Data protection

Use of the website and data protection statement

By using the www.palkeet.fi website, the user accepts the terms of this data protection statement.

What data is collected about the user?

We collect the user’s personal data to the extent necessary for our purposes if the user themselves provides this data on the feedback form. Providing such data is not required.

The personal data provided is conveyed via the feedback form on the website to Palkeet’s email address; no personal data is saved on the website. Data provided by the user or data from which the individual can be identified is visible on the feedback form. Identified data can include the individual’s name, email address, phone number, possible content of the message and the time and date when the message was sent, for example.

The website also collects anonymous data for network analytics with the Snoobi Analytics service.

What is the data used for and how is it stored?

We process the data collected for developing the service and detecting and preventing possible misuse. The data collected with feedback forms is stored in Palkeet’s email box for the necessary time.

We retain identified data about the user only for as long as necessary in accordance with valid legislation.

The data collected with the Snoobi Analytics service is stored in the Snoobi Analytics tool. The data collected, saved and analysed by Snoobi Analytics does not contain data from which the individual can be identified. Furthermore, Snoobi manages this data in accordance with its privacy policy. Further information on the Snoobi Analytics website.

Processing and disclosure of data to third parties

Data processing is carried out by employees of Palkeet according to the legislation regulating the processing of personal data. Palkeet retains the right to partly outsource the processing of personal data to a third party, in which case we ensure with contractual arrangements that personal data is processed according to the legislation regulating the processing of personal data.

Palkeet does not transfer data outside the EU or EEA.

We do not sell, rent or disclose the user’s personal data to third parties. However, we may disclose the user’s personal data in the manner required by requests submitted by competent authorities or other parties, based on legislation in force at the time.

Use of cookies

The website sends a cookie to the Snoobi Analytics service to allow the number of users and visits to be identified. The data collected about the use of the website for statistical purposes includes the number of users, the country of use, the time of visit and the browser used.

Google’s reCAPTCHA cookies are used on our website to send forms.

Right to access data and blocking the use of cookies

The user has the right to check what personal data has been saved about them. The user can check their personal data by contacting Palkeet (kirjaamo@palkeet.fi). This right of access is subject to valid legislation.

The user may block the use of cookies by changing their browser settings according to the instructions of the browser’s manufacturer and clear any cookies from the browser’s cache. Clearing the cookies does not stop possible collection of data.

Why do we process your data?

At the beginning of a phone call, we will notify you if we will be recording the call. Phone calls are recorded to ensure smooth customer service and improve customer service through training. In educational use, all reasonable means are taken to anonymise the personal data.

What information do we store?

The personal details recorded and processed in the context of a call are the ones you report to us, which are required to fulfil the statutory rights and responsibilities of the controller. These details include data related to customer identification, salary payment and invoicing. In addition to the recorded call, the register stores the direction (incoming/outgoing or internal), time and duration of the call, the telephone numbers of the caller and the person who answers the call, and the name of the customer service representative.

We will not transfer your personal data

As a general rule, we do not disclose your data to any third parties. Data may only be disclosed in accordance with current legislation, or with the data controller’s consent. Information is not transferred outside the EU/EEA or to international organisations.

We erase all information related to a call in 31 days

The information in the register is stored for 31 days, after which it is automatically removed from the system.

We protect the processing of your personal data by the following means, for example

At least a basic security check is carried out by the Finnish Security and Intelligence Service on all the employ-ees who process personal data. The data in the register is protected against unauthorised viewing, alterations and erasure. The protection measures include user authorisation control, technical protection of databases and servers, physical protection of the facilities, access control, protection of telecommunications, and backup copies of the data. A right to access and process the data is granted if required by a work role. The access to the system is based on personal user identification. Administrative controls are used in order to ensure that the operations are carried out appropriately.

Opportunity to check your own data

You have the opportunity to check the information related to your call by submitting a request to the control-ler. You can listen to the recorded call under the supervision of the controller and on a device provided by it. A duplicate of the call recording can also be delivered to you in a written transcribed format.

