Data protection

Foundation for Finnish Inventions sr, hereinafter referred to as the “Foundation” Business ID 0201458-82

 

Registry and Privacy Statement

This is the Foundation’s General Data Protection Regulation (GDPR) compliant registry and privacy statement. Prepared on June 2, 2022. Last modified on October 7, 2022.4

 

1. Controller

Foundation for Finnish Inventions sr c/o MM Yrityspalvelut Oy

Vartiotie 3

FI-45100 Kouvola

 

2. Person responsible for the register

Chairman of the Board. Contact information above.

 

3. Names of the registers

  1. Foundation’s customer register (persons and companies that have applied for and received funding and services)
  2. Employee and trustee register
  3. Marketing and stakeholder register
  4. Partner register
  5. Web service user register

 

4. Legal basis and purpose of processing personal data

The legal basis for processing personal data under the General Data Protection Regulation is

  • consent of the individual (documented, voluntary, specific, informed, and unambiguous)
  • contract in which the data subject is a party
  • performance of a public task or
  • legitimate interest of the controller (e.g. customer relationship before contract, employment, membership).

The purpose of processing personal data is to maintain contact with data subjects, maintain customer relationships, marketing, etc. The purpose of the customer register is to manage the funding granted by the Foundation and to provide services. The purpose of the employee and trustee register is to manage events related to employment and trustee duties. The purpose of the marketing and stakeholder register is to communicate about the Foundation’s services and activities. The purpose of the partner register is to maintain and promote cooperation with individuals and organizations in the partner network. The purpose of the web service user register is to enable the provision of web services, as well as the statistical analysis and measurement of service use. The register data is collected on the basis of legitimate interest. The purpose of the information register is to enable communication with stakeholders.

 

5. Contents of the registers

The registers mainly record contact information such as the person’s name, position, company/organization, contact information (phone number, email address, postal address), website addresses, IP address of the network connection, and IDs/profiles in social media services. In addition, the customer register and the employee and trustee register record detailed personal data including personal identification number, information on ordered services and their changes, billing information, and other information related to ordered services and customer and trustee relationships.

IP addresses of website visitors and cookies necessary for the operation of the service are processed on the basis of legitimate interest, for example, to ensure information security and to collect statistical data on website visitors in cases where they can be considered personal data. Consent is requested separately for third-party cookies if necessary.

Customer register data is permanently stored. Data in other registers is periodically reviewed and outdated data is deleted.

 

6. Regular sources of information

The data recorded in the register is obtained from the customer through, for example, messages sent via web forms, email, mail, telephone, social media services, contracts, customer meetings, and other situations where the customer or other cooperation partner provides their information.

 

7. Regular disclosures of data and transfer of data outside the EU or the EEA

Data is not regularly disclosed to other parties. Data may be published to the extent agreed with the customer.

Data may also be transferred outside the EU or the EEA by decision of the controller. For cost reasons, the Foundation uses Google’s free services for organizations, where the location of data storage cannot be chosen.

 

8. Principles of register protection

Care is taken in the processing of the register and data processed by information systems is appropriately protected. When register data is stored on Internet servers, the physical and digital security of their hardware is taken care of appropriately. The controller ensures that stored data, server access rights, and other critical data for the security of personal data are handled confidentially and are only accessible to those Foundation employees and trustees whose job description or duties include it. Representatives of stakeholders and customers have access to some data on the server, for example, in connection with project preparation. All persons handling the data have an appropriate confidentiality obligation or commitment with the Foundation.

 

9. Right of inspection and right to demand correction of information

Every person in the register has the right to check the data recorded in the register and to demand the correction of any incorrect information or the completion of incomplete information. If a person wishes to check the data recorded about them or to request their correction, the request must be sent in writing to the controller. The controller may, if necessary, request the person making the request to prove their identity. The controller will respond to the customer within the time specified in the EU Data Protection Regulation (usually within one month).

 

10. Other rights related to the processing of personal data

The person in the register has the right to request the deletion of their personal data from the register (“right to be forgotten”). This right does not apply to a person or company that has received funding from the Foundation. Similarly, data subjects have other rights under the General Data Protection Regulation, such as the right to restrict the processing of personal data in certain situations. Requests must be sent in writing to the controller. The controller may, if necessary, request the person making the request to prove their identity. The controller will respond to the customer within the time specified in the EU Data Protection Regulation (usually within one month).