HSL's Privacy Policy

Privacy Statement
Date of compilation: 24.5.2018, 21.1.2019

1. Controller of the data file

The name of the data file is HSL’s customer register (“Customer Register”) and its data subjects consist of individuals who use HSL's services (“Customers”). The controller of the data file is Helsinki Regional Transport Authority (hereinafter HSL) (business ID 22745863).

The contact person for matters related to the data file is Laura Sundell.
HSL’s Date Protection Officer is Antti-Pekka Röntynen.

Address: Opastinsilta 6 A, Helsinki, PO Box 100, 00077 HSL
Telephone: HSL Customer Service, tel. +358 9 4766 4000
E-mail: tietosuojavastaava@hsl.fi

2. Purpose of the processing of personal data

The main purpose of processing the data in HSL's Customer Register is carrying out the tasks of the joint local authority and the provision of transport services.

HSL's Customer Register consists of the following sub-registers for different services:

• Travel Card (HSL card) users
• Users of applications offered by HSL (such as HSL app and Mobile ticket app)
• HSL account users
• Users of HSL's website and the services offered on them
• SMS ticket users
• City bike users
• HSL feedback system users

HSL arranges public transport in accordance with the Act on Cooperation Between Municipalities in the Helsinki Metropolitan Area in Waste Management and Public Transport (829/2009,”yhteistoimintavelvoitelaki“). The various services can be personalized or used anonymously, without personal data. However, the processing of customer data requires the customer to start using one or more of the services specified above. The customer's personal data will be registered in connection with adopting the service. HSL’s various services are partly based on the same technical systems and base data, and customer data is shared by different services in this respect. In addition, other service-specific data can be interconnected.

3. Content of the data file

The Customer Register consists of several types of personal data. More detailed information on the data protection of HSL’s various services is available on the pages of the services.

1. The customer's base data such as the name, address, e-mail address, telephone number, customer identifiers such as customer number and identification information in different extents, from strong electronic authentication (standard data content from the Population Register Centre) to user names and passwords chosen by the users is used by us to identify customers and offer services to them through various media and modes of transport.
2. Identifying information concerning the customer's Travel Card such as card number.
3. Special information provided by the customer such as the “Entitled to a companion” data item and authorization data item.
4. Some data related to HSL's obligations as a service provider are transferred to us in connection with strong authentication, including the municipality of residence, authorization and security prohibition data items.
5. Data related to the customer type such as customer group and category and various account, service use, order and service information.
6. Purchase history by service.
7. Information on content use and communications through the various channels, including the content, identification and technical data on phone calls, cookies and other communications channels.
8. Information saved by the customer in various media such as route and area choices; customer feedback information such as text, images and contact details, and customer-generated content such as customer panel and survey data.
9. Boarding data such as information on validating tickets and getting on board vehicles, collected and stored pseudonymized so that the data can not be attributed to a specific customer. The data is needed for determining the municipal contributions of the joint local authority, as well as for transport planning and research. Travel Card number or any other data attributed to a specific customer shall be stored in the boarding data for as long as necessary for ticket validation and to implement other measures essential for the public transport system. After these functions have been performed, identifying data is removed from the data.
10. Location and travel data (including terminal device location) is only collected subject to the explicit consent of customers and used for service localization (such as the use of the Journey Planner at the customer's location), targeted disruption information, customer communinations and marketing and, possibly, for ticket monitoring, transport planning and research  subject to a separate investigation. Customers give and withdraw their consent for the processing of travel data at their own volition.
11. City bike use data such as use history (station of origin and destination, time/date, kilometers) and the information that the individual is currently using a bike (collection time).
12. Payment data in various channels.
13. Permissions, prohibitions and similar data.
14. Feedback information from customer feedback submitted.