Right to file a complaint with a supervisory authority

If you find that your personal data is being processed in violation of the data protection legislation, you have the right to file a complaint with a supervisory authority. Contact details for the Data Protection Ombudsman:

Office of the Data Protection Ombudsman
PO Box 800, 00531 Helsinki
E-mail: tietosuoja(at)om.fi
Telephone exchange: +358 29 566 6700

Contact details for the register controller

Finnish Government Shared Services Centre for Finance and HR (Palkeet)
PO Box 49, FI-80101 Joensuu, +358 29 556 2000

Representative of the register controller Juha Pennanen, e-mail: juha.pennanen@palkeet.fi
Data Protection Coordinator, e-mail: tietosuojavastaava@palkeet.fi

Name of the register

Subscriber register of Palkeet’s customer bulletins and stakeholder newsletters

Controller

The Finnish Government Shared Services Centre for Finance and HR (Palkeet), Kauppakatu 40, FI-80100 Joensuu
Telephone exchange: +358 2955 62000
Representative of the register controller: Anna Kelho, anna.kelho@palkeet.fi
Data Protection Coordinator: tietosuojavastaava@palkeet.fi

Purpose of data processing

Managing the personal data intended for sending Palkeet’s customer bulletins and stakeholder newsletter. Processing personal data related to sending customer bulletins is necessary for implementing a statutory customer relationship in which the data subject’s employer is a party. The processing is based on the General Data Protection Regulation (EU 2016/679) Article 6(c), according to which processing is necessary to observe the controller’s statutory obligation (Act on the Finnish Government Shared Services Centre for Finance and HR, 8 February 2019/179, Sections 1 and 2).

The customer’s personal data can be processed for the following purposes:

• service implementation
• invitations to client events
• management and development of client relationships
• development of customer service and business operations.

The basis for the processing of personal data in the context of the stakeholder newsletter is the consent provided by the data subjects upon subscribing to the newsletter (EU 2016/679, Article 6 (a)).

Data subjects can withdraw the consent by cancelling the newsletter subscription. This ends the processing of personal data and results in the removal of the data subject’s personal data, as described in “Deadlines planned for the deletion of data groups.”

Description of the groups of data subjects and personal data

In relation to customer communications, the register may contain the following information:

• contact details, such as name, address, telephone number and e-mail address
• title or role.

Mailing list for those who have subscribed to the stakeholder newsletter through the Palkeet website (www.palkeet.fi). First and last name, e-mail address, customer agency (if customer), subscriber role (financial administration and/or HR administration).

Groups of recipients of personal data to whom personal data has been or will be disclosed

A separate agreement has been prepared on Palkeet’s role as a controller and Koodiviidakko Oy’s role as a processor of personal data. Koodiviidakko Oy processes personal data on behalf and for the benefit of Palkeet in producing the customer and stakeholder newsletter service.

Data may only be disclosed in accordance with and as permitted by the current legislation. Neither Palkeet nor Koodiviidakko may not disclose information in the newsletter subscriber register to other parties for marketing or other purposes. As the controller, Palkeet is responsible for the personal data processing in accordance with the applicable laws and regulations.

Transferring personal data to third countries or international organisations

Information is not transferred outside the EU/EEA or to international organisations.

Deadlines planned for the deletion of data groups

The processing of personal data contained in the subscriber register of the customer and stakeholder newsletter begins upon subscription and, for the purposes of managing the customer and stakeholder newsletter, ends immediately once a subscriber cancels the subscription. The personal data of newsletter subscribers are removed from the system at six-month intervals.

Description of the technical and organisational protective measures

The material is only processed in digital format. Only the employees who are authorised to process the information for their work tasks are permitted to access the system containing customer and stakeholder information. The data in the register is protected against unauthorised viewing, alterations and erasure. The protection measures include user authorisation control, technical protection of databases and servers, physical protection of the facilities, access control, protection of telecommunications, and backup copies of the data. A right to access and process the data is granted if required by a work role. The access to the system is based on personal user identification. The physical location of the data centres and data is in Finland. Administrative controls are used in order to ensure that the operations are carried out appropriately.

Data sources when the data is not received from the data subject

For the purpose of customer communications, the contact details provided by the customer, the work role, and the services and systems accessible by the customer as per the service agreement are merged. The data subject is the sole data source for the stakeholder newsletter.

