1. Name of the register
VTT Event Management
2. Controller, data protection officer and contact person
Name: VTT Technical Research Centre of Finland Ltd. (”VTT”), Business ID: 2647375-4
Address: Vuorimiehentie 3, 02150 Espoo, Finland
Data Protection Officer:
Name: Seppo Viinikainen
Address: VTT Technical Research Centre of Finland Ltd., Koivurannantie 1, 40400 Jyväskylä, Finland
Email: firstname.lastname@example.org (DPO, cybersecurity manager and legal counsel) or Seppo.Viinikainen@vtt.fi (DPO)
Contact person concerning the register:
Name: Paula Kauppinen
Address: VTT Technical Research Centre of Finland Ltd., Vuorimiehentie 3, 02150 Espoo, Finland
3. Categories of the personal data
The categories of the personal data contained in the register are contact information (such as first name, last name, title, organisation, email address and other contact details) and necessary information provided relating to the event (such as, telephone number, street address, date of birth, information of allergies and special diets, other information relevant to the event).
The data subjects are natural persons representing VTT’s potential and current customers, partners, co-operation partners, subscribers of VTT publications, VTT’s employees, services providers and similar interest groups.
4. Purposes of the processing and the legal basis for the processing
The personal data is processed for purposes of organising and managing events, internal development, reporting and collection of feedback concerning events, marketing and contacting the data subject with respect to events and event invitations.
In event management purposes, the personal data is being processed to implement a contract with the data subject and as applicable, on the basis of consent of the data subject. In terms of marketing and event invitation, the personal data is processed also on the basis of the legitimate interest of VTT to conduct well-grounded marketing activities and justified business.
If the data subject fails to provide mandatory information that is required to register for an event, VTT cannot accept said registration or commit to the contract between VTT and the data subject on participation in the event.
5. Regular sources of information
The personal data is collected directly from the data subject. Information contained in VTT Marketing Register and other VTT customer information and invoicing registers may also be used.
6. Recipients or categories of recipients of the personal data
VTT may provide access to the personal data to third parties if this is necessary for processing of the personal data due to technical reasons related to the processing purposes, or required by applicable legislation. The personal data is provided under appropriate contractual arrangements in accordance with requirements of the GDPR and applicable legislation.
7. Transfer of data outside the European Union or the European Economic Area
Under current technical solutions, the personal data is not transferred outside the EU or EEA. However, the personal data may be transferred outside the EU or EEA if this is necessary for processing of the personal data due to technical reasons. In such cases, the transfer shall be made in accordance with requirements of the GDPR and applicable legislation.
8. The existence of automated decision-making, including profiling
No automated decision-making or profiling is carried out in connection with processing of the personal data.
9. The period for which the personal data is stored or the criteria used to determine that period
The personal data is processed as long as it is necessary for any processing purpose. For event management purposes, the personal data is either removed or anonymisized no later than two (2) months after the latest event where the data subject has been invited to or has participated in, unless other legal basis for processing remains.
10. Principles of protection of the register
Personal data is stored in a technically secure location. Physical access to the data is restricted by means of access control and other security measures. Access is also prevented by means of e.g. firewalls and other technical protection measures. Only named persons at VTT have the right to process personal data contained in the register. These persons are bound by confidentiality obligations.
11. Rights of the data subject
The data subjects have the following rights that the data subject can always establish by contacting VTT in writing, preferably by email, or as detailed below. Some of the rights may be subject to limitations, in accordance with GDPR and applicable legislation.
Right to withdraw consent
The data subjects have the right to at any time withdraw their consent on which the processing is based on.
Right of access
The data subjects have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed and access to his or her personal data and information concerning the processing of his or her personal data.
Right to rectification
The data subjects have the right to obtain from the controller rectification of inaccurate personal data concerning him or her and the data subjects the right to have incomplete personal data completed.
Right to erasure
The data subjects have the right to request from the controller the erasure of personal data.
Right to restriction of processing
The data subjects have the right to obtain from the controller restriction of processing.
Right to object
Where the personal data is processed on the basis of legitimate interest of the controller, the data subjects have the right to object at any time to processing of personal data concerning him or her for such purpose.
Right to data portability
Where the processing is based on the data subject’s consent or on the basis of a contract implementation and carried out by automated means, the data subjects have the right to receive the personal data concerning him or her, which he or she has provided to the controller, and have the right to transmit those data to another controller.
Right to lodge a complaint with a supervisory authority
The data subjects have a right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data breaches the data subject’s rights pursuant to GDPR.
The data subject can exercise his/hers rights by contacting VTT in writing with contact information provided in section 2.