1. Name of the register
VTT Marketing Register
2. Controller, data protection officer and contact person
Name: VTT Technical Research Centre of Finland Ltd. (”VTT”), Business ID: 2647375-4
Address: Vuorimiehentie 3, 02150 Espoo, Finland
Data Protection Officer:
Name: Seppo Viinikainen
Address: VTT Technical Research Centre of Finland Ltd., Koivurannantie 1, 40400 Jyväskylä, Finland
Email: firstname.lastname@example.org (DPO, cybersecurity manager and legal counsel) or Seppo.Viinikainen@vtt.fi (DPO)
Contact person concerning the register:
Name: Tiina Torvinen
Address: VTT Technical Research Centre of Finland Ltd., Kivimiehentie 3, 02150 Espoo, Finland
3. Categories of the personal data
The categories of the personal data contained in the register are:
- Contact information, such as:
- first name, last name,
- title, company,
- e-mail address,
- address, city.
- Other basic information, such as:
- language selection,
- possible VTT contact,
- link to VTT,
- origin of the information,
- data subject’s areas of interest and content preferences.
- Status of consent where consent is relevant, and date and the manner how consent was recorded or collected, and possible objections to processing.
The data subjects are natural persons representing VTT’s potential and current customers and other interest groups, and subscribers of VTT publications.
4. Purposes of the processing and the legal basis for the processing
The personal data is primarily processed for the following purposes:
- Identifying and contacting the data subject for purposes of registering the data subject’s consents and objections to processing
- Marketing and communication activities, including direct marketing, such as: Newsletter communication
- Webinar participation, arrangements and communication
- Email communication
- Event invitations
- Webinar invitations
- Other VTT sales, marketing and advertising activities
- Business development, other internal development and reporting
- Profiling (see paragraph 8)
The personal data is processed on the basis of 1) legitimate interest of the data controller, 2) contractual relationship with the data subject and/or 3) legal obligation of the data controller. Also 4) consent of the data subject may be requested and constitute legal basis for the processing, as applicable. The legitimate interest of the data controller is the right to conduct well-grounded, justified and legitimate sales, advertising and marketing activities, including profiling in this purpose.
5. Regular sources of information
Contact information and Other basic information is collected either from the data subject or filled in on the basis of public sources or from other VTT registers, such as VTT CRM. Certain information is automatically collected from VTT Event Management register.
Status of consent for processing purposes, where consent is relevant, is acquired when the data subject has provided its consent in connection with registration or otherwise and may thereafter be changed by the data subject (i) in the subscription centre and/or by (ii) other means listed in paragraph 11.
6. Recipients or categories of recipients of the personal data
VTT may provide third parties with such personal data which is needed by a third party (i) in order to provide VTT with marketing and/or technical services related to VTT Marketing Register or other similar processing purposes and/or (ii) for collaboration with VTT which requires joint efforts in marketing and communication. Each provision of data is done in accordance with requirements of GDPR and applicable legislation.
7. Transfer of data outside the European Union or the European Economic Area
The personal data is not regularly but may exceptionally be transferred outside the EU or EEA if this is necessary to ensure appropriate and cost-effective implementation of the processing purpose, such as in case of technical reasons related to VTT’s service provider. In such cases, the transfer is done in accordance with requirements of GDPR and applicable legislation.
In case of absence of European Commission (“EC”) adequacy decisions, EC standard contractual clauses are used as appropriate or suitable safeguards for these data transfers. Whenever EC adequacy decisions are applicable VTT may rely on them.
8. The existence of automated decision-making, including profiling
9. The period for which the personal data is stored or the criteria used to determine that period
The personal data is processed as long as it is needed for the purpose of any processing purpose set forth above. In VTT’s marketing system, personal data is mainly processed only until (i) two (2) months from the first invitation sent from the system if the data subject has not reacted to said invitation, or (ii) two (2) years have lapsed from the latest other message that the data subject has opened or read, whichever is longer. In case of VTT publication subscription, the personal data is processed as long as the data subject has a valid subscription at VTT. For other purposes, the data may be processed longer but only to the extent it is necessary for the processing purpose. After this or in case the data subject withdraws his or her relevant consent earlier, the data subject’s personal data is either anonymised or deleted unless other applicable legal basis for processing remains.
10. Principles of protection of the register
Personal data is stored in a technically secure location. Physical access to the data is restricted by means of access control and other security measures. Access is also prevented by means of e.g. firewalls and other technical protection measures. At VTT, only named persons have the right to process personal data contained in the register. These persons are bound by confidentiality obligations.
11. Rights of the data subject
The data subjects have the following rights that the data subject can always establish by contacting VTT in writing, preferably by email, or as detailed below. Some of the rights may be subject to limitations, in accordance with GDPR and applicable legislation.
The data subject is requested to contact VTT from an email address which VTT presumably has in its register(s). VTT may also request further information or documentation in order to verify person’s identity.
Right to withdraw consent
The data subject may change the status of subscriptions in the subscription centre. The data subjects have the right to withdraw their consent on which the processing is based, by contacting VTT in writing, preferably by email to the following address: email@example.com.
Right of access
The data subjects have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed and access to his or her personal data and information concerning the processing.
Right to rectification
The data subjects have the right to obtain from the controller rectification of inaccurate personal data concerning him or her, and the right to have incomplete personal data completed.
Right to erasure
The data subjects have the right to obtain from the controller the erasure of personal data concerning him or her, to the extent permitted by law.
Right to restriction of processing
The data subjects have the right to obtain from the controller restriction of processing, as set forth in GPDR.
Right to data portability
Where the processing is based on the data subject’s consent or contractual relationship and is carried out by automated means, the data subjects have the right to receive the personal data concerning him or her, which he or she has provided to the controller and have the right to transmit those data to another controller.
Right to object
Where the personal data is processed on the basis of legitimate interest of the controller, the data subjects have the right to object at any time to processing of personal data concerning him or her for such purpose. This may be relevant mainly in the following cases:
The data subject may object to the processing of his or her personal data for direct marketing purposes by notifying this objection in writing to VTT, preferably by email to the following address: firstname.lastname@example.org
Right to lodge a complaint with a supervisory authority
The data subjects have a right to lodge a complaint with a supervisory authority (Finnish Data Protection Ombudsman) if the data subject considers that the processing of personal data breaches the data subject’s rights pursuant to GDPR.