Under articles 12–14 of the EU General Data Protection Regulation, the Finnish Institute of International Affairs (“Institute”) maintains privacy policies to inform data subjects of the processing of their personal data. The policies explain, among other things, the purpose of the processing, to whom data are generally disclosed, for how long the personal data are stored and what the rights of the data subject are.

The privacy policies are categorised according to the various purposes of use, and the sections that concern customers of the Finnish Institute of International Affairs are available on this website.

Privacy policies will be added as they become available.

Privacy policies

A form with instructions for using the rights of a data subject

Download the form as a PDF file: Privacy Policy Form

Privacy policy for the Finnish Institute of International Affairs’ library register (25 May 2018)

1 The purpose of processing personal data and legal basis of the processing

The customer register for the library at the Finnish Institute of International Affairs (“FIIA library”) consists of the following purposes of use:

The purpose of the customer data and lending system register is to manage the library’s customer data and inform customers of the obligations and services related to the customer relationship. The data system in use functions as a library system that is used to take care of all of the basic functions of the library, such as acquisitions, lending, control of arriving periodicals, sending customer notifications, and collecting statistics.

Personal data in the above sub-registers are processed according to the following legal bases:

  1. a) the data subject has consented to the processing of their personal data for one or more specific purposes; and/or
  2. b) the processing is necessary to implement an agreement to which the data subject is a party, or to implement measures that necessitate an agreement as per the data subject’s request.

 

2 Processed personal data

First and last name, email address, telephone number, statistical group, customer group, as well as information of lent, returned and reserved materials.

 

3 Recipients or recipient groups of the data

According to a broad interpretation of article 4(9) of the EU General Data Protection Regulation, the controller can “transmit” or “disclose for processing” (e.g., maintenance carried out with a technical interface) personal data stored in the Institute’s customer registers.

Access to personal data in the FIIA library’s customer register is granted, where necessary, to the system provider (private system provider(s)).

Personal data are not disclosed to third parties for marketing purposes.

4 Transferring data to third countries

Data are not transferred outside the EU or EEA.

 

5 Storage period of the personal data                  

Data collected in the Institute’s customer register are stored only for the period and to the extent necessary for the original or compatible purpose for which the personal data were collected.

Personal data are stored for the duration of the customer relationship. The data are removed as per the customer’s explicit request. After the customer relationship has ended, the customer data will be removed as a consequence of regular removal.

6 Rights of the data subject     

The data subject has the right to verify which personal data about them have possibly been stored in the FIIA library’s customer register. According to the General Data Protection Regulation, the controller must respond to the data subject’s request to execute their rights within 30 days of receiving the request.

The Institute’s website has a form (https://www.fiia.fi/instituutti/tietosuoja) for the purpose of executing the data subject’s rights. Carefully complete the applicable sections of the form, print it, and sign it. The request can be made by submitting the carefully completed and personally signed form to the Institute’s registry, where the data subject must verify their identity in connection with making the request. The form includes more detailed instructions.

  1. Right of access to personal data

The data subject has the right to verify which data about them have been stored in the FIIA library’s customer register.

FIIA library’s visiting address:

Finnish Institute of International Affairs

Arkadiankatu 23 B, 6th floor

00100 Helsinki

Opening hours (Finnish Institute of International Affairs): Monday–Friday 9 a.m.–4 p.m.

The Institute’s registry directs the request in a centralised manner to the Institute’s data protection officer (email: tietosuojavastaava@fiia.fi). The Institute’s data protection officer answers the right of access request. If necessary, you can request more information about the progress of the request or the contents of the response from the data protection officer.

The data subject must collect the personal data extract in person from the Institute’s registry, where the data subject must also verify their identity.

  1. Right to have data rectified and restrict processing

The data subject shall have the right to obtain from the controller (the Institute) the restriction of processing where one of the following applies:

  • the accuracy of the personal data is contested by the data subject (right to have data rectified) for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
  1. Right to erasure

The data subject shall have the right to obtain from the controller the erasure of personal data concerning them from the FIIA library’s customer register without undue delay where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
  • the personal data have been unlawfully processed; or
  • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
  1. Right to data portability

Does not apply to the Institute’s customer registers.

 

  1. Data subject’s right to object               

According to Article 21 in the EU General Data Protection Regulation, the data subject shall have the right to object, on grounds relating to their particular situation, to the processing of personal data concerning them which is based on point (e) of Article 6(1) (processing is necessary for the performance of a task carried out for reasons of public interest or in the exercise of official authority vested in the controller), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

The request to object to the processing of personal data collected in the FIIA library’s customer register can be made by submitting a request to the Institute’s registry, where the data subject must also verify their identity in connection with making the request.

