Privacy policy of Helsinki City Premises Ltd

This privacy policy details what personal data is processed and how in the operations of Helsinki City Premises Ltd, the operations of which entail the administration, leasing and development of sites with cultural and historical significance owned by the City of Helsinki, and the administration of related websites such as kaupunkitilat.fi, vanhakauppahalli.fi, hietalahdenkauppahalli.fi, hakaniemenkauppahalli.fi, torikorttelit.fi, helsingintorit.fi and helsingintukkutori.fi.

1. Controller and contact details

Helsinki City Premises Ltd (business ID: 3226884-5)
Siltasaarenkatu 6–10, 6th floor
00530 Helsinki
www.kaupunkitilat.fi
(hereinafter ‘controller’)
email: viestinta@kaupunkitilat.fi

When enquiring about data protection, please use the specifying reference ‘data protection matters’.

2. Personal data being processed and sources thereof

We collect and process the following personal data:

• first name and last name
• company, association, department, business ID
• title
• personal identity code
• contact details: email, postal address and telephone number
• job applications and other information obtained in application processes
• information related to lease agreements or other agreements between parties (incl. lease term, rent and security deposit information, any separate compensations such as compensation for electricity and water consumption, rent review information and information about leased premises)
• communication between parties, facility reservations, feedback and complaints
• payment method and invoicing information
• vehicle registration number
• data collected in development projects and investment/renovation projects
• IP address and any other device information, such as the name of the device and the unique device address pertaining to devices connected to the controller’s guest network, and log information concerning aspects such as user rights, credentials and settings pertaining to systems of the controller and its cooperation partners provided by the controller to be used by its clients
• video material recorded by surveillance cameras in video-monitored facilities, including the time and place of activity in a digital format without audio
• any marketing permissions and prohibitions
• any other information concerning client relationship management, cooperation or other relevant matters.

Personal data is usually collected from the data subject themselves (e.g. in connection with cooperation, legal proceedings [incl. company law proceedings], meetings and other communication). Additionally, personal data necessary for supplying the services determined in cooperation agreements may be received from cooperation partners, authorities, public data sources and registers, the person’s employers, colleagues or the person themselves, as well as information services to the extent permitted by law. In development projects, data is collected from service providers, contractors, persons’ employers, colleagues or the persons themselves, public data sources and information services.

Camera surveillance is used at individual sites designated as monitoring sites by the controller. Camera surveillance is used only where necessary, in a limited extent and with pre-determined protection measures, and only in facilities that are not private dwellings. Surveillance is not carried out in areas covered by privacy protection, such as sanitary facilities. The use of camera surveillance is indicated with appropriate signs/stickers. With regard to camera surveillance, the data consists of footage recorded in the monitored facilities by cameras placed in necessary places. The data is collected into the system of the controller’s cooperation partner. If necessary, the controller’s cooperation partner provides supplementary information. For data security reasons, the site and cooperation partner list is not public. For the avoidance of doubt, data regarding any camera surveillance and access control carried out fully/independently by third parties (such as lessees themselves) at sites administrated by the controller is provided directly by these parties. The controller is not responsible (incl. the legal basis and lawful implementation of surveillance) for camera surveillance and access control initiated and carried out fully by third parties in any respect.

We use the cookie-free Matomo Analytics service and other online analytics services in order to improve the usability of our websites. You can find more information on Matomo Analytics in Finnish on the following website: https://www.matomo-analytics.fi/#tietosuoja.

3. Purpose and legal basis of processing personal data

The processing of personal data is based primarily on stakeholder, client or cooperation relationships, particularly on agreements between parties, legally prescribed obligations or legitimate interests.

The controller carries out operations such as property leasing, development and maintenance operations. As such, the controller collects and processes personal data in order to implement agreements related to the business activities in question or carry out pre-agreement procedures – e.g. to fulfil obligations and rights related to property leasing and administration. Personal data is also processed for communication related to client and cooperation relationships. With regard to camera surveillance, personal data is processed in order to protect property, prevent crimes and help with criminal investigations, and to ensure and increase security. With regard to log information and other system user information, personal data is processed in order to detect and investigate any unauthorised use or misuse of systems provided by the controller’s cooperation partners and designated for client use by the controller, or problems related to the use of a system.

Additionally, personal data is processed for communication and information provision between persons belonging to stakeholder groups. The controller is also legally obligated to process personal data. The legal obligation can be based on provisions such as the Accounting Act, company law, the Damages Act, the Act on Contractor’s Obligations and Liability, the Land Use and Building Act, occupational safety obligations and the Tax Procedure Act. We may record the personal identity code of our lease or other agreement partner or other person needed in leasing operations based on the Data Protection Act (1050/2018).

