Processing personal data from ESF projects
Register controller and contact information
Diaconia University of Applied Sciences, P.O. Box 12, 00511 Helsinki
https://www.diak.fi/diak/contact/
Data protection officer’s e-mail: tietosuojavastaava@diak.fi
What is the purpose of processing personal data?
The Diaconia University of Applied Sciences (Diak) collects and saves data for those people who participate in projects coordinated by Diak and financed by the European Union’s European Social Fund (ESF) during the programming period 2014-2020 (so-called old programming period). The data is saved in the ESF Person service. The project financier, the Ministry of Economic Affairs and Employment, requires this data to be collected and is also the controller of the personal data register. You can read the privacy statement of the ESF Person service here and read more about the personal data collected in Finnish here.
The personal data is processed so that the Ministry of Economic Affairs and Employment and auditors of the ESF project can monitor, assess and audit the achievement of each project’s objectives and financial management. Personal data is not used or disclosed for any other purpose than monitoring and auditing ESF projects.
Additionally, personal data is processed in order to ensure that the actions of the projects in question are aimed at those people who are due to receive programme funding.
During the 2021-2027 programme period (so-called new programming period), the dedicated ESF personal data register will no longer be used for collecting data. Follow-up data for those people who participate in ESF+ projects during the 2021-2027 period will be saved and processed in the EURA 2021 system, which is controlled by the Ministry of Economic Affairs and Employment. Participants can enter their data in the system themselves using a mobile device or computer. Paper copies of initial notifications and final notifications are not collected. Questions regarding sensitive data belonging to certain special personal data groups are not asked of the participants at all.
What is the basis for processing the data?
Personal data from ESF projects is processed as required by the Ministry of Economic Affairs and Employment and in a manner required by the ministry. The Ministry of Economic Affairs and Employment’s requirements for processing are based on the ESF regulation (EU 1304/2013) and general regulation (EU 1303/2013).
Processing the personal data entered into the ESF Person system is based on legal obligations (ESF Regulation (EU) No 1304/2013 and Regulation (EU) No 1303/2013). The register is controlled by the Ministry of Economic Affairs and Employment.
Diak has a duty to comply with the Government Decree on the eligibility of costs part-financed by the Structural Funds (358/2014). The Decree states that the grant beneficiary must be able to verify actual costs and preserve all accounting materials and other materials so that use of the grant can be monitored.
Whose personal data does the register contain?
The ESF projects personal data register contains personal data about people who have participated in ESF projects.
Where was the data collected?
The personal data contained in the ESF projects personal data register is provided by the data subjects, meaning the project participants themselves. Data from the so-called old programming period was collected using a paper form and was then saved in the ESF Person system (electronic register) controlled by the Ministry of Economic Affairs and Employment.
What personal data does the register contain?
The ESF Person register for the old programme period contains the following data:
- Person’s identification and contact details: first name, last name, personal identification number, address, email address, phone number, gender and age.
- Employment status: employment details, duration of unemployment or inactivity (neither employed nor unemployed).
- Level of completed education.
- Other background information (sensitive data, person has a right to refuse to answer questions about these): belonging to a minority, being foreign born, disability or having a weak position in the labour market.
- Additionally, in some project types: person’s assessment of their ability to work and/or effects of the project.
The new programme period’s e-service for participating people saves a project code for the project that the person participated in and the following personal data:
1) Personal identification number
2) Age
3) Gender
4) Names
5) Contact details
6) Order of non-disclosure for personal safety
7) Highest degree completed in education
8) Degree or other professional qualifications completed during the project
9) Information on whether the person is unemployed, long-term unemployed or employed, an entrepreneur or self-employed, studying, applying for work or inactive.
10) Dates when the person started and ended their participation in the project.
The identity of the person registering as a participant will be verified.
How long is personal data stored in the register?
Old programme period (2014-2020)
Paper materials: Forms are stored for a period as decreed in Section 30 of the Government Decree on the eligibility of costs part-financed by the Structural Funds (358/2014), that is a minimum of ten years after the project has ended. After the storage period has ended, the forms are put into a locked waste paper container for disposal.
