Drafted 28 Jan 2019, latest updated on 3 March 2022

1. Register controller

Name: State Treasury
Address: Sörnäisten rantatie 13, PO Box 14, FI-00054 State Treasury
Other contact details: tel. +358 (0)295 50 2000, registry(at)statetreasury.fi

2. Contact person in matters related to the register

Name: Mr. Sami Moksunen, Administrative Affairs and Development division, Communications Unit
Address: Sörnäisten rantatie 13, PO Box 14, FI-00054 State Treasury
Other contact details: +358 (0)295 50 3206, sami.moksunen(at)statetreasury.fi

3. Data protection officer

Heikki Kangas, tel. +358 (0) 295 50 2156, dpo(at)statetreasury.fi

4. Legal basis and purpose for processing of personal data

  1. Responding to customer feedback (feedback form): The contact details provided by the customer are used only for responding to feedback. The giving of contact details is voluntary. The customer gives their consent by writing their contact details on the feedback form.
  2. Delivering subscriptions for published materials (the State Treasury’s various publications, press releases and newsletters, and order forms): The contact details provided by the customer are used only for delivering the subscription. The State Treasury maintains a separate customer register in eMailer for the purpose of distributing publications (not linked to the website). The customer gives their consent by writing their contact details on the subscription form.
  3. Notifying Contact Changes to the State Treasury: The State Treasury produces services for public administration (payment services, online payment, financial services, municipal services and analysis services), in connection with which we maintain lists of contacts of public administration organisations. Organizations notify their own contacts to the State Treasury by email. Contact information is used only for the delivery of targeted bulletins and other customer messages related to the services in question. The messages relate to the official work of those persons. The State Treasury maintains customer registers for its services in eMailer (not in connection with home pages). Persons give their consent by submitting their contact information to the State Treasury.
  4. Lists of specialist groups that are part of webpage content (work community arbitrators in agencies): To support cooperation, lists of agency experts are published on the website (the controller for this register is the Information and Working Life Management Services unit of the Government Finance Administration, Information and Working Life Management Division). The lists are connected to the official work of the specialists in question. Officials have the right, nevertheless, to refuse to have their name published in the lists mentioned above.
  5. Visitor monitoring: To support website development, we use cookies to collect statistical data about the use of the website. However, the user cannot be identified based on the data collected. We use Siteimprove Analytics visitor monitoring.
  6. Call recordings: Calls made to and by the customer service of the State Treasury’s Services for Citizens division are recorded. You will be informed that the call is being recorded at the beginning of the call.The Services for Citizens division processes personal information in order to carry out statutory duties. The recordings help us verify calls and improve the quality of our service.
    Some of the incoming and outgoing calls at the State Treasury’s Finance division are recorded. The State Treasury follows general financial sector practices in the recording of telephone calls and listening to recordings. Recordings allow telephone conversations to be verified and the terms and conditions of transactions and contracts to be ascertained after the fact in the event that any disputes arise between the parties.The recording of telephone calls is based on Article 6(1)(b;c;e) of the EU’s General Data Protection Regulation. The recording is necessary in order to be able to fulfill agreements or carry out statutory duties and tasks related to the public interest.
  7. Siteimprove feedback function: The State Treasury uses the Siteimprove feedback function on its website to collect information about user experiences on the site. Cookies are used in the service. Cookies do not allow users to be identified.
  8. Chatbot Service: The Statetreasury.fi website has a chatbot service to help users find information on the site. The service records conversations between the client and the chatbot in the database, but anonymizes the content entered by the customer before saving it. The client’s IP address is not saved. The operator of the Chatbot service follows procedures and processes for protecting personal data in accordance with the requirements of data protection law. The service is offered only in Finnish.
  9. User IP Address: Technical log data is collected from the use of the site and related APIs, which are used to verify the operation of the site and to determine possible interference situations.

5. Information content of the register

  1. Feedback: data provided by feedback giver (not compulsory), generally email address and name, possibly telephone number. The State Treasury responds to the feedback using the data.
  2. Subscriptions / subscription cancellations for published materials (* = required information):
    A. Newsletters and other online publications: first name*, last name*, email address*, organisation, the publications subscribed*.
    B. Publications about government debt management: first name*, last name*, email address*, organisation, street address, postal code and city, country, and the publications subscribed*.
  3. Contact changes: first name, last name, email, organization
  4. Lists of specialist groups that are part of webpage content:
    A. Work community arbitrators: name, organisation, operating area.
  5. Visitor monitoring (Siteimprove Analytics): User IP address without the identifying final section (= anonymised IP), in which case Siteimprove Analytics only uses part of the IP address collected instead of the entire address. The user is able to select the ‘do not track’ setting on their browser, in which case Siteimprove Analytics does not even collect the above data. Using the IP address, data is collected for the purpose of visitor monitoring on the actions carried out by the user on the website. This data includes e.g. navigation within the site, clicking on links, length of visit and information about where the visitor connected to the service from and where they transferred to afterwards. Further information about the anonymisation of an IP address is available at https://help.siteimprove.com/support/solutions/articles/80000863889
  6. Call recordings:  Calls made to and from numbers to be recorded are recorded in their entirety. In addition, the following identifying information is stored:
    • the start and end times of the call
    • the number of the caller
    • the number called
    • name and telephone number of the officer
  7. Siteimprove feedback function: Siteimprove stores a random-generated string in the browser to identify transactions from the same browser. The following information can be combined with the cookie: the time of day, the pages visited, what reactions the customer has given on each page and what feedback the client has given on each page. Cookies do not allow users to be identified.
  8. Chatbot Service: The service records conversations between the client and the chatbot in the database, but anonymizes the content entered by the customer before saving it. The client’s IP address is not saved.
  9. User IP Address: In technical log data, the user’s IP address is stored.