4. Processing of personal data

The main purpose of processing personal data is carrying out the tasks of the joint local authority and the provision of transport services to customers. This includes the following functions in which personal data is processed:

• Service provision including the sale, use, validation and inspection of tickets/travel services and corresponding tasks related to the journey (ticket data, payment data, base data and mode-specific data).
• Account management such as customer service, agreement management, clearing up ambiguities and other use of personal data for administrative purposes.
• Customer communications such as disruption alerts, bulletins and newsletters and related subscriptions (location and travel data, if permitted by the user).
• Marketing communications subject to the customer's consent (data subjects who have given a marketing permission). Customers have the right to prohibit the use of their data for direct marketing by notifying HSL's customer service and customers can withdraw their electronic marketing permissions themselves.
• Municipality of residence data related to public transport duties such as determining the municipal shares of ticket revenue and operating expenses, verification of tariff subsidy rights and the compilation of statistics in accordance with the charter referred to in the Local Government Act (410/2015).
• Development of services including load studies and the analysis of total trips and trip chains, the development of the transport system, routes and route networks, and digital service development.

Where possible, municipality of residence data and data related to the development of services will be processed in a form that prevents the identification of individuals.

5. Service personalization and profiling

As part of processing the personal data saved in the Customer Register, HSL can use the data collected on customers for profiling and personalization purposes. 

Personalization is based on defining the customer's segment on the basis of various criteria known about the customer (e.g. what services the customer uses). Customer segments can be created for different purposes related to business operations. Such purposes based on personalization include the personalization of marketing communications and traffic event information based, for example, on location or the residential area reported.

The data created by profiling is not disclosed to third parties outside the service chain without the customer's explicit consent. Customers always have the right to prohibit the processing of their personal data created by profiling, for purposes related to direct marketing. Customers can withdraw their direct marketing consent without limitations. 

6. Legal basis for processing

The personal data is processed on the following legal basis in line with the EU’s General Data Protection Regulation (GDPR):

1. Processing is necessary for the execution of an agreement to which the data subject is party or for the implementation of preliminary measures for concluding an agreement at the request of the data subject (GDPR Article 6/1b):

• Service delivery to customers.
• The installation and appropriate use of HSL's applications, along with registration for and appropriate use of browser-based online services.
• The use of HSL's various websites by unregistered users.

2. The explicit consent of the data subject (that can be withdrawn by the customer at any time) (GDPR Article 6/1a):

• For individual services, the further use of travel data beyond what is required for the implementation of payment transactions and the execution of the agreement and immediate measures connected to such implementation (such as the validation of tickets). Such further use may include, for example, the use of use history data between service-specific sub-registers.
• Direct marketing.
• Collection and use of location and travel data.
• The guardian's consent for the processing of the personal data of children.

3. Processing is necessary for the controller to comply with a legal obligation (GDPR Article 6/1c).

4. Processing is necessary to perform a task in the public interest or for the exercise of official authority (GDPR Article 6/1e).

5. Processing is necessary for the controller’s legitimate interests, except where such interests are overridden by the interests, rights or freedoms of the data subject (GDPR Article 6/1f).

7. Regular sources of information

Personal data is primarily collected directly from the customer, and the collection takes place in connection with the adoption of, registration for and customer service related to the services specified in section 2.

Other regular sources of data for the HSL Customer Register include:

• Data related to mobile service use and the identification of third parties: Data on customers can also be obtained in connection with the use of HSL's online and mobile services, including data related to the use of third-party identification and authentication tools and services.
• Base data updates from services that offer them: Personal data can also be collected, stored and updated from controllers that offer address, update or other such services, and information on residential areas and accounts can be obtained from services that offer them. Personal data is obtained from the population information system in connection with checking the municipality of residence.
• Actual usage data is collected according to the use of each service.
• Data obtained from the city bike service such as city bike use data.
• Location and travel data is collected using, for example, card readers, location data and DTE.
• Boarding data is collected on passengers boarding vehicles, e.g. from the Travel Card reader.
• Data related to mobile is received from operators.
• Data transferred to HSL from the customer registers of MaaS partners.

8. Personal data storage period

HSL applies the following principles to the storage period:

1. Order, delivery, purchase and payment information will be stored for the period required by applicable law.
2. Base account data will be stored for the duration of the customer relationship and after that, for as long as necessary to fulfill the rights and obligations of the parties.
3. Data specific to individual services will be stored in accordance with service-specific principles.
4. Pseudonymized boarding data is storred for as long as necessary to determine the municipal contributions of the joint local authority, and for transport planning and research purposes.

In addition to the principles stated above, HSL will, as a rule, store personal data for a maximum of three (3), unless there are justified grounds for a longer storage period.

