Privacy Notice on VTT Procurements

The privacy notice is based on the EU’s General Data Protection Regulation (2016/679, “GDPR”) and the Data Protection Act (1050/2018). Version February 2023. The privacy notice can be updated. The data subject can check the up-to-date information by regularly visiting the website where the privacy notice is available.

1. Name of the purpose of processing

VTT supplier and tenderer register.

Personal data are processed for the following purposes:  

  • supplier relations management,
  • market consultations,
  • tenders and the processing of tenders,
  • contract preparation, contract management and implementation,
  • electronic archiving of contract materials,
  • during the contract period, monitoring of the financial status of the contracting partner (and any subcontractor of the partner),
  • background checks, identification and management of company-specific risks
  • compliance with statutory obligations related to the procurement procedure (e.g. ensuring the tenderer's eligibility and reports pursuant to the Act on the Contractor's Obligations and Liability when Work is Contracted Out (1233/2006))
  • processing of complaints and legal claims
  • accounts payable, processing of purchase invoices, accounting, auditing and taxation
  • checks on export controls and sanctions lists and other measures required to ensure the legality of the transaction (know-your-supplier procedure),
  • business development, quality functions, internal forecasting, reporting and monitoring
  • project management and activities

The processing of data ensures, such things as the lawful implementation of the procurement process and smooth cooperation during the contract period. Data is used for working with the tenderer and the contracting partner and for communicating with them. 

2. Controller(s), data protection officer and contact person(s)

VTT Technical Research Centre of Finland Ltd (“VTT”), business ID: 2647375-4, Tekniikantie 21, 02150 Espoo

Contact details of the data protection officer: 

Address: Data Protection Officer, VTT Technical Research Centre of Finland Ltd, Kirjaamo, Kivimiehentie 3, 02150 Espoo, e-mail: [email protected] (data protection officer and information security manager and their substitutes)

3. Personal data to be processed and categories of persons

The personal data to be processed are: 

Name and other information on a person such as their organisation, title, CV information, employer contact information such as street address, email and phone number

Procurement-related extracts from the criminal records of key tenderers are checked in statutory situations. These extracts are not saved, but record entries are made on their examination (e.g. whose extract was checked and details of the observations made).

The persons represent e.g. the following groups: 

Representatives of the tenderer/supplier, other persons appointed by the tenderer/supplier (e.g. persons participating in the provision of the service, invoicing contact persons), reference contact persons. 

4. Legal basis

Contractual relationship or preparation of the contractual relationship

In certain situations, the legal basis for the processing of personal data is the performance of the contract or the implementation of pre-contractual measures at the request of the data subject. This is the case e.g., when personal data is processed in connection with supplier relationship management and contract preparation, for contract management and performance, and for accounts payable and purchase invoice management. 

Legal obligation

VTT is a contracting entity as referred to in the Act on Public Procurement and Concession Contracts (1397/2016,  hereinafter "Procurements Act"). The basis for the processing of personal data is the VTT’s statutory obligation to fulfil the requirements laid down in the Act in question. This is the case, for example, when reviewing extracts from the criminal record concerning procurement procedures and when assessing the eligibility of tenderers in accordance with the Procurements Act.

A statutory obligation also applies to the processing of personal data for the purpose of carrying out statutory measures related to accounting, auditing and checking the export control and sanctions lists laid down in the Act and other similar measures related to ensuring the legality of the transaction.

Legitimate interest

The legal basis for the processing of personal data is the controller's legitimate interest to the extent that the processing of personal data is otherwise necessary in order to complete the procurement process, perform contracts, manage risks and facilitate cooperation during the contract period. The controller's legitimate interest includes such things as the processing of personal data for market consultation, business development, quality measures, internal forecasting, reporting and monitoring, as well as for project management and project activities.  

5. Personal data sources

For the purpose of market consultation and the determination of potential suppliers, information is collected from company websites and other public sources.

