Drafted 28 Jan 2019

1. Register controller

Name: State Treasury
Address: Sörnäisten rantatie 13, PO Box 14, FI-00054 State Treasury
Other contact details: tel. +358 (0)295 50 2000, kirjaamo@valtiokonttori.fi

2. Contact person in matters related to the register

Name: Mr. Sami Moksunen, Administrative Affairs and Development division, Communications Unit
Address: Sörnäisten rantatie 13, PO Box 14, FI-00054 State Treasury
Other contact details: +358 (0)295 50 3206, sami.moksunen@valtiokonttori.fi

3. Data protection officer

Ms. Eija Louhelainen, tietosuojavastaava@valtiokonttori.fi

4. Legal basis and purpose for processing of personal data

  1. Responding to customer feedback (feedback form): The contact details provided by the customer are used only for responding to feedback. The giving of contact details is voluntary. The customer gives their consent by writing their contact details on the feedback form.
  2. Delivering subscriptions for published materials (the State Treasury’s various publications, press releases and newsletters, and order forms): The contact details provided by the customer are used only for delivering the subscription. The State Treasury maintains a separate customer register in eMailer for the purpose of distributing publications (not linked to the website). The customer gives their consent by writing their contact details on the subscription form.
  3. Lists of specialist groups that are part of webpage content (work community arbitrators in agencies): To support cooperation, lists of agency experts are published on the website (the controller for this register is the Information and Working Life Management Services unit of the Government Finance Administration, Information and Working Life Management Division). The lists are connected to the official work of the specialists in question. Officials have the right, nevertheless, to refuse to have their name published in the lists mentioned above.
  4. Visitor monitoring: To support website development, we use cookies to collect statistical data about the use of the website. However, the user cannot be identified based on the data collected. We use Google Analytics visitor monitoring.
  5. Call recordings: Calls made to and by the customer service of the State Treasury’s Services for Citizens division are recorded. You will be informed that the call is being recorded at the beginning of the call. The Services for Citizens division processes personal information in order to carry out statutory duties. The recordings help us verify calls and improve the quality of our service.
    Some of the incoming and outgoing calls at the State Treasury’s Finance division are recorded. The State Treasury follows general financial sector practices in the recording of telephone calls and listening to recordings. Recordings allow telephone conversations to be verified and the terms and conditions of transactions and contracts to be ascertained after the fact in the event that any disputes arise between the parties.

    The recording of telephone calls is based on Article 6(1)(b;c;e) of the EU’s General Data Protection Regulation. The recording is necessary in order to be able to fulfil agreements or carry out statutory duties and tasks related to the public interest.

5. Information content of the register

  1. Feedback: data provided by feedback giver (not compulsory), generally email address and name, possibly telephone number. The State Treasury responds to the feedback using the data.
  2. Subscriptions / subscription cancellations for published materials (* = required information):
    A. Newsletters and other online publications: first name*, last name*, email address*, organisation, the publications subscribed to*.
    B. Publications about government debt management: first name*, last name*, email address*, organisation, street address, postal code and city, country, and the publications subscribed to*.
  3. Lists of specialist groups that are part of webpage content:
    A. Work community arbitrators: name, organisation, operating area.
  4. Visitor monitoring (Google Analytics): User IP address without the identifying final section (= anonymised IP), in which case Google Analytics only uses part of the IP address collected instead of the entire address. The user is able to select the ‘do not track’ setting on their browser, in which case Google Analytics does not even collect the above data. Using the IP address, data is collected for the purpose of visitor monitoring on the actions carried out by the user on the website. This data includes e.g. navigation within the site, clicking on links, length of visit and information about where the visitor connected to the service from and where they transferred to afterwards. Further information about the anonymisation of an IP address is available at https://support.google.com/analytics/answer/2905384/
  5. Call recordings: Calls made to and from numbers to be recorded are recorded in their entirety. In addition, the following identifying information is stored:
    • the start and end times of the call
    • the number of the caller
    • the number called
    • name and telephone number of the officer

6. Ordinary information sources

Steps 1, 2 and 5: The data is collected from the customer themselves.
Step 3: The data is collected in cooperation with the relevant agencies and individuals and published with their consent as part of the official duties of the persons involved.
Step 4: The data is collected using cookies.

