Data protection statement for Verke’s register of stakeholders and communications

Henkilö pitää puheinta kädessä järvimaisemassa.

1. Data controller

Data controller:

Verke / City of Helsinki (Business ID 0201256-6)

Contact person for matters related to the register:

Minna Ilva, Local Youth Work Manager, minna@verke.org

Verke

Address: The Culture and Leisure Division, PO Box 514, FI-00099 City of Helsinki

Visiting address: Fredriksberg, Konepajankuja 3 (B-building), 00510 Helsinki

Telephone: +358 41 5121703

E-mail: info@verke.org

Data Protection Officer:

City of Helsinki, Culture and Leisure Division

Marko Luukkanen, lawyer, tel. 310 89130

 

2. Name of the register

Verke’s register of stakeholders and communications

 

3. Purpose of processing personal data

In 2020–2023, Verke will act as a centre of expertise for digital youth work, as appointed by the Ministry of Education and Culture. The centres of expertise are directed by the Youth Act (1285/2016), as well as the National Youth Work and Youth Policy Programme 2020–2023. Verke is operating under the administration of the youth services entity of the City of Helsinki Culture and Leisure Division.

Verke will process personal data for purposes defined as related to the objectives and operations of the centres of expertise for digital youth work. These purposes are related to training and organising events, producing material, communications, maintaining relationships and offering other services of the centre of expertise.

The processing of personal data is based on the valid legislation on data protection and Articles 6 and 9 of the General Data Protection Regulation of the European Union (GDPR).

The data in Verke’s stakeholder and communications register allow Verke’s free services to be offered to operators in the field, as well as communications with Verke’s stakeholders, partners and other parties interested in its operations. The various communications channels are used to provide information about Verke’s operations, events and service selection, announce changes to the above, and deal with current topics in digital youth work. The log entries compiled automatically from the data system may be used to ensure data security and prevent anomalies. The register may also be used for research and development purposes, e.g. through surveys and interviews directed at the stakeholders.

 

4. The register’s data content

The register may include the following types of personal data:

  • first name and last name
  • contact details (postal address, phone number, e-mail address)
  • organisation
  • title
  • newsletter and other mailing list subscriptions, event registration and participation, publication order data
  • marketing permissions and refusals
  • log entries
  • other data voluntarily entered by the person into Verke’s data system, such as special diets / allergies, the person’s profile picture, potential matters to be noted in event organisation, and matters related to competence or background.

 

5. The register’s regular information sources

The data in the register is primarily collected from the data subjects themselves (e.g. in connection with a newsletter subscription, publication order or event registration).

Data may also be collected, saved and updated from public sources, such as the websites of organisations, the data subjects themselves, or in connection with occasions, events or training sessions held by Verke.

 

6. Storage of personal data

The data in the register will only be stored for as long as needed and to the extent necessary in relation to the original or compatible purposes for which the data was collected.

The data listed below will also be stored for the following periods:

  • The basic data of the data subjects included in the register will be stored for as long as it is necessary for maintaining and developing the partner or stakeholder relationship. The need for storing the data will be assessed once a year, at the minimum.
  • The personal data of a newsletter subscriber will be stored until they stop subscribing to the newsletter. The subscriber may cancel the newsletter subscription via a link included in the messages, in which case the data will be removed from the subscriber register. However, the information about the cancellation may remain in the register, but only for up to a year.
  • The personal data of those who have completed the publication order form will be stored until the order has been delivered and received. The personal data will be archived, and they may be used at a later date to send out a separate stakeholder survey. The personal data entered in the order form will be stored for the term of the centre of expertise, i.e. for no more than four years.
  • For a partner and/or stakeholder event or similar occasion held by Verke, the personal data of the attendees related to organising the event will be stored for the duration of the event in question, and, in any case, until any payments or other operations related to the event have been completed. The personal data related to events will be archived and stored for the term of the centre of expertise, i.e. for no more than four years.

Verke will assess the necessity of storing the data regularly in accordance with its internal policies. In addition to this, Verke will also take all reasonable steps to ensure that personal data that is inaccurate, incorrect or outdated for the purposes of the processing is removed or rectified without delay.

 

7. Disclosure and transfer of personal data

Personal data will be primarily processed within the European Union or the European Economic Area. The data entered by newsletter subscribers will be stored on the servers of the MailChimp service located in the United States.

Based on a cooperation agreement between the parties, Verke may use subcontractors in the technical or operative implementation of the processing activities (such as ordering print publications, loaning technical equipment).

Personal data may be disclosed to partners for the purposes of organising or implementing an event or communications after the event. The parties will be specified for each event in connection with the invitation and/or registration.

In other cases, Verke will not disclose personal data to third parties without permission from the data subject.

 

8. Security principles of the register

The register will only be used by persons whose job description expressly involves using the register. Databases and back-up copies thereof are located in locked facilities and protected with firewalls, passwords and other technical means. Verke’s employees are committed to adhering to confidentiality and not disclosing any data received in connection with the processing.

 

9. Rights of data subjects

The data subjects have the following rights in accordance with the GDPR:

(a) the right to receive the data controller’s confirmation that the data subject’s personal data is being or not being processed, and, if the data is being processed, the right to gain access to the personal data, as well as the following information:

  • purposes of the processing
  • categories of personal data in question
  • recipients or groups of recipients to whom personal data has been or will be disclosed
  • when possible, the intended storage time of the personal data, or, if this is not possible, the criteria for defining this time
  • the data subject’s right to request that the data controller rectify, remove or restrict the use of the data subject’s personal data or to object to such processing
  • the right to lodge a complaint with a supervisory authority
  • if personal data is not collected from the data subject, all available information about the data source
  • existence of automated decision-making, such as profiling, as well as significant information about the logic of such processing, as well as the significance and potential consequences of such processing for the data subject;

(b) the right to withdraw their consent at any time, without this affecting the legality of the processing carried out based on the consent prior to the withdrawal;

(c) the right to demand that the data controller rectify inaccurate or incorrect personal data of the data subject without undue delay, and the right to have incomplete personal data completed;

(d) the right to have the data controller remove personal data of the data subject without undue delay in situations defined in the GDPR;

(e) the right to have the data controller restrict the processing in situations defined in the GDPR;

(f) the right to receive the personal data of the data subject, which the data subject has submitted to Verke, in a structured, commonly used and machine-readable format, and the right to transfer the data in question to another data controller without obstructions from the data controller to which the data has been transferred, if the processing is based on consent as defined in the GDPR and the processing is done automatically;

(g) the right to lodge a complaint with a supervisory authority if the data subject believes that the GDPR has been violated in the processing of their personal data.

Written requests regarding the inspection, rectification or removal of personal data should be sent by e-mail to info@verke.org. The request for inspection may also be presented in person at the data controller’s office at the address specified above.

It is recommended that a data subject of Verke’s stakeholder and communications register use the same e-mail address that they assume is stored in the register. In addition to this, Verke may also request additional information or confirmation to verify the person’s identity.

 

10. Amending the data protection statement

Verke reserves the right to amend the data protection statement by announcing this on its website. The changes may be based on changes in legislation, for example. We recommend that you review the content of the data protection statement regularly.

 

This statement was last updated on 24 February 2023.