  1. Right to withdraw consent

The data subject shall have the right to withdraw their consent for the processing at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

The request to withdraw the consent related to the processing of personal data collected in the FIIA library’s customer register (request to withdraw consent) can be made by submitting a request to the Institute’s registry, where the data subject must also verify their identity in connection with making the request.

 

9 Right to lodge a complaint with a supervisory authority                     

The data subject shall have the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to them infringes data protection regulations.  

Data Protection Ombudsman office, contact details:

Office of the Data Protection Ombudsman
Street address: Lintulahdenkuja 4, 00530 Helsinki
Postal address: PL 800, 00531 Helsinki, Finland

Switchboard: +358 29 566 6700
Registry: +358 29 566 6768

E-mail (registry): tietosuoja(at)om.fi

  1. Data subject’s right to object

Is the provision of personal data a statutory or contractual demand or is it necessary in order to enter into contract, must the data subject provide personal data, and what are the consequences of not providing personal data (information about where the personal data has been acquired from)?                 

The processing of personal data in the FIIA library’s customer register in relation to whether the provision of personal data is a statutory or contractual demand or contractual requirement, and whether the data subject is obliged to provide personal data and the consequences of not providing personal data. Personal data have been acquired directly from the data subject and entered in the register with the data subject’s consent.

11 Automated decision-making and profiling

Personal data in the Institute’s customer register are not used for automated decision-making or profiling.

 

Privacy policy for the Finnish Institute of International Affairs’ customer register (25 May 2018)

1 The purpose of processing personal data and the legal basis for the processing

The Institute’s customer register consists of the following sub-registers, created on the basis of their various purposes of use:

  • Communications register
  • Event invitation register
  • Subscription register for the Ulkopolitiikka (Finnish Journal of Foreign Affairs) magazine

The purpose of the communications register is to manage customer data and inform customers by using newsletters and publication announcements.

The purpose of the event invitation register is to manage customer data and seminars, send invitations to events, as well as to receive and maintain sign-ups.

The purpose of the subscription register for the Ulkopolitiikka magazine is to maintain subscribers’ customer data, post the magazine, grant electronic access rights, and maintain the member register of the UP club.

Personal data in the above sub-registers are processed according to the following legal bases:

  1. the data subject has consented to the processing of their personal data for one or more specific purposes, and/or
  2. the processing is necessary to implement an agreement to which the data subject is a party or to implement measures that necessitate an agreement as per the data subject’s request.

2 Processed personal data

The following personal data are saved in sub-registers of the Institute’s customer register:

Communications register: name, email, which research topics the customer is interested in

Event invitation register: name, title, organisation, office location, municipality, email, phone number, which research topics the customer interested is in, yes/no for publication announcements, yes/no for newsletters

Subscription register for Ulkopolitiikka: name, address, postal code, municipality, job description, organisation, email, phone number, educational institution, and student ID.

3 Recipients or recipient groups of the data

According to a broad interpretation of article 4(9) of the EU General Data Protection Regulation, the controller can “transmit” or “disclose for processing” (e.g., maintenance carried out with a technical interface) personal data stored in the Institute’s customer registers.

Access to personal data in the Institute’s customer registers is granted, where necessary, to the system provider (private system provider(s)).

Personal data are not disclosed to third parties for marketing purposes.

4 Transferring data to third countries

Data are not transferred outside the EU or EEA.

5 Storage period of the personal data                  

Data collected in the Institute’s customer register are stored only for the period and to the extent necessary for the original or compatible purpose for which the personal data were collected.

Personal data are removed from the Institute’s customer register in the following manner:

Communications register: personal data are removed as per the customer’s explicit request.

Event invitation register: personal data are removed as per the customer’s explicit request.

Subscription register for Ulkopolitiikka: personal data are removed six years after the end of the accounting period during which the subscription ended (Finnish Accounting Act, 2015/1620).

6 Rights of the data subject     

The data subject has the right to verify which data about them have possibly been stored in the Institute’s customer register. According to the General Data Protection Regulation, the controller must respond to the data subject’s request to execute their rights within 30 days of receiving the request.

The Institute’s website has a form (https://www.fiia.fi/instituutti/tietosuoja) for the purpose of executing the data subject’s rights. Carefully complete the applicable sections of the form, print it, and sign it. The request can be made by submitting the carefully completed and personally signed form to the Institute’s registry, where the data subject must verify their identity in connection with making the request. The form includes more detailed instructions.