7. Regular disclosures of data

Steps 1, 2 and 4: The data is not disclosed to others.
Step 3: The data is published as part of public webpage content.
Step 5: The data is not regularly disclosed to others.

8. Regular disclosures of personal data or transfer of data to outside the EU or the EEA

The data is not disclosed to others.

9. Principles of register protection

Steps 1–4: The register does not contain confidential material.

Only individuals authorised by the controller have access to the data processed within the information system. Access rights are kept up-to-date by regular inspection, and unnecessary access rights are removed. The information network and terminals containing the register are protected using technical measures.

Step 5: The register contains confidential materials.

Only individuals authorised by the controller, who are under obligation of secrecy, have access to the data processed within the information system. Access rights are kept up-to-date by regular inspection, and unnecessary access rights are removed. The information network and terminals containing the register are protected using technical measures.

10. Data storage period / criteria for determining storage period

Step 1 (feedback): The data is stored only for the period required for processing the customer’s affairs. It is not saved into the register.

Step 2 (subscriptions): The data is saved into the State Treasury’s customer register for publication subscriptions in eMailer, and it is stored there until the customer cancels their subscription.

Step 3 (lists of specialists): The data is stored for as long as the matter in question is relevant and of use to State Treasury customers.

Step 4 (visitor monitoring): The data is saved into the Google Analytics visitor monitoring service, in which the data is stored for 26 months. At the end of the data storage period, expired data is automatically removed monthly.

Step 5 (call recordings): Call recordings are stored for no longer than 2 months, after which period they are removed automatically. In quality improvement projects and in case of a complaint, recordings can be stored for a longer period, not exceeding 12 months.

11. Information about automatic decision-making (e.g. profiling) and information about the logic of data processing and its impacts on the data subject

No automatic decisions or profiling are carried out using the data.

12. Right of access

Steps 1–5: The data subject has the right to access their data in the register. Requests should be sent to the registry office.

13. Rectification of data

The data subject has the right to access his or her data in the register. Requests should be sent to the registry office.

14. The right to object to processing of personal data

Steps 1–4: The data subject has the right to object, on grounds relating to their particular situation, at any time to processing of their personal data, such as profiling.

Step 5 (call recordings): The Services for Citizens division of the State Treasury processes personal data in order to carry out its statutory duties, and the data subject does not have the right to object to the processing of their personal data. A separate privacy statement, stating the grounds for processing personal data, has been drafted for each topic category.

The State Treasury’s Finance division processes personal data in order to carry out statutory duties and tasks related to the public interest. The data subject does not have the right to object to the processing of their personal data.

15. Right to restriction of processing

The data subject has the right to restrict the processing of his or her personal data as specified in Article 18 of the GDPR.

16. Right to erasure

Steps 1–4: The data subject has the right to request that the controller erase their personal data from the person register.

Step 5 (call recordings): The Services for Citizens division of the State Treasury processes personal data in order to carry out its statutory duties, and the data subject does not have the right to have their personal data removed.

The State Treasury’s Finance division processes personal data in order to carry out statutory duties and tasks related to the public interest. The data subject does not have the right to have their personal data removed.

17. Right to lodge a complaint

The data subject has the right to lodge a complaint with a supervisory authority if the data subject believes that his or her rights have been infringed by the actions of the controller.

18. Other rights

Personal data is neither used nor disclosed for the purpose of direct advertising, distance marketing or other direct marketing, market and opinion research, registers of individuals, or genealogies.

19. Use of cookies

We use cookies on our webpages. The only purpose of the cookies is to technically facilitate the use of the service. A cookie is a small text file which is sent to the user’s computer and stored there, and which enables the website administrator to recognise regular visitors to the website and to facilitate their use of the webpages.

Cookies do not cause damage to a user’s computer or files. If a user visiting our webpages does not want us to obtain the information mentioned above through the use of cookies, most web browsers have functions for disabling cookies. On Internet Explorer™, for example, this can be done by selecting “Tools”, then “Internet Options”, and then “Privacy”.

It is nevertheless good to take note that the cookies may be needed for the correct functioning of some of the services we offer and some of the websites available.

For more information on cookies in Google Analytics, see https://support.google.com/analytics/answer/6004245?hl=fi