Privacy policy of Hoas notification channel
1) Controller
Foundation for Student Housing in the Helsinki Region sr, later on referred to as Hoas
Business ID FI01165149
Pohjoinen Rautatiekatu 29, 00100 Helsinki
P.O. Box 799, 00101 Helsinki
Tel. +358 (0)9 5499 01
Email for privacy matters: privacy@hoas.fi.
2) The purpose of use and grounds for processing personal data
Notification channel can be used to notify detected shortcomings and irregularities. The notification may contain personal data. Personal data is processed through the notification channel in order to clarify the notifications received.
Personal data is processed only for the fulfilment of Hoas’ statutory obligations, for the exercise of the right to supervision and control, and in the processing of received notifications.
With regard to third party data, such as data of persons subject to notification, the processing of personal data is based on the controller’s legal obligation or the controller’s or third party’s legitimate interest, and with regard to the notifier’s data, on consent or the controller’s or third party’s legitimate interest.
With regard to the personal data of the persons processing the notifications, the processing is based on a legal obligation or legitimate interest.
3) Processed personal data and regular data sources
Upon submitting the notification, the notifier shall provide information on the maladministration or violation observed. The notification does not, as a rule, contain personal data concerning the notifier, unless the notifier expressly provides them. Instructions concerning the notification state that the submission of the notification does not require, for example, the submission of the personal data of the notifier. If the notifier provides information about themselves, they are treated as a data subject.
The notification may contain personal data concerning other persons if the notifier considers it necessary for the purposes of the notification. In addition, personal data may be collected in connection with the processing of the notification.
Personal data may include, for example, name, address, telephone number, email address and position and, if necessary, role as a data processor.
The notification channel service does not collect any personally identifiable information about the notifier, such as IP addresses or cookies.
4) Protection of personal data and data security
Notifications are stored in a secure form. Personal data contained in the notification is stored securely in the database of the notification channel service.
Only data processors appointed by the controller are informed about the notifications and can access the notifications in the service. Each processor uses their own unique user IDs when logging into process notifications. The controller may restrict access to notifications on the basis of different types of notifications or the role of designated processors. Person responsible for the technical maintenance of the system does not have the right to access the notification database.
Notifications and related information are archived in a secure format. Archived data can only be accessed by designated notification processors.
5) Regular disclosure and sharing of personal data
Personal data is processed by the controller’s designated data processors. Processors do not disclose personal data to third parties in situations other than those based on the legislation, such as if the processing of the notification results in an investigation by the authorities or if the disclosure is necessary for the implementation of the measures required by the results of the investigation of the notification.
Personal data may also be shared with third parties in situations where the impartiality of the processing of notifications cannot be guaranteed due to the interests of the data processors appointed by the controller. In this case, in order to ensure the impartial processing of the notification, the controller may authorise external processor(s) to process the notification in accordance with the requirements of this policy and the legislation. Such an external processor may be, for example, an auditor, a law firm or another independent expert.
6) The period for which the personal data will be stored
Personal data will be deleted and destroyed five (5) years after receipt of the notification, unless their retention is necessary for the performance of rights or obligations provided by legislation or for the establishment, exercise or defence of legal claims.
The necessity for further storage of the data will be examined no later than three (3) years after the previous review. The check shall be recorded in the database.
Personal data that are clearly not relevant for the processing of the notification will be deleted without undue delay. The notification will remain in the notification channel for one (1) year in the form in which it was sent by the notifier. The retention period in the notification channel may be extended for legal reasons. The notification in the channel will be completely destroyed with the personal data at the end of the retention period. When entering the archive, the processors delete personal data that are not clearly relevant to the notification.
The controller deletes and destroys personal data after the processing of personal data is no longer necessary.
7) Transfer of personal data outside the EU or the EEA
Personal data will not be transferred outside the EU or the EEA.
8) Rights of data subjects
The data subject has rights in relation to the processing of personal data. The rights of the data subject may be restricted on the grounds specified by the legislation. Any restriction of the rights of data subjects shall be based on proportionate and necessary grounds, such as ensuring the accuracy of the notification or protecting the identity of the reporter, and shall not restrict the rights of data subjects more than necessary.
In principle, the data subject has the right of access to their own data, except in situations where the restriction of access is based on the need to protect the necessary rights of the controller or of a third party. This is the case, for example, where access leads to a risk of disclosure of the identity of the notifying person.
The data subject has the right to request the rectification or erasure of the data collected about them. This right of the data subject may also be restricted if the purpose of the restriction is to safeguard a legal obligation of the controller, in particular the obligation to provide a reliable and impartial reporting channel.
The data subject has the right to request the deletion of the personal data collected, provided that one of the following grounds is met and that no other legislation or official regulation imposes an obligation to store the data:
- personal data are no longer required for the purposes for which they were processed;
- data subject objects to the processing on grounds relating to their particular personal situation and there are no legitimate grounds for the processing;
- personal data has been unlawfully processed; or
- personal data must be erased in order to comply with a legal obligation to which the controller is subject under the European Union or Finnish legislation.
The data subject has the right to object to the processing of personal data concerning them. In case the controller processes data on the basis of a legitimate interest, the data subject has the right to object to the processing of personal data concerning them on grounds relating to their particular situation.
In case the right of the data subject has been restricted by legislation to the extent necessary and proportionate to ensure that the accuracy of the notification is ascertained or to protect the identity of the notifier, the data subject has the right to be informed of the reasons for the restriction and to request that the data be disclosed to the data protection authority.
In case only part of the data concerning the data subject is such that the rights of the data subject may be restricted, the data subject shall have the right to obtain other information concerning them.
As a rule, the controller processes the request of the data subject within one month and no later than within three months from the submission of the request.
Concerning your rights, we kindly ask you to contact us at the address mentioned in Section 1 of this privacy policy.
9) Right to lodge a complaint with a supervisory authority
The data subject has the right to lodge a complaint with the competent supervisory authority (tietosuoja@om.fi) or the supervisory authority of the EU Member State in which the data subject’s place of residence or place of work is located, if they consider that their personal data has not been processed in accordance with the applicable data protection legislation.
10) Amendments to this privacy policy
This privacy policy may be updated from time to time, for example, in the event of changes in legislation. This privacy policy was last updated on 30.3.2023.