PRIVACY POLICY

Name of register

Customer register of the Espoo Parish Union

Controller

Espoo Parish Union
Kirkkokatu 1
02770 Espoo
+358 (0)9 80501
kirjaamo.espoo(at)evl.fi

Contact person

Person responsible for register

Outi Hakio
Hallintopalvelupäällikkö
Espoon seurakuntayhtymä
Palvelukeskus Henkilöstöpalvelut
outi.hakio@evl.fi
09 8050 2613
Kirkkokatu 1, PL 200
02771 Espoo

Data protection officer’s contact information

tietosuojavastaava.espoo(at)evl.fi

Purpose and legal basis of processing of personal data

The purpose of the processing of personal data is the maintenance of the customer relationships of the parish work, cemetery services and other services provided by the Espoo Parish Union and the Parishes of Espoo, if they do not fall under the field of any other register. Parish work includes church ceremonies, general parish work, diaconal work, early childhood education, youth and confirmation training work. Real property services and family guidance have separate customer registers.

The processing is based on consent given by the data subject, a contract between the controller and the data subject, compliance with the controller’s legal obligation or legitimate interest pursued by the controller (points a, b, c and f of the first subparagraph of article 6 of the EU’s General Data Protection Regulation), as far as it is necessary to process the data in order to realise the rights and duties of the controller that relate to the customer relationship. The customer’s health data is processed with the consent of the customer (point a of paragraph 2 of article 9 of the GDPR).

Person groups and data content of the register

The register contains data about the data subject’s participation in the activities of the joint units of the Espoo Parish Union and the Parishes of Espoo as well as data necessary to organise each activity and customership, including the data subject’s possible guardian or other contact person data.

Person identification data in the register include first name(s), last name, personal identity code or birth date and contact information: address, telephone number, country data and email address. The register also contains data concerning the invoicing of chargeable activities and services, in the case of a separate payer or underaged child, the guardian’s data and data concerning the payment status of said invoices. Sensitive data include the health data of event participants, if the customer has wanted the parish to take them into account in their activities. These include a customer’s special diets and other health data necessary to guarantee safety.

Sources of data

The personal data is collected through the activities of the joint units of the Espoo Parish Union and activities of the individual parishes. The data is received from the data subject themselves, their guardian or other person enrolling them in the activities. The customer data for the cemetery services are received from the customer when contracting for the maintenance of the grave.

The data is entered into the register either by parish union employees or through online enrolment.

Personal data are received through disclosure from the Church’s national member information system Kirjuri as follows: it is possible to search Kirjuri for the data of persons taking part in the activities using their personal identity codes. These data can also be linked to be updated into the register once a day. It is also possible to search Kirjuri for information about those of confirmation training age in the area in order to organise confirmation training.

Disclosures of data

Personal data are regularly disclosed to the Church Service Centre, with which the Espoo Parish Union has a financial administration service agreement. The Church Service Centre is provided with customer data necessary for sales ledgers concerning the payers of invoices created in the ERP system: name, personal identity code (if available), language, invoicing address and other data related to the invoices. As concerns confirmation training, data are transferred into the Church’s national member information system Kirjuri concerning enrolment into confirmation training, completion of confirmation training and confirmation. The following personal data are processed in conjunction with these data transfers: personal identity code, birth date, first names, last name and gender.

Storage period for personal data

In principle, personal data are stored for the duration of the customer relationship. The customer relationship is considered as having ended if the customer has not participated in activities for two years. The data are then erased with the exception of data related to payments, which are stored for a period of 5 years.

As per paragraph 12 of chapter 5 of the Act on Funerary Services (Hautaustoimilaki 457/2003), burial registers must be stored permanently.

Rights of the data subject

The data subject has the right:

• To request from the controller access to and rectification or erasure of personal data concerning the data subject.
• To request from the controller restriction of processing of personal data concerning the data subject or to object to processing as well as the right to data portability.
• Where the processing of personal data is based on consent given by the data subject, to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
• To lodge a complaint with a national supervisory authority if the data subject feels that the processing of personal data concerning the data subject violates the EU’s General Data Protection Regulation. The use of this right does not limit the means of redress as per the Church Act (Kirkkolaki 1054/1993).

The contact information for the national supervisory authority is:

Office of the Data Protection Ombudsman
P.O. Box 800, Ratapihantie 9, 00521 Helsinki
tel. +358 (0)29 56 66700, tietosuoja@om.fi

www.tietosuoja.fi