Created: 6 October 2021
1 Controller
Government ICT Centre Valtori
Vapaudenkatu 58, 40100 Jyväskylä
Telephone +358 295 50 4000 (switchboard)
Email [email protected]
Data Protection Officer
Aapo Immonen
Email [email protected]
Telephone + 358 295 50 4000 (switchboard)
2 Purpose of processing personal data
Personal data is processed in the leasing process in order to manage lease agreements and deliver new devices to users. The data is used to determine the location and users of devices during the lifecycle of the devices. The legal basis for the processing is the legitimate interest of the controller.
3 Data content of the register
Device register: first name, last name, agency address and, in some cases, device location by room or space
End users’ contact information: email address, and if the user wants their device delivered at home, work phone number and home address
Additionally, the leasing process involves customer service requests in the TOP portal, also containing personal data. Further information on the processing of personal data related to the TOP portal is available in the TOP privacy statement.
4 Regular disclosure of data and recipients of personal data
Device register: The data processor is 3 Step IT. When the lease agreement of a device is about to expire, the basic information of the device (serial number, user name, address) are provided to the contact person of the customer organisation and the device user. A device register extract may be sent to contact persons if they so request.
End user contact information: The data processor is Webropol if the data has been collected using a Webropol survey. The name of the user and the delivery address of the device as well as the user’s work telephone number are disclosed to the device suppliers and their logistics centres that process the data as the controller.
In TOP service requests, data processors include the capacity service provider, application supplier and operational service provider.
5 Transfer of personal data to a third country or an international organisation
The personal data is not transferred outside the EU/EEA.
6 Retention periods for data groups
Device register: Personal data will be stored as long as the agreement is valid with the device supplier. For owned devices, the data is deleted when the lifecycle of a device ends.
End user contact information: Valtori stores data in accordance with TOP retention practices; more detailed information is available in the TOP privacy statement.
7 Technical and organisational security measures
Physical materials:
If physical data materials are received in the register or if data is printed, it is stored in a locked facility. Unnecessary physical materials will be disposed of in a secure manner in accordance with the decisions and regulations issued on data retention and in accordance with document management guidelines.
Digitally processed materials:
Data is collected in systems and databases protected by firewalls, passwords and other technical means. Only authorised persons have access to the data, and access management is carried out in accordance with applicable practices. Databases and their backups are located in locked and guarded facilities and can only be accessed by certain designated persons. Some of the personal data in the register is confidential.
8 Data sources when data has not been obtained from the data subject
Device register: The data is obtained from the state AD directory. Some of the data is updated manually by Valtori and some is transferred automatically. The customer agency can also provide information.
The end user’s contact information is obtained directly from the end user, excluding the email address retrieved from the AD directory or the contact person of the agency.
9 Rights of the data subject
9.1 Right of access for data subjects under Article 15
The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data. The data subject also has the right to lodge a complaint with a supervisory authority.
The data subject may submit a data access request to the controller’s representative (contact details in section 1). If less than one year has elapsed since the right of access was invoked by the data subject, the controller may charge an administrative fee for providing the data (Article 12 [5]).
The data in the register is not used for profiling, and no automatic decision-making is targeted at the data.
9.2 Right to rectification under Article 16
The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning them. The request is addressed to the controller’s representative (contact details in section 1).
9.3 Right to erasure under Article 17
The data subject has the right to obtain from the controller the erasure of personal data processed in the legitimate interest of the controller. The request is addressed to the controller’s representative (contact details in section 1).
9.4 Right to restriction of processing under Article 18
The data subject has the right to obtain from the controller restriction of processing where:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead
- the controller no longer needs the personal data for the purposes of processing, but it is required by the data subject for the establishment, exercise or defence of legal claims
If the accuracy of the personal data is contested by the data subject, the processing of the data is restricted for a period so that the controller can verify its accuracy. The data subject addresses the request and justifications to the controller’s representative (contact details in section 1).
9.5 Notification obligation regarding rectification or erasure of personal data or restriction of processing under Article 19
The controller must communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16 and Article 18 to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort. The controller must inform the data subject about those recipients if the data subject requests it. If the data subject wishes to receive information about the recipients of data, they must submit a request to the controller’s representative (contact details in section 1).
9.6 Right to object to the processing of personal data under Article 21
The data subject has the right to object to the processing of personal data processed in the legitimate interest of the controller. In that case, the controller reassesses whether the processing can be stopped or whether there is a compelling reason to continue processing the data, overriding the rights of the data subject. If the data subject wishes to object to the processing of personal data, the request is submitted to the controller’s representative (contact details in section 1).