Privacy statement of Senate Group’s Permit register
1. Data controllers and contact information
Senate Properties and Defence Properties Finland
Senate Properties: Lintulahdenkatu 5 A, P.O.Box 237, 00531 Helsinki, Finland
E-mail: kirjaamo(at)senaatti.fi
Defence Properties Finland: Isoympyräkatu 10, P.O.Box 1, 49401 Hamina, Finland
E-mail: kirjaamo(at)puolustuskiinteistot.fi
Tel: +358 294 830 000
Data Protection Officer Petri Konttinen, firstname.lastname(at)senaatti.fi
2. Purpose of the processing of personal data and the legal basis for the processing
The data controllers (Senate Properties and Defence Properties Finland) process data on the basis of security agreements and the Security Clearance Act (726/2014) when persons are required to work on the premises or in projects of Senate Properties, Defence Properties Finland or their customers.
Processing of data is necessary for the performance of tasks carried out by the controllers in the public interest (GDPR Article 6.1(e)). Senate Properties and Defence Properties Finland act as joint controllers in accordance with GDPR Article 26.
3. Processed personal data and groups of data subjects
The system maintains information on who has been authorised to work on the premises or in projects of the controllers or their customers. In addition, information is maintained on who is granted access to the confidential information or information system of controllers or their customers.
The following information is collected about individuals: name, home address, personal identity code, nationality, employer information, job description, supervisor’s information, email address, phone number. Information on persons may also be collected in accordance with section 17 of the Security Clearance Act (726/2014).
For Defence Properties Finland, the information specified in the above-mentioned Act is always collected (Defence Command, Pääesikunta).
4. Regular data sources
The individual or their employer (the company’s designated contact person) enters the information into the system for individual authorisation.
Should an individual be subjected to security clearance vetting in accordance with the Security Clearance Act and the individual is unable to use the authority’s e-service, the person must provide the information and consent for the security clearance vetting in the Permit register.
Using an exceptional procedure, data can also be collected using an encrypted email message. The exceptional procedure can be used, for example, when the person is unable to use the controllers’ system or the information related to the initiation of the person’s authorisation procedure is not available through any other means.
5. Recipients or categories of recipients of the personal data
Access to the data is restricted to authorised persons of the controllers, representatives of the controllers’ customers and designated representatives of the data subject’s employer. The data has been transferred to the controllers’ service providers for maintenance and support tasks.
Data may be disclosed to the Finnish Defence Forces for the purposes of access permits. Data may also be disclosed to other parties if they have a legal right to receive personal data.
6. Data transfers outside the EU or EEA
Data is not transferred outside the EU or EEA.
7. Security of personal data
Senate Group ensures the secure processing of data by ensuring technical and administrative requirements through audits, inspections and risk management. The requirements are assessed for all information systems of the controller, as well as for their service providers, at the required risk management level. Data is encrypted using strong encryption methods, or pseudonymised by excluding unnecessary personal data that could identify the individual. The continued confidentiality, integrity, availability and fault-tolerance of information systems and services are ensured through back-ups and regular security audits, as well as appropriate software and security updates. Procedures to regularly test, examine and evaluate the security of information systems and services are part of the Senate Group’s continuous improvement process.
Access to personal data is granted solely to specifically designated persons of the controllers and their customers and service providers who are authorised to process personal data on the basis of their job description. These persons have access to the system by means of personal IDs and passwords.
8. Data retention period and the principles for determining it
Data is deleted automatically from the system in accordance with separately defined deletion periods. Non-disclosure agreements are retained for 25 years.
9. Rights of the data subjects
Data subjects may exercise their rights under the General Data Protection Regulation in the following matters:
- The right to access personal data (to be informed about the processing of their personal data)
- The right to withdraw consent for the processing of personal data in full, if the consent was given solely for direct marketing purposes
- The right to correct their own personal data
- The right to erasure of their own personal data
- The right to restrict the processing of their own personal data
- The right to object to the processing of their own personal data
- The right not to be unknowingly subject to a decision based on automated processing.
The controller shall provide information on action taken on request under Articles 15 to 22 of the GDPR to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by a further two months where necessary, taking into account the complexity and number of requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject (Article 12.3 of the GDPR).
The data subject also has the right to lodge a complaint with the Data Protection Ombudsman acting as a supervisory authority.