The EU’s General Data Protection Regulation (2016/679)

  1. Name of the data file
    Helsinki and Espoo City Bike Service Customer Register

     

  2. Controller of the data file

    Helsinki City Transport Public Utility (HKL)
    PO Box 1400
    00099 City of Helsinki

    City of Espoo
    PO Box 1
    02070 City of Espoo

    Helsinki Regional Transport Authority (HSL)
    PO Box 100
    00077 HSL
     

  3. Person responsible for the data file

    HKL: Managing Director

    City of Espoo: Head of Traffic Management

    HSL: Account Manager
     

  4. Contact person for the data file

    HKL: Project Engineer
    City of Espoo: Head of Traffic Management
    HSL: Account Manager

    Contact details: 
    City of Helsinki (HKL)
    Registry
    PO Box 10 (Pohjoisesplanadi 11-13)
    00099 City of Helsinki
    kirjaamo@hel.fi

    City of Espoo
    PO Box 1
    02070 City of Espoo
    Switchboard 09 816 21
    kirjaamo@espoo.fi

    HSL
    PO Box 100 (Opastinsilta 6A)
    00077 HSL (00520 Helsinki)
    Tel. +358 9 4766 4000
    hsl@hsl.fi
     

  5. Purpose and legal basis of the processing of personal data

    Personal data is processed in order to manage customer relationships. 

    Legal basis for processing:
    Paragraph b) of Article 6 of the EU's General Data Protection Regulation: processing is necessary for the execution of an agreement to which the data subject is party or for the implementation of preliminary measures for concluding an agreement at the request of the data subject.

    The data stored in the City Bike System Customer Register is used for managing customer relations and for service provision. A customer's personal data is used to identify the customer in cases of problems, to contact the customer to deliver messages related to the operation of the system, and to display user information for the users on the service website, where the users can also edit their information. In addition, the data is used to compile statistics about the system. Individual users will not be identifiable in the statistics.

    Card payments are made safely with a secure payment form via Stripe Payments Europe Ltd. HKL, HSL, the City of Espoo, Smoove and CityBike Finland Oy do not have access to the card information, and payment card information is not stored in our systems as such. The only card information stored is the part of the payment card number provided by the payment service, the expiry date of the card and the name of the company that issued the card. This information is used to show the user which card they have linked to the city bike system. We are only authorized to charge the User the fees in accordance with the Terms of Use.

    Other use:
    The data stored in the Customer Register is used for direct marketing in accordance with paragraph a) of Article 6 of the EU's General Data Protection Regulation if the data subject has given their consent for the processing of their personal data for one or more specified, explicit purpose(s). The data subject may withdraw their consent for the use of their data for direct marketing at any time.

    Key legislation:
    The EU’s General Data Protection Regulation (679/2016)
    Act on the Openness of Government Activities (621/1999)
    Administrative Procedure Act (434/2003)
     

  6. Content of the data file

    The City Bike Service Customer Register contains the following data on the users (customers) of the city bike service.

    Customer information

    Data provided upon registration
    •    Name
    •    Address
    •    Date of birth
    •    The start and end dates of the pass paid for
    •    Email address
    •    Phone number
    •    User ID
    •    PIN code
    •    Language
    •    Postcode or country of residence
    •    Status (whether the user is currently active)
    •    Travel Card number if the user has added a Travel Card in the system
    •    The part of the payment card number provided by the payment service, the expiry date of the card and the name of the company that issued the card. This information is used to show the user which card they have linked to the city bike system; the entire payment card number is not stored in the register.
    •    The customer’s consent to direct marketing, if available.

    Transactions

    •    Actual use: start and end location, time, city bike use and distance cycled
    •    Payment transactions
    •    Information about possible uncharged fees.

    Prohibition of use

    A user may be banned from using the service according to the Terms of Use.
     

  7. Regular disclosure of personal data

    Data on the user’s transactions are disclosed from Smoove’s system to hsl.fi, where the user can view their own data.

    No personal data is transferred from the file to outside the European Union or the European Economic Area.
     

  8. Data storage times

    The data will be stored for the time necessary for the management of the contractual relationship.

     

  9. Sources of personal data

    Personal data are collected from the data subject, as well as from the transactions generated by the city bike system.

     

  10. Principles of data security

    Agreements for securing the Customer Register have been made between the controller and system suppliers. System suppliers manage the register and related storage of data in accordance with good data processing practice and are subject to strict professional secrecy. All employees processing the register data are bound by professional secrecy.

    The security of the City Bike Service Customer Register and confidentiality of personal data is ensured through appropriate technical and administrative measures in accordance with good data processing practice.

    Only employees whose duties involve processing customer data are authorized to use the system containing the data. Every user logs into the system with personal credentials provided in connection with granting access rights to the system. The access rights will expire when the person is no longer responsible for the tasks for which they were granted. The obligation of confidentiality and professional secrecy will continue to apply after the employee ceases to perform duties involving customer data processing, or after the termination of employment.
     
    The data is compiled into logically and physically secured databases. The databases and their backups are located on locked premises, and only designated personnel are permitted to access the data. The data has been secured in accordance with the Information Society Code and the regulations and guidelines of the Finnish Communications Regulatory Authority.

     

  11. Rights of data subjects

    Data subjects have the following rights under the Personal Data Act:
    a) The right to know what data has been stored on them in the personal data file, or that the file contains no information on them, as well as the regular sources of information and the purposes for which the data in the file are used and regularly disclosed.
    b) The right to demand the correction, deletion or completion of personal data in the file that is erroneous, unnecessary, incomplete or expired for purposes of processing.
    c) The right to prohibit the controller from processing their data for purposes of direct advertising, distance selling and other direct marketing, and for market surveys and polls.

    From 25 May 2018, data subjects have the following rights under the EU's General Data Protection Regulation: 
    d) The right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and, where such personal data are being processed, access to the personal data and certain data specified in the EU’s General Data Protection Regulation.
    e) The right to object to data processing for certain purposes specified in the EU’s General Data Protection Regulation, such as direct marketing.
    f) The right to withdraw their consent at any time with no impact on the legality of processing performed by virtue of the consent before its withdrawal.
    g) The right to demand that the controller correct inaccurate and incorrect personal data concerning the data subject without undue delay, and to have incomplete personal data completed.
    h) The right to have the controller delete the personal data concerning the data subject without undue delay in the situations specified in the EU's General Data Protection Regulation.
    i) The right to have the controller limit the processing of the personal data in the situations specified in the EU's General Data Protection Regulation.