As a rule, personal data is obtained from the data subject themselves and 
the organisation (customers and suppliers) represented by the data subject. VTT also receives information from public registers such as the Finnish Patent and Registration Office, Suomen Asiakastieto Oy and Vastuu Group Oy to identify company-specific risks and to comply with statutory obligations.

Business information services (e.g. Suomen Asiakastieto Oy, Orbis) are utilised in company background checks (e.g. export control and sanctions reports).  

6. Recipients or categories of recipients of personal data

VTT uses service providers, such as system service providers, in the processing of personal data. Service providers process personal data on behalf of VTT. In particular, the recipients of personal data represent the following parties, which change from time to time for reasons such as procurement legislation:

  • Legal and other expert services
  • Financial audit, accounting and related expert services
  • Delivery and maintenance of the electronic archiving and accounts ledger system
  • Financial services and systems, and banking
  • Cloud solutions (e.g. Microsoft O365)

VTT has the right to change the service providers used in the processing of personal data, for example in connection with competitive tendering. These will be notified by updating the privacy notice.

In cases required under the Procurements Act, data is only disclosed to the parties required by law, such as the Market Court and the Finnish Competition and Consumer Authority.

7. Transfer of personal data outside the EU or the EEA

Personal data may be transferred outside the EU and EEA. Data is transferred in compliance with the requirements laid down in the General Data Protection Regulation, assessing the risks appropriately. If the European Commission has not considered the level of data protection in the target country sufficient, VTT may use e.g. the standard contractual clauses and other measures prepared for the Commission's international data transfers to protect the data. For more information on the transfer of personal data, please contact the controller separately.

8. Retention of personal data

The retention periods of documents related to the different stages of the procurement procedure and related decisions are specified in the Procurements Act. Personal data shall be stored for as long as it is necessary for the purposes mentioned above. After this, the personal data will be effectively deleted or made anonymous.

9. Principles of personal data protection

Personal data shall be protected against unauthorised processing and access with appropriate technical and organisational measures. Security measures are system-specific, but they always include limited access rights, access control, and security solutions such as firewalls. In addition, access control, facility solutions and other security arrangements are used to protect data. At VTT, only persons who need access to processing in order to perform their duties may process the personal data described in this privacy notice and the persons are committed to secrecy.

10. Rights of the data subject

The data subject has the following rights, however, which may be derogated from and/or restricted in accordance with applicable legislation. If the controller cannot identify the data subject, the rights of the data subjects are in principle not applicable unless the data subject provides additional information for identification. Restriction and deviation are verified on a case-by-case basis.

  • right to access own data
  • right to rectify data
  • right to delete data (so-called “right to be forgotten”)
  • right to restrict the processing of data
  • right to object to the processing of data
  • right to transfer data from one system to another
  • right to lodge a complaint with a supervisory authority

The data subject may exercise the above rights by contacting the controller using the contact details specified in item 2, preferably by e-mail.

Further information on the data subject’s rights:

The data subject’s right to access data

The data subject has the right to obtain confirmation from the controller as to whether personal data concerning them are processed. In addition, the data subject has the right to access personal data concerning themselves and information on the processing of personal data. 

Right to rectification

The data subject has the right to have inaccurate and incorrect personal data concerning the data subject rectified and incomplete personal data completed without undue delay. 

Right to erasure, so-called “right to be forgotten”

The data subject has the right to have the controller erase personal data concerning the data subject without undue delay.

Right to restriction of processing

In certain situations, the data subject has the right to demand that the controller restrict the processing. 

Right to object to the processing

In certain situations, the data subject has the right to object to the processing of personal data concerning them.

Right to transfer data from one system to another

The data subject has the right to receive personal data concerning them that they have provided to the controller and the right to transfer such data to another controller in so far as the processing is based on consent or agreement and the processing is carried out automatically.

Right to lodge a complaint with a supervisory authority

The data subject has the right to lodge a complaint with supervisory authorities if the data subject considers that their rights have been violated in the light of the EU General Data Protection Regulation. Contact details of the Data Protection Ombudsman: