Helsingin ja Espoon kaupunkipyörien rekisteriseloste

1. Name of the data file

Helsinki and Espoo City Bike Service Customer Register

2. Controller of the data file

Helsinki City Transport Public Utility (HKL)
PO Box 1400
00099 City of Helsinki

City of Espoo
PO Box 1
02070 City of Espoo

Helsinki Regional Transport Authority (HSL)
PO Box 100
00077 HSL

3. Person responsible for the data file

HKL: Managing Director

City of Espoo: Head of Traffic Management

HSL: Contact person for HSL’s Customer Register

4. Contact person for the data file

HKL: Project Engineer
City of Espoo: Head of Traffic Management
HSL: Contact person for HSL’s Customer Register

Contact details: 
City of Helsinki (HKL)
Registry
PO Box 10 (Pohjoisesplanadi 11-13)
00099 City of Helsinki
kirjaamo@hel.fi

City of Espoo
PO Box 1
02070 City of Espoo
Switchboard 09 816 21
kirjaamo@espoo.fi

HSL
PO Box 100 (Opastinsilta 6A)
00077 HSL (00520 Helsinki)
Tel. +358 9 4766 4000
hsl@hsl.fi

5. Purpose and legal basis of the processing of personal data

Personal data is processed in order to manage customer relationships. 

Legal basis for processing:
Paragraph b) of Article 6 of the EU's General Data Protection Regulation, processing is necessary for the execution of an agreement to which the data subject is party or for the implementation of preliminary measures for concluding an agreement at the request of the data subject.

Purpose of processing:
The data stored in the City Bike System Customer Register is used for managing customer relations and for service provision. A customer's personal data is used to identify the customer in cases of problems, to contact the customer to deliver messages related to the operation of the system, and to display user information for the users on the service website, where the users can also edit their information. In addition, the data is used to compile statistics about the system. Individual users will not be identifiable in the statistics.

Key legislation:
The EU’s General Data Protection Regulation (679/2016)
Data Protection Act (1050/2018)

6. Content of the data file

The City Bike Service Customer Register contains the following data on the users (customers) of the city bike service.

Customer information

Data provided upon registration:

  • Name
  • Email address
  • Phone number
  • Information that the customer is aged 15 years or over
  • The start and end dates of the pass paid for
  • User ID
  • PIN code
  • Language
  • Status, is the user currently active
  • HSL Card number if the user has added a HSL Card in the system
  • The part of the payment card number provided by the payment service, the expiry date of the card and the name of the company that issued the card. This information is used to show the user which card they have linked to the city bike system; the entire payment card number is not stored in the register.

Transactions

  • Actual use: start and end location, time, city bike use and distance cycled
  • Payment transactions
  • Information about possible uncharged fees.

Prohibition of use

A user may be banned from using the service according to the Terms of Use.

7. Regular disclosure of personal data

Personal data is not regularly disclosed to any third parties.

Personal data is not transferred from the file to outside the European Union or the European Economic Area.

8. Data storage times

The data will be stored for as long as necessary to fulfill contractual obligations. Payment transaction data will be stored for the period required by applicable legislation, i.e. as a rule, the storage period is in accordance with the Accounting Act (1336/1997).

9. Sources of personal data

Personal data are collected from the data subject, as well as from the transactions generated by the city bike system.

10. Principles of data security

Agreement for securing the Customer Register have been made between the controller and system suppliers. System suppliers manage the register and related storage of data in accordance with good data processing practice and are subject to strict professional secrecy. All employees processing the register data are bound by professional secrecy.

The security of the City Bike Service Customer Register and confidentiality of personal data is ensured through appropriate technical and administrative measures in accordance with good data processing practice.

Only employees whose duties involve processing customer data are authorized to use the system containing the data. Every user logs into the system with personal credentials provided in connection with granting access rights to the system. The access rights will expire when the person is no longer responsible for the tasks for which they were granted. The obligation of confidentiality and professional secrecy will continue to apply after the employee ceases to perform duties involving customer data processing, or after the termination of employment.
 
The data is compiled into logically and physically secured databases. The databases and their backups are located on locked premises, and only designated personnel are permitted to access the data. The data has been secured in accordance with the Information Society Code and the regulations and guidelines of the Finnish Communications Regulatory Authority.

Card payments are made safely with a secure payment form via Stripe Payments Europe Ltd. HKL, HSL, the City of Espoo, Smoove and CityBike Finland Oy do not have access to the card information and payment card information is not stored in our systems as such. The only card information stored are the part of the payment card number provided by the payment service, the expiry data of the card and the name of the company that issued the card. This information is used to show the user which card they have linked to the city bike system. We are only authorized to charge the User the fees in accordance with the Terms of Use.

11. Rights of data subjects

Data subjects have the following rights under the Personal Data Act:

a) The right to know what data has been stored on them in the personal data file, or that the file contains no information on them as well as the regular sources of information and for what purposes the data in the file are used and regularly disclosed. The user can view the own personal data via HSL account at hsl.fi.
b) The right to demand the correction, deletion or completion of personal data in the file that is erroneous, unnecessary, incomplete or expired for purposes of processing. The user can update the own personal data via HSL account at hsl.fi.
c) The right to prohibit the controller from processing their data for purposes of direct advertising, distance selling and other direct marketing, and for market surveys and polls.
d) The right obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and, where such personal data are being processed, access to the personal data and certain data specified in the EU’s General Data Protection Regulation.
e) The right to object data processing for certain purposes specified in the EU’s General Data Protection Regulation, such as direct marketing.
f) The right to withdraw their consent at any time with no impact on the legality of processing performed by virtue of the consent before its withdrawal.
g) The right to demand the controller to correct inaccurate and incorrect personal data concerning the data subject without undue delay, and to have incomplete personal data completed. The user can update the own personal data via HSL account at hsl.fi.
h) The right to have the controller delete the personal data concerning the data subject without undue delay in the situations specified in the EU's General Data Protection Regulation.
i) The right to have the controller limit the processing of the personal data in the situations specified in the EU's General Data Protection Regulation.
j) In certain cases specified in the EU’s General Data Protection Regulation, the right to access to personal data concerning them, which they provided to a controller in a structured, commonly used and machine-readable format and to transmit this data to another controller without hindrance from the controller to which the personal data have been provided.
k) The right to lodge a complaint with a supervisory authority if the data subject considers that the processing of his or her personal data is in violation of the EU's General Data Protection Regulation.

12. Updating of the privacy statement

This privacy statement may be updated as required. An up-to-date Privacy Statement is always available on the city bike service website.