Digital materials: Data is destroyed from the ESF Person system after the ESF programme period and additional duties connected to it come to an end. The Ministry of Economic Affairs and Employment is responsible for destroying the data after the end of the data storage period.
New programme period (2021-2027)
Paper materials: Paper materials are not collected.
Digital materials: The register controller must delete the data no later than five years after the EU regional and structural policy programme has been closed. However, deletion of personal data is prohibited if they are needed to carry out a statutory duty or so that an authority can perform an audit related to the matter.
How is data protected?
Paper materials (old programme period): The participant will fill out a paper copy of an initial notification and a final notification form themselves and return it to the Diak Project Manager. The data is copied from the form into the ESF Person system. After this, the paper forms are stored in locked cabinets at Diak offices, which can only be accessed by those people who process these forms as part of their duties.
Digital materials (new and old programme periods): The ESF Person system requires that the person saving or processing personal data in the system uses strong authentication, has a verified connection to Diaconia University of Applied Sciences and access to data from a password-protected project.
Disclosure of data
Data from the old programme period’s paper forms is saved in the ESF Person system controlled by the Ministry of Economic Affairs and Employment. Representatives of the Ministry of Economic Affairs and Employment have a right to view all data in the ESF Person system within the limits set in current legislation.
Data of participants can be disclosed from the electronic ESF Person system to an external research institute, Statistics Finland or a similar operator in order to conduct a survey study. Target groups of surveys will be selected using random sampling from those who have participated in actions.
Surveys will be used to report to the European Commission on how the ESF projects’ actions have affected participants’ employment status or position in the labour market within six (6) months of the end of the action.
Is the data subject to automatic decision-making?
Systems using the register do not have automatic decision-making functions.
Transfer of data outside of the EU/EEA
Data will not be transferred outside the EU/EEA.
Data is transferred or disclosed outside the EU/EEA, where and to whom:
As a rule, the personal data contained in the register is not transferred outside the European Union or the European Economic Area or to international organisations. However, due to the international nature of the operations, Diak may use resources, applications and servers located outside the EU or EEA when providing the services. In these cases, Diak ensures that there is a legal basis for the transfer of data and that personal data is protected, for example by requiring standard contractual clauses approved by the EU Commission and compliance with appropriate technical and organizational security measures. In addition, where appropriate, a TIA assessment will be carried out in connection with such data transfer, as well as monitoring the overall level of data protection in known countries. In all cases, the data transfer is carried out in accordance with the General Data Protection Regulation and only to the extent strictly necessary.
Rights of data subjects
You have the right to information on how and for what purpose your personal data will be processed. You can also request access to records of your personal data, and request that incorrect information be rectified.
You can also submit a request to delete your data or restrict its use. However, in some cases the data cannot be deleted or its use restricted, for example if the personal data is being processed to fulfil a legal obligation, complete a task in the public interest orexercise public authority vested in Diak.
In certain situations, you also have the right to transfer the personal data you have provided to us to another controller or to object to the processing of your personal data, i.e. to request that we do not process them at all. In addition, you may request that we do not make a decision on your part based solely on automated processing of personal data.
If you would like to know more about the processing of your data or exercise your rights, you can contact Diak’s Data Protection Officer (tietosuojavavavaava@diak.fi) or submit a request using the form found on Diak’s website https://www.vismasignforms.com/form/fa53720e-cc71-4b92-b062-6db43e0d33d3.
You also always have the right to lodge a complaint with a supervisory authority. If necessary, you can also contact the Data Protection Ombudsman, a government official who supervises the processing of personal data in Finland.
Contact information:
Office of the Data Protection Ombudsman
P.O. Box 800, 00531 Helsinki
tietosuoja(at)om.fi
Tel. +358 29 566 6700
www.tietosuoja.fi
General advice for individuals: Tel. +358 29 566 6777