Principles for processing personal data
The City of Jyväskylä only collects personal data for certain legal purposes. Customers have the right to know how and for what purpose their personal data is processed.
What personal data does the City of Jyväskylä collect?
Identifying data (name and personal identity code) is needed to identify the recipient of a service, an invoice or a communication. In some services, also other identifying data may be need, such as the property identifier or the car registration number.
Contact details (street address, telephone number, email address) are needed in all services to reach the customer.
In some services prescribed by law, also financial data is needed. For example, day care fees are based on income. Income data are is required when applying for supplementary and preventive social assistance and in debt counselling services.
Medical records are needed in basic social security services (health and nursing services) . The processing of medical records is strongly protected by special legislation.
Multiprofessional teams (e.g., in student welfare services and rehabilitative work services) need domain-specific personal data to be able to serve customers in the best possible way (e.g., psychologists, social workers, school social workers, doctors, youth workers).
Accuracy of and the right to check personal data
For each service, the City only collects the data that is necessary for that particular service (data minimisation).
In most online customer services , such as Hyvis, Wilma, etc., customers can check their personal data by logging in the service. If this is not possible, the customer can submit a data request form. See: submitting a data request form.
The City does its best to regularly check that the personal data processed are accurate and up-to-date.
Retention of personal data
Personal data will only be retained as long as there is a customer relationship, a need for services or a basis for billing.
Sometimes legislation, accounting regulations or requests for rectification may require the City to retain personal data longer than otherwise needed. Also, public authorities have the right and duty to retain certain documents for longer periods of time or even permanently (General Data Protection Regulation, article 89, paragraph 1 ).
In some cases, customer data may be made anonymous and retained in a form in which identification is not possible.
Security of personal data
Personal data is only processed by those employees and officials authorised to do it.
The City uses technical measures to protect personal data against damage, loss and destruction. The measures include e.g., access management, log data, backing up, firewalls and access control. In addition, all employees of the City are required to maintain confidentiality and to get acquainted with data protection and security regulations.
Service providers are contractually committed to complying with the City’s standards of data protection and confidentiality at all stages of personal data processing.
Certain specific personal data are processed in the City’s own secure intranet and remote access environments.
Sensitive customer and patient data are not sent by email.
Disclosing personal data
The City may transfer personal data to other officials if they are authorised to receive it.
The City does not transfer personal data for direct marketing purposes.
As a rule, the City does not transfer personal data to third countries or outside the EU.
Consent as a basis for processing personal data
Consent is required when the processing of personal data is not prescribed by law. Consent necessitates clear approval from the customer, and it can be withdrawn. Consent is used as a basis for personal data processing e.g., in image banks, when taking photos of children at schools and day care centres and when processing guest lists.
Right to object to and restrict the processing of personal data
In certain circumstances customers may also have other rights. Customers have the right to restrict the processing of their personal data, in which case the data can only be stored. Restriction is possible if the customer has objected to the processing of their personal data, if they have challenged the accuracy of the data or if they want to establish, present or defend a legal claim.
Right to file a complaint with a supervisory authority
Customers have the right to file a complaint with the Data Protection Ombudsman if they consider that the processing of their personal data violates the EU General Data Protection Regulation or Finnish data protection acts and regulations.
Contact details for the data protection officer:
Office of the Data Protection Ombudsman
P.O. Box 800
Visiting address: Ratapihantie 9, 6th floor, 00520 HELSINKI
Tel. 029 56 66700