Controller
Lentorata Oy
Business ID: 3176750-3
Postal address: Lentäjäntie 3, 01530 Vantaa
E-mail: toimisto@lentorata.fi
Data Protection Officer
Lentorata Oy
Lentäjäntie 3
01530 Vantaa
Purpose and legal basis of the processing of personal data
Lentorata Oy is a state and municipality owned special purpose company that develops and produces rail transport infrastructure plans for the needs of society, the authorities and its shareholders, and estimates of the related benefits, defects and other impacts.
Lentorata Oy processes personal data in order to carry out the planning task provided for in the Railway Act (2 February 2007/110). The primary purpose of the planning task is not the collection of personal data, but in connection with the planning, Lentorata Oy processes the data of the design stakeholders and contractual partners or the natural persons acting on their behalf, real estate data and the personal data of the natural persons who own the real estate, in which case the question is of the processing of personal data as referred to in the EU’s General Data Protection Regulation1(hereinafter the “GDPR”). In the course of the planning process, personal data may also be processed for the purpose of communicating and providing information about the planning task to different target groups and for the purpose of preparing and implementing legal obligations relating to the implementation of the planning, such as contracts. Personal data are also processed in order to fulfil the consultation obligations relating to planning, in which case the subject matter of the processing is the personal data of natural persons who are consulted or who give or leave feedback, reminders or other similar contacts with regard to the planning, or of the representatives of other stakeholders.
1REGULATION (EU) 2016/679 of the EUROPEAN PARLIAMENT and of the COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
The processing of personal data is based on Article 6(1), subsections a, b, c, e and f of the GDPR.
The processing of personal data is based on the consent of the data subject (subsection a) when the data subject has given their consent to Lentorata Oy for the processing of their personal data for one or more specific purposes. Where processing is based on the data subject’s consent, the data subject may at any time withdraw that consent.
The processing of personal data is based on subsection b when the processing is necessary for the implementation of an agreement in which Lentorata Oy and the data subject are contractual partners or otherwise as parties to the agreement, or for the implementation of measures prior to the conclusion of such an agreement at the request of the data subject.
The processing of personal data is based on subsection c when personal data is processed in order to prepare a railway plan in accordance with the planning task provided for the controller in the Railway Act.
The processing of personal data may also be based on subsection e when the question is of the implementation of the aforementioned planning task by Lentorata Oy and the processing is necessary for the performance of a task of public interest or the exercise of public authority in connection with the performance of this task.
The processing of personal data is based on the legitimate interest of the controller or a third party (subsection f) where there is a material link between the data subject and the controller. Such a connection may be formed, for example, when the data subject is in contact with the controller on their own initiative in connection with the planning task of Lentorata Oy.
Groups of data subjects and categories of personal data processed
Lentorata Oy processes the personal and contact data of natural persons acting as the representatives of its cooperation and contractual partners. Such data includes names, postal addresses, telephone numbers, e-mail addresses and information describing the person’s position or role in the company, as well as information on agreements and communications. Lentorata Oy processes real estate data in connection with its planning task as well as related natural persons’ data connected with the ownership and possession of real estate.
Regular sources of data
In the case of consent-based processing of personal data, data are obtained from the data subject themselves and the provision of data is voluntary. In the case of the implementation of agreements or the preparation of agreements or other pre-contractual measures, data are obtained from the contractual partner or their representative and in addition from public registers (such as the trade register). The data subject themselves also provide information regarding planning-related feedback, reminders or other contacts. In such situations, the data subject may decide to what extent they will provide information about themselves. If the person does not provide their contact details, the controller cannot contact them regarding planning matters.
In the case of information on the ownership or possession of real estate, information is obtained from the information systems or registers maintained by the authorities in which such information is legally stored and maintained. The information is obtained from such registers or information systems under specific legislation applying to them as well as rights of access provided for in them.
Recipients or categories of recipients of personal data
Lentorata Oy does not regularly disclose personal data to third parties. Lentorata Oy may disclose personal data to the authorities if specifically provided for by law.
According to Section 22b of the Railway Act, the plan must be made publicly available. The plan made publicly available may include personal data relevant to the plan, such as the property identifiers included in plan maps.
