Privacy policy: Juoni case management system

Updated 4 November 2020

Controller Geological Survey of Finland
P.O. Box 96, FI-02151 Espoo, Finland
Tel. +358 29 503 0000,
Contact person for register matters Heikki Olander
Contact details of the data protection officer
Register name Juoni case management system
Purpose of and legal grounds for processing personal data The Juoni case management system manages the outcome of matters handled by the GTK and documents attached to them until the conclusion of the case and the filing of the case.
The case management system enables verification and monitoring of cases and promotes good information management and activities in accordance with the Publicity Act and Administrative Law.

Fulfilling the data controller’s statutory obligations (article 6.1c), exercising the public authority belonging to the data controller (article 6.1e).

Data content of the register and groups of personal data Cases processed by GTK, different processing stages and activities and documents.

GTK’s personnel: Name, contact information, organisation and profit centre or any other user group, title.

Party outside GTK that has initiated the case or to which GTK sends document data: Name, contact information, organisation and profit centre or any other use group, title.

Personal identity code or other identification of both parties, if its use is justified considering case management processes.

Storage period for personal data or, if this is not possible, criteria for defining the storage period In the case management system, personal data is saved as part of the case management process in accordance with the Administrative Procedure Act. The storage period of personal data depends on the process or task to which the personal data is related. A record is a register for cases received to be processed by an authority or cases initiated by an authority. Personal data in record cards is stored permanently, because records are stored permanently. Documents attached to record cards are stored or destroyed following the storage period defined in the data control plan.
Regular sources of data Active Directory user management maintained by Valtori includes user data about GTK employees. In addition, GTK employees can edit their data and cases and documents they process.
Recipients of personal data or groups of recipients Personal data stored in the case management system is processed by those GTK employees who have been provided, by means of record cards, with access rights to case-specific data and documents.

Triplan Oy, the supplier of the Juoni system and the service provider of TWeb, can access personal data to the extent permitted by GTK when it carries out specific activities in GTK’s name.

Information about the transfer of data to third countries and protection used (including information about the existence or nonexistence of the Commission’s decision on the sufficiency of data protection), and opportunities to obtain a copy or information about content. No data is transferred from the case management system to third countries.
Principles of register protection (manual material and electronic processing) The register is only processed in a secure technical environment provided by Valtori. Technical data protection methods provided by Triplan Oy are used in the register. Persons who process data in the system must process the data in accordance with permanent guidelines on case management within GTK and on the publicity and classification of GTK’s material and documents.

Access rights are decided on by the responsible party and those designated employees whose data is included in basic information in record cards. In practice, the preparing party defines access rights. Recipients of data depend on the process, i.e. which employees are defined as responsible persons in each process, as defined in job descriptions.

Rights of data subjects

  • Right to access personal data
  • Right to have data rectified
  • Right to have data erased
  • right to restrict processing,
  • right to object,
  • right to transfer data from one system
    to another
When an external party contacts GTK, a case management process starts in GTK’s case management system. Regarding personal data generated in the system, GTK has a statutory right to process and store. Data subjects cannot have their data erased, but they have the right to obtain an electronic or paper summary of the cases and documents in which they are mentioned. This data can be obtained in accordance with the provisions of the Act on the Openness of Government Activities.

Any errors in personal data will be rectified so that any corrections will leave a trace in the case processing history, indicating what data was rectified, by whom, why and when.

GTK has the right to transfer data later to a similar internal case management system within GTK, an internal archiving system or an external electronic archive of the Government.

Right to file a complaint with the supervisory authority Data subjects have the right to file a complaint with the supervisory authority of the member state in which their permanent place of residence or business is or in which the suspected breach of the GDPR has taken place.

If the data controller refuses the right of data subjects to access personal data or have the data rectified, data subjects have the right to file a complaint with the Finnish Data Protection Ombudsman.

Information about the existence of automated decision-making, including profiling, and significant information about the processing-related logic, at least in these cases, and the significance of specific processing and any consequences for data subjects No automated decision-making or profiling is used in the case management system.