Privacy policy of Senate Group's Identity and Access Management
1. Data controllers and contact information
Senate Properties and Defence Properties Finland
Senate Properties: Lintulahdenkatu 5 A, P.O.Box 237, 00531 Helsinki, Finland
E-mail: kirjaamo(at)senaatti.fi
Defence Properties Finland: Isoympyräkatu 10, P.O.Box 1, 49401 Hamina, Finland
E-mail: kirjaamo(at)puolustuskiinteistot.fi
Tel: +358 294 830 000
Data Protection Officer Petri Konttinen, firstname.lastname(at)senaatti.fi
2. Purpose of the processing of personal data and the legal basis for the processing
The purpose of processing personal data is to manage the access rights of employees of Senate Properties and its subsidiary state unincorporated enterprise Defence Properties Finland to the Group’s information systems. In addition, the system manages the access rights of Senate Properties’ and Defence Properties Finland’s stakeholders (clients and service providers) to the electronic services provided by Senate Group.
Senate Properties and Defence Properties Finland act as joint controllers in accordance with Article 26 of the GDPR. Processing of data is necessary for the performance of tasks carried out in the public interest by the controllers (Article 6.1e of the GDPR). In respect of Group employees, processing is necessary for the performance of a contract to which the data subject is party (Article 6.1b of the GDPR).
3. Processed personal data and groups of data subjects
The system processes data on employees of the Group, employees of the Group’s client organisations, and employees of service providers.
The following information is stored about employees of Senate Group: name, phone number, e-mail address, organisation, username, the person’s supervisor, job title, address of the place of work, start date of employment, and external ID.
The following information is stored about employees of customers and service providers: name, phone number, e-mail address, organisation, username.
4. Regular data sources
The data of Senate Group’s employees are obtained from Senate Group’s personnel systems.
The data of customers’ employees are obtained when they register using VIRTU (the user stores the phone number in the system themselves).
The data of service providers’ employees are obtained when they register in the system themselves, or when Senate Group’s administrator registers the data on their behalf.
Users may supplement their information.
5. Recipients or categories of recipients of the personal data
The Group’s main users, as well as the Group’s service providers who perform system maintenance and support tasks on behalf of the controllers, have access to personal data.
6. Data transfers outside the EU or EEA
The data will not be transferred outside the EU or the EEA.
7. Security of personal data
Senate Group has taken the necessary technical and organisational measures to protect personal data against unauthorised access and against accidental or unlawful destruction, alteration, disclosure, transmission or other unlawful forms of processing.
The data in the system is protected by a firewall and other technical measures. Authentication is required to use the systems.
System users who have an authentication code to the system can only see their own profile information.
8. Data retention period and the principles for determining it
Every three months, the service provider erases the data on persons who have not used the system for two years.
9. Rights of the data subjects
Data subjects may exercise their rights under the General Data Protection Regulation in the following matters:
- The right to access personal data (to be informed about the processing of their personal data)
- The right to withdraw consent for the processing of personal data in full, if the consent was given solely for direct marketing purposes.
- The right to correct their own personal data
- The right to restrict processing of their own personal data
- The right to object to the processing of their own personal data, and to object to marketing communication
- The right not to be unconsciously subject to a decision based on automated processing.
The controller shall provide information on action taken on request under Articles 15 to 22 of the GDPR to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by a further two months where necessary, taking into account the complexity and number of requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject (Article 12.3 of the GDPR).
The data subject also has the right to lodge a complaint with the Data Protection Ombudsman acting as a supervisory authority.