Privacy policy for the Finnish Innovation Fund Sitra’s register of people who order publications
Register updated 2.11.2022: Added the right to use personal data to collect feedback on the publications.
1 Controller
The controller of the register is:
The Finnish Innovation Fund Sitra (business ID 0202132-3).
Contact person in matters concerning the register:
Päivi Jabbi
Assistant, Publishing and Library Services
Finnish Innovation Fund Sitra
Address: Itämerenkatu 11-13, PO Box 160, FI-00181 Helsinki
Tel: +358 294 618 991
Email: kirjaamo@sitra.fi
Data Protection Officer:
Janika Skaffari
Administration specialist
kirjaamo@sitra.fi
2 Name of the register
Sitra’s register of people who order publications
3 Purpose of personal data processing
Sitra’s printed publications can be ordered via the Sitra website. Personal data is processed for the purpose of delivering the publication to the address provided by the orderer and for collecting statistical information on orders. In addition, Sitra may use personal data to collect feedback on the publications it has delivered.
4 Legal basis for personal data processing
The legal basis for the processing of personal data is the consent given by the orderer when placing an order for a publication with Sitra. The ordered publication cannot be delivered without address details.
5 Data content of the register (processed personal data categories)
The register contains the data subject’s (the person who places the order) basic information as requested on the order form: name, title and contact details, i.e. telephone number, email address and postal address.
6 Regular data sources
Personal data is collected from the data subjects (people who order publications) themselves.
7 Personal data retention period
The data collected in the register is retained for one year from the most recent order.
8 Recipients of personal data (recipient categories) and the regular disclosure of data
Personal data contained in the register is not disclosed to third parties.
Personal data may be disclosed as part of an information request pursuant to the Act on the Openness of Government Activities (621/1999).
9 Transferring data outside of the EU or the EEA
Sitra uses, among others, Microsoft’s cloud services, in which the personal data included in the register is stored in the EU/EEA, but it may be transferred outside of the EU or EEA in connection with, for example, a support request or to avoid service disruptions. When transferring personal data, Sitra shall observe the model contract clauses approved by the European Commission concerning the transfer of personal data to third countries.
10 Register protection principles
Any physical data material containing personal data shall be retained in a locked facility that can only be accessed by appointed persons whose duties require access authority and who process this personal data as part of the performance of their duties.
The databases containing personal data are on servers which are kept in locked facilities that can only be accessed by appointed persons whose duties require access authority. The servers are protected by an appropriate firewall and other technical protection.
The databases and systems can only be accessed with separately granted personal user IDs and passwords. Sitra has restricted the access rights and the authorisations to access the data systems and other mediums in such a way that the data can only be accessed and processed by persons who need to access the data with regard to lawful processing. In addition, the database and system transactions are registered in the logs of Sitra’s IT systems.
Sitra’s employees and other personnel have undertaken to comply with the obligation of secrecy and to keep confidential the information they receive in connection with the personal data processing.
11 Rights of the data subject
The data subject shall have the following rights laid down in the EU’s General Data Protection Regulation.
(a) The right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed, and, when that is the case, access to the personal data and a more detailed description of the personal data processing activities.
(b) The right to cancel consent at any time without this affecting the lawfulness of the processing performed based on the consent.
(c) The right to demand that the controller rectify without undue delay any inaccurate and erroneous personal data on the data subject and the right to have incomplete personal data completed.
(d) The right to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the grounds defined in the EU’s General Data Protection Regulation applies, provided that: (i) the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed; (ii) the personal data has been unlawfully processed; or (iii) the personal data must be erased for compliance with a legal obligation in EU or national law to which the controller is subject.
(e) The right to obtain from the controller restriction of processing if: (i) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; (ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead; (iii) the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims; or (iv) the data subject has objected to processing on grounds relating to his or her particular situation, pending the verification of whether Sitra’s legitimate grounds override those of the data subject.
(f) The right to receive the personal data concerning him or her, which the data subject has provided to Sitra, in a structured, commonly used and machine-readable format, and the right to transmit that data to another controller without hindrance from the controller to which the personal data has been provided, if such processing is based on consent and the processing is carried out by automated means.
(g) The right to file a complaint with the supervisory authority if the data subject considers that the processing of the personal data concerning him or her violates the EU’s General Data Protection Regulation.
Requests concerning the realisation of the data subject’s rights shall be addressed to Sitra’s contact person mentioned in Section 1.
12 Amendments to this privacy policy
We reserve the right to amend this privacy policy by communicating such amendments on our website. Such amendments may be based on regulatory changes, for example. We recommend that those concerned read the content of this privacy policy regularly.