The controller, any joint controllers or agreement partners and companies belonging to the same group may, to the extent permitted by law, have the right to use personal data for opinion or customer satisfaction polls or other similar addressed deliveries, such as direct marketing based on factors such as legitimate interest. The aforementioned procedures are not in conflict with the rights and freedoms of individuals, nor do they pose major risks to the fulfilment of said rights and freedoms. The data subject always has the right to prohibit direct marketing and addressed deliveries concerning themselves. However, despite this prohibition, information concerning the data subject’s client relationship may be delivered to the data subject if necessary for the fulfilment of a service or legally prescribed obligation.

4. Transfer of the register data

Personal data may be transferred or disclosed, to the extent permitted and obligated by legislation in force, to third parties, such as authorities.

We share personal data only within the Helsinki City Group organisation and only in a manner that is reasonably necessary based on the intended purposes presented in this statement.

We have made agreements that involve the processing of personal data with our selected cooperation partners. Therefore, personal data may be disclosed and transferred to subcontractors, such as different service providers and their subcontractors, that process personal data on behalf of the controller in accordance with their obligation of confidentiality and binding data protection legislation and agreements.

For operations such as lease management (conclusion of lease agreements, lease monitoring and invoicing for the lease), the controller uses the CGI Koki360 property management ERP system service, in which personal data is processed. More information can be found in Finnish here: https://www.cgi.com/fi/fi/tietosuoja/yritysta-koskevat-sitovat-saannot-bcr. For communication with lessees, the controller uses the Falcony Tenant Portal service (more information: https://www.falcony.io/privacy-statement). For agreement management and electronic agreement signing, the controller uses the Visma Sign service (more information in Finnish: https://vismasolutions.com/tietosuoja/henkilotietojen-kasittely-visma-signissa/). In the aforementioned situations, the data subject usually interacts directly with the appointed cooperation partners in data protection matters as well. Clarifying additional information is always provided by the controller if needed.

We will not disclose your personal data to third parties outside the organisation or outside the EU/EEA. However, if personal data is stored in the electronic services of the controller’s cooperation partners, it may in some situations also be stored on servers located outside Europe. In such cases, the data processing has been agreed upon separately to apply data protection mechanisms approved by the European Commission and deemed to meet the minimum requirements set in the EU data protection regulations.

Camera surveillance data is not statutorily disclosed to site lessees or other third parties.

If the controller is a party in a merger, asset deal or other acquisition, we may disclose and transfer personal data to third parties involved in said acquisition. However, in such cases, we ensure that the personal data remains confidential.

No automatic decision-making is carried out based on personal data.

5. Retention period

The controller will not retain personal data any longer than is legally allowed and necessary for our services or essential parts thereof. The length of the retention period will depend on the nature of the data and the purpose of its processing. Therefore, the maximum period may vary based on the intended purpose of the data.

Personal data will only be retained for as long as the law requires or is otherwise reasonably necessary in order for us to fulfil our agreement obligations or other legal requirements or legitimate interests, such as the processing of compensation claims, accounting and internal reporting.

Personal data is processed primarily for the duration of the client relationship or cooperation and for a reasonable time after them, or legally prescribed accounting information related to agreement relationships is processed for the time prescribed in accounting legislation. Data collected based on agreements can usually be retained for ten years starting from the end of the agreement relationship and the fulfilment of obligations arising from it.

Lease-related data is processed for the time prescribed in law for the management of the lease. This data includes i) information related to lease agreements and property administration invoicing: at least six (6) years from the end of the year during which the financial year has ended, and ii) information related to lease agreements and property administration invoicing that is related to taxation: at least ten (10) years from the end of the financial year. With regard to land leasing, the data is retained permanently.

Surveillance camera recordings are retained in the systems of the controller’s cooperation partner primarily for 14 days. After that, the data is regularly deleted and replaced with a new recording. However, surveillance camera recordings can be stored for up to two (2) months. If there is reason to suspect that such a crime has occurred or such an authority process has been initiated during the aforementioned data retention period that it requires for the data to be retained longer than the regular retention period, the data is retained for the time required for the process.

The individual IP address of a device connected to the controller’s guest network, the name of the device and the unique device address are retained in the online device log information record for no longer than one month.

6. Data security and protection of the register

Personal data can only be accessed by persons serving under the controller and other designated persons who need the data in their work duties. They have user IDs and passwords for the register.

The controller uses administrative, organisatory, technical and physical protection means to protect personal data. Examples of the measures used include data encryption, firewalls and secure facilities and systems protected with limited access rights within the scope of the duties of appointed persons. The security measures have been designed to maintain an appropriate security level to ensure the confidentiality, integrity, availability, resilience and recoverability of the data. Agreement partners and their subcontractors are required to apply secure modes of operation.

