Privacy Statement

1. Data Controller:

Jyväskylä City, City Board (Jyväskylän kaupunki, kaupunginhallitus)

2. Contact Persons for the Register:

Chief Financial Officer
Vesa Voutilainen

3. Data Protection Officer:

Data Protection Officer for the City of Jyväskylä (Jyväskylän kaupungin tietosuojavastaava):
Liina Kuusela
Address: PL 193, 40101 JYVÄSKYLÄ
Phone: 050 431 4315

4. Register Name

Online Store of the City of Jyväskylä
Ceepos Online Payment

5. Purpose of Processing Personal Data

Personal data is collected for various purposes, including: delivering orders, accurate allocation of payments, identifying the customer and/or the person reported by the customer, verifying the customer’s transaction history and access rights, reporting purposes and marketing activities.

Information about software users is collected to define usage rights and monitor usage. The software also generates log data containing personal information for tracking software usage history and investigating problem cases.

6. Legality of Processing Personal Data

Processing of personal data is based on consent. Guiding legislation: General Data Protection Regulation (GDPR) EU2016/679, Article 6, paragraph 1, subparagraph A

7. Contents of the Register

General Customer Register: Customer number, first name, last name, address, postal code, phone number, email address, order history, and username.
Order Register: Contact details, ordered products, and payment number.
Customer Cards/Tags: Card number and PIN code.
Registrations for Events and Training: Name of the registrant, contact details, and guardian information.

8. Regular Data Sources

External systems that handle payment transactions through connections are integrated into the online store. The primary data source consists of online store customers when they place orders, register for events, and make online payments.

9. Regular Data Disclosures and Data Transfer Outside the EU or EEA

Regular Data Disclosures and Data Transfer Outside the EU or EEA Data is not routinely disclosed.  Depending on the payment service provider, customer contact information may be transmitted to the payment system during order payment to facilitate troubleshooting and refunds. Data is not transferred or disclosed outside the EU or EEA. Information about the data subject may only be disclosed with the data subject’s written consent or as required by law.

10. Retention Period and Its Basis for Register Data

The register data is in digital format.
The register information is retained for one year from the order date. Electronic receipt histories are kept until manual deletions are performed, but for a minimum of six years.

The retention period is based on the city’s archive formation plan.

11. Principles of Register Protection

Register data can only be used for the purposes described in the register description.
The register data is in digital format.
Only employees, officials, or technical administrators whose specific job duties involve data processing are allowed to handle personal data.
Data can only be processed to the extent required by job duties. Access to information is restricted based on personal access rights according to the work role, ensuring that data is protected from unauthorized and incompatible processing. Log entries are made when data is accessed. Manual personal data is stored in a locked area.

Additionally, all city employees are required to maintain confidentiality and familiarize themselves with data protection and security instructions. Regular training is provided to staff, and compliance with guidelines is monitored as part of internal control. Personal user accounts are required for information systems.

12. Rights of the Data Subject

The data subject has the following rights:
-The right to receive information about the processing of personal data.
-The right to access their own data.
-The right to correct information.
-The right to restrict data processing.
-The obligation to notify the data subject of corrections or restrictions related to personal data.
-The right not to be subject to automated decision-making without a legal basis.
If processing is based on the legitimate interest of the data subject or the data controller, the data subject also has the right to:
-Object to data processing.

For more information on the data subject’s rights, visit:

13. Right of the Data Subject to Receive Information on the Processing of Personal Data

This privacy notice serves as an information document on the processing of personal data.

14. Right of the Data Subject to Access Information

The data subject has the right to know whether their information is stored in the personal data register and what information about them is in the register. To exercise this right, the person must submit a request for inspection, specifying the information to be reviewed. Forms for such requests are available at the City of Jyväskylä’s service points and on the city’s website: oikeudet-rekisteritietoihin-ja-tietopyynnön.
If the right to inspection is exceptionally denied, the customer will receive a written refusal certificate. The certificate will indicate the reasons for denying the right to inspection. The data subject can bring the matter to the attention of the Data Protection Ombudsman. The right to inspection is free of charge once a year.

15. Other Rights of the Data Subject

16. Right to Lodge a Complaint with the Supervisory Authority

The data subject has the right to lodge a complaint with the supervisory authority if they believe that the processing of their personal data violates the EU General Data Protection Regulation or national laws and regulations governing data protection. Supervisory authority contact details:

Office of the Data Protection Ombudsman
Mailing address: PL 800, 00521 HELSINKI
Visiting address: Ratapihantie 9, 6th floor, 00520 HELSINKI
Phone: 029 56 66700