HSL reviews the necessity of storing data on an annual basis and deletes data if there are no grounds for storing it. In addition, HSL will implement all reasonable measures for ensuring the immediate deletion or correction of data that is inaccurate, erroneous or obsolete for purposes of processing.

9. Recipients of personal data and regular disclosure of data

HSL can use contract partners working on behalf of HSL for the technical, commercial or operational implementation of data-processing tasks, and can disclose personal data to them where necessary to perform the tasks. Such contract partners include, for example, system suppliers within the EU.

When required, personal data contained in the register will be disclosed to external persons or organisations as follows:

1. For the provision of services to payment service partners;
2. In the case of city bikes, to HKL and the City of Espoo, which are joint controllers of the city bike register;
3. For the delivery of feedback to parties responsible for making the corrections related to the feedback received by HSL.
4. HSL can disclose customer data to authorities as permitted and required by legislation.
5. Information required for an authorization to act on another person’s behalf for the authorized party.
6. For conducting studies on behalf of HSL.

10. Transfer of data to outside the european union or the european economic area

No personal data is transferred from the register to outside the European Union or the European Economic Area. HSL reserves the opportunity to make such transfers in accordance with the requirements of the latest data protection legislation on data transfers outside the EU or the EEA, subject to appropriate safeguards.

11. Principles of data security

The data of customers is secured as follows:

1. Agreements for securing the Customer Register have been made between the controller and system suppliers.
2. The controller's employees and other personnel have undertaken to maintain professional secrecy and the confidentiality of the data they have obtained in connection with the processing of personal data.
3. System suppliers manage the register and related storage of data in accordance with good data processing practice and are subject to strict professional secrecy.
4. The security of the controller’s Customer Register and confidentiality of personal data is ensured through appropriate technical and administrative measures in accordance with good data processing practice.
5. The controller has restricted the access rights and authorizations to data systems and other storage platforms, so that only the personnel required for the legal processing of the data is able to view and process it. Only employees whose duties involve processing customer data are authorized to use the system containing the data. Every user logs into the system with personal credentials provided in connection with granting access rights to the system. The access rights will expire when the person is no longer responsible for the tasks for which they were granted.
6. The data is compiled into logically and physically secured databases. The databases and their backups are located on locked premises, and only designated personnel are permitted to access the data.

12. Rights of data subjects

Data Subjects have the following rights under the EU's General Data Protection Regulation:

1. The right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and, where such personal data are being processed, access to the personal data and certain data specified in the EU’s General Data Protection Regulation (GDPR Article 15).
2. The right to object data processing for certain purposes specified in the EU’s General Data Protection Regulation (GDPR Article 21), such as direct marketing.
3. The right to withdraw their consent at any time with no impact on the legality of processing performed by virtue of the consent before its withdrawal (GDPR Article 7).
4. The right to demand the controller to correct inaccurate and incorrect personal data concerning the data subject without undue delay, and to have incomplete personal data completed (GDPR Article 16).
5. The right to have the controller delete the personal data concerning the data subject without undue delay in the situations specified in the EU's General Data Protection Regulation (GDPR Article 17).
6. The right to have the controller limit the processing of the personal data in the situations specified in the EU's General Data Protection Regulation (GDPR Article 18).
7. In certain cases specified in the EU’s General Data Protection Regulation (GDPR Article 20), the right to access to personal data concerning them, which they provided to a controller in a structured, commonly used and machine-readable format and to transmit this data to another controller without hindrance from the controller to which the personal data have been provided.
8. The right to lodge a complaint with a supervisory authority if the data subject considers that the processing of his or her personal data is in violation of the EU's General Data Protection Regulation (GDPR Article 77).

Detailed instructions on the exercise of the rights of data subjects are available at https://www.hsl.fi/en/privacy. Data subjects are entitled, upon request and free of charge, to obtain a copy of their personal data once a year.

13. Amendments

HSL's data protection policy constitutes a part of the services offered by HSL and the other terms and conditions between the customer and HSL. HSL can make amendments to this privacy statement by announcing the changes through application notifications, announcements published on websites, by e-mail or by notifications provided at service points or in connection with updates.