Storage of personal data
Hoas pays specific attention to the protection of the client's privacy and personal data. The prerequisite for establishing a contractual relationship and maintaining the tenant relationship is that our applicants and tenants provide us with the necessary personal data.
The information may be processed in various registers, for example in housing application and tenant databases. Check our Privacy Policy to see how we collect and handle your personal data at the different stages of your custom journey, whether you are an applicant or a tenant. As a controller, Hoas processes data in accordance with the law, with care and following good data processing practices and otherwise ensuring that the privacy of the registered persons is not compromised.

1) Controller
Foundation for Student Housing in the Helsinki Region sr, later on referred to as Hoas
Business ID FI01165149
Pohjoinen Rautatiekatu 29, 00100 Helsinki
P.O. Box 799, 00101 Helsinki
Tel. +358 (0)9 5499 01
Contact person
Riitta Sorjonen, riitta.sorjonen[at]hoas.fi
2) The purpose of use and grounds for processing personal data
The prerequisite for establishing a contractual relationship and maintaining the tenant relationship is that our applicants and tenants provide us with the necessary personal data. Failure to provide personal data may lead to a situation where we cannot manage our responsibilities and commitments as a lessor, due to which we may not be able to sign a tenancy agreement or continue a tenancy agreement that has already been signed.
The purposes of processing personal data are rental services of apartments and parking spaces, tenant support and tenant democracy as well as management and development of related matters, management and development of customer relationships, management of tenancy agreements and management of lessor’s rights and obligations.
We use camera surveillance data in order to ensure safety and legal protection at the Hoas office and buildings and the areas surrounding them, such as nearby entrances, waste collection points and parking lots. This information will be used for reviewing criminal activities and accident situations. The premises and areas with camera surveillance have been marked with signs.
Processing personal data is based on a contract relationship, legal requirement or a legitimate interest of Hoas or the client.
3) Processed personal data
We will process the personal data of the applicant/tenant, their possible guardian, co-applicant(s) and other security deposit payer, other rent payer or trustee that are essential for achieving the processing purposes we have defined.
Read more about the processed personal data by clicking this link (the complete document).
4) Regular data sources
We will receive the data about the applicant/tenant, their possible guardian and co-applicant/co-tenants directly from the applicant, excluding the information concerning a person subletting the apartment which we will receive from the main tenant and credit information, which we will verify from the register of Suomen Asiakastieto Oy. Personal data concerning the exchange students of the University of Helsinki we will receive from the universities.
Read more about the regular data sources by clicking this link (the complete document).
5) Protection of personal data and data security
Personal data are stored in supervised and guarded premises. The telecommunication connections to any databases containing personal data will be protected with encrypted connection and appropriate authentication. Databases and the systems using them have been protected with technical and administrative measures.
Using the personal register always requires a login and a password. User rights will be determined based on a person’s role according to what is necessary for that employee’s duties. The staff has been trained to process data in a protected manner and they operate under confidentiality. Third party organisations in the roles of personal data processors are bound by confidentiality agreements between the two parties.
6) Regular disclosure of register data
We do not disclose the data concerning applicants to other parties. Data concerning tenants is disclosed to Kela, social welfare office, educational institutes, Svea Perintä Oy, Telia Oyj, DNA Oyj, Securitas Oy, Tehomen Oy, the partners determined in our building management and maintenance agreements and the municipalities.
7) The period for which the personal data will be stored
The period for which the personal data are stored is based on instructions concerning state-subsidised and interest-subsidised apartments, the act concerning deb collection of receivables, the act on changing the act concerning debt collection of receivables and the Accounting Act.
Read more about the storing times of personal data by clicking this link (the complete document).
8) Transfer of personal data outside the EU or the EEA
In the event of transfer of personal data outside the EU or the EEA, processors receiving personal data are required to process the personal data in accordance with the EU General Data Protection Regulation, and the adequate level of protection is ensured by appropriate safeguards. The data subject has the right to contact the Hoas contact person mentioned at the beginning of this Privacy Policy for further information on the transfer of personal data to third countries and the appropriate safeguards in place.
9) Rights of the data subject
- Right to review data concerning oneself
- Right to rectification and erasure of data and right to have the controller restrict the processing of one’s personal data
- Right to object to processing
- Right to transfer data from one system to another
The data subject may exercise their rights by presenting a request about the rights to Hoas in person or in writing. We request that you deliver any written requests concerning exercising these rights to our customer service by email: privacy[at]hoas.fi or by mail to address Hoas, Privacy, P.O. Box 799, 00101 Helsinki. Exercising these rights requires the data subject to prove their identity and they can be asked to specify their requests.
