Privacy statement for the Fintraffic Road Ltd camera system

Privacy statement for the Fintraffic Road Ltd camera system

EU General Data Protection Regulation (EU) 2016/679 

1 Introduction 

Protecting your privacy and the transparency of the processing of your personal data is important to the Fintraffic Group. The purpose of this privacy statement is to provide you with information on the Fintraffic Road Ltd (hereinafter "Fintraffic") camera system and how your personal data is processed in the system. We process your personal data will in accordance with the EU General Data Protection Regulation (EU) 2016/679 and national data protection legislation. .

2 Controller 

Name: Fintraffic Road Ltd 
Business ID: 2945247–3 
Address: Palkkatilanportti 1, 00240 Helsinki 
Switchboard: +358 29 450 7000 

Controller's representative: harri.seppinen(at)fintraffic.fi, +358 29 450 7000     

Group data protection officer: privacy(at)fintraffic.fi, +358 29 450 7000 

3 3 Categories of data subjects and personal data we process

Categories of data subjects 

Categories of data subjects comprise persons who use the state road network, such as citizens, maintenance workers and Fintraffic's own employees. 

However, you as the data subject, should only be identified in special and exceptional situations, for example when investigating accidents. 

Personal data we process

The road network’s cameras record a panoramic image of the traffic and weather conditions and situation. The image is then zoomed in and limited more precisely only when it is necessary to prevent or investigate hazardous situations and accidents and to ensure the smooth running of traffic. 

However, the image may show the registration plate number and identifying information, such as the colour and make of the vehicle, for vehicles of deviating quality or those that are very unique. In addition, it is possible that the face of the driver or passengers of the vehicle may stand out from the image. 

Contractors and Fintraffic employees are visible in the camera image when performing their tasks. In this case, processing may focus on such things as their facial image and organisational data. 

4 Purpose and legal basis of processing 

Purpose of processing 

The purpose of the Fintraffic camera system is to maintain an up-to-date image of traffic and weather conditions and a situational picture of traffic. In this way, we ensure the general safety and smooth running of road transport throughout Finland. 
     
The cameras are owned by Fintraffic, but they can be used by the police. The police act as an independent controller, and the police have their own specific purpose for the image material. The image signal is branched to two different locations on the network, even though the camera itself is the same. You can read more on data protection practices of the police and the processing of personal data by the police on their own websites (link is external)

Legal basis for the processing of personal data 

Fintraffic's statutory task is to maintain the monitoring of the traffic situation on transport routes, i.e. the traffic situation picture and the service for reporting and providing information on accidents, incidents and traffic flow.  Fintraffic is also obliged to produce and share traffic-related information. Such information includes data on the weather and conditions, information on traffic flow and busyness, information on the condition and usability of devices serving road maintenance and traffic, and other information related to road safety, traffic flow and the safe transport, control and management of vehicles. Provisions on the tasks are laid down in sections 137 and 141 of the Act on Transport Services (320/2017). 

As a rule, your personal data referred to in this privacy statement is processed pursuant to Article 6(c) of the EU General Data Protection Regulation in order to comply with Fintraffic's statutory obligation. 

In addition, Article 6(f) of the EU General Data Protection Regulation, i.e. the legitimate interest of the controller, is used as the legal basis for intra-group transfers when image material is disclosed to Traffic Management Company Fintraffic's Digitraffic service to create fixed images. Processing in the Digitraffic service is based on section 146 of the Act on Transport Services (320/2017). 

Based on Fintraffic's legitimate interest, the created fixed images are also processed for internal training, monitoring the life cycle of cameras and monitoring the impacts of winter maintenance. 

5 Disclosure of data and data recipients 

Disclosure of personal data to processors 

Your data will be disclosed, when necessary, to the contractors for the maintenance of traffic control equipment for the purpose of carrying out maintenance measures and to consultants carrying out tunnel inspections laid down in law. 

The processor of personal data may only process your personal data in accordance with instructions issued by Fintraffic. 

Disclosure to third parties 

Your data will be disclosed on a case-by-case basis to the tunnel manager whose task is laid down in Directive 2004/54/EC on minimum safety requirements for tunnels in the trans-European road network. 

Your data may also be disclosed to the authorities to the extent permitted and required by law. 