6. Ordinary information sources

Steps 1, 2, 3 and 6: The data is collected from the customer themselves.
Step 4: The data is collected in cooperation with the relevant agencies and individuals and published with their consent as part of the official duties of the persons involved.
Steps 5, 7 and 8: The data is collected using cookies.
Step 9: Technical logs are stored on the system log server where they are available for the purpose of determining interference cases.

7. Regular disclosures of data

Steps 1, 2, 3 and 6: The data is not disclosed to others.
Step 4: The data is published as part of public webpage content.
Step 5 and 7–9: The data is not regularly disclosed to others.

8. Regular disclosures of personal data or transfer of data to outside the EU or the EEA

The data is not disclosed to others.

9. Principles of register protection

Steps 1–5 and 7: The register does not contain confidential material.
Only individuals authorised by the controller have access to the data processed within the information system. Access rights are kept up-to-date by regular inspection, and unnecessary access rights are removed. The information network and terminals containing the register are protected using technical measures.

Step 6 (Call recordings): The register contains confidential materials.
Only individuals authorised by the controller, who are under obligation of secrecy, have access to the data processed within the information system. Access rights are kept up-to-date by regular inspection, and unnecessary access rights are removed. The information network and terminals containing the register are protected using technical measures.

10. Data storage period / criteria for determining storage period

Step 1 (feedback): The data is stored only for the period required for processing the customer’s affairs. It is not saved into the register.

Step 2 (subscriptions): The data is saved into the State Treasury’s customer register for publication subscriptions in Emaileri and it is stored there for the duration of service’s life cycle or until the customer cancels their subscription. A link for cancellation of subscription is included in every email message sent.

Step 3 (Contact Changes): Data is stored in the State Treasury Customer Registry in Emailer and stored for the life of the services to be produced (payment services, online payment, financial services, municipal services and analysis services) or until the customer declares that this issue is not are no longer associated with his official work.

Step 4 (lists of specialists): The data is stored for as long as the matter in question is relevant and of use to State Treasury customers.

Step 5 (visitor monitoring): The data collected using cookies is stored in the Siteimprove Analytics, where data is stored for 1000 days. When the cookie storage period ends, expired data is automatically removed.

Step 6 (call recordings): Call recordings are stored for no longer than 2 months, after which period they are removed automatically. In quality improvement projects and in case of a complaint, recordings can be stored for a longer period, not exceeding 12 months.

Step 7 (React & Share feedback function): React & Share cookies are saved for 30 days, after which they automatically exit.

Step 9 (User IP Address): Data is stored in different systems for a different length of time depending on the technical implementation of the log-in system. Storage times range from 6 months to 2 years.

11. Information about automatic decision-making (e.g. profiling) and information about the logic of data processing and its impacts on the data subject

No automatic decisions or profiling are carried out using the data.

12. Right of access

Steps 1–7: The data subject has the right to access their data in the register. Requests should be sent to the registry office.

Step 9 (User IP Address): The data subject has the right to access their data in the register. Requests should be sent to the registry office. The right to audit is based on the verified IP address supplied with the data item’s request for verification.

13. Rectification of data

The data subject has the right to access his or her data in the register. Requests should be sent to the registry office.

14. The right to object to processing of personal data

Steps 1–5 and 7: The data subject has the right to object, on grounds relating to their particular situation, at any time to processing of their personal data, such as profiling.

Step 6 (call recordings): The Services for Citizens division of the State Treasury processes personal data in order to carry out its statutory duties, and the data subject does not have the right to object to the processing of their personal data. A separate privacy statement, stating the grounds for processing personal data, has been drafted for each topic category. The State Treasury’s Finance division processes personal data in order to carry out statutory duties and tasks related to the public interest. The data subject does not have the right to object to the processing of their personal data.

15. Right to restriction of processing

The data subject has the right to restrict the processing of his or her personal data as specified in Article 18 of the GDPR.

16. Right to erasure

Steps 1–5 and 7: The data subject has the right to request that the controller erase their personal data from the person register. Requests should be sent to the registry office.

Step 6 (call recordings): The Services for Citizens division of the State Treasury processes personal data in order to carry out its statutory duties, and the data subject does not have the right to have their personal data removed. The State Treasury’s Finance division processes personal data in order to carry out statutory duties and tasks related to the public interest. The data subject does not have the right to have their personal data removed.

Step 9 (User IP Address): The data subject has the right to request that the controller erase their personal data from the person register. Requests should be sent to the registry office. The right to delete data is based on the verified IP address supplied with the data item deletion request.

17. Right to lodge a complaint

The data subject has the right to lodge a complaint with a supervisory authority if the data subject believes that his or her rights have been infringed by the actions of the controller.

18. Other rights

Personal data is neither used nor disclosed for the purpose of direct advertising, distance marketing or other directing marketing, market and opinion research, registers of individuals, or genealogies.

19. Use of cookies

We use cookies on our webpages. The only purpose of the cookies is to technically facilitate the use of the service. A cookie is a small text file which is sent to the user’s computer and stored there, and which enables the website administrator to recognise regular visitors to the website and to facilitate their use of the webpages.

Cookies do not cause damage to a user’s computer or files. If a user visiting our webpages does not want us to obtain the information mentioned above through the use of cookies, most web browsers have functions for disabling cookies. On ChromeTM, for example, this can be done by selecting “Settings”, then “Privacy and security”, and then “Site settings” and ”Cookies and Site Information”.

It is nevertheless good to take note that the cookies may be needed for the correct functioning of some of the services we offer and some of the websites available.

For more information on cookies in Siteimprove Analytics, see page Siteimprove Analytics cookies >