1 Introduction
Protecting privacy and the transparency of the processing of personal data are important to the Fintraffic Group. The purpose of this privacy statement is to inform the data subject of the processing of their personal data in connection with Traffic Management Centres’ call management. We process personal data in accordance with the EU General Data Protection Regulation (EU) 2016/679 and national data protection legislation.
This privacy statement may be amended whenever the controller’s practices or legislation are modified. The up-to-date version of this privacy statement can be found on Fintraffic Ltd’s website.
2 Controller
Fintraffic Road Ltd (2945247-3)
P.O. Box 71, 00241 Helsinki
Telephone switchboard: +358 29 450 7000
Controller's representative: Anne Saaranen(at)fintraffic.fi, +358 29 450 7000
Group Data Protection Officer: privacy(at)fintraffic.fi, +358 29 450 7000
3 Categories of data subjects and personal data we process
Fintraffic collects and records data on persons using the telephone service. Such persons may include Fintraffic Group employees, personnel of contracting partners, road maintenance contractors, the police and rescue authorities and road authorities, as well as media representatives and road users.
The following call data will be recorded:
· phone number, call time and call duration;
· the conversation in its entirety, including the name of the caller and the recipient and the workplace, if these are mentioned during the call;
· location data if the call is made through the 112 application.
For partners, we will record the name, workplace, work task, e-mail address and telephone number in the register if necessary.
4 Data sources
Data collected from the data subject
We collect personal data from incoming and outgoing calls. The data are recorded in our system during calls.
Data collected from other sources
In order to fulfil our statutory obligation, we record the contact information separately provided to us by our partners.
5 Purpose and legal basis for processing
The purpose of recording calls and contact information is to secure communications related to traffic control tasks.
Recording calls and contact information is essential for revisiting the data, taking the necessary measures based on calls and ensuring the legal protection of all parties.
Oikeusperuste henkilötietojen käsittelyyn
Personal data referred to in this privacy statement are processed pursuant to Article 6(1)(c) of the EU General Data Protection Regulation in order to fulfil the controller’s statutory obligation. Additionally, personal data are processed on the basis of Article 6(1)(f) of the EU General Data Protection Regulation, i.e., the legitimate interest of the controller.
Fintraffic Group’s statutory task is to maintain the monitoring of the traffic situation on routes, i.e., the traffic situation picture and the service for reporting and providing information on accidents, incidents and traffic flow. Fintraffic is also obliged to produce and share traffic-related information. Such information includes data on the weather and conditions, information on traffic flow and busyness, information on the condition and usability of devices serving road maintenance and traffic, and other information related to road safety, traffic flow and the safe transport, control and management of vehicles. Provisions on the tasks are laid down in sections 137 and 141 of the Act on Transport Services (320/2017).
The road traffic control and management service provider shall report any essential matters relating to accidents and incidents, route maintenance, traffic safety, environmental protection, rescue operations or regional or customs control that it has observed or that have been reported to it:
- traffic, rescue, environmental, regional control, police or customs authorities, the Finnish Border Guard and the Emergency Response Centre Agency;
- traffic infrastructure network managers;
- harbour operators or other terminals;
- a traffic manager referred to in Chapter 3 of the Road Traffic Act (267/1981) and a traffic controller referred to in Chapter 7;
- other operators whose activities may prevent a hazard or damage or mitigate them.
Calls are also compiled into statistics, which are used to monitor the volumes and response times of calls. In addition, recordings are used for call quality control. In this case, personal data are processed on the basis of Article 6(1)(f) of the EU General Data Protection Regulation, i.e., the legitimate interest of the controller.
| LEGAL BASIS | PROCESSING PURSUANT TO THE BASIS |
| Compliance with a legal obligation to which the controller is subject | Act on Transport Services (320/2017): Article 137: The road traffic control and management service provider’s task is to maintain the monitoring of the traffic situation on routes (the traffic situation picture) and the service for reporting and providing information on accidents, incidents and traffic flow. Article 141: The road traffic control and management service provider shall report any essential matters relating to accidents and incidents, route maintenance, traffic safety, environmental protection, rescue operations or regional or customs control that it has observed or that have been reported to it. |
| Legitimate interest pursued by the controller | Contact information is stored for the required period of use, and the information is deleted when the purpose for which the information is used (relevant to the person’s task) becomes void. Calls are also compiled into statistics, which are used to monitor the volumes and response times of calls. Call quality control. |
6 Disclosure of data and data recipients
The controller uses instructions and written data processing agreements to ensure that each recipient complies with the regulations related to the processing of personal data. The processor of personal data may only process data in accordance with instructions issued by the controller.
