Privacy policy for the Finnish Innovation Fund’s (Sitra) interest group and marketing register
Updated on 16 May 2023. In the update, information on personal data processing in connection with the newsletter service was added (section 5f) and a clarification was added stating that the standard contractual clauses published by the European Commission in June 2021 are used as the basis for transferring data outside the EU/EEA (section 9).
1 Controller
Controller of the register:
Sitra, the Finnish Innovation Fund (business ID 0202132-3)
Contact person in matters concerning the register:
Mirja Gröhn
Senior Lead, Events and Customer Relations
Sitra, the Finnish Innovation Fund
Address: Itämerenkatu 11-13, PO Box 160, FI-00181 Helsinki
Tel: +358 294 618 991
Email: kirjaamo@sitra.fi
Data Protection Officer:
Janika Skaffari
Administration specialist
kirjaamo@sitra.fi
2 Name of the register
Sitra’s interest group and marketing register.
3 Purpose of personal data processing
Sitra shall process personal data for the purposes laid down as its tasks and objectives in the Act on Sitra, the Finnish Innovation Fund (717/1990) insofar as the data relate to managing, marketing, administering and developing interest group and collaboration relationships.
Sitra shall process personal data for the arrangements concerning events, workshops, meetings and travel that fall within its organisational responsibility and are targeted at interest groups and collaboration partners, as well as for any related communication, including information for the public good and communication targeted at the public.
Sitra shall also process personal data in connection with other communication targeted at interest groups and collaboration partners, such as surveys, informing and reporting (e.g. newsletters), communicating about various competitions and calls for ideas, as well as providing information on them and marketing them to the target audience, and for purposes connected to direct marketing and digital direct marketing. For the aforementioned purposes, personal data shall also be processed concerning the planning, realisation and development of communication, informing and marketing.
In addition, Sitra processes personal data for the purposes of training activities and as part of the administration of social media platforms, electronic collaboration platforms and learning environments. These include Sitra’s Facebook page, the SharePoint workspaces shared with collaboration partners and the electronic collaboration platforms used in courses.
Sitra also processes personal data when gathering different type of research materials, e.g., when executing interest or other group interviews or surveys.
The data subject shall have the right to prohibit direct marketing targeted at him or her.
4 Legal basis for personal data processing
Sitra processes personal data referred to in the privacy policy section 5. subsections (a)-(c), (f)-(g) and (m) to perform its tasks carried out in the public interest. Consent is applied to information provided by persons themselves, which are detailed in section 5. subsections (d) – (e) and (h) – (l).
When a Sitra employee’s employment relationship ends, Sitra enters the employee’s personal data into a register with his or her consent.
Sitra processes personal data to accomplish its task concerning the public interest. Consent is applied to information provided by persons themselves.
Sitra is actively shaping the future by studying, examining and selecting partners from various sectors to participate in open-minded trials and reforms. As part of its operation, Sitra organises events and publishes reports and other publications. For Sitra to be able to accomplish the task that has been prescribed to it by law, it is important to communicate information about these to the correct interest groups.
Sitra therefore targets communication about its activities at those who belong to its interest groups or to the interest groups of its projects. Message recipients may decline the messages targeted at them and the communication does not in any way threaten the fundamental rights or freedoms of the data subject. Participation in the events is voluntary, but participants’ personal data are required in the preparation of the events for reasons such as security.
The information about data subjects’ work or positions may contain information that can, through details such as party membership or participation in organisations (e.g. political views or religion), reveal data belonging to special categories of personal data. In this respect, Sitra only processes data that the data subject has expressly made public.
5 Data content of the register (processed personal data categories)
The register contains the following personal data about Sitra’s collaboration partners and persons belonging to an interest group, including Sitra’s former employees. The data in section (a) are collected about all data subjects and the data in sections (b) to (f) are collected when necessary.
(a) The person’s (data subject’s) basic data, such as name, form of address and contact information (telephone number, email address and/or street address).
(b) Publicly available data on the person’s (data subject’s) work and position, such as title, education, place of work (organisation), photo and job title.
(c) The language used by the person (data subject).
(d) Direct marketing permissions and prohibitions expressed by the person (data subject).
(e) Other data voluntarily provided by the person (data subject) to Sitra’s information system concerning, for example, the participant’s expertise, professional or other background and his or her relationship to Sitra.
(f) Data related to communication between the data subject and Sitra, such as subscriptions to newsletters and other lists, registration for and participation in events and meetings, as well as any correspondence that may be necessary for maintaining the interest group relationship. The data collected by the newsletter service on newsletter recipients opening the newsletter and the related clicks are processed on persons that have subscribed to the newsletter.
In addition to the above-mentioned data, the register may contain the following information about the assistants of collaboration partners or persons belonging to an interest group when these persons’ work or position require that communication with them is carried out through an assistant or some other person providing assistance.
(g) Name and contact information (telephone number, email address and/or street address) of the person’s (data subject’s) assistant or any other person in an assisting position (data subject).
In addition to the aforementioned personal data, the register may contain the following personal data on the persons (data subjects) who participate in an event organised by Sitra (such as seminars and other similar events).
(h) Dietary restrictions/food allergies the participant (data subject) may have and other possible matters that must be taken into account in the preparation of an event.
(i) A photograph(s) and/ or video(s) of the participant (data subject).
In addition to the aforementioned personal data, the register may contain the following personal data on the persons (data subjects) who participate in an excursion or trip abroad organised by Sitra.
(j) A copy of the participant’s (data subject’s) passport, including personal identity code.
(k) A photograph(s) of the participant (data subject).
