PRIVACY POLICY
Kiinteistö Oy Helsingin Iso Paja 29.11.2023
Employees, visitors, and other staff of the tenant
1 GENERAL
This Privacy Policy describes how Kiinteistö Oy Helsingin Iso Paja (the
“Controller”) processes personal data, what personal data is collected, the purposes for which personal data is processed, to which parties
personal data may be disclosed, and how you can influence the processing of your personal data. This Privacy Policy also providesinformation on the obligations that apply to the processing of personal data. This Privacy Policy applies in the context of the lease agreement between the Controller and the tenant and the provision of related services and the processing of personal data in connection with the services. The Controller shall process personal data in accordance with data protection legislation. Data Protection Legislation refers to the applicable data protection legislation, such as the General Data Protection Regulation of the European Union (2016/679) (“GDPR”), the National Data Protection Act (5.12.2018/1050) and the guidelines and regulations of the supervisory authority. Any data protection terms not defined in this Privacy Policy shall be interpreted in accordance with the Data Protection Legislation.
2 REGISTER NAME
Kiinteistö Oy Helsingin Iso Paja Rental Premise and Access Control Register.
3 CONTACT FOR REGISTER MATTERS
Mari Mannila mari.mannila@trevian.fi
4 REGISTER CONTENTS
The Controller processes personal data of the employees, visitors, and other staff of the tenant within the Register. The processed personal data includes the following:
- Access control system-assigned personnel number
- First and last name
- Unit of the individual
- Start and end date of employment
- Access card number
- Video footage from surveillance cameras
- Access control and locking system log data
5 PURPSOE AND LEGAL BASIS OF PERSONAL DATA PROCESSING
The Controller or their authorized (acting on behalf of the data controller) partner uses the personal data in the register for the following purposes in accordance with the Data Protection Legislation:
- Access control in common areas of the property
- Maintaining access card information for tenant employees,
visitors, and other staff - Maintaining and creating groups for access areas
- Key management
- Surveillance in the property
- Providing lobby services and associated tasks
- Performing tenant and property security related tasks, in addition
to verifying and confirming events - Receiving and recording guests and visitors (Q-park)
- Receiving and notifying recipients of shipments and mail
- Opening meeting rooms (Unison)
- ILOQ key management tasks (creating, configuring, and issuing
and returning keys) - Holding lost and found items
- Ordering taxis
- Receiving and processing maintenance requests
- Issuing keys to maintenance companies (RTK, Caverion, Stanley,
Schindler, 4Business)
The Controller has the following legal basis for personal data processing:
- Contract Basis: The data controller processes the personal data of
the staff of the tenant according to the employment contracts
between the tenant and its employees. - Consent: The data controller processes the personal data of
visitors based on the consent of the visitors. - Legitimate interest: The data controller processes the personal
data of guests and unauthorized visitors to the property to prevent
crimes.
6 REGULAR DATA SOURCES
The tenant supplies the information from its register. The Controller acts as an independent data controller for the information provided in accordance with this Privacy Policy, which it collects into its own Register. The tenant acts as an independent data controller for the register containing the personal data which is to be provided for the Register of the Controller, in addition to the own register of the tenant. The tenant is obligated to inform its staff about the transfer of personal data. The tenant is also responsible for ensuring that it has the appropriate legal rights and grounds under applicable legislation to transfer personal data to the Controller.
Video data is captured using the surveillance camera system. Access control and locking system log data are stored in the systems as these systems are used.
7 DATA PROCESSORS AND OTHER DATA RECIPIENTS
In principle, personal data is not disclosed to external parties, excluding the security subcontractor of the Controller (Avarn Security Oy), which provides lobby services on behalf of the Controller. Personal data may be disclosed as required by competent authorities or other entities in accordance with applicable and valid legislation
8 DATA TRANSFER OUTSIDE THE EU OR ETA ZONE
Personal data is not transferred outside of the EU or ETA zone.