Disclosure to other controllers
Data will only be disclosed to authorities against a request for mutual assistance between authorities when the authority has the right to be informed. Data will be disclosed to the authorities to the extent permitted and required by law.
Disclosure of personal data to processors
The telecommunications operator and, if necessary, the service provider responsible for technical maintenance, also have limited access to the data in tasks related to the technical maintenance and development of our systems and call statistics.
The controller uses instructions and written data processing agreements to ensure that each recipient complies with the regulations related to the processing of personal data. The processor of personal data may only process data in accordance with instructions issued by the controller.
Luovutukset kolmansille osapuolille
Any reports related to the condition of the road network and the contact information of the registered user are regularly disclosed to the Finnish Transport Infrastructure Agency (FTIA). Under the agreements between the FTIA and regional contractors, a contractor may directly contact the registered user who sent the feedback.
Data will only be disclosed to authorities against a request for mutual assistance when the authority has the right to be informed. Data will be disclosed to the authorities to the extent permitted and required by law.
Transfers of personal data outside the EU or EEA countries
Personal data referred to in this privacy statement will not be transferred outside the EU or EEA.
7 Data storage
Personal data will only be processed for the period and to the extent necessary for the purposes listed in this privacy statement. When the legal basis for processing no longer exists or personal data is no longer needed, the data will be properly destroyed.
Telephone recordings will be stored for 18 months. Records may be retained for a longer period of time if the data are required for an ongoing investigation or trial.
Contact information will be stored for the required period of use, and the information will be deleted when the purpose for which the information is used (relevant to the person’s task) no longer exists.
8 Protection of personal data
The controller has use of appropriate technical and organisational personal data protection measures. With these measures, the controller ensures that the data subject’s personal data are not accidentally or unlawfully destroyed, lost or altered. The controller also ensures that the data are not disclosed without authorisation and cannot be accessed by anyone who does not have the right to process the data. The protection of the data subject’s personal data is safeguarded by measures such as the following:
Data can only be accessed using personal user rights, and user rights management is ensured. Call data shall only be accessible to personnel of the controller, telecommunications operator or subcontractor who have the right and need to process call data based on their work tasks.
Each person processing data is given instructions on the legal and secure processing of the data. Any security breaches will be responded to immediately.
9 Data subject’s rights
The data subject has the right to receive information from the controller on whether personal data concerning them are being processed. If personal data concerning the data subject are being processed, they have the right to receive a copy of their personal data and information on the purposes of the processing and other matters related to the nature of the processing.
If the personal data are incomplete or otherwise incorrect, the data subject has the right to demand that the controller rectify the data concerning them.
The data subject may demand the controller to delete personal data concerning them, for example, in situations where the controller no longer needs the data subject’s personal data for the original purpose, the personal data are processed unlawfully, or the data subject withdraws their consent that formed the legal basis for the processing of their data. However, if the retention of personal data is necessary to establish, present or defend a legal claim, the controller is not under any obligation to delete the data.
The data subject may require that the controller restrict the processing of the personal data to only include its storage, for example when it is unclear whether the personal data are accurate or being lawfully processed.
When the legal basis for the processing of data is the legitimate interest of the controller or the public interest or the exercise of public authority, the data subject has the right to object to the processing of their data on the basis of their special personal situation. However, if there is a significant and justified reason for processing that overrides the data subject’s rights, the processing may continue.
Exercise of the data subject's rights
In order to exercise their rights, the data subject may contact the controller’s contact person by e-mail.
The measures taken by the controller following the data subject’s request are, as a rule, free of charge for the data subject. However, fulfilling the data subject’s request for their rights will require that the data subject can be reliably identified. Therefore, if necessary, the controller may require the data subject to prove their identity at the time of the request.
The controller will respond to the data subject’s request without undue delay and, as a rule, within one month of receiving the request.
Referral to the Data Protection Ombudsman
If the data subject feels that their personal data have been processed in a manner that does not comply with data protection legislation, they have the right to lodge a complaint with the supervisory authority. The Office of the Data Protection Ombudsman acts as the competent supervisory authority in Finland:
Street address: Lintulahdenkuja 4, 00530 Helsinki
Postal address: PL 800, 00531 Helsinki, Finland
Telephone switchboard: +358 29 566 6700
Registry: +358 29 566 6768
Email (Registry): tietosuoja(at)om.fi
The controller would appreciate it if the data subject would first inform the controller of the issue. For further information on the data subject’s rights, please see https://tietosuoja.fi/en/private-persons
This privacy statement is valid as of 20 November 2023.