Privacy notice of customer and stakeholder data
|1. Controller||Natural Resources Institute Finland
|2a. Controller’s responsible person||Communications director Johanna Torkkel|
|2b. Contact person in the matter and contact details of the data protection officer||Contact person:
Marketing specialist Juha Heikkilä
Data protection officer:
|3. Name of register||Customer and stakeholder data|
|4. Purposes and the legal grounds for processing||Customer and stakeholder communication is the primary purpose of use for the personal data contained by the register. We use the personal data register to send electronic notifications, newsletters and invitations and to communicate and market various events and expert services.
We process personal data in matters related to customer account management, such as to measure customer satisfaction and respond to feedback. In addition, we use personal data to post blog comments at the luke.fi website.
We use the register to develop Luke’s website, services and social media channels. With the register, we can target relevant content to different stakeholders.
The right to process personal data is based on consent of the data subject as defined in article 6 section 1(a) of the GDPR (2016/679).
|5a. Type of personal data in the register||We may collect and process the following data:
We may process the following personal data when using or developing services:
We also obtain personal data related to the use of social media services, such as LinkedIn, Facebook, Twitter, YouTube and Instagram. Social media services define what kind of data they offer to their users and at what intervals.
We use Google Analytics and cookies to collect data about visits to the luke.fi website in order to develop the site and target relevant content to visitors. Google Analytics can be disabled by following the service provider’s instructions.
|5b. Regular sources of data||Primarily, we collect personal data from data subjects in conjunction with contact requests and order forms. We may collect data about customers from public sources and registers.|
|5c. Data systems that use the register||The following data systems can use our register:
|6. Regular disclosure of data||We do not disclose any personal data.|
|7. Transfer of data outside the EU/EEA||No personal data is transferred outside the EU or EEA.|
|8. Storage period||Data collected for a register is only stored as long as and to the extent as is necessary in relation to the original purposes, described in Section 4, for which the data was collected. Registered personal data must be erased when there no longer are legitimate grounds for processing.|
|9. Protection principles of register||Manual material is stored in protected and monitored facilities. Servers and active devices are located in protected and monitored facilities. Data is processed in systems with some devices located in Luke’s facilities and some in service providers’.
Registered data is protected against unauthorised viewing, modifying and erasing. Protection is based on access control, personal user IDs and restricted access rights. Rights to view and modify data have been restricted in accordance with the tasks of each employee. Information about any changes can be seen in the revision history. The correctness of data is verified by means of mechanical and manual controls at different stages of data processing. Backup copies and physical security measures are used to ensure that no data is lost.
Any register-related data on paper is protected by means of access control and locked archives.
|10. The data subject’s rights||Data subjects have rights towards their personal data that are based on the legitimate grounds of data processing. More information about the rights of data subjects and their fulfilment is available here.
The rights of data subjects are based on articles 15–22 of the EU GDPR (2016/679).
|11. Using data for automated decision-making, including profiling (articles 13.2(f) and 14.2(g) of the GDPR)||No personal data is used for automated decision-making, including profiling.|