Skip to Content
  • Valitse kieli Suomi
  • Välj språket Svenska
  • Select language English
Valtori
Search page
  • Frontpage
  • Information on Valtori
  • Services
  • Competitive bidding processes
  • Working at Valtori
  • Contact information

Privacy statements

  • Valtori
  • en
  • Information on Valtori
  • Privacy statements

Created: 6 October 2021

1 Controller

Government ICT Centre Valtori
Vapaudenkatu 58, 40100 Jyväskylä
Telephone +358 295 50 4000 (switchboard)
Email [email protected]

Data Protection Officer
Aapo Immonen
Email [email protected]
Telephone + 358 295 50 4000 (switchboard)

2 Purpose of processing personal data

Personal data is processed in the leasing process in order to manage lease agreements and deliver new devices to users. The data is used to determine the location and users of devices during the lifecycle of the devices. The legal basis for the processing is the legitimate interest of the controller. 

3 Data content of the register

Device register: first name, last name, agency address and, in some cases, device location by room or space

End users’ contact information: email address, and if the user wants their device delivered at home, work phone number and home address

Additionally, the leasing process involves customer service requests in the TOP portal, also containing personal data. Further information on the processing of personal data related to the TOP portal is available in the TOP privacy statement.  

4 Regular disclosure of data and recipients of personal data

Device register: The data processor is 3 Step IT. When the lease agreement of a device is about to expire, the basic information of the device (serial number, user name, address) are provided to the contact person of the customer organisation and the device user. A device register extract may be sent to contact persons if they so request.

End user contact information: The data processor is Webropol if the data has been collected using a Webropol survey. The name of the user and the delivery address of the device as well as the user’s work telephone number are disclosed to the device suppliers and their logistics centres that process the data as the controller. 

In TOP service requests, data processors include the capacity service provider, application supplier and operational service provider.

5 Transfer of personal data to a third country or an international organisation 

The personal data is not transferred outside the EU/EEA. 

6 Retention periods for data groups

Device register: Personal data will be stored as long as the agreement is valid with the device supplier. For owned devices, the data is deleted when the lifecycle of a device ends.
End user contact information: Valtori stores data in accordance with TOP retention practices; more detailed information is available in the TOP privacy statement. 

7 Technical and organisational security measures

Physical materials:
If physical data materials are received in the register or if data is printed, it is stored in a locked facility. Unnecessary physical materials will be disposed of in a secure manner in accordance with the decisions and regulations issued on data retention and in accordance with document management guidelines.

Digitally processed materials:
Data is collected in systems and databases protected by firewalls, passwords and other technical means. Only authorised persons have access to the data, and access management is carried out in accordance with applicable practices. Databases and their backups are located in locked and guarded facilities and can only be accessed by certain designated persons. Some of the personal data in the register is confidential.

8 Data sources when data has not been obtained from the data subject

Device register: The data is obtained from the state AD directory. Some of the data is updated manually by Valtori and some is transferred automatically. The customer agency can also provide information.

The end user’s contact information is obtained directly from the end user, excluding the email address retrieved from the AD directory or the contact person of the agency. 

9 Rights of the data subject

9.1 Right of access for data subjects under Article 15

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data. The data subject also has the right to lodge a complaint with a supervisory authority.

The data subject may submit a data access request to the controller’s representative (contact details in section 1). If less than one year has elapsed since the right of access was invoked by the data subject, the controller may charge an administrative fee for providing the data (Article 12 [5]). 

The data in the register is not used for profiling, and no automatic decision-making is targeted at the data.

9.2 Right to rectification under Article 16

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning them. The request is addressed to the controller’s representative (contact details in section 1). 

9.3 Right to erasure under Article 17

The data subject has the right to obtain from the controller the erasure of personal data processed in the legitimate interest of the controller. The request is addressed to the controller’s representative (contact details in section 1).

9.4 Right to restriction of processing under Article 18

The data subject has the right to obtain from the controller restriction of processing where:

  • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead
  • the controller no longer needs the personal data for the purposes of processing, but it is required by the data subject for the establishment, exercise or defence of legal claims

If the accuracy of the personal data is contested by the data subject, the processing of the data is restricted for a period so that the controller can verify its accuracy. The data subject addresses the request and justifications to the controller’s representative (contact details in section 1). 

9.5 Notification obligation regarding rectification or erasure of personal data or restriction of processing under Article 19

The controller must communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16 and Article 18 to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort. The controller must inform the data subject about those recipients if the data subject requests it. If the data subject wishes to receive information about the recipients of data, they must submit a request to the controller’s representative (contact details in section 1). 

9.6 Right to object to the processing of personal data under Article 21

The data subject has the right to object to the processing of personal data processed in the legitimate interest of the controller. In that case, the controller reassesses whether the processing can be stopped or whether there is a compelling reason to continue processing the data, overriding the rights of the data subject. If the data subject wishes to object to the processing of personal data, the request is submitted to the controller’s representative (contact details in section 1).

  • Organisation and steering
  • Strategy and values
  • Sustainability
  • Figures and history
  • Current news
Image Valtori logo

Safe and smooth ICT services – working for Finland

Information on the valtori.fi website
Privacy statements
Accessibility statement
Description of document publicity

© Valtori

  • Frontpage
  • Information on Valtori
  • Services
  • Competitive bidding processes
  • Working at Valtori
  • Contact information
  • Contact information for customers
  • Give feedback
  • Whistleblowing report channel
  • Subscribe to publications
  • Frontpage
  • Information on Valtori
    • Organisation and steering
    • Strategy and values
    • Sustainability
      • Valtori sustainability report 2023
        • 2023 in brief
        • Valtori’s ICT services for central government
        • We take sustainability into account in procurements
        • We take care of the life cycle of ICT equipment
        • We improve cost-efficiency through automation
        • We streamline interactions using digital channels
        • We ensure continuity of operations
        • Ecological sustainability
        • Financial sustainability
        • Social sustainability
        • A look at 2024
        • Description of the preparation of the report
    • Figures and history
    • Current news
      • Archived
  • Services
    • Service strategy
    • For service users
  • Competitive bidding processes
  • Working at Valtori
  • Contact information
    • Management
    • For customers
    • For the media
    • Subscribe to publications
Back to top