The EU’s General Data Protection Regulation (2016/679)
1. Name of the data file
Vantaa City Bike Service Customer Register
2. Controller of the data file
City of Vantaa
PO Box 1100
01030 City of Vantaa
Helsinki Regional Transport Authority (HSL)
PO Box 100
3. Person responsible for the data file
City of Vantaa: Henry Westlin
HSL: Account Manager
4. Contact person for the data file
City of Espoo: Heikki Alkila
HSL: Account Manager
City of Vantaa
PO Box 1100
01030 City of Vantaa
Tel. +358 9 839 11
PO Box 100 (Opastinsilta 6A)
00077 HSL (00520 Helsinki)
Tel. +358 9 4766 4000
5. Purpose and legal basis of the processing of personal data
Personal data is processed in order to manage customer relationships.
Legal basis for processing:
Paragraph b) of Article 6 of the EU's General Data Protection Regulation: processing is necessary for the execution of an agreement to which the data subject is party or for the implementation of preliminary measures for concluding an agreement at the request of the data subject.
The data stored in the City Bike System Customer Register is used for managing customer relations and for service provision. A customer's personal data is used to identify the customer in cases of problems, to contact the customer to deliver messages related to the operation of the system, and to display user information for the users on the service website, where the users can also edit their information. In addition, the data is used to compile statistics about the system. Individual users will not be identifiable in the statistics.
The data stored in the Customer Register is used for direct marketing in accordance with paragraph a) of Article 6 of the EU's General Data Protection Regulation if the data subject has given their consent for the processing of their personal data for one or more specified, explicit purpose(s). The data subject may withdraw their consent for the use of their data for direct marketing at any time.
The EU’s General Data Protection Regulation (679/2016)
Act on the Openness of Government Activities (621/1999)
Administrative Procedure Act (434/2003)
6. Content of the data file
The City Bike Service Customer Register contains the following data on the users (customers) of the city bike service.
Data provided upon registration
- First name
- Last name
- Phone number
- Email address
- Street address
- Country of residence
- Age (min 15 years)
- The start and end dates of the pass paid for
- User ID
- Status (whether the user is currently active)
- Travel Card number if the user has added a Travel Card in the system
- The part of the payment card number provided by the payment service, the expiry date of the card and the name of the company that issued the card. This information is used to show the user which card they have linked to the city bike system; the entire payment card number is not stored in the register.
- The customer’s consent to direct marketing, if available.
• Actual use: start and end location, time, city bike use and distance cycled
• Payment transactions
• Information about possible uncharged fees.
Prohibition of use
7. Regular disclosure of personal data
Data on the user’s transactions are disclosed from SharingOS’s system to hsl.fi, where the user can view their own data.
No personal data is transferred from the file to outside the European Union or the European Economic Area.
8. Data storage times
The data will be stored for the time necessary for the management of the contractual relationship.
9. Sources of personal data
Personal data are collected from the data subject, as well as from the transactions generated by the city bike system.
10. Principles of data security
Agreements for securing the Customer Register have been made between the controller and system suppliers. System suppliers manage the register and related storage of data in accordance with good data processing practice and are subject to strict professional secrecy. All employees processing the register data are bound by professional secrecy.
The security of the City Bike Service Customer Register and the confidentiality of personal data are ensured through appropriate technical and administrative measures in accordance with good data processing practice.
Only employees whose duties involve processing customer data are authorized to use the system containing the data. Every user logs into the system with personal credentials provided in connection with granting access rights to the system. The access rights will expire when the person is no longer responsible for the tasks for which they were granted. The obligation of confidentiality and professional secrecy will continue to apply after the employee ceases to perform duties involving customer data processing, or after the termination of employment.
The data is compiled into logically and physically secured databases. The databases and their backups are located on locked premises, and only designated personnel are permitted to access the data. The data has been secured in accordance with the Information Society Code and the regulations and guidelines of the Finnish Communications Regulatory Authority.
11. Rights of data subjects
Data subjects have the following rights under the Personal Data Act:
a) The right to know what data has been stored on them in the personal data file, or that the file contains no information on them, as well as the regular sources of information and the purposes for which the data in the file are used and regularly disclosed.
b) The right to demand the correction, deletion or completion of personal data in the file that is erroneous, unnecessary, incomplete or expired for purposes of processing.
c) The right to prohibit the controller from processing their data for purposes of direct advertising, distance selling and other direct marketing, and for market surveys and polls.
From 25 May 2018, data subjects have the following rights under the EU's General Data Protection Regulation:
d) The right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and, where such personal data are being processed, access to the personal data and certain data specified in the EU’s General Data Protection Regulation.
e) The right to object to data processing for certain purposes specified in the EU’s General Data Protection Regulation, such as direct marketing.
f) The right to withdraw their consent at any time with no impact on the legality of processing performed by virtue of the consent before its withdrawal.
g) The right to demand that the controller correct inaccurate and incorrect personal data concerning the data subject without undue delay, and to have incomplete personal data completed.
h) The right to have the controller delete the personal data concerning the data subject without undue delay in the situations specified in the EU's General Data Protection Regulation.
i) The right to have the controller limit the processing of the personal data in the situations specified in the EU's General Data Protection Regulation.