Privacy notice of customer and stakeholder data
On this page
1. Controller |
Natural Resources Institute Finland Postal address: |
2a. Controller’s responsible person | Communications director Johanna Torkkel |
2b. Contact person in the matter and contact details of the data protection officer | Contact person: Marketing specialist Juha Heikkilä kirjaamo@luke.fi Data protection: tietosuoja@luke.fi |
3. Name of register | Customer and stakeholder data |
4. Purposes and the legal grounds for processing | Customer and stakeholder communication is the primary purpose of use for the personal data contained by the register. We use the personal data register to send electronic notifications, newsletters and invitations and to communicate and market various events and expert services.
We process personal data in matters related to customer account management, such as to measure customer satisfaction and respond to feedback. In addition, we use personal data to post blog comments at the luke.fi website. We use the register to develop Luke’s website, services and social media channels. With the register, we can target relevant content to different stakeholders. The media material collected when recording events can be used for communication and marketing purposes in brochures and social media content and on websites, among others. The material can also be used in Luke’s other contexts, such as cooperation projects, publications and presentations. The right to process personal data is based on consent of the data subject as defined in article 6 section 1(a) of the GDPR (2016/679). |
5a. Type of personal data in the register | We may collect and process the following data:
Event-related data:
We may process the following personal data when using or developing services:
We also obtain personal data related to the use of social media services, such as LinkedIn, Facebook, Twitter, YouTube and Instagram. Social media services define what kind of data they offer to their users and at what intervals. We use Google Analytics and cookies to collect data about visits to the luke.fi website in order to develop the site and target relevant content to visitors. Google Analytics can be disabled by following the service provider’s instructions. |
5b. Regular sources of data | Primarily, we collect personal data from data subjects in conjunction with contact requests and order forms. We may collect data about customers from public sources and registers. |
5c. Data systems that use the register | The following data systems can use our register:
|
6. Regular disclosure of data |
We do not disclose any personal data. Media material can be published or disclosed to third parties, such as partners and media representatives, in Luke’s contexts, including marketing and communication purposes, and in Luke’s other contexts, including cooperation projects, publications and presentations. Dietary data collected for events can be disclosed to catering service providers. |
7. Transfer of data outside the EU/EEA | No personal data is transferred outside the EU or EEA. |
8. Storage period | Data collected for a register is only stored as long as and to the extent as is necessary in relation to the original purposes, described in Section 4, for which the data was collected. Registered personal data must be erased when there no longer are legitimate grounds for processing. |
9. Protection principles of register |
Manual material is stored in protected and monitored facilities. Servers and active devices are located in protected and monitored facilities. Data is processed in systems with some devices located in Luke’s facilities and some in service providers’. Registered data is protected against unauthorised viewing, modifying and erasing. Protection is based on access control, personal user IDs and restricted access rights. Rights to view and modify data have been restricted in accordance with the tasks of each employee. Information about any changes can be seen in the revision history. The correctness of data is verified by means of mechanical and manual controls at different stages of data processing. Backup copies and physical security measures are used to ensure that no data is lost. Any register-related data on paper is protected by means of access control and locked archives. |
10. The data subject’s rights | Data subjects have rights towards their personal data that are based on the legitimate grounds of data processing. More information about the rights of data subjects and their fulfilment is available here.
The rights of data subjects are based on articles 15–22 of the EU GDPR (2016/679). |
11. Using data for automated decision-making, including profiling (articles 13.2(f) and 14.2(g) of the GDPR) | No personal data is used for automated decision-making, including profiling. |
12. Changes to this privacy notice | We may change this privacy policy, for example, if there are changes in our operating methods or systems or in general data protection recommendations. We may also need to make changes as a result of legal amendments. Any changes enter into force after we have published our revised privacy policy. |