9 PRINCIPLES OF PERSONAL DATA STORAGE
Personal data is stored as long as the Controller utilizes the data for the purposes described in Section 5. Personal data recorded in the Register is deleted once there is no longer a legal basis for the processing of personal data. Personal data is stored for a maximum of three (3) months after the termination of the lease agreement or until the tenant or the data subject requests the deletion of the data. Personal data may need to be retained for a longer duration if applicable legislation or contractual obligations binding the Controller to third parties require an extended retention period.
10 PRINCIPLES OF REGISTER SECURITY
The security of the Register, as well as the confidentiality, integrity, and availability of personal data, is ensured through appropriate technical and organizational measures. Access to the information is restricted to individuals employed by the Controller or authorized agents whose job responsibilities require the processing of personal data. Registry data is protected with personal usernames and passwords. Staff and collaborators are required to commit to maintaining the confidentiality of personal data in the register.
11 RIGHTS OF THE DATA SUBJECT
The data subject has rights as stipulated by Data Protection Legislation. Please note that the precise application of these rights in individual circumstances depends on the purpose and context of the processing of personal data. Requests concerning these rights should be submitted by the data subject via email to the following address: aulapalvelu@isopaja.fi In principle, the Controller will not charge a fee for processing registry concerns of the corresponding data subjects. However, if the requests are evidently unfounded or excessive, such as when presented repeatedly, the Controller may impose a reasonable fee based on administrative costs incurred in processing the request.
11.1 The Right to Access Personal Data and to Receive an Extract of Personal Dat
The data subject has the right to receive confirmation if their personal data is being processed and the right to receive the information related to the processing of personal data as stipulated in Data Protection Legislation. In addition, the data subject has the right to receive an extract of their processed personal data.
11.2 The Right to Verify and Rectify Registry Data
The data subject has the right to verify the data pertaining to themselves
and the right to request the rectification of any false or inaccurate
information pertaining to themselves.
11.3 The Right to Have Personal Data Deleted
The data subject has the right to have the data pertaining to themselves
deleted without undue delay provided that:
- Personal data is no longer needed for the purposes for which it
was collected or otherwise processed; or - Personal data has been processed unlawfully; or
- Personal data must be erased to comply with a legal obligation
under union or national legislation.
11.4 The Right to Restrict Data Processing
The restriction of data processing entails that the restricted data, in addition to storage, may only be processed:
- With the consent of the data subject
- To establish, exercise, or defend legal claims
- To protect the rights of another natural or legal person
- For important reasons of public interest for a union or member
state.
The data subject has the right for the Controller to restrict data
processing if:
- The data subject disputes the accuracy of the personal data, in
which case processing is restricted until the Data Controller
verifies the accuracy of the information; or - Processing is unlawful, and the data subject opposes the deletion
of personal data, instead requesting the limitation of their use; or - The Data Controller no longer needs the respective personal data
for the purposes of processing, but the data subject requires them
to establish, exercise, or defend a legal claim.
11.5 The Right to Withdraw Consent
If the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw their consent at any time, without affecting the lawfulness of the processing based on the consent before its withdrawal. However, compliance with a legal obligation imposed on the Controller may require the retention of the personal data of the data subject.
11.6 The Right to Have Personal Data Transferred to Another System
The data subject has the right to have the information provided to the Controller in a structured, commonly used, and machine-readable format, and the right to transfer this data to another data controller, if technically feasible.
11.7 The Right to Appeal to a Supervisory Authority
The data subject has the right to appeal to a supervisory authority if they deem that the processing of their personal data is in violation with applicable Data Protection Legislation.
12 AMENDMENTS TO THE PRIVACY POLICY
Due to changes in services and the development of leased spaces, it may be necessary to modify and update this Privacy Policy. Changes may also be based on amendments to applicable legislation. The latest version of the Privacy policy will always be provided after any updates or modifications, or upon request.
