Data Protection

• Since 25 May 2018, the processing of personal data has been governed throughout the European Economic Area by a common law: the EU General Data Protection Regulation (GDPR). In addition to the GDPR, the national Data Protection Act applies as a complementary regulation. As a public authority, the city is also subject to the Act on the Openness of Government Activities (the Publicity Act).
  

How the City of Rovaniemi Handles Data

The City of Rovaniemi complies with the general data protection principles defined in the GDPR

• Lawfulness, fairness, and transparency – We process data lawfully, appropriately, and transparently for the data subject.
• Purpose limitation – We collect data only for specific, explicit purposes.
• Data minimization – We collect only the data necessary for our operations.
• Accuracy – We update data when needed and remove or correct inaccurate or incorrect information.
• Storage limitation – We retain data only for as long as necessary.
• Integrity and confidentiality – We process data securely and confidentially.
  

The City of Rovaniemi processes personal data when providing statutory services assigned to municipalities in Finland, as well as other tasks within the municipality’s scope of operations. Under Article 6 of the General Data Protection Regulation (GDPR), the most common legal grounds for processing in the city’s activities are statutory obligations, the exercise of public authority, or tasks carried out in the public interest. For example, schools process information about pupils and guardians based on the Basic Education Act.

In some cases, processing may also be based on a contract between the city and the data subject. This applies, for instance, to the relationship between the city and its employees, where processing is based on an employment contract between the parties.

Consent is used as a legal basis only rarely, for example in prize draws or competitions organized for marketing purposes.

What is Personal Data?

Personal data refers to any information that describes a natural person or their characteristics or living conditions and can be identified as relating to them, their family, or those living in the same household.

Examples of personal data include name, personal identification number, location data, photographs, email address, medical records, and a computer’s IP address. The purpose of data protection is to safeguard personal data.

Why and for What Purpose Do We Collect Your Personal Data? (Legal Basis for Processing)

Most of the services provided by the City of Rovaniemi are based on fulfilling statutory obligations, public interest, or the exercise of public authority. In these cases, we do not require separate consent to process your personal data.

However, some services require your consent for data collection, and in such cases, we will ask for your permission. You also have the right to withdraw your consent at any time.

You can read more about the purposes and lawfulness of personal data processing in the data protection statements prepared for the city’s registers.

How We Process Your Personal Data

When you use the City of Rovaniemi’s services, we process your personal data only to the extent necessary to handle your matter. Data is processed according to the purpose of the register and based on the services you use.

When processing your personal data, we comply with legislation and good data management practices.
Your data is protected within the city’s services and is not disclosed except as required by statutory obligations. Our staff are bound by confidentiality. Employees who process personal data receive regular training. The use of systems containing personal data and access rights are monitored. Personal data may only be processed by employees who have the right to do so based on their job duties. Data retention, archiving, disposal, and other processing are guided by records management plans and data security and privacy guidelines.

Protection of Personal Data

We protect your personal data using appropriate technical and organizational safeguards. These include proactive and reactive risk management, firewalls, encryption technologies, secure facilities, access control, and security systems.

We also ensure that stored data and other critical information related to personal data security are handled confidentially and only by employees whose job duties require it. Additional safeguards include security planning, controlled granting and monitoring of access rights, ensuring staff competence in data processing, and careful selection of subcontractors.

We continuously update our internal practices and guidelines.

Disclosure and Retention of Data

The City of Rovaniemi discloses personal data only to parties legally entitled to receive it for the performance of official duties or other tasks. We also comply with the Act on the Openness of Government Activities regarding data disclosure.

Personal data is retained according to the service’s information management plan, legislation, and official regulations. Permanently stored analog data is kept in the City of Rovaniemi’s archives. Data is also retained for a fixed period in the electronic systems where it was processed. The retention period for your data may vary between different registers.

Under the General Data Protection Regulation (GDPR), you have the right to:

• Access your personal data.
• Request correction or deletion of your data.
• Request restriction of processing or object to processing.
• Request the transfer of your personal data from one system/controller to another.
• Withdraw your consent if the processing of personal data is based on your consent.
• Lodge a complaint with the Office of the Data Protection Ombudsman if you believe that the processing of your personal data has violated applicable data protection legislation.

Please note that these rights depend on the legal basis for processing. Some rights, such as the right to request deletion of data, do not apply to information processed under statutory obligations. For example, schools must process data about pupils and guardians.
Our data protection statements provide more detailed information about which rights apply to each data resource.

As a data subject, you have the right to check what information about you has been stored in the various registers of the City of Rovaniemi.

Requests for access must be made in writing using the data request form and addressed to the City Registry Office, which will forward the request to the appropriate data controller.

Instructions for submitting a data request can be found on the following page:

Data Access Requests

This checklist is intended for service providers who process personal data on behalf of and for the City of Rovaniemi. Typical personal data includes customer information, health data, social welfare client data, personal identification numbers, bank account numbers, photographs that can identify an individual, and contact details such as email addresses. The checklist guides employees in complying with data protection requirements in their work.

Data protection refers to measures designed to safeguard an individual’s privacy when processing personal data. For the City of Rovaniemi, this means protecting the personal data of customers, staff, and partners. Data protection is part of compliance, information security, and risk management.

Data protection legislation applies whenever personal data is processed in the city’s operations. Responsibilities related to data security and data protection are defined in the city’s information security policy. Each service provider is responsible for implementing data security and data protection relevant to their tasks and for the proper use of information and systems.

Follow Legislation and Instructions for Processing Personal Data

 Confidentiality and Non-Disclosure

•  Each service provider (including trainees and students) is responsible for complying with confidentiality and non-disclosure regulations.
•  Handle customer data with respect for their privacy.

Diligence

•  Exercise special care when processing personal data. This applies to discussions, note-taking, reading, transporting, or displaying documents.

 Clean Desk Principle

•  Follow the clean desk principle. Handwritten notes are also considered personal data and should not be kept or used for long periods.
•  When handling, printing, scanning, or copying confidential documents, ensure sensitive material does not fall into the wrong hands. Avoid unnecessary copying or similar actions.
•  Destroy drafts and copies containing confidential information securely as soon as they are no longer needed.

 Risk-Based Approach

•  Assess risks related to personal data processing from the customer’s perspective. What risks could occur if their data is disclosed without justification?

 Purpose Limitation

•  Process only personal data necessary for the agreed purpose.
•  Respect the defined purpose of each register and process only relevant and necessary data. Do not record unnecessary personal data.

 Remember that electronic data processing always leaves traces. The city conducts checks to ensure compliance. Be aware that the data subject (customer) has the right to request their own data. GDPR-based access requests are handled through the City of Rovaniemi’s Registry Office.

Ensure Adequate Data Security

•  Ensure access rights management for your services so that only authorized parties have access to personal data.
•  Keep devices, networks, servers, and security software up to date.
•  Respond immediately to any data protection or security incidents.

 If you detect a data protection or security incident, contact the City of Rovaniemi’s Data Protection Officers, your service area’s data protection liaison, or the city’s IT services.

Ask If You Are Unsure

 Use the expertise of the city’s Data Protection Officers, service area liaisons, and IT department when needed. Do not hesitate to ask questions!