Your rights as a data subject

When processing of personal data related to the stakeholder newsletter, you have the right to:

• receive information on how your personal data is processed
• access your data
• have the data rectified
• have the data erased
• restrict the processing of the data
• receive information about notifications regarding a rectification or restricted processing
• you also have a right to file a complaint to a monitoring authority if you believe that the processing of your personal data breaches data protection legislation.
  Office of the Data Protection Ombudsman.
  Visiting address: Lintulahdenkuja 4, 00530 Helsinki
  Postal address: PO Box 800, 00531 Helsinki
  E-mail: tietosuoja(at)om.fi
  Telephone exchange: +358 29 566 6700
  General advice for private individuals: +358 29 566 6777

In relation to informing customers, you have the aforementioned rights, with the exceptions of the following:

• the right to erasure (‘the right to be forgotten’)
• * the right to data portability.

When the processing is based on observing the controller’s statutory obligation under the General Data Protection Regulation’s Articles 17 and 20, the two aforementioned rights are not applied.

Controller

The government agency for which you are preparing a fee or travel claim serves as the joint controller for the service with the Finnish Government Shared Services Centre for Finance and HR. The division of our responsibilities is based on the Act on the Finnish Government Shared Services Centre for Finance and HR, according to which:

• The Finnish Government Shared Services Centre for Finance and HR (Palkeet) is responsible for the technical aspects and related elements, such as useability, data integrity, data protection and data storage, of information systems required to carry out duties and provide services.
• The government agency to which you are submitting a fee or travel claim is responsible for the other data controller duties, such as passing on information to you and serving as your point of contact whenever you opt to exercise your rights as a data subject, for example to rectify or request to see your personal data that we process.

The contact information for the government agency, the data protection coordinator and the controller are provided on the website of the agency to which you are submitting the fee or travel claim.

The contact information for the Finnish Government Shared Services Centre for Finance and HR is available at www.palkeet.fi.

Purpose of processing personal data

Personal data is processed in the context of the statutory financial and HR administration services that the Finnish Government Shared Services Centre for Finance and HR (hereinafter ‘Palkeet’) provides to other government agencies and institutions in relation to the fees, travel costs, daily allowances and travel compensation of persons outside the central government. Palkeet serves as a joint controller with its customer agencies. The government agency to which you are submitting a fee or travel claim serves as the other joint controller for the service.

Legal basis of processing personal data

In the services provided by Palkeet, the lawfulness of the processing of personal data is based on the controller’s statutory obligation in accordance with Article 6(1)(c) of the General Data Protection Regulation (Act on the Finnish Government Shared Services Centre for Finance and HR, 8 February 2019/179, Section 1(2), according to which Palkeet is tasked with providing financial and HR administration). The government agency to which

you are submitting the fee or travel claim will also process your personal data based on compliance with a statutory requirement (e.g. Act on Collective Agreements for Public Officials in Central Government 6 November 1970/664, Section 2; Collective Agreements Act 7 June 1946/436; State Budget Act 13 May 1988/423, Section 14; State Budget Decree 11 December 1992/1243, Section 44).

The personal data processed is not subject to automated decision-making or profiling.

Personal data processed

This service processes your personal data related to fees or travel invoices. The personal data to be processed include the following:

first names and last name, personal identity code, home address, postal code, town or city, country, telephone number, e-mail address, bank account, taxation information, and information related to the fee, cost item and travel.

The data used in the service comprise information from the Suomi.fi service, which is used for authentication, and the details you enter into the service.

Transfer or disclosure of personal data

As a general rule, personal data is not disclosed to third parties. Payment-related information is transferred to the payer’s and recipient’s banks. The income register is notified of every fee and instance of compensation paid to a person after each payment. In addition to this, information is disclosed to Visma Enteriprise Oy for the provision of services related to the maintenance and support of the M2 Blue travel and cost management system. The personal data processed is not transferred outside the EU or EEA.