Fixed images are regularly disclosed to Fintraffic Oy's Digitraffic service. These transfers are intra-Group transfers. 

Transfer of personal data outside EU or EEA countries 

Your personal data will not be transferred outside the EU or EEA. 

6 Data storage 

Your personal data will only be processed for the period and to the extent necessary for the purposes listed in this privacy statement. When the legal basis for processing no longer exists or your personal data is no longer needed, your data will be properly destroyed. 

As a rule, the camera image is stored for seven (7) days, after which a new camera image ('ring buffer') is saved on top of the image. The mechanism for deleting material is automatic. The image memory is not backed up. 

In the event of an accident, it may be necessary to save and store part of the camera image for a longer period of time. In these cases, the data will be stored for the time being to investigate the accident and its causes. Backup copies of these images are automatically retained for one (1) year.  

The created fixed images are stored for eighteen (18) months for internal training, camera life cycle monitoring and winter maintenance monitoring. 

7 Protection of personal data 

Fintraffic has use of appropriate technical and organisational personal data protection measures. With these measures we ensure that your personal data is not accidentally or unlawfully destroyed, lost or altered. We also ensure that the information is not disclosed without authorisation and cannot be accessed by anyone who does not have the right to process the information. 

  • Fintraffic facilities are secured with access control, and people can only access the facilities with a personal access ID. 
  • The camera system operates on a closed and encrypted network. 
  • Camera images can only be viewed with personal access rights. Access rights management is organised so that personal data can only be accessed by personnel who have the right and need to process your personal data based on their tasks. 
  • Each person processing personal data is given instructions on the legal and secure processing of the data. 
  • A feature for blurring out fixed objects to the extent possible in the image is in use for camera images (e.g. blur a residential area out from a camera image). 
  • In the event of an accident, the transfer of images to the public is interrupted, i.e. the transfer of fixed images to the Digitraffic service is interrupted. 

8 Rights of the data subject 

Right to receive information on the processing of their own data, right of access to their data and right to request rectification of their data 

You have the right to receive information from Fintraffic on whether personal data concerning you is being processed. If your personal data is being processed, you have the right to receive a copy of your personal data and information on the purposes of the processing and other matters related to the nature of the processing. 

If your personal data is incomplete or otherwise incorrect, you have the right to demand that your data be corrected. 

Right to request the erasure or restricting the processing of data and the right to object to processing 

You may require that we delete your personal data, for example, in situations where we no longer need your personal data for the original purpose or your personal data is processed unlawfully. However, if the retention of your personal data is necessary to establish, present or defend a legal claim, the controller is not under any obligation to delete your data. 

You may require that we restrict the processing of your personal data to only include its storage, for example when it is unclear whether your personal data is accurate or being lawfully processed. 

You have the right to object to the processing of your personal data on the basis of particular personal circumstances if we are processing your data on the basis of legitimate interest However, if there is a significant and justified reason for processing that overrides your rights, the processing of your data can continue. 

Exercise of the data subject's rights 

As a rule, the actions we take due to your request are free of charge to you. However, if the data subject’s requests are unjustified or unreasonable on the basis of their recurrent nature or for some other reason, the register’s controller may charge a fee for the action. In any case, fulfilling the data subject's request for their rights will require that you can be reliably identified. Therefore, if necessary, we may require you to prove your identity when submitting your request. 

We will respond to your request without undue delay and, as a rule, within one month of receiving your request. 

As this involves an image material processed by the police, you should also take into account the possibility of sending a request for the implementation of your rights to the police at kirjaamo.poliisihallitus@poliisi.fi. 

9 Referral to the Data Protection Ombudsman 

If you feel that your personal data has been processed in a manner that does not comply with data protection legislation, you have the right to lodge a complaint with the supervisory authority. The Office of the Data Protection Ombudsman acts as the competent supervisory authority in Finland: 

Street address: Lintulahdenkuja 4, 00530 Helsinki 
Postal address: P.O. Box 800, 00531 Helsinki 
Switchboard: +358 29 566 6700 
Registry: +358 29 566 6768 
Email address (registry): tietosuoja(at)om.fi 

However, we’d appreciate if you’d first inform the controller of the issue. Further information on the data subject's rights can be found at https://tietosuoja.fi/yksityishenkilot(link is external).  

Last modified on 19 May 2023