Data generated in camera surveillance is also processed by the controller’s agreement partner. If necessary, the agreement partner provides supplementary information. For data security reasons, the site and partner list is not public. This information is provided by the controller when the party requesting it has the right to obtain it. Recordings generated through camera surveillance are stored in monitored facilities, in the systems of the controller’s agreement partner.

If a data security breach with probable adverse impacts on a person’s privacy occurs despite the data security measures in place, all parties impacted are informed of the breach in a manner prescribed in applicable legislation. If so required by applicable data security legislation, authorities are also informed of the breach as soon as possible.

7. The data subject’s rights

The data subject’s rights are based on the EU General Data Protection Regulation, and they include, in certain situations, rights such as the right of inspection and the right to have the data corrected or removed. The data subject may exercise their rights in situations determined in legislation. Exercising these rights in full may be subject to limitations.

Any demands concerning the data subject’s rights must be presented in writing to the controller’s contact person. Situations related to exercising the data subject’s rights are always assessed case-specifically, and a separate decision is always issued. Requests concerning the fulfilment of the data subject’s rights are primarily responded to within one (1) month from the reception of the request. The request is free of charge. If the request is plainly groundless or unreasonable, particularly if made repeatedly, a reasonable fee may be charged from the data subject, or the request may be denied.

More information about the data subject’s rights:

The right to access the data subject’s own data

The data subject has the right to request access to data concerning them (right of inspection) to establish whether their data is processed in the member register or that it is not processed. The data subject’s right to access the data can be limited based on legislation or denied if disclosing the data would have an adverse impact on the rights and freedoms of others. Examples of such data to be protected include the controller’s trade secrets or another person’s personal data.

The right to have data corrected or removed

The data subject has the right to demand that the controller correct, without undue delay, any inaccurate and erroneous personal data. When so requested by the data subject, the controller must remove the personal data concerning the data subject, unless the data does not have to be removed, if its processing is necessary for purposes such as fulfilling an obligation imposed on the controller on the basis of applicable legislation or drawing up, presenting or defending a legal claim.

The right to object to the processing of data or request restriction of processing

The data subject has the right to object to the processing of their personal data on the basis of specific personal circumstances when data is processed based on legitimate interest. The data subject has no right to object to the processing of personal data when the processing is based on an agreement between the controller and the data subject. If the data subject has objected to the processing of their data on the basis of specific personal circumstances, the data subject must specify the circumstances based on which they object to processing carried out based on legitimate interest. The controller may continue to process the data despite the data subject’s objection if there is a considerably important and justified reason for the processing that supersedes the data subject’s interests, rights and freedoms, or if the processing is necessary for drawing up, presenting or defending a legal claim. The data subject has the right to, at any time, object to the use of their personal data in direct marketing. If the data subject objects to the use of their personal data in direct marketing, the data may no longer be processed for this purpose.

When so requested by the data subject, the controller must restrict the active processing of the data subject’s personal data, e.g. if the data subject denies the correctness of the personal data, whereby its processing must be restricted until the controller is able to ascertain the correctness of the data. As a rule, the data may only be stored for the duration of the restriction of processing. The data may also be processed for drawing up, presenting or defending a legal claim, to protect the rights of another natural person or legal person, or for equally important reasons pertaining to the public interest. Before the restriction of processing is lifted, the data subject must be notified.

Right to data portability

Insofar as the data subject has themselves provided personal data that is processed through automatic data processing and based on an agreement between the controller and the data subject, the data subject has the right to have access to such data, primarily in a machine-readable format, and to have the personal data transferred directly from the controller to another one if technically possible.

8. Requests related to exercising the data subject’s rights

In matters related to the processing of personal data and situations related to exercising the data subject’s rights, the data subject can contact the controller. The controller will provide additional instructions for taking care of the matter. Any requests concerning the right of inspection or other requests concerning the fulfilment of the data subject’s rights must be submitted in writing by email or post by using the contact details provided in section 2.

In order to ensure that the personal data is not disclosed to anyone other than the data subject when the data subject’s rights are being exercised, the controller may, if necessary, request that the data subject submit the inspection request with their signature. The controller may also request that the person submitting the request verify their identity with an official identification document or through other reliable means.

9. Right to lodge a complaint with the supervisory authority

The data subject has the right to lodge a complaint with the competent supervisory authority if the data subject is of the opinion that they were unable to resolve their issue through contacting the controller. However, the aim will be to primarily resolve the issue through discussion between the parties. The local supervisory authority in Finland is the Data Protection Ombudsman. More information online: www.tietosuoja.fi.

10. Updates to the privacy policy

We will update this privacy policy and its supplementary documents when necessary. Changes to the law and its interpretation may also cause amendment needs. We kindly ask that you check our data protection processing practices regularly on our website www.kaupunkitilat.fi.

This privacy policy was last updated on 21.11.2024.