Drafted on 28 January 2019
- Data controller
Business Finland Oy/Visit Finland (Business ID: 2725690-3)
Visiting address: Porkkalankatu 1, 00180 Helsinki, Finland
Switchboard: +358 (0)29 50 55000
- Point of contact
Please e-mail: firstname.lastname@example.org
- Name of register
Register for Rent a Finn –Campaign
- Purpose of personal data processing and basis for processing
|Category of data subjects||Data utilised for||Basis for processing|
|Persons participating to Rent a Finn -Campaign||- the launch and execution of Rent a Finn -campaign,
- communication with the participants of Rent a Finn -campaign,
- publishing and distributing information on Rent a Finn-campaign,
- fulfilling Visit Finland’s contractual and other promises and obligations,
- taking care of Visit Finland’s relationship with the participants of Rent a Finn -campaign,
- development of Visit Finland’s services, particularly marketing campaigns
|Contract data controller’s legitimate interest public interest|
Processing tasks may be outsourced to third party service providers in accordance with the data protection legislation and the boundaries imposed by same.
- Data content of register
The following personal data may be processed in relation to in Rent a Finn Campaign:
- basic information of the participants such as name, date of birth, age, nationality, and communication language;
- contact information of the participants such as email address, phone number, address;
- information of the participants provided to Visit Finland such a video material attached to the application, references to portfolios, profiles and other sources on the Internet, language skills, other special skills, description of personal features, and information on participant’s activity and accommodation for his/her visitor(s) and any other information participants have provided to Visit Finland in its application, interviews and video presentations.
- information of the participants provided to Visit Finland during the visit such information of his/her family, friends, home, activities and other information provided by the participant during the visit that will be documented on videos, photographs and written descriptions by Visit Finland.
- information of the participants of events and possible information regarding the event, such as special diets.
- information regarding Visit Finland’s relationship with the participants and the contract such as past and current contracts, campaign profile formed based on the participant’s participation in the Rent a Finn -campaign, call recordings, correspondence with the participant and other contacts, cookies and data related to using them.
- Personal data retention period
Information shall be erased periodically, at least every 3 years, provided that there is no longer any need to process the event information. Photos and videos provided to Visit Finland during the visit can be stored longer period.
The erasing shall take place by means of deleting the information in its entirety, by rendering the data passive so that the data are no longer processed and access to the data is restricted, by means of encrypting or overwriting.
- Regular sources of information
Information shall be collected from the persons themselves.
For the purposes described in this privacy notice, personal data may also be collected and updated from publicly available sources and based on information received from authorities or other third parties within the limits of the applicable laws and regulations. Such updating of data is performed manually or by automated means.
- Regular disclosures of information and recipient categories
Information may be disclosed within the framework of the Act on Innovaatiorahoituskeskus Business Finland and Business Finland Oy (1146/2017) to Innovaatiorahoituskeskus Business Finland.
Data may be disclosed to Business Finland’s co-operation partners for non-commercial purposes, for the purpose of arranging visits and events and for sending out various event/visit invitations.
- Transfer of data outside of the EU or EEA
Personal data may be transferred outside of the European Union or the European Economic Area in accordance with the data protection legislation and within the boundaries imposed by same. If no decision regarding an adequate level of data protection has been issued in relation to the target country or if the transfer does constitute a transfer to the United States in accordance with the Privacy Shield system, the transfer shall occur by means of employing the standard clauses approved by the European Commission.
The data controller may transfer personal data outside of the EU and the European Economic Area in accordance with the data protection legislation and within the boundaries imposed by same to the employees working in the data controller’s own oversees network, to the data controller’s subsidiaries and subcontractors and to its service providers retained for data processing.
- Principles for protecting the register
Any material to be retained on paper is stored in locked facilities equipped with access control. The data controller’s personnel have undertaken confidentiality obligations.
Data to be processed electronically
Personnel access to the electronic data content of the register has been protected with personal user IDs and passwords. Utilisation of some of the data content of the register has been restricted to a limited group of users. The environment has been protected with appropriate firewalls and other technical safeguards.
The purpose of the above-mentioned measures is to secure the confidentiality, availability and integrity of the personal data to be stored in the register, as well as the implementation of data subjects’ rights.
- Automated decision-making
The information in the register shall not be utilised for decision-making entailing legal effects for the person and that is based on automated data processing, such as profiling.
- Data subject’s right to object to the processing of personal data
The data subject shall have the right, in connection with their personal specific circumstances, to object to profiling pertaining to themselves and to other processing measures directed by the data controller at the data subject’s personal data to the extent the data processing is based upon the data processor’s legitimate interests.
- Data subject’s right to object to direct marketing
The data subject may issue the Data Controller consents or prohibitions pertaining to direct marketing on a channel-specific basis, including profiling taking place for direct marketing purposes.
- Other data subject’s rights pertaining to the processing of personal data
Data subject’s right to obtain access to the information (Right of Access)
Data subject’s right to require the rectification or erasure of data or restriction of processing
To the extent the data subject is able to act for themselves, the data subject shall, without any undue delay, after becoming aware of the error, or, having detected the error themselves, rectify, erase or supplement any piece of information found in the register being contrary to the purpose of the register, erroneous, unnecessary, deficient or outdated.
The data subject shall also have the right to require the data controller to restrict the processing of their personal data, for instance in circumstances where the data subject is awaiting the data controller’s response to their request regarding the correction or erasure of their personal data.
Data subject’s right to lodge a complaint with the supervisory authority
The data subject shall have the right to lodge a complaint with the competent supervisory authority, if the data controller has not complied with the applicable data protection regulation in its operations.
In all questions concerning the processing of personal data and situations related to the exercise of the data subject’s rights, the data subject should contact the data controller. The data subject may exercise their rights by contacting email@example.com
This privacy statement is updated on January 28, 2019.
The data controller follows the developments in legislation and will develop its operations constantly, and consequently, retains the right to update this privacy statement.