Read more about the data subject’s rights by clicking this link (the complete document).
10) Right to file a complaint to a supervisory authority
The applicant or the tenant has the right to file a complaint to the competent supervisory authority (Tietosuojavaltuutettu, Ratapihantie 9, PL 800, 00521 Helsinki or tietosuoja@om.fi) or to the supervisory authority of the EU member state in which the data subject’s official place or residence or workplace is located, if the data subject feels that their personal data has not been processed in accordance with the applicable data protection legislation.
11) Changes to this privacy policy
This privacy policy can be updated from time to time, for example when legislation changes. This privacy policy has last been updated on 14th of April 2020.

1) Data controller
Foundation for Student Housing in the Helsinki Region sr (later Hoas)
Business ID FI01165149
Pohjoinen Rautatiekatu 29, 00100 Helsinki
P.O. Box 799, 00101 Helsinki
Tel. +358 (0)9 5499 01
Contact person
Riitta Sorjonen, riitta.sorjonen[at]hoas.fi
2) Purpose of use of personal data and legal basis for processing
In Hoas Match, the purpose of processing personal data is to match two or more housing applicants to the same apartment in the Hoas housing application process by generating a common flatmate application code for the applicants.
The processing of personal data is based on the data subject’s consent or a legitimate interest of Hoas.
Read more about the purposes of processing personal data and the legal grounds of processing by clicking this link (the compelete document).
3) Processed personal data
The personal data processed in the Hoas Match service: first name, last name, sex, profile picture, date of birth, spoken languages, information on pets, information on smoking, place and location of studies, current place of residence, email address, informal introduction of the person, wishes related to the apartment, personality and habits, wishes related to the flatmate, search machine criteria.
Read more about the processed personal data by clicking this link (the complete document).
4) Regular data sources
Personal data are collected directly from the data subject when they are using the service or from a third party (Facebook). The registration to the service occurs via Facebook, and in this context Facebook provides us with certain data you have entered in Facebook (your name and profile picture) and some technical information. In addition, data concerning the user are collected from the user themself as they use the service.
5) Protection of personal data and data security
Hoas Match data is stored at Microsoft Azure in the EU area. Telecommunications to any databases containing personal data have been protected using encrypted connections and appropriate authentication. The databases and systems using them have been protected with technical and administrative means. In service reporting, the data has been pseudonymised. User data is accessible only by third party application development experts for development and maintenance of this particular service. Hoas staff does not have access to this data. Log data and metadata accumulating on the server is only used to investigate any technical problems and, by authorities, possible misconduct of the service.
No Hoas Match data is transferred to Hoas Applicant and tenant register except the flatmate code. Use of a personal data register of Hoas always requires login and password. User rights are defined role-specifically according to what is necessary at the time for the employee in question to fulfil their duties. The staff is trained to process data in accordance with good data security practices, and they have a duty to maintain confidentiality. Any third party organisations with the role of personal data processor are bound by bilateral confidentiality agreements.
6) Regular release of register data
No personal data from Hoas Match is released to third parties, nor are any personal data used for marketing purposes.
7) The duration of personal data storage
The personal data of a registered user is stored for one year after the last login. A data subject can, should they so wish, delete their own data immediately by logging in the service and deleting their user account.
8) Rights of the data subject
A data subject can inspect their own personal data by logging in the service. The user may, for their own part, suspend the use of the service. The user may also, at any time, withdraw their consent for personal data processing and completely delete their own user account from the service. If the data is not updated and the service is not used for more than a year, the user’s account and all data therein are permanently deleted.
In certain situations, the data subject may also have the right to object to the processing of their personal data. The right to object is applicable in situations where the processing of personal data is based on Hoas’ legitimate interest, and Hoas is liable to abide by the data subject’s request unless they have compellingly legitimate grounds to override the interests, rights and freedoms of the data subject, or if the processing is necessary for the establishment, exercise or defence of legal claims. In addition, in some situations the data subject has the right to request Hoas to restrict the processing of their personal data.
The user has the right to access their personal data they had submitted to Hoas in a computerised form and the right to transfer the data to another data controller without restriction by Hoas.
Read more about the data subject’s rights by clicking this link (the complete document).
9) The right to lodge a complaint to a supervisory authority
The applicant or tenant has the right to lodge a complaint to a competent supervisory authority (The Data Protection Ombudsman, Ratapihantie 9, POB 800, 00521 Helsinki, Finland or tietosuoja@om.fi) or the supervisory authority of the EU member state where the data subject's domicile or workplace is located, should they deem their personal data not having been processed in accordance to applicable data protection legislation.