Finnish Innovation Fund Sitra’s privacy policy on its customer and contract partner register
1 Controller
The controller of the register is the Finnish Innovation Fund Sitra (business ID 0202132-3).
The contact person in matters relating to the register is:
Mirja Gröhn
Specialist, Communications and Public Affairs
Finnish Innovation Fund Sitra
Address: Itämerenkatu 11–13, PO Box 160, FI-00181 Helsinki
Telephone: +358 294 618 991
Email: kirjaamo@sitra.fi
Data Protection Officer:
Janika Skaffari
Administration specialist
kirjaamo@sitra.fi
2 Name of the register
The name of the register is Sitra’s customer and contract partner register.
3 Purpose of personal data processing
Sitra shall process personal data for the purposes laid down as its tasks and objectives in the Act on Sitra, the Finnish Innovation Fund (717/1990) in so far as they relate to the management of contractual relationships; implementation of Sitra’s tasks, obligations and rights related to them; and fulfilment of the obligations related to contractors, service providers and contract partners.
Furthermore, personal data is processed for the purposes related to the payment of a remuneration or compensation to a person who is not an employee of Sitra, but who provides services to Sitra against compensation. Personal data is processed in connection with procurement and funding applications, during contractual relationships and after the termination of such relationships to the extent it is necessary in order to realise the purpose referred to.
In relation to procurement, personal data is processed in connection with the implementation of the procurement procedure, when requesting tenders and when responding to them. The data is processed as part of the decision-making related to the procedure, the related communications and for other purposes related to the implementation of the procedure.
In connection with funding applications, personal data is processed in a similar manner as in procurements.
Personal data is not processed by means of automated decision-making.
Sitra processes data itself and uses subcontractors operating on behalf of Sitra for the processing of some personal data.
4 Legal basis for personal data processing
The legal basis for personal data processing shall include the following grounds laid down in the EU’s General Data Protection Regulation:
(a) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(b) processing is necessary for compliance with a legal obligation to which the controller is subject;
(c) the data controller’s legitimate interests.
The following also applies in relation to recipients of compensations:
(d) processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
5 Data content of the register (processed personal data categories)
Principally, the register contains the following personal data collected on all data subjects:
(a) basic data, such as name and contact information;
(b) data related to the person’s (data subject’s) work and position, such as place of work (organisation), and professional/job title and potential other representative (data subject) of the organisation;
When the party to a contract is a private individual, the register contains the following personal data on the data subjects:
(c) Account number and personal identity code.
The register contains the following personal data to the extent Sitra has received them as part of a tender:
(d) the person’s (data subject’s) CV, including data on the person’s competence, work experience and background;
(e) the person’s (data subject’s) photo;
(f) the person’s (data subject’s) references, other members (data subjects) of the work team, and the data describing the work team’s competence;
(g) Data in accordance with the procurement legislation and other applicable legislation, such as the extract from the criminal record as required by procurement legislation.
The register contains the following personal data of the document signatory when using strong authentication:
(a) name
(b) personal identity code
(c) date of birth
(d) time of signature, IP address, and other technical information
6 Regular data sources
Personal data shall be primarily collected from the data subject or from the organisation they represent.
Personal data shall also be collected from generally available sources within the limits of the applicable legislation and from other third parties with which or through which Sitra implements its obligations related to the tendering and procurement procedure.
7 Personal data retention period
The collected data shall be retained only for the duration and to the extent necessary for the original or compatible purposes for which the data was compiled.
In addition, the data listed below shall be retained as per the following retention periods:
(a) the basic data on the data subjects contained by the register shall be retained for as long as is necessary for successful completion of the funding application, tendering and procurement procedure, performance of the assignment, service or contractual relationship, as well as for fulfilling the potential obligations following the termination of a contract;
(b) the personal data, including sensitive personal data, contained by the register shall be retained for as long as is necessary for the establishment, exercise, defence or resolution of a legal claim concerning a contractual relationship, procurement or funding application;
(c) the extract from the criminal record shall be deleted or returned once the legally required check has been performed;
(d) the personal identity code collected during strong authentication is retained for 30 days.
Sitra shall regularly assess the need to retain the data as per the internal Code of Conduct. Furthermore, Sitra shall perform all possible and required measures to ensure that such personal data that are too inaccurate, erroneous or outdated for the purposes of processing are deleted or corrected without delay.
8 Recipients of personal data (recipient categories) and the regular disclosure of data
There is no regular disclosure of personal data contained in the register to third persons or organisations. Personal data may be disclosed as part of an information request based on the Act on the Openness of Government Activities (621/1999).
9 Transferring data outside of the EU or the EEA
Personal data contained in the register may be transferred outside of the EU or the EEA. When transferring personal data, Sitra shall comply with the standard contractual clauses approved by the EU Commission concerning the transfer of personal data to third countries.
10 Register protection principles
Any physical material containing personal data shall be retained in a locked facility that can only be accessed by appointed persons whose duties require access authority.
The databases containing personal data are on servers which are kept in locked facilities that can only be accessed by appointed persons whose duties require access authority. The servers are protected with an appropriate firewall and technical protection.
The databases and systems can only be accessed with separately granted personal user IDs and passwords. Sitra has restricted the access rights and the authorisations to access the data systems and other media in such a way that the data can only be accessed and processed by persons whose access is necessary for lawful processing. In addition, the database and system transactions are registered in the logs of Sitra’s IT systems.
Sitra’s employees and other personnel have undertaken to comply with the obligation of secrecy and to keep confidential the information they receive in connection with the personal data processing.
The processing of sensitive personal data shall only be permitted and technically enabled by means of user administration to a specifically selected and limited group of persons, who have to process such data because of their work duties.
11 Rights of the data subject
The data subject shall have the following rights laid down in the EU’s General Data Protection Regulation:
(a) the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipient to whom the personal data has been or will be disclosed; (iv) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (v) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (vi) the right to lodge a complaint with a supervisory authority; (vii) where the personal data is not collected from the data subject, any available information as to its source; (viii) the existence of automated decision-making and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
(b) the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her, and the right to have incomplete personal data completed, including by means of providing a supplementary statement, taking account of the purposes for which the data was processed;
(c) the right to obtain from the controller the erasure of personal data concerning him or her without undue delay provided that (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) the personal data have been unlawfully processed; or (iii) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(d) the right to obtain from the controller restriction of processing where one of the following applies: (i) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; (ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (iii) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or (iv) the data subject has objected to processing on grounds relating to his or her particular situation, pending verification of whether the legitimate grounds of Sitra override those of the data subject;
(e) the right to receive the personal data concerning him or her, which the data subject has provided to the controller, in a structured, commonly used and machine-readable format;
(f) the right to file a complaint with the supervisory authority if the data subject considers that the processing of the personal data concerning him or her violates the EU’s General Data Protection Regulation.
Requests concerning the realisation of the data subject’s rights shall be addressed to Sitra’s registry office at kirjaamo@sitra.fi.