Privacy policy: Security register
1 Controller
Vantaa Energy Group
Vantaa Energy Ltd and
Business ID: 0124461-3
Postal address: P.O. Box 95, 01301 Vantaa, Finland
Telephone: 09 829 01
Website: www.vantaanenergia.fi
Vantaa Energy Electricity Networks Ltd
Business ID: 2038408-0
Postal address: P.O. Box 95, 01301 Vantaa, Finland
Telephone: 09 829 01
Web service: www.vantaanenergiasahkoverkot.fi
2 Person responsible for register matters
Vesa Hynninen
vesa.hynninen@vantaanenergia.fi
Postal address: P.O. Box 95, 01301 Vantaa, Finland
Street address: Peltolantie 27, 01300 Vantaa, Finland
3 Contact details of the data protection officer
Heidi Itkonen
Postal address: P.O. Box 95, 01301 Vantaa, Finland
Street address: Peltolantie 27, 01300 Vantaa, Finland
4 Data protection enquiries
https://tietopalvelu.vantaanenergia.fi/tietosuojavastaavalomake
5 Name of register
The security register of the Vantaa Energy Group
6 Purpose and legal basis of the processing of personal data
The purpose of the processing of personal data is to protect property, to prevent crime, disturbance, harassment, and inappropriate behaviour and to assist in the investigation and establishing the facts of cases of crime, disturbance, harassment and inappropriate behaviour or other situation that has posed a risk or a threat, which have already taken place. In addition, the purpose is to safeguard the operation of the distribution processes of energy products and increase the level of occupational safety. Personal data may also be processed in order to comply with the obligations related to the applicable laws, and official regulations and guidelines. In addition, the personal data of data subjects may be processed in connection with self-monitoring or error investigation.
The processing is necessary for the purposes of the legitimate interests pursued by the Vantaa Energy Group (hereinafter VE) and to comply with the statutory obligations.
7 Data content of the register
The picture material recorded by cameras pertaining to the recording surveillance system in the premises and outside areas subject to supervisory control and the data produced by other systems concerning the person’s movements in VE’s premises.
VE collects the data it needs as the user of VE’s premises and the party being responsible for the premises in order to prevent crime against the personnel, property and customers and to investigate issues concerning the liability for damage caused. With the data, VE can take care of personal safety and the maintenance of the property’s condition and order and prosecute those who have caused damage. The data is collected only on areas that are necessary in order to manage the issues. The data is used to take care of personal safety and the maintenance of the property’s condition and order and to prosecute those who have caused damage.
- basic data of the data subject (such as names, date of birth, personal identity code, company)
- contact details (such as address details, telephone number and email address)
- data concerning the contact persons of companies (such as information about the employer and the professional status of the data subject);
- camera recordings (such as picture material and video recordings, as well as car registration number)
- access control data
- access pass data
- Result of security clearance
8 Regular sources of data
Data concerning data subjects is regularly received from
- VE’s surveillance cameras, which are informed of with stickers or signs notifying of camera surveillance
- VE’s access control systems
- VE’s time-tracking systems
- VAP reservations of persons (persons exempted from military service to carry out certain duties in emergencies) applied for and obtained from the Finnish Defence Forces
- In connection with self-monitoring
- From the data subject themselves
Personal data can also be collected and updated from the authorities and other third parties within the limits of applicable legislation for the purposes described in this privacy policy.
9 Regular disclosure of data
As a rule, personal data is not shared outside the Group. However, if criminal activity is suspected, data shall be shared with the police and, for example, with the authorities within the limits permitted and obliged by effective legislation, regulations imposed by the authorities and the guidelines of the trade associations in force at any time. In contractual disputes, information about access control and the electronic key system may be shared with the contractual partner.
10 Data retention period
The data shall be retained only for as long as it is necessary in order to fulfil the purposes defined in this Privacy Policy. After that, the data shall be erased unless we are obliged to retain the data according to the rights and obligations based on legislation or an agreement between the parties.
As a rule, the retention periods are as follows:
-
- Access data from the access control system is retained for 400 days.
- Employees’ clocking-in data is retained for about 5 years.
- The access register of an electronic key is retained for as long as the person has the right to use the key.
- Once the security clearance has been completed, the associated personal identification number will be deleted. Information on the completion of the clearance shall be retained for the duration of the employment relationship or contract for the provision of the service. Security clearances are renewed every 5 years. A person’s data will be completely erased when the employment or service provision contract for the person covered by the clearance ends.
- Data recorded in camera systems is automatically retained for as long as it is necessary in order to fulfil the purpose of camera surveillance, however, for a maximum of 30 days. Due to a specific reason (e.g. major accident, occupational accidents, etc.) the recordings can be retained for a longer period, however, for a maximum of one (1) year. This recording is made manually.
- VAP reservations of persons (persons exempted from military service) in relation to the Finnish Defence Forces and the Centre for Non-Military Service shall be retained for as long as the VAP register of persons replaces an earlier reservation list.
All data shall be erased by destroying the material.
11 Transfer of data outside the EU or the EEA
Vantaa Energy does not transfer the data outside the EU or EEA countries.
12 Principles of register protection
Personal data is protected in the industry by generally acceptable and reasonable technical means, such as access passes, training, firewalls and passwords. The databases can be accessed and processed only by the persons assigned for the task.
A database in a digital format (in the hard drive of a computer or similar) is protected with a password. Every person entitled to have access to processing the database has been given an individual password, the use of which can be supervised.
The users of databases are under the obligation of confidentiality.
13 Right of inspection, prohibition and rectification
By virtue of the General Data Protection Regulation, the data subject has the right to inspect the data that has been recorded of them. An electronic request to inspect this data shall be submitted at https://tietopalvelu.vantaanenergia.fi/turvallisuusrekisterilomake
A request for an inspection may also be made in person in the controller’s office by proving the identity of the data subject. Vantaa Energy Ltd is entitled to charge a reasonable fee for providing the data if the data subject uses their right of inspection more often than once a year.
Everyone has the right according to the General Data Protection Regulation to inspect the personal data concerning themselves in the controller’s personal register, also recordings, images and sound collected, e.g. in connection with camera surveillance. A request concerning the right of inspection where the person notifies the place and time when the images have been taken must be submitted to the controller. The controller must react to the request concerning the right of inspection within one (1) month. Only the recordings concerning the person themselves may be shown if the person appears in the images.
By virtue of the General Data Protection Regulation, data subjects have the right to request VE to rectify, erase or complement any personal data in the register that is incorrect, irrelevant, incomplete or out-of-date with respect to the purpose of processing the data.
No personal data is shared from the register for the purpose of direct marketing, market research or opinion polling, or vital records and genealogy without the data subject’s consent.
The data subjects also have the right to restrict the processing of personal data or its transfer to another controller by virtue of the General Data Protection Regulation.
14 Lodging a complaint with the supervisory authority
Should the data subject believe that the processing of personal data infringes the applicable law or their legal rights, the data subject may lodge a complaint with the Data Protection Ombudsman, the contact details of which are found at the following address: www.tietosuoja.fi/en.
16.6.2024