  1. Right of access to personal data

The data subject has the right to verify which data about them have been stored in the Institute’s customer register.

FIIA library’s visiting address:

Finnish Institute of International Affairs

Arkadiankatu 23 B, 6th floor

00100 Helsinki

Opening hours (Finnish Institute of International Affairs): Monday–Friday 9 a.m.–4 p.m.

The Institute’s registry directs the request in a centralised manner to the Institute’s data protection officer (email: tietosuojavastaava@fiia.fi). The Institute’s data protection officer answers the right of access request. If necessary, you can request more information about the progress of the request or the contents of the response from the data protection officer.

The data subject must collect the personal data extract in person from the Institute’s registry, where the data subject must also verify their identity.

  1. Right to have data rectified and restrict processing

The data subject shall have the right to obtain from the controller (the Institute) the restriction of processing where one of the following applies:

  • the accuracy of the personal data is contested by the data subject (right to have data rectified), for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
  1. Right to erasure

The data subject shall have the right to obtain from the controller the erasure of personal data concerning them from the Institute’s customer register without undue delay where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
  • the personal data have been unlawfully processed; or
  • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
  1. Right to data portability

Does not apply to the Institute’s customer registers.

  1. Data subject’s right to object               

According to Article 21 in the EU General Data Protection Regulation, the data subject shall have the right to object, on grounds relating to their particular situation, to the processing of personal data concerning them which is based on point (e) of Article 6(1) (processing is necessary for the performance of a task carried out for reasons of public interest or in the exercise of official authority vested in the controller), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

The request to object to the processing of personal data collected in the Institute’s customer register can be made by submitting a request to the Institute’s registry, where the data subject must also verify their identity in connection with making the request.

  1. Right to withdraw consent

The data subject shall have the right to withdraw their consent for the processing at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

The request to withdraw the consent related to the processing of personal data collected in the Institute’s customer register (request to withdraw consent) can be made by submitting a request to the Institute’s registry by email: kirjaamo@fiia.fi.

Removal from the subscription register for Ulkopolitiikka occurs according to section 8.

9 Right to lodge a complaint with a supervisory authority                       

The data subject shall have the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to them infringes data protection regulations.  

Data Protection Ombudsman office, contact details:

Office of the Data Protection Ombudsman
Street address: Lintulahdenkuja 4, 00530 Helsinki
Postal address: PL 800, 00531 Helsinki, Finland

Switchboard: +358 29 566 6700
Registry: +358 29 566 6768

E-mail (registry): tietosuoja(at)om.fi

  1. Data subject’s right to object

Is the provision of personal data a statutory or contractual demand or is it necessary in order to enter into contract, must the data subject provide personal data, and what are the consequences of not providing personal data (information about where the personal data has been acquired from)?                 

The processing of personal data in the Institute’s customer register in relation to whether the provision of personal data is a statutory or contractual demand or contractual requirement, and whether the data subject is obliged to provide personal data and the consequences of not providing personal data. It has also been explained per sub-category where the personal data have been acquired from:

Communications register

  • data have been acquired directly from the data subject and entered in the register with the data subject’s consent

Event invitation register

  • data have been acquired directly from the data subject and entered in the register with the data subject’s consent

Subscription register for the Ulkopolitiikka

  • data have been provided directly by the data subject in the subscription agreement

11 Automated decision-making and profiling

Personal data in the Institute’s customer register are not used for automated decision-making or profiling.

Privacy policy for the archive and diary register of the Finnish Institute of International Affairs (25 May 2018)

1 The purpose of processing personal data and legal basis of the processing

The purpose of the archival register is to store and maintain permanently stored documents and other archival materials that are valuable for historical and research-related reasons.

The purpose of the registry’s diary register is to monitor the processing of the Institute’s matters throughout the entire process with the help of an administrative diary. A document’s arrival time can be indicated with the help of the registration, which ensures the customer’s legal protection. The registration is based on Section 18 of the Finnish Act on the Openness of Government Activities (621/1999), Sections 5 and 6 of the Finnish Decree on the Openness of Government Activities and on Good Practice in Information Management (1030/1999), as well as on the Finnish Archival Act (831/1994) and provisions and stipulations set on the basis of the act.

2 Processed personal data

The following personal data are stored in the Institute’s archive and diary register:

– Basic data of the case/document: diary number, arrival data, date of the letter, due date, sender/receiver, received/sent, sender’s diary number, description of the case, search words, document language, processor, reference diary number, intermediate measures (document type, sender/receiver, date of intermediate measure, arrival date, due date, measure), the case’s resolution information (decision-maker, number and paragraph of the record, resolution date), final measure, date of final measure, and storage period for documents.