(l) Contact details (telephone number, email address and/or street address) of the participant’s (data subject’s) close relatives (data subjects).
In addition to the above-mentioned personal data, the register may contain the following personal data on persons (data subjects) who use Sitra’s information systems that require identification.
(m) Transactions in electronic information systems for a restricted period of time (opened page/file, time stamp, user ID and IP address).
6 Regular data sources
Personal data shall be collected from public sources, such as organisation websites, from the data subject and in connection with various events or any training organised by Sitra. In addition, with the person’s consent, personal data can be retrieved from Sitra’s other information systems and registers insofar as the personal data are owned by Sitra.
Data are also created as part of Sitra’s activities when a person participates in events and meetings and when communication is targeted at this person.
7 Personal data retention period
The collected data shall be retained only for the duration and to the extent necessary for the original or compatible purposes for which the data was compiled.
In addition, the data listed below shall be retained as per the following retention periods.
(a) The basic data on the data subjects contained by the register shall be retained as long as is necessary for developing and maintaining collaboration partner and interest group relationships. The need to retain the data shall be assessed at regular intervals.
(b) Participants’ (data subjects’) personal data related to the organisation of an event or other similar occasion organised by Sitra for its collaboration partners and/or interest groups shall be retained for the duration of the relevant event and in any case until any payments related to the event have been effected or other measures performed. The data on participants of events organised by Sitra are archived.
(c) Data on the participants (data subjects) of a trip organised by Sitra shall be retained for the duration of the relevant trip and in any case until any payments related to the trip have been effected or other measures related to the trip or its purpose have been performed. In any case the accounting material set out in the first paragraph of the Finnish Accounting Act, Chapter 2, Section 10, Subsection 1, shall be retained, in compliance with the Finnish Accounting Act, Chapter 2, Section 10, for six (6) years from the end of the year in which the accounting period ends, unless a longer retention period has been provided for by law.
(d) Personal data collected by Sitra for the purposes of direct marketing shall be retained as long as is necessary for finishing the related measures
Sitra shall regularly assess the need to retain the data as per the internal Code of Conduct. Furthermore, Sitra shall perform all possible and required measures to ensure that such personal data that are inaccurate, erroneous or outdated for the purposes of processing are deleted or corrected without delay.
8 Recipients of personal data (recipient categories) and the regular disclosure of data
If required, the personal data contained in the register shall be disclosed to third persons or organisations as follows.
(a) Disclosing personal data to a travel agency/airline company as required by the realisation of a trip.
(b) Disclosing personal data to partners for purposes related to the organisation, implementation and/or follow-up communication of an event. The parties are identified on a case-by-case basis in connection with the invitations and/or registration.
9 Transferring data outside of the EU or the EEA
Personal data contained in the register is transferred outside the EU or the EEA. Sitra uses the standard contractual clauses set out in the European Commission Implementing Decision of 4 June 2021 when it transfers personal data to third countries.
10 Register protection principles
Any physical data material containing personal data shall be retained in a locked facility that can only be accessed by appointed persons whose duties require access authority.
The databases containing personal data are on servers which are kept in locked facilities that can only be accessed by appointed persons whose duties require access authority. The servers are protected by an appropriate firewall and technical protection.
The databases and systems can only be accessed with separately granted personal user IDs and passwords. Sitra has restricted the access rights and the authorisations to access the data systems and other mediums in such a way that the data can only be accessed and processed by persons who are needed with regard to lawful processing. In addition, the database and system transactions are registered in the logs of Sitra’s IT systems.
Sitra’s employees and other personnel have undertaken to comply with the obligation of secrecy and to keep confidential the information they receive in connection with the personal data processing.
Processing sensitive personal data shall only be permitted and technically enabled by means of user administration to a selected and limited group of persons, who need to process such data on Sitra’s behalf because of their work duties, for example in connection with travel arrangements.
11 Rights of the data subject
The data subject shall have the following rights laid down in the EU’s General Data Protection Regulation.
(a) The right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(i) the purposes of the processing;
(ii) the categories of personal data concerned;
(iii) the recipients or recipient groups to whom personal data have been disclosed or will be disclosed;
(iv) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(v) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(vi) the right to lodge a complaint with a supervisory authority;
(vii) where the personal data are not collected from the data subject, any available information as to their source;
(viii) the existence of automatic decision-making and relevant information about the logic related to such processing, as well as the relevance of this processing and its possible consequences for the data subject.
(b) The right to cancel consent at any time without this affecting the lawfulness of the processing performed on the basis of the consent.
(c) The right to demand that the controller rectify without undue delay any inaccurate and erroneous personal data on the data subject and the right to have incomplete personal data completed.
(d) The right to obtain from the controller the erasure of the personal data concerning the data subject without undue delay in situations determined in the EU’s General Data Protection Regulation.
(e) The right to obtain from the controller restriction of processing in situations determined in the EU’s General Data Protection Regulation.
(f) The right to receive the personal data concerning him or her, which the data subject has provided to Sitra, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, if the processing is based on the consent referred to in the Regulation and the processing is carried out automatically.
(g) The right to file a complaint with the supervisory authority if the data subject considers that the processing of the personal data concerning him or her violates the EU’s General Data Protection Regulation.
Requests concerning the realisation of the data subject’s rights shall be addressed to Sitra’s contact person mentioned in Section 1.
12 Making changes to the privacy policy
We reserve the right to alter this privacy policy by notifying of any changes on our website. The changes may be based on changes in legislation and other similar reasons. We recommend that you read the content of the privacy policy regularly.