Privacy Notice
1. Data Controller
Data Controller: Aue-stiftelse sr (hereinafter “Data Controller”)
Business ID: 0747391-9
Address: Munkkiniemen Puistotie 18 B 47, 00330 Helsinki
Phone: +358 50 408 9416
2. Contact Details for Data Protection Matters
Name: Johanna Hovilainen
Email: hovilainen@aue-stiftung.org
Phone: +358 50 408 9416
3. Purpose and Legal Basis for the Processing of Personal Data
The processing of personal data is carried out for the purposes of applying for, awarding, paying, and monitoring grants after payment (including related communications), as well as for the publication of research and the delivery of statutory deposit copies, to support decision-making by the Board, to submit notifications to authorities, and for the organisation of various events. The primary legal basis for processing is the Data Controller’s legitimate interest in managing, operating, and developing the foundation’s activities.
The processing of personal data is also carried out on the basis of legitimate interest for the distribution of statutory deposit copies of publications and for the organisation of events.
Personal data is not used for automated decision-making that would produce legal effects or similarly significant effects on data subjects.
4. Personal Data to be Collected
In connection with grant applications, the awarding of grants, and the publication of research, the following personal data may be processed, among others:
- Information relating to prohibitions, restrictions, consents, and other choices expressed by the data subject concerning the use of their personal data.
- Contact details (including name, email address, date of birth, telephone number, place of residence, and postal address), as well as information included in grant applications (such as research group members, referees, bank account and banking details for grant payments, and information relating to grants paid, including amount, payment date, receipt number, and description).
- Categorisation data, such as marketing opt-outs, event participation, and feedback.
5. Retention of Personal Data
Personal data is retained only for as long as necessary.
6. Sources of Personal Data
Personal data is obtained primarily from the data subject themselves in connection with grant applications and other communications.
7. Disclosure of Personal Data and Categories of Recipients
Personal data is not disclosed to parties other than the Data Controller or those acting on its behalf who are involved in the production, development, or maintenance of services and communications, except where such disclosure is based on a contract, separate consent, and/or explicit statutory provisions.
The Data Controller has a statutory obligation to report information relating to grants, including details of grant recipients, to the Finnish Tax Administration as part of tax reporting.
Third parties may act as data processors on behalf of the Data Controller. Such parties are permitted to process personal data only in accordance with the terms agreed in a data processing agreement.
8. Data Transfers Outside the EU or EEA
Personal data is not transferred outside the European Union or the European Economic Area.
9. Rights of Data Subjects
Right of access: The data subject has the right to access the personal data concerning them that are stored in the register. Exercising this right is generally free of charge.
Right to rectification: The data subject has the right to request that the Data Controller rectifies any inaccurate, incomplete, or incorrect personal data concerning them.
Right to erasure: In the circumstances specified in Article 17 of the General Data Protection Regulation, the data subject has the right to request that the Data Controller erases personal data concerning them. The data subject may request the erasure of their personal data, for example where the personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
Right to restriction of processing: In the circumstances specified in Article 18 of the General Data Protection Regulation, the data subject has the right to request a restriction of processing. The data subject may request the restriction of the processing of their personal data, for example where the data subject has objected to the processing of their personal data and is awaiting verification as to whether the legitimate interests of the Data Controller override those of the data subject. Where processing is restricted, the Data Controller may retain the personal data but may not, as a rule, otherwise process it.
Right to object to the processing of personal data: On grounds relating to their particular situation, the data subject has the right to object to profiling and other processing activities relating to them, where such processing of their personal data is based on the Data Controller’s legitimate interest. Where the data subject objects to the processing, the Data Controller may no longer process the personal data unless the Data Controller can demonstrate that the processing is justified.
Where personal data is processed for direct marketing purposes on the basis of legitimate interest, the data subject has the right to object at any time to such processing for direct marketing purposes (including profiling related to direct marketing). Where the data subject has objected to the processing of their personal data for direct marketing purposes, the personal data must no longer be processed for that purpose.
Right to data portability: Insofar as the data subject has provided their personal data themselves and such data is processed on the basis of the data subject’s consent or a contract, the data subject has, as a rule, the right to receive the data in a machine-readable format and the right to transfer such data to another data controller.
Right to withdraw consent: Where personal data is processed on the basis of the data subject’s consent, the data subject has the right to withdraw their consent by notifying the Data Controller. The withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent prior to its withdrawal.
Right to lodge a complaint with a supervisory authority: The data subject has the right to lodge a complaint with the competent supervisory authority (www.tietosuoja.fi) if the data subject considers that the Data Controller has not complied with applicable data protection legislation in its activities.
10. Contact and Exercise of Data Subject Rights
For all questions relating to the processing of personal data and the exercise of their rights, the data subject should contact the Data Controller using the contact details provided at the beginning of this Privacy Notice.
11. Changes to this Privacy Notice
The Data Controller may make changes to this Privacy Notice if the methods or purposes of processing personal data change. Data subjects are nevertheless advised to review the content of this Privacy Notice regularly.