3 Recipients or recipient groups of the data

According to a broad interpretation of article 4(9) of the EU General Data Protection Regulation, the controller can “transmit” or “disclose for processing” (e.g., maintenance carried out with a technical interface) personal data stored in the Institute’s customer registers.

Access to personal data in the Institute’s customer registers is granted, where necessary, to the system provider (private system provider(s)).

Personal data are not disclosed to third parties for marketing purposes.

4 Transferring data to third countries

Data are not transferred outside the EU or EEA.

5 Storage period of the personal data                  

Documents in the Institute’s archive and diary register are stored according to the storage periods in Section 8 of the Finnish Archival Act (831/1994), after which the documents will be removed.

6 Rights of the data subject     

The data subject has the right to verify which data about them have possibly been stored in the Institute’s archive and diary register. According to the General Data Protection Regulation, the controller must respond to the data subject’s request to execute their rights within 30 days of receiving the request.

The Institute’s website has a form (https://www.fiia.fi/instituutti/tietosuoja) for the purpose of executing the data subject’s rights. Carefully complete the applicable sections of the form, print it, and sign it. The request can be made by submitting the carefully completed and personally signed form to the Institute’s registry, where the data subject must verify their identity in connection with making the request. The form includes more detailed instructions.

  1. Right of access to personal data

The data subject has the right to verify which data about them have been stored in the Institute’s customer register.

FIIA library’s visiting address:

Finnish Institute of International Affairs
Arkadiankatu 23 B, 6th floor
00100 Helsinki

Opening hours (Finnish Institute of International Affairs): Monday–Friday 9 a.m.–4 p.m.

The Institute’s registry directs the request in a centralised manner to the Institute’s data protection officer (email: tietosuojavastaava@fiia.fi). The Institute’s data protection officer answers the right of access request. If necessary, you can request more information about the progress of the request or the contents of the response from the data protection officer.

The data subject must collect the personal data extract in person from the Institute’s registry, where the data subject must also verify their identity.

  1. Right to have data rectified and restrict processing

The data subject shall have the right to obtain from the controller (the Institute) the restriction of processing where one of the following applies:

  • the accuracy of the personal data is contested by the data subject (right to have data rectified), for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
  1. Right to erasure

The data subject shall have the right to obtain from the controller the erasure of personal data concerning them from the Institute’s customer register without undue delay where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
  • the personal data have been unlawfully processed; or
  • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
  1. Right to data portability

Does not apply to the Institute’s archive and diary registers.

  1. Data subject’s right to object               

According to Article 21 in the EU General Data Protection Regulation, the data subject shall have the right to object, on grounds relating to their particular situation, to the processing of personal data concerning them which is based on point (e) of Article 6(1) (processing is necessary for the performance of a task carried out for reasons of public interest or in the exercise of official authority vested in the controller), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

The request to object to the processing of personal data collected in the Institute’s archive and diary registers can be made by submitting a request to the Institute’s registry, where the data subject must also verify their identity in connection with making the request.

8 Right to withdraw consent

The data subject shall have the right to withdraw their consent for the processing at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

The request to withdraw the consent related to the processing of personal data collected in the Institute’s customer register (request to withdraw consent) can be made by submitting a request to the Institute’s registry by email: kirjaamo@fiia.fi.

Removal from the subscription register for Ulkopolitiikka occurs according to section 8.

9 Right to lodge a complaint with a supervisory authority                       

The data subject shall have the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to them infringes data protection regulations.  

Data Protection Ombudsman office, contact details:

Office of the Data Protection Ombudsman
Street address: Lintulahdenkuja 4, 00530 Helsinki
Postal address: PL 800, 00531 Helsinki, Finland

Switchboard: +358 29 566 6700
Registry: +358 29 566 6768

E-mail (registry): tietosuoja(at)om.fi

10 Is the provision of personal data a statutory or contractual demand or is it necessary in order to enter into contract, must the data subject provide personal data and what are the consequences of not providing personal data (information about where the personal data has been acquired from)?               

The processing of personal data in the Institute’s archive and diary registers in relation to whether the provision of personal data is a statutory or contractual demand or contractual requirement, and whether the data subject is obliged to provide personal data and the consequences of not providing personal data.

Archive and diary registers:

  • data are acquired from documents

11 Automated decision-making and profiling

Personal data in the Institute’s archive and diary registers are not used for automated decision-making or profiling.