Privacy notice for the user and travel register for M2 Blue travel and expense management system

EU General Data Protection Regulation (2016/679)

1. Controller Finnish Meteorological Institute P.O. Box 503, Erik Palménin aukio 1, FI-00101 Helsinki, Finland tel. +358 29 539 2141, kirjaamo@fmi.fi 2. Register contact person Milla Salminen il.taha@fmi.fi 3. Data Protection Officer Jaana Palmunoksa tel. +358 29 539 2310, jaana.palmunoksa@fmi.fi 4. Name of the register User and travel register for M2 Blue travel and expense management system 5. Purpose of processing personal data The personal data stored in the user and travel register of the travel and expense management system (M2 Blue) is processed for the following purposes: to prepare travel plans, to itemise and justify travel-related and other expenses, to post travel and expense invoices and check their content, to approve the invoices for payment and for the use of the system, and to manage the access rights of the system. For individuals other than public officials, the processing of personal data is based on the consent of the data subjects. In these cases, too, the processing is carried out for the purpose of approving, posting and paying per diem allowances, travel expenses, travel reimbursements and other expenses, and for the purpose of managing the access rights of the system. 6. Legal basis for the processing Statutory obligation of the controller, Article 6(1)(c) of the General Data Protection Regulation, section 2 of the travel policy and instructions of the Finnish Meteorological Institute (reg. no. 11/011/2019), and sections 4 and 5 of the financial regulations of the Finnish Meteorological Institute (reg. no. 16/011/2019).

7. Data content of the register The data subjects are individuals working in the Finnish Meteorological Institute or individuals in an employment relationship with the agency (including those doing non-military service in the agency) or individuals from outside the agency who receive travel or other reimbursements. The following details of the data subjects are entered in the registers of the Finnish Meteorological Institute: - first name(s), last name, personal identity code, personal identity number, home address, email address, and telephone number - first and last day of the employment relationship, organisational details of the individual (for posting travel expenses), bank account, and country - M2 or Virtu user ID, travel, expense and driving details, purchases made with the charge card, use of the travel account, user role, and the manner of submitting annual notifications 8. Regular sources of information The data is received directly from the data subject or the parties acting on behalf of the data subject. Data sources when the data has not been received from the data subject: Personal data and the organisational data on the individual are retrieved from the information system of the HR administration. The details of the use of charge cards and travel accounts are retrieved from the banking system. Access rights data pertaining to travel rights of individuals other than public officials is collected on the basis of the access rights request submitted by the data subject’s supervisor. 9. Recipients or recipient groups of the personal data Data can only be disclosed in accordance with the obligations and restrictions set out in the legislation in force or with the controller’s consent. Payment data is transferred to the payer’s and payee’s banks, payroll systems or to other payers. Tax-exempt compensations paid to the individual are reported to the tax authorities once a year. Data on the individual is transferred to the travel agency (name, personal identity number, country, work email address, work phone number, and organisational data). Data is also entered into the Handi archive. 10. The transfer or personal data outside the EU or EEA No data is disclosed outside the EU or EEA or to third parties. 11. Register protection principles Description of technical and organisational security measures A. Manual data Manual data is handled by specially trained personnel in a space secured to the level required by data protection. B. Digital data The information kept in the register is protected against inappropriate viewing, altering and disposal. The protection consists of access rights management, technical protection of databases and servers, physical protection of the premises, access control, protection of telecommunications and data backup. Access to data and its processing is granted in accordance with professional duties. Access to the service requires a personal user identification. Administrative control is used to ensure that the activities are appropriate. 12. Retention period and criteria for determining personal data The retention periods of the personal data contained in the user and travel register of the M2 system are based on the legislation setting out the retention periods of accounting material. The retention period of the personal data contained in this register is the responsibility of Palkeet. 13. The rights of a data subject The data subject has the right to receive from the controller confirmation as to whether or not personal data concerning him or her is being processed, and, if processing takes place, the data subject must be granted access to his or her personal data. The data subject has access to the travel and expense data through the M2 Blue system. Concerning personal data that the data subject cannot access through the M2 Blue system, the data subject can submit an inspection request to the controller’s representative (section 2 of this privacy notice). If less than one year has passed since the data subject last made use of their right of inspection, the controller may charge a fee based on the administrative costs arising from the provision of the information (Article 12(5)(a)). The information contained in the register is not used for profiling or for automated decision making. Right to rectification under Article 16 The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. The data subject can update their own data by submitting a data update request to their agency’s HR manager or the controller’s representative (section 2 of this privacy notice). 14. The right to submit a complaint to the supervisory authority The data subject has the right to submit a complaint to the supervisory authority if the data subject believes that the processing of the personal data concerning him or her is in violation of the applicable data protection legislation.