Right of access
An individual has the right to know whether their personal data is being processed, and what data is stored about them.
The City of Helsinki will provide the information without undue delay, at the latest within one month of receiving the request. If necessary, this period may be extended by a maximum of two months if the request is of exceptional scope and complexity. If the time limit is extended, the city will inform the person requesting the information of this within one month of receiving the request, as well as of the reasons for the delay.
Each person has the right to receive their data free of charge. However, if a person requests more than one copy, the city may charge a reasonable fee based on administrative costs. If the requests are manifestly unfounded or unreasonable, and if they are repeatedly made, the city may charge a reasonable fee or refuse to perform the requested action. In such cases, the city will demonstrate that the request is manifestly unfounded or unreasonable.
The right of access is not without limits. For example, a data subject does not have the right of access to data collected concerning them if the provision of such data could harm national security, defence, or public order and security, or hinder the prevention or detection of criminal offences. The right also does not exist if the provision of the information may pose a serious risk to the health or treatment of the data subject, to the rights of the data subject or to the rights of another person.
If the municipality does not provide information based on the request, it will inform the data subject without delay, at the latest within one month of receiving the request, of the reasons for not doing so and of the possibility of lodging a complaint with the supervisory authority and seeking other legal remedies.
(Data Protection Regulation: Article 12, Article 15 and the Data Protection Act: Section 34)
Right to rectification
A person has the right to demand that the city rectify imprecise and inaccurate personal data concerning them without undue delay. In addition, they have the right to the supplementation of incomplete information. Any incompleteness of the data will be resolved by taking into account the purpose of the processing of personal data in the register.
If the city does not accept the person’s demand for rectification, it will issue a written certificate stating the reasons the demand was not accepted. The possibility of lodging a complaint with a supervisory authority and of seeking other remedies is also mentioned in connection with the certificate.
(Data Protection Regulation: (Article 12, Article 16)
Right to erasure, right to be forgotten
In some exceptional cases – for example, if the processing of data has been based on the person’s consent and the person withdraws their consent – the person has the right to have their data erased, or in other words, to be forgotten.
If the city does not accept the person’s demand for erasure, it will issue a written certificate stating the reasons the demand was not accepted. The possibility of lodging a complaint with a supervisory authority and of seeking other remedies is also mentioned in connection with the certificate.
The right to erasure does not exist if the processing is based on compliance with the city’s statutory obligation, or it is related to the performance of a task carried out in public interest or the exercise of public authority vested in the city.
(Data Protection Regulation: Article 17)
Right to restriction of processing
In certain situations, a person may have the right to request that the processing of their personal data be restricted until their data has been duly checked and corrected or supplemented. Such situations include a person denying the accuracy of their data, in which case the processing of their data is restricted for the time the city checks their accuracy.
(Data Protection Regulation: Article 18)
Right to data portability
A person has the right to transfer their personal data from one controller to another if they have themselves provided the controller with their personal data, and the processing of the data is based on consent or a contract, and the processing is carried out automatically.
This right does not apply to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the city.
(Data Protection Regulation: Article 20)
Right to object
A person has the right to object at any time on grounds related to their personal situation to the processing of their personal data where the processing is based on the performance of a task carried out in the public interest or in the exercise of an official authority vested in the city. In this case, the data may be further processed only if there is a substantial and justified reason for the processing that can be demonstrated by the city. The processing may also continue if the processing is necessary for the establishment, exercise or defence of legal claims.
(Data Protection Regulation: Article 21)
Right to contest an automated individual decision
A person has the right not to be subject to a decision based on automated processing of personal data if the decision has legal effects on them or affects them in a similarly significant manner. Automated decision-making means that a decision is not made by a human being but solely by machine based on personal data.
(Data Protection Regulation: Article 22)
Right to lodge a complaint with an authority
A person has the right to lodge a complaint with the supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement, if they consider that the processing of personal data concerning them infringes the EU General Data Protection Regulation. In Finland, this supervisory authority is the Data Protection Ombudsman. In addition, a person has the right to exercise other administrative and judicial remedies.
(Data Protection Regulation: Article 77)
How to exercise your rights
Requests for access and demands for rectification of personal data
If you want to view your personal data that you cannot find in electronic services (for example, the Helmet service (Link leads to external service)or MyKanta service(Link leads to external service)), you can submit a request for verification to the City of Helsinki. You also have the right to request that your inaccurate data be corrected, and that incomplete data be supplemented.
You can make a verification request or a demand for the rectification of personal data through the city’s e-service:
Request to verify personal information in Suomi.fi website(Link leads to external service)
Demand to rectify personal data in Suomi.fi website(Link leads to external service)
The verification and rectification of personal data can also be requested in person. If you wish to make an on-site visit for this purpose, please bring a valid identity card with you. Verification requests and rectification demands for all the city’s business sectors can be made at the City Registrar’s Office:
In addition, verification requests and rectification demands can be made at the following service points, if the request or demand concerns the relevant division:
- Education Division: Töysänkatu 2 D and schools and daycare centres
- Urban Environment Division: Työpajankatu 8
- Social Services and Health Care Division: All service points
- Occupational Health Helsinki: Helsinginkatu 24, 2nd floor
In-person requests are made using the following forms:
Request to access personal data (PDF, the link opens in a new tab)
Demand for rectification of personal data (PDF, the link opens in a new tab)
Requests for verification and demands for rectification of personal data by a power of attorney
The verification and rectification of personal data can also be requested through a power of attorney. In the case of attorneys-at-law, licensed legal counsel or public legal aid attorneys, a general power of attorney with the date and name and signature of the assignor will be accepted. The city will verify that the person in question is an attorney-at-law, licensed legal counsel or a public legal aid attorney.
In the case of agents other than those mentioned above, the power of attorney must include:
- details of the authorised person and the assignor of the authorisation
- information about what the authorisation concerns (request for verification of the authoriser’s personal data or demand for rectification of the authoriser’s personal data)
- the name and signature of the authoriser and the date.
e-Services: The authorised person identifies themselves in the city’s e-services and makes a personal data verification request or rectification demand on behalf of the authoriser (links can be found above). The authorised person will attach a power of attorney to the request.
The process on site: The authorised person presents the power of attorney either at the Registrar’s Office or at the service desk of the branch and proves their own identity. The authorised person fills in the Request to access personal data form or the Demand for rectification of personal data form (the forms can be found above).