Rights of data subject

The GDPR provides data subjects with various rights, on the basis of which data subjects can often define how their personal data is processed. Data subjects can exercise the following rights towards Luke, insofar as Luke acts as the data controller of the specific data subject’s personal data. The scope and fulfilment of the rights depend on the grounds why personal data is processed in accordance with the GDPR.

According to the GDPR, data subjects have the right to access their personal data. If you want to check what data about you has been saved in Luke’s registers, complete the attached “Personal data access request” form. A request to view registered personal data can also be sent by other means, provided that it includes the same information as is included in the form.

Personal data access request

Send your completed and signed request to Luke’s registry office by post (Natural Resources Institute Finland (Luke), Latokartanonkaari 9, 00790 Helsinki, Finland) or via secure email (kirjaamo@luke.fi). Please note that regular unprotected email is not secure. You can use the Secure email to send encrypted email.

The identity of data subjects who have sent a request must be verified by using reasonable means. To verify their identity, data subjects must present a photo ID at the registry office, if necessary.

Making a request to view registered personal data and processing such requests are mainly free of charge at Luke. If a request is specifically unfounded or unreasonable, particularly if it is made repeatedly, Luke may collect a reasonable charge, equalling the administrative costs arising from fulfilling a request.

The response is usually given within one month after receiving a request.

You have the right to request us to rectify or complete any incorrect or incomplete data.

You have the right to request us to erase your data from our systems within the scope permitted by the GDPR. The right to have data erased is also known as the right to be forgotten. The data controller must erase your personal data in the following situations:

• The data controller no longer needs your data for the purpose for which it was originally collected/processed
• You withdraw your consent, and there are no other legitimate grounds for processing your data
• You object to the processing of your data, and there are no justified grounds for processing
• You object to the processing of your data for direct marketing purposes
• Your data has been processed unlawfully
• Your data must be erased on the basis of the legislation
• Your data has been collected on the basis of consent given by your guardian in conjunction with providing information society services (e.g. online shops and social media)

However, the data controller does not need to erase your personal data if it has been justifiably necessary for the following purposes:

• Freedom of speech and the transmission of data
• Compliance with law
• Exercise of official authority vested in the controller
• Public interests, such as archiving, research or statistics
• Preparing, presenting or defending a legal claim

In certain pre-defined situations, you have the right to restrict the processing of your personal data. This means that the data controller can only process your data with your consent, for preparing, presenting or defending a legal claim, for public interests or for protecting the rights of another individual.

You can restrict the processing of your personal data in the following situations:

• You believe that your personal data is incorrect
• Your data is processed unlawfully, but you do not want it to be fully erased
• The data controller no longer needs your data for the original purpose, but you need it for preparing, presenting of defending a legal claim
• You have objected to the processing of your data (requested that your data is not processed), but the final decision is still pending

Usually, processing can only be restricted temporarily.

In some situations, you also have the right to object to the processing of your personal data. This means that you have the right to request that your data is not processed.

This is possible if the data controller processes your data on the basis of public interests, official authority or legitimate interests. If personal data is processed for direct marketing purposes, you can object to processing without providing any reasons for it. Otherwise, you can object to the processing of your personal data if you have a specific reason related to your personal situation.

The processing of personal data for direct marketing purposes must be discontinued immediately after the request to object to processing is received. In other situations, processing must be interrupted until the decision on any discontinued processing is made, unless the data controller is able to provide legitimate grounds for continuing the processing.

The right to have data transferred from one system to another gives data subjects the opportunity to obtain their personal data and use it for their own purposes in different services.

This right can be fulfilled regarding data that concerns you or that you have personally provided for us, and that is processed by means of automated data processing on the basis of your consent or the fulfilment of an agreement between us. You have the right to obtain such data in structured, generally available and computer-readable format. The transfer of data cannot have any adverse impact on the rights or freedoms of third parties.

If you, acting as a data subject, consider that your personal data is processed in breach of the GDPR, you have the right to lodge a complaint with a supervisory authority. This is made in the member state in which your permanent place of residence or business is located, or in which the alleged breach has taken place. In Finland, the competent authority is the Data Protection Ombudsman.