Lentorata Oy discloses the personal data contained in the plans to the party whose task is to approve the plan and implement the railway project based on the plan, as provided for in law.
Lentorata Oy uses the services of third parties in the production of IT services, such as the maintenance of information systems. Such third parties act as processors of personal data on behalf of the controller. The lawful processing of personal data is governed by an agreement between the controller and the processor or processors. The processors process personal data only in accordance with the agreement and the instructions given by the controller.
Transfer of personal data to third countries
Lentorata Oy processes personal data in the EU/EEA area and does not transfer personal data to third countries.
Data retention periods
Lentorata Oy processes personal data as long as it carries out the planning task described in Section 4.
The validity of the plans is provided for in Section 26 of the Railway Act. The personal data contained in the plans are processed as long as the plans are in force and thereafter as provided for separately for the archiving of the plan documents.
Other personal data processed by Lentorata Oy, such as personal data related to planning-related stakeholder cooperation and communications, will be disposed of when there is no longer any need to process them for the implementation of the plan, for example, unless the data are subject to a longer retention period specified elsewhere in the law.
Profiling
Personal data are not used for profiling.
Principles of personal data protection, technical and organisational measures
The protection of personal data is based on generally well-known and accepted information security mechanisms and controls.
The following means, among others, are used to protect the data:
- access and authorisation management and access control,
- technical means of protection of databases, servers and other technical infrastructure, such as encryption techniques,
- physical protection and access control of premises used for the provision of services,
- protection of telecommunication, firewalls,
- protecting data by backing up and ensuring that data can be restored.
The data are only processed by persons who need to process them as part of their duties.
The equipment and facilities used for data processing are located in Finland.
Administrative controls are used to monitor the adequacy of operations. Responsibility for implementing data protection principles lies with Suomi-rata Oy.
Rights of the data subject
In accordance with the General Data Protection Regulation, the data subject has the following rights:
- Right of access to personal data (right of inspection)
The data subject has the right to verify which data concerning them are stored in the register or to obtain confirmation that data concerning them are not stored in the register. The data subject has the right to receive information as specified in Article 15 of the General Data Protection Regulation. The exercise of the right of inspection may be subject to restrictions provided for by law. The exercise of the right of inspection is, in principle, free of charge. However, the controller may charge a reasonable fee from the data subject, reflecting the administrative costs incurred in responding to the request, if the data subject requests more than one copy of the data or if the request by the data subject is manifestly unfounded or unreasonable. The exercise of the right of inspection presupposes, in principle, that the person requesting the exercise of the right of inspection can be identified. - Right to rectification, erasure or restriction of processing
The data subject has the right to obtain rectification or erasure of such information contained in the register that is incompatible with the purpose of the register, incorrect, unnecessary, incomplete or outdated. The data subject also has the right to request restriction of the processing of their personal data in accordance with Article 18 of the General Data Protection Regulation. - Right of objection
The data subject has the right at any time to object to the processing of personal data concerning them in relation to their particular situation, as provided for in Article 21 of the General Data Protection Regulation. The data subject also has the right to object to the processing of their personal data for direct marketing purposes.
- Right to data portability
In accordance with Article 20 of the General Data Protection Regulation, the data subject has the right to transfer data from one system to another when the conditions set out in the Article are met.
The exercise of the data subject’s rights may have been restricted by other legislation. If the data subject wishes to exercise the aforementioned rights, they must contact the controller. The contact details of the controller are indicated in Section 1.
Right to lodge a complaint with the supervisory authority
The data subject has the right to submit a request for action to the supervisory authority if the data subject considers that the processing of personal data related to them is in breach of legislation on the processing of personal data, such as the EU’s General Data Protection Regulation or the Data Protection Act (1050/2018).
The supervisory authority in Finland is the Data Protection Ombudsman.
Contact details of the Data Protection Ombudsman:
Street address: Lintulahdenkuja 4, 00530 Helsinki
Postal address: P.O. Box 800, FI-00531 Helsinki
Telephone switchboard: +358 29 566 6700
Registry: +358 29 566 6768
E-mail: tietosuoja@om.fi
Website: https://www.tietosuoja.fi
Lentorata Oy