How does the National Archives process your personal data, when you use the services of the National Archives
The purpose of processing the personal data
Why do we process your personal data?
We process your personal data in connection with the following purposes:
- To carry out our services, for example to deliver documents stored at the National Archives to you for reading at the reading room or as copies to your home
- To invoice any services subject to a fee
- To process access permit applications
- To authenticate customer transactions
- To ensure the realisation of the rights and obligations of all parties
- To develop and analyse the services of the National Archives
- To prevent and investigate any misconduct.
We do not use personal data for statistical purposes.
Do we make decisions based on automatic profiling?
The National Archives does not use automated decision-making or profiling.
An automated decision refers to a decision related to assessing personal attributes, made solely based on automatic data processing and resulting in legal effects or other significant outcome for the data subject. Examples of automated decision-making include decisions on a person’s creditworthiness. A data subject has the right not to be subjected to automated decision-making.
Why do we have the right to process your personal data?
The National Archives needs to process personal data to fulfil its statutory assignment. The justification is mainly provided in the following laws:
- National Archives Act (1145/2016)
- Archives Act (831/1994)
- Act on the Openness of Government Activities (621/1999)
Personal data can also be processed based on consent; examples include newsletters or recording camera surveillance. In any case, we always make sure that legal and valid justification exists for any processing of personal data.
The controller and contact information
The controller responsible for the processing of your personal data:
The National Archives of Finland
P.O. Box 258, 00171 Helsinki
email@example.com, +358 (0)29 533 7000
Representative of the controller (the Astia service)
Satu Kantola, Senior Research Officer
P.O. Box 258, 00171 Helsinki
firstname.lastname@example.org, +358 (0)29 533 7236
Representative of the controller (Tweb processing system)
Kaisa Kohvakka, Senior Officer
P.O. Box 258, 00171 Helsinki
email@example.com, +358 (0)29 533 7184
Data protection officer for the National Archives of Finland
Vuokko Joki, Director
P.O. Box 258, 00171 Helsinki
firstname.lastname@example.org, tel. +358 (0)29 533 7231
The personal data being processed
What personal data do we process?
The content and amount of the personal data saved in our systems depend on which of our services and service channels you have used. We only gather the personal data that we need to provide and develop each service, to fulfil our statutory obligations and to secure our legal protection.
The Astia service of the National Archives saves the following data:
- Basic customer information: The customer's first and last name, address, telephone number, e-mail address, language identifier and the home archive, which is the National Archives location selected by the customer as their place of access. The customers shall ensure that their contact information is correct.
The Tweb processing system contains the personal data required for processing the matter:
- Information related to issues opened or decided at the National Archives, including name, identification number or date of birth, the authority/company/organisation that the person represents, postal address, country, language identifier, telephone number, fax number, invoicing address, e-mail address, and any other identification information required for processing the matter, as well as information concerning the process and the decision.
- Information about who has processed the matter at the National Archives.
Digital archives: service users
- Information about the customers who have access to restricted digital archive materials: name, user ID, and the materials for which access has been granted.
Recording camera surveillance in the facilities of National Archives
- Digital visual material of people who have accessed the facilities where surveillance is used.
How long do we retain the personal data?
The document retention periods have been defined in the National Archives’ Information management plan.
After the customer relationship ends, we retain data to fulfil our statutory obligations, to solve any disputes and to control any misconduct. The data to be retained include personal data related to payments and the use of archived materials. The retention obligation for such data is typically 6–10 years. Data that is no longer necessary for its intended purpose, outdated data and any data for which justification for processing no longer exists will be safely disposed of.
Personal data stored in the user management system of the digital archive is removed when the access right ends.
Recorded camera surveillance materials are kept for a maximum of 14 days unless a particular reason exists for retaining the materials for longer. The materials are destroyed by recording new materials over them.
The diary data of the Tweb processing system, including information of who has opened the issue (for example, the name of the person who has filed a request) will be permanently retained.
Where do we get the personal data that we need to process the matters?
We receive the data from you when you file an order or request or when you access the National Archives facilities that have camera surveillance. When necessary, we confirm the personal data from the population information system or another official registry.
Transfer or hand-over of data
Regular transfer or hand-over of data
The National Archive transfers to the Government Shared Services Centre for Finance and HR the personal data that is required for invoicing. There is no other regular transfer of personal data. No data are handed over to third parties for marketing purposes.
Any other hand-over of data is only possible if prerequisites for handing over data as defined in the Act on the Openness of Government Activities (621/1999) exist.
Transfer of personal data to countries outside the EU or to an international organisation
No data are transferred to countries outside the EU or to international organisations.
Information systems, cookies and protection of data
Which information systems do we use to process your personal data?
The personal data of the customers of the National Archive are processed using the following information systems:
- Astia online service
- Astia reading room interface (an interface used in the reading room when ordering documents without an authentication process; the customer enters their name and optionally their telephone number and e-mail address)
- Astia order management (management of orders for the reading room and inter-library loans filed in the Astia online service and its reading room interface)
- Astia user management (Astia’s customer register and management of access rights to restricted materials)
- Tweb, or the National Archive diary, is a processing system for storing the matters processed by the National Archive, including requests for information, which are responded to by sending copies or certificates. The preparation and decision documents generated in the course of this process are archived into the system. The system is used to track the processing of matters under work in the National Archive and to provide information on progress, processing stages and decisions in compliance with the Act on the Openness of Government Activities (621/1999) and other legislation as well as guidelines and orders issued based on these.
- Digital archive user management
- Recording camera surveillance in the facilities of National Archives
How do we protect your personal data?
The National Archive protects the privacy of the personal data that it saves, and complies with the data protection legislation and appropriate data protection practices in all its operations.
The data have been protected against unauthorized viewing, editing and deleting. The protection is based on physical protection of the facilities, physical access control and restriction of access.
Right to access and process information is granted based on an employee’s task description. Data are only processed by persons who need to process them as part of their work.
The facilities and the data are physically located in Finland.
Administrative controls are used to ensure appropriate procedures.
Rights of the data subject
What are the rights of the data subject?
You have the right to
See the information concerning yourself. You can personally view and correct the following information in the Astia online service of the National Archive: address, telephone number, e-mail address, home archive (the National Archive facility that you normally visit) and language identifier. You can also view your name data, the orders for the reading room and inter-library loans filed in the Astia online service, information requests, access permit applications and current access rights.
- Ask to see your own information.
- Request the correction of your own information.
- Demand that your information is removed.
- Demand the processing of your personal data to be restricted.
- Object to the processing of your personal data.
- Request that personal data that you have submitted be transferred from one controller to another.
- Cancel the consent that you have provided, when personal data is processed based on consent.
- Not to be subjected to automated decision-making.
To exercise these rights, submit a written request to the registrar of the National Archive at email@example.com or by post to P.O. Box 258, 00171 HELSINKI, Finland.
Submission of a request for viewing the data and processing of the request are normally free of charge.
A decision is issued within one month from the request being received.
You have the right to file a complaint at the Office of the Data Protection Ombudsman if you believe that your personal data has been processed in breach of the currently valid data protection legislation. Contact information: Office of the Data Protection Ombudsman, P.O. Box 800, 00521 Helsinki, Finland, firstname.lastname@example.org.