VTT Brand Portal privacy notice

Effective date: 23 Sep 2025
Version: 1.0

1. Controller

VTT Technical Research Centre of Finland Ltd (Business ID 2647375-4) 
P.O. Box 1000, FIN-02044 VTT, Finland 
Data protection contact: [email protected]

2. Purposes and legal basis

Personal data are processed in the VTT Brand Portal (Gredi ContentHub) for user authentication and access management, to ensure secure operation of the service, and to prevent misuse. Partner accounts are approved manually by administrators.

The processing is based on VTT’s legitimate interests to operate and protect the brand asset platform and ensure security. Personal data are not used for marketing or profiling.

3. Categories of personal data

  • Partners: first name, surname, email, company/organisation (optional), contact person at VTT
  • VTT staff: identifiers provided by Entra ID (Azure AD) (e.g., name, VTT email) and roles/groups
  • Logs: sign-in, usage and download logs; records of access approvals

Providing the mandatory fields is required to create an account.

4. Sources

  • Data subject (registration form)
  • VTT Entra ID/SSO (staff)
  • System logs

5. Recipients and processors

VTT communications, marketing and IT personnel process data as part of their duties. Gredi Oy acts as VTT’s data processor (ContentHub). Microsoft provides the authentication service (Entra ID/SSO). Users’ names and emails are not visible to other users – only to administrators. No disclosures to third parties unless required by law.

6. International transfers

Data are processed within the EU/EEA. No transfers to third countries occur for this processing.

7. Retention

  • Accounts are deleted 24 months after the last sign-in.
  • Sign-in, usage and download logs are retained for the entire duration of the customer relationship for audit trail purposes.

8. Data subject rights

Data subjects have GDPR rights (access, rectification, erasure, restriction, objection, portability). Requests: [email protected]. If not resolved with VTT, you may contact the Finnish Data Protection Ombudsman.  

9. Security

The portal uses Entra ID/SSO, role-based access control and logging in line with the need-to-know principle. Multi-factor authentication (MFA) is currently not used for partner accounts; access is protected by manual approval and technical controls. VTT applies technical and organisational measures to protect personal data.

10. Cookies

Only strictly necessary cookies are used (session and sign-in). No analytics or marketing cookies are used.

11. Target group

The service is intended for professional users of legal age.  

12. Changes to this privacy notice

We update this notice when the service or legislation changes. Material updates are communicated in the portal.