Personal data means any information that makes a person identifiable. It may be information that directly identifies a person, such as a name, personal identification number, telephone number, e-mail address or photograph, or information that, when combined with other information, indirectly identifies a person.
The controller is the entity that determines the purposes and means of processing of your personal data. The controller is responsible for ensuring that your personal data is processed lawfully.
The data subject is you, the person whose data is processed.
The Finnish Lifelong Learning Foundation (Kansanvalistusseura sr, 0116589-4) (”Kvs Foundation”), Bulevardi 21, FI-00180 Helsinki.
You can contact us either by email at firstname.lastname@example.org or by phone 040 860 9184. The contact person for data protection and register matters is the Foundation’s Chief Financial Officer. You can find our up-to-date contact details on our website www.kvs.fi.
Name of the register
Customer and stakeholder register.
Purpose and legal basis for processing personal data
We process personal data for the following purposes:
- managing the customer and stakeholder relationship
- delivery and development of services
- meeting our contractual obligations and other promises
- maintaining contact and communications with customers
- direct marketing
- targeting advertising in our own and in third-parties’ online services
- organising events
- conducting research in the context of our operations
We use automated individual decision-making (including profiling) to identify personal profiles, online behavior, age and consumption habits. We use this information, for example, to target marketing and to develop our services.
The Kvs Foundation is a cultural and historical institution, one of the oldest in the country, and its activities have been the subject of much research. For this reason, data can be used for research purposes without the identity of the individuals concerned coming to the attention of the researchers.
The processing of personal data is based on our legitimate interest in the customer relationship and/or other material connection, the performance of a contract, and consent.
Data we collect
We process the following personal data in connection with the customer and stakeholder register:
- basic and contact information, such as first and last name, postal address, telephone number, email address, and username
- information about the organisation and its contact persons, such as the name of the organisation, its business ID and the name, title, position and contact details of the contact person
- information relating to billing and payment transactions, such as information on the payment method chosen and the payment made, as well as information relating to recovery
- customer and contract information, such as information on past and current contracts, correspondence, and other contacts
- possible prohibitions and consents concerning direct marketing, including newsletter subscriptions and the categories of newsletters subscribed to
- information on the participants of events and any other information related to the event, such as special dietary requirements
- information about the technical connection and the terminal device you are using, such as IP address, device ID or other identifying information, and cookies.
Sources of information
Personal data is collected primarily from the data subject him/herself. In addition, personal data may be collected and updated from other registers of the controller, civil registers, credit registers, and other similar public or private registers and data sources providing information services, within the limits of applicable law.
We secure your personal data so that it can only be made available to and processed by persons who based on their duties are required to access the data. Our staff are bound by confidentiality obligations in all matters relating to personal data. We regularly train our staff on changes in legislation as well as principles and practices relating to data protection and data security. Paper records are kept in locked rooms or cabinets. Temporary lists containing personal data are kept in locked filing cabinets and are disposed of after use by service providers specialised in the disposal of confidential material. We ensure the technical security of services and data sets. The databases in which the data are stored are protected by firewalls, passwords, and other technical means. We continuously monitor our data protection and improve our practices.
Disclosures of data and transfers of data outside the European Union or the European Economic Area
In general, we use personal data only in our own activities and do not disclose data to third parties. However, we may disclose personal data to the extent permitted and required by applicable law, for example to public authorities or legal and financial or other similar consultants acting as independent data controllers. Data required for event organisation, such as name and dietary preferences, may be disclosed outside the Foundation, for example to catering and training services providers. Data processed in our invoicing systems is shared with accounting firms and may also be shared with collection agencies. If the business whose communications are sent to the data subject is acquired by a third party, the personal data contained in the register may also be disclosed to that party in the country where the third party is located.
We use subcontractors who process personal data on our behalf. We have outsourced the following IT management functions to external service providers, who take care of the administration and security of the servers storing personal data:
- communications and marketing
- billing and payment information
- credit card and e-commerce purchases
- e-mail and document management
We have taken care of your data protection by entering into personal data processing agreements with our service providers. Due to ongoing development projects, we cannot disclose the names of all our subcontractors, so we have instead chosen to name only the types of subcontractors.
In principle, we do not transfer personal data outside the EU/EEA. However, the IT management systems we use may allow our service provider to access data from outside the EU/EEA. When personal data is processed outside the EU/EEA, we will ensure that the subcontractor is committed to necessary safeguards in accordance with the General Data Protection Regulation, such as the EU Commission’s Standard Contractual Clauses.
We will retain personal data only for as long as necessary, considering the requirements derived from e.g., our contractual relationship or applicable law. For example, pursuant to the Finnish Accounting Act, data relating to payment transactions are stored for 6 or 10 years after the end of the financial year, depending on the type of data in question.
The necessity of storing personal data in the register is assessed regularly, as a rule once a year. The data are deleted immediately when the personal data become no longer relevant for the purpose of the register. In addition, we will at all times attempt to ensure that no outdated or inaccurate data or data that is incompatible with the purposes of the processing are stored in the register. We will correct or delete such data without undue delay.
Your rights as a data subject
The data subject has the right to inspect what data concerning him or her is stored in the register. The request for inspection should be sent either by e-mail or in writing, signed and addressed to the Kvs Foundation. The request for inspection may also be made in person at the controller’s premises. Requests will in principle be answered within one month of the request being made.
Data subjects have the right to request the rectification or erasure of inaccurate, outdated, unnecessary or unlawful data by contacting the controller. As a data subject you also have the right to withdraw or modify your consent.
The data subject has the right to object to or request restriction of processing and to lodge a complaint with a supervisory authority about the processing of personal data.
For specific personal reasons, the data subject also has the right to object to processing operations concerning him or her where the personal data processing is based on legitimate interest. The request must specify the specific situation on the basis of which the processing is opposed. We may refuse to comply with such a request only on grounds stated in the law.