of the rights is, in principle, free of charge. However, the City of Vantaa may collect a reasonable fee corresponding to the administrative costs for fulfilling a request or refuse a request if the data subject’s requests are clearly unfounded, unreasonable or recurring. If the intention is to collect a fee for fulfilling a request, the City of Vantaa will contact the person who submitted the request before fulfilment. In the event that the City of Vantaa refuses to fulfil the requested measure, the person who submitted the request will be provided with the grounds for the refusal in writing and informed of the opportunity to refer the matter to the Data Protection Ombudsman and resort to other legal remedies.

If you suspect that your personal details are being processed unlawfully, you can appeal to a supervisory authority in the EU member state of your permanent residence or employment or the member state where you consider the violation to have taken place. In Finland, the relevant supervisory authority is the Data Protection Ombudsman.  More information and instructions on submitting an appeal are available on the website of the Office of the Data Protection Ombudsman and the office’s telephone guidance service.

• Office of the Data Protection Ombudsman/www.tietosuoja.fi
• Visiting address: Lintulahdenkuja 4, FI-00530 Helsinki
• Postal address: PO Box 800, FI-00531 Helsinki
• Email: tietosuoja(at)om.fi
• Tel. (exchange): +358 29 566 6700
• Tel. (helpline for private individuals): +358 29 566 6777

More information on the processing of personal data is available from the contact person specified below. Please note that email is not a safe medium for processing personal data. As such, please do not send sensitive information, such as your personal identity code, via email.

Contact person for the register

Principals in basic education in accordance with the appendix

The controller is the City of Vantaa’s Education and Learning Committee. Contact details of the controller and the City of Vantaa data protection officer can be found below:

Controller

City of Vantaa

Education and Learning Committee

Business ID 0124610-9

Asematie 7, FI-01300 Vantaa

Data protection officer

tietosuojavastaava@vantaa.fi

Tel.: +358 40 071 3358

Registry office:    

Postal address: PO Box 1100, FI-01030 City of Vantaa

Visiting address: Vantaa Info Centre Tikkurila, Dixi, Ratatie 11,

2nd floor, FI-01300 Vantaa.

Tel. (exchange): 09839 11

Fax +358 9 8392 4163, email: kirjaamo(at)vantaa.fi