The right to the protection of personal data
The European Union’s General Data Protection Regulation (GDPR) defines the principles for the processing of personal data. The national Data Protection Act, which specifies and supplements the EU’s General Data Protection Regulation, is applied alongside the GDPR.
The right to the protection of personal data is a fundamental right. Data protection refers to measures that protect a person’s privacy when processing personal data. The processing of data must be appropriate and carried out for a specific purpose and on the basis of legitimate grounds laid down in legislation.
Why and for what purpose is information collected about me?
The City of Turku provides both statutory and other services for its residents. The high-quality provision of these services, the planning of the services and related monitoring, invoicing and gathering statistics require processing the personal data of service users. Data processing in the services of the City of Turku is often based on the implementation of the controller’s statutory obligation (exercise of official authority). In some cases, the processing may also be based on the user’s consent. You have the right to withdraw your consent at any time by notifying the controller, after which your data will be deleted.
You can read more about the purposes and legality of the processing of personal data in our privacy statements at www.turku.fi/tietosuoja (in Finnish).
What data is collected about me?
We only collect data that is necessary for the intended use and the implementation of the services. Personal data is processed on the basis of the purpose of the register. Privacy statements have been drawn up for the registers, which contain more detailed information on the data content of the register.
How long will personal data be stored?
We store your personal data for the period required by law. The City of Turku specifies the storage times of personal data in its code of conduct.
What rights do I have?
Provisions on the rights of the data subject are laid down in the EU’s General Data Protection Regulation and nationally in the Data Protection Act. Read below what rights you have with regard to your personal data.
You have the right to check register data about you or to check that the register does not contain data about you. By request, written copies can be provided of the information you have requested.
The right of access by a minor is exercised by the minor’s official guardian.
The right of access is implemented without undue delay. Submitting or providing additional information related to a request for information shall take place within one month from the date of receipt of the request. If the request for information is particularly complex and extensive, the deadline may be extended by two months. Exercising the right of access and receiving copies of your data are, as a rule, free of charge. However, if several copies are requested, the city may charge a reasonable fee based on administrative costs.
The right of access may be refused on the grounds referred to in section 34 of the Data Protection Act. The grounds for refusal may include that providing the information could pose a risk to the data subject or the rights of someone else. If the right of access is refused, a written certificate of refusal is issued to the customer.
In some cases, the Data Protection Ombudsman may issue an order to the controller to implement the customer’s right of access.
The data controller must, without undue delay, at its own initiative or in response to the data subject’s demand, erase or complete data in the register that is unnecessary, incomplete and outdated with regard to the purpose of the data processing.
The request for rectification must be made in writing and addressed to the contact person responsible for register matters. The request should include a detailed explanation on which information is requested to be rectified and why, what information the data subject feels is correct and in what way the corrections should be implemented. If the request to rectify data is refused, a certificate of refusal is given to the data subject.
In certain exceptional cases, you may have the right to have your personal data completely deleted from the city’s registers. However, such a right does not exist when the processing of personal data is based on legislation or the exercise of the city’s official authority.
In certain situations, you may have the right to request a restriction on the processing of your personal data until your data has been duly checked and corrected or supplemented.
The controller shall inform each recipient to whom personal data have been disclosed of any rectification, deleted data or restriction of processing of your personal data, unless this proves impossible or requires unreasonable effort. The controller shall inform the data subject of these recipients if the data subject so requests.
In some cases, you have the right to demand the City of Turku to disclose your data to you for transferring it to another system. The right does not apply to the personal data registers of the City of Turku if personal data has been collected for the performance of a task carried out in the public interest or for the controller’s exercise of official authority.
You have the right to object at any time to the processing of your personal data on the basis of a personal and special situation when the processing is based on the performance of a task carried out in the public interest or the exercise of official authority vested in the city. In this case, the data can only be further processed if there is a significant and justified reason that the city can demonstrate. The processing may also continue if it is necessary for the establishment, filing or defence of a legal claim.
In special situations, you have the right to object to automated individual decisions, including profiling.
You have the right to be informed of a data breach when a breach is likely to pose a high risk to your rights and freedoms. In such a situation, we notify you of the violation without delay.
You have the right to submit a complaint to the data protection authority when, in your opinion, relevant legislation is being violated in the processing of your personal data. Follow the instructions issued by the data protection authority to lodge a complaint at www.tietosuoja.fi/en.
Submitting a request to the controller
You can submit a request in the following ways:
You can submit a request at the Turku service point of the City of Turku at Puolalankatu 5.
Please be prepared to prove your identity and identify the personal information you require in order to speed up the processing of your request.
Whenever you visit the service point in person, you may always ask the person responsible for your services to explain and, if necessary, correct the information stored about you and related to the services, such as your contact information.
If you wish to receive reports on your personal data as printouts or copies, submit a free-form request signed by you which includes your name, personal identity code, postal address, telephone number, e-mail address and specific details about the personal data file or service that you wish to check and from what period of time.
Send the request by post to P.O. Box 355, 20101 Turku or deliver it personally to the Turku service point at Puolalankatu 5, 20100 Turku.
Suomi.fi Messages (requires strong identification)
Address the request to the contact person responsible for register matters mentioned in the privacy statement in a document signed manually or in a similarly certified manner or that has been signed personally at the controller’s office.
Who receives my data? Is my data disclosed to third parties?
In some cases, your data may be disclosed to third parties, such as national registers or other authorities.
Do you transfer data outside the EU or EEA?
We will not transfer your data outside the EU or EEA unless the adequate data protection has been ensured in a manner approved by the European Commission.
How we protect your personal data
- Data protection follows the City of Turku’s data protection and information security policy.
- We are aware of the personal data we collect and assess the risks involved.
- We only collect personal data that is necessary for their intended use.
- We take care of data lifecycle management.
- We train staff annually to ensure data protection competence.
- We inform data subjects about the principles of the processing of personal data, the rights of the data subject, and the implementation of these rights.
- We assess the risks related to the processing of personal data.
- We require contracting partners to comply with the data protection principles laid down in legislation.
Processing of personal data on behalf of the City of Turku
In our operations, we may also disclose personal data on behalf of the controller to parties processing the data, such as tendering parties operating within the framework of a commission agreement. External processors of personal data in our operations include contracted system suppliers and other external service providers. When procuring services from external service providers, we only select processors that comply with good personal data processing practices and meet the requirements of the General Data Protection Regulation as our contracting partners. Compliance with data protection requirements is ensured by written agreements.