Name: Finnish Government Shared Services Centre for Finance and HR
Address: Kauppakatu 40, 80100 Joensuu, Finland
Switchboard: +358 (0)2955 62000
Representative of the controller:
Heikki Asikainen, heikki.asikainen(at)palkeet.fi
Data protection officer:
Sami Nikula, tietosuojavastaava(at)palkeet.fi
2. Purpose of the processing of personal data in analysis services
In the statutory analysis and reporting services provided by the Finnish Government Shared Services Centre for Finance and HR (hereinafter ‘Palkeet’), personal data is processed for the purpose of analysis if necessary with consideration to the subject of analysis. Data is produced for the management needs of customer agencies as well as for the development of the operations of the entire public administration.
The personal data processed in the analysis services provided by the Finnish Government Shared Services Centre for Finance and HR (Palkeet) is not subject to automated decision-making or profiling.
3. Legal basis of the processing of personal data
In the analysis services provided by Palkeet, the lawfulness of the processing of personal data is based on the controller’s statutory obligation in accordance with Subsection c of Section 1 of Article 6 of the General Data Protection Regulation (Act on the Finnish Government Shared Services Centre for Finance and HR, 8 February 2019/179, Subsection 3 of Section 1, according to which Palkeet is tasked with providing analysis and reporting services to its customers in order to support preparation and decision-making).
4. Personal data processed
The data used in the analysis services provided by Palkeet originates from registers maintained by Palkeet, its customer agency or another group operator. The personal data processed contains the personal data of government personnel. In some cases, the personal data processed may contain the personal data of suppliers of requisitions.
The analysis and reporting service operations do not involve processing of special categories of personal data within the meaning of Article 9 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). However, there is an exception to this, as information on the duration of an absence caused by illness, occupational disease or accident at work is processed. This is specifically provided in the Act on the Finnish Government Shared Services Centre for Finance and HR (8 February 2019/179, Subsection 2 of Section 1 b).
Prior to the transfer of the data for analysis, direct personal data is rendered unidentifiable through the pseudonymisation of the data. The results produced for publication in the analysis and reporting operations are anonymised or aggregated in such a way that no individual can be identified from the data, unless the analysis is implemented as a targeted service for a party that is entitled to process the personal data disclosed to it.
5. Sources of personal data
The analysis and reporting services utilise registers maintained by providers of the government’s joint group services that contain data concerning government agencies and departments regarding the planning and monitoring of operations, financial and HR management, common basic information technology, management of requisitions, premises management, centralised training services, project management, and organisational structure. Providers of the government’s joint group services include the Finnish Government Shared Services Centre for Finance and HR (Palkeet), the Government ICT Centre (Valtori), the Digital and Population Data Services Agency, Senate Properties, Hansel Ltd and HAUS Finnish Institute of Public Management Ltd.
The aforementioned registers contain the personal data of government personnel as well as the personal data of suppliers related to requisitions. Other anonymised information necessary for the implementation of analysis and reporting services, as well as other public information, may also be used in the operations.
6. Transfer or disclosure of personal data
In analysis services provided by Palkeet, personal data is not disclosed to third parties. The personal data processed is not transferred outside the EU or EEA.
7. Technical and organisational security measures in the processing of personal data
In the analysis services provided by Palkeet, personal data is only processed by analysts in an environment corresponding to the security level of the data, and at least a basic security check has been carried out by the Finnish Security and Intelligence Service regarding all persons who participate in the processing of the data. The data is protected against unauthorised viewing, alterations and erasure. The protection measures include user authorisation control, technical protection of databases and servers, physical protection of the facilities, access control, protection of telecommunications, and backup copies of the data. A right to access and process the data is granted if required by a work role, and the access to the systems is based on personal user IDs. The physical location of the data centres and data is within the EU or EEA. Furthermore, administrative controls are used in order to ensure that the operations are carried out appropriately.
8. Retention of personal data
As a general rule, the personal data processed in the analysis services provided by Palkeet is retained only for as long as and to the extent necessary for the implementation of the analysis. In the case of customer commissions, the data is retained for a maximum of one year from the end of the commission if no further needs arise for the same customer regarding the same subject.
9. Rights of the data subjects
9.1 Right to be informed of the processing of personal data
9.2 Right to access data (Data subject’s right to check what data is saved about them)
According to Article 15 of the General Data Protection Regulation, data subjects have the right to access their own personal data. In the analysis services provided by Palkeet, data subjects are entitled to receive from Palkeet, i.e. the controller, within a reasonable time a confirmation on whether their personal data is processed, and, if the data is processed, to access their personal data.
9.3 Right to rectification
In the analysis services provided by Palkeet, data subjects have the right to request Palkeet to rectify any inaccurate personal data kept about the data subjects without undue delay in accordance with Article 16 of the General Data Protection Regulation. Depending on the data and the limitations on the right of access, the data may also be rectified by the data subjects themselves, their supervisor by request of the data subject, or an HR management representative of the data subject’s employer agency based on a written personal data notification submitted by the data subject.
9.4 Right to restrict processing
According to Article 18 of the General Data Protection Regulation, data subjects have the right to request the controller, i.e. Palkeet in the case of the analysis services it provides, to restrict processing if:
- the data subject denies the accuracy of their personal data, in which case its processing will be restricted until Palkeet, as the controller, has verified the accuracy of the data;
- the processing violates legislation, and the data subject objects to the erasure of their personal data and instead demands that the use of the data be restricted;
- Palkeet, as the controller, no longer requires said personal data for processing purposes, but the data subject needs the data to establish, file or defend a legal claim.
9.5 Notification obligation regarding rectification or erasure of personal data or restriction of processing
9.6 Right to not be subject to automated decision-making
According to Article 22 of the General Data Protection Regulation, data subjects have the right to not be subject to automated decision-making. In the case of the analysis services provided by Palkeet, this right of the data subjects is implemented as a general rule, as no automated decision-making or profiling is applied to the personal data processed.
9.7 Right to file a complaint with a supervisory authority
Data subjects always have the right to submit the lawfulness of the processing of their personal data to the Data Protection Ombudsman for evaluation.
Office of the Data Protection Ombudsman
Visiting address: Ratapihantie 9, 6th floor, 00520 Helsinki
Postal address: PO Box 800, 00521 Helsinki
Switchboard: +358 (0)2956 66700
Fax: +358 (0)2956 66735