Technical and organisational security measures in the processing of personal data

In the service, personal data is only processed in an environment corresponding to the security level of Palkeet’s customer agencies, and at least a basic security check has been carried out by the Finnish Security and Intelligence Service regarding all persons who participate in the processing of the data. The data is protected against unauthorised viewing, alterations and erasure. The protection measures include user authorisation control, technical protection of databases and servers, physical protection of the facilities, access control, protection of telecommunications, and backup copies of the data. A right to access and process the data is granted if required by a work role, and the access to the systems is based on personal user IDs. The physical location of the data centres and data is within the EU or EEA. Furthermore, administrative controls are used in order to ensure that the operations are carried out appropriately.

Retention of personal data

The storage periods of the personal data in the user register are based on legislation where the storage times for accounting materials are defined. Primarily, the storage period is six or ten years. Details stored in the form template for reuse are erased in six months.

Rights of the data subjects

According to the General Data Protection Regulation, the rights of the data subjects vary based on the grounds for the processing of personal data. As the legal basis for the processing of personal data in the service is statutory, the rights of the data subjects are described according to the legal basis in question in this privacy policy.

Right to be informed of the processing of personal data

According to Article 12 of the General Data Protection Regulation, the processing of personal data must be transparent, and the data subjects have the right to receive information about the processing of their personal data. This policy describes the processing of personal data in the service.

Right to access data (Data subject’s right to check what data is saved about them)

According to Article 15 of the General Data Protection Regulation, data subjects have the right to access their own personal data. Data subjects are entitled to receive from the controller, within a reasonable time, confirmation of whether their personal data is processed, and, if the data is processed, to access their personal data.

If a data subject is unable to personally check the personal data processed about them, they can submit an inspection request to the agency for which it is preparing a cost or travel claim. The contact information can be found on the agency’s website. If less than one year has passed since the data subject last exercised their right of inspection, the controller may charge a fee based on the administrative costs of disclosing this information, in accordance with Article 12(5).

Right to rectification

Data subjects have the right to request that the controller rectify any inaccurate personal data kept about the data subjects without undue delay in accordance with Article 16 of the General Data Protection Regulation. Address the rectification request to the agency to which you are submitting a cost or travel claim.

Right to restrict processing

According to Article 18 of the General Data Protection Regulation, a data subject has a right to have the data controller restrict the processing, if:

• the data subject denies the accuracy of their personal data, in which case its processing will be restricted until the data controller has verified the accuracy of the data.
• the processing violates legislation, and the data subject objects to the erasure of their personal data and instead demands that the use of the data be restricted.
• Palkeet, as the controller, no longer requires said personal data for processing purposes, but the data subject needs the data to establish, file or defend a legal claim.

If a data subject denies the accuracy of their personal data, the processing of said data is restricted until the data controller is able to verify its accuracy. The data subject must submit a request, accompanied by the grounds based on which the request is made, to the controller’s representative, after which Palkeet will restrict the processing of the personal data in question within the information system. The processing is restricted by limiting access to the data, in order to prevent its use.

Notification obligation regarding rectification or erasure of personal data or restriction of processing

According to Article 19 of the General Data Protection Regulation, the controller is obligated to communicate any rectification or erasure of personal data and restriction of processing carried out in accordance with Articles 16 and 18 to each recipient to whom personal data has been disclosed, unless this proves to be impossible or involves disproportionate effort. The data controller must notify a data subject of these recipients, if the data subject requests this information. If a data subject requests information about the recipients, they must submit this request to the controller’s representative (the agency to which you are submitting the fee or travel claim).

Right to not be subject to automated decision-making

According to Article 22 of the General Data Protection Regulation, data subjects have the right to not be subject to automated decision-making. In the service in question, this right of the data subjects is implemented as a general rule, as no automated decision-making or profiling is applied to the personal data processed.

Right to file a complaint with a supervisory authority

Data subjects always have the right to submit the lawfulness of the processing of their personal data to the Data Protection Ombudsman for evaluation.

Office of the Data Protection Ombudsman
Visiting address: Ratapihantie 9, 6th floor, 00520 Helsinki
Postal address: PO Box 800, 00521 Helsinki
Switchboard: +358 (0)2956 66700
Fax: +358 (0)2956 66735
E-mail: tietosuoja(at)om.fi