Privacy notice of customer and stakeholder data

1. Controller
Natural Resources Institute Finland

Postal address:
Natural Resources Institute Finland (Luke)
P.O. Box 2, 00791 Helsinki, Finland
Tel. +358 29 532 6000

2a. Controller’s responsible person
Communications director Johanna Torkkel

2b. Contact person in the matter and contact details of the data protection officer
Contact person:
Marketing specialist Juha Heikkilä

Data protection officer:
Heidi Krootila
+358 295 322 420

3. Name of register
Customer and stakeholder data

4. Purposes and the legal grounds for processing
Customer and stakeholder communication is the primary purpose of use for the personal data contained in the register. We use the personal data register to send electronic notifications, newsletters and invitations and to communicate and market various events and expert services.

We process personal data in matters related to customer account management, such as to measure customer satisfaction and respond to feedback. In addition, we use personal data to post blog comments on the website.

We use the register to develop Luke’s website, services and social media channels. With the register, we can target relevant content to different stakeholders.

The right to process personal data is based on consent of the data subject as defined in article 6 section 1(a) of the GDPR (2016/679).

5a. Type of personal data in the register
We may collect and process the following data:

  • Work/regular email address
  • First and last name
  • Name of the employer organization
  • Native language (or the language in which the data subject wants to receive content)
  • Work address, telephone number and title
  • Information about requests to send regular or marketing messages
  • Information about any requests not to receive communication and marketing material
  • Classification data provided by data subjects (e.g. areas of interest)
  • Data entered in contact forms
  • Data entered through blogs
  • Customer feedback
  • Data subjects may be processed on the basis of their email addresses so that they receive relevant content from Luke

We may process the following personal data when using or developing services:

  • IP address or other identification
  • Data collected through cookies
  • Data collected about the use of the website as offered by Google Analytics

We also obtain personal data related to the use of social media services, such as LinkedIn, Facebook, Twitter, YouTube and Instagram. Social media services define what kind of data they offer to their users and at what intervals.

We use Google Analytics and cookies to collect data about visits to the website in order to develop the site and target relevant content to visitors. Google Analytics can be disabled by following the service provider’s instructions.

5b. Regular sources of data
Primarily, we collect personal data from data subjects in conjunction with contact requests and order forms. We may collect data about customers from public sources and registers.

5c. Data systems that use the register
The following data systems can use our register:

  • Google Analytics and Google AdWords
  • Systems of Koodiviidakko Oy (ePressi news distribution service, Postiviidakko, ViidakkoMonitor)
  • fi (WordPress system)
  • Luke’s social media channels
  • Lyyti event system
  • Microsoft Dynamics CRM system

6. Regular disclosure of data
We do not disclose any personal data.

7. Transfer of data outside the EU/EEA
No personal data is transferred outside the EU or EEA.

8. Storage period
Data collected for a register is only stored as long as and to the extent necessary in relation to the original purposes, described in Section 4, for which the data was collected. Registered personal data must be erased when there are no longer legitimate grounds for processing.

9. Protection principles of register
Manual material is stored in protected and monitored facilities. Servers and active devices are located in protected and monitored facilities. Data is processed in systems with some devices located in Luke’s facilities and some in service providers’.

Registered data is protected against unauthorised viewing, modifying and erasing. Protection is based on access control, personal user IDs and restricted access rights. Rights to view and modify data have been restricted in accordance with the tasks of each employee. Information about any changes can be seen in the revision history. The correctness of data is verified by means of mechanical and manual controls at different stages of data processing. Backup copies and physical security measures are used to ensure that no data is lost.

Any register-related data on paper is protected by means of access control and locked archives.

10. The data subject’s rights
Data subjects have rights concerning their personal data that are based on the legitimate grounds of data processing. More information about the rights of data subjects and their fulfilment is available here.

The rights of data subjects are based on articles 15–22 of the EU GDPR (2016/679).

11. Using data for automated decision-making, including profiling (articles 13.2(f) and 14.2(g) of the GDPR)
No personal data is used for automated decision-making, including profiling.

12. Changes to this privacy notice
We may change this privacy policy, for example, if there are changes in our operating methods or systems or in general data protection recommendations. We may also need to make changes as a result of legal amendments. Any changes enter into force after we have published our revised privacy policy.