Privacy notice for VTT’s events management

1. Subject of personal data processing

The personal data processed in VTT’s events management
 

2. Controller, Data Protection Officer and contact person

Controller:

Technical Research Centre of Finland Ltd. (”VTT”), Business ID: 2647375-4,
Tekniikantie 21, 02150 Espoo

VTT Group companies include VTT Ventures Ltd., VTT Holding Ltd. and VTT International Ltd. The companies operate either as an independent controller or a joint controller with VTT (for example shared events) under this privacy notice.

In case of a joint event with VTT and another organisation for common purposes (e.g., a joint event of research partners), a joint controllership can be applicable. We notify the event organisers in the event invitation.

VTT’s Data Protection Officer:

Address: VTT Technical Research Centre of Finland Ltd., Register Office, P.O. Box 1000, FI-02044 VTT, Finland
E-mail: [email protected] (Data Protection Officer and information security manager and their substitutes)

Contact person for the event management systems:

E-mail: [email protected]
 

3. The categories of personal data and data subjects

The data subjects are persons who are invited or register and participate in events organised and managed by VTT, including VTT’s current or potential customers, representatives of stakeholder organisations (such as funders, influencers), partners, subscribers to VTT’s publications, VTT’s employees, service providers and other interest groups.

The processing of personal data can include the following categories of personal data depending on the event:

• Basic information, such as first name, last name, organisation, title, prefix
• Contact information, such as e-mail address, phone number, address, city
• Additional information relating to the event, such as voluntary information about allergies or dietary requests, as well as other relevant information related to the event (stored only for the duration of organising and managing the event in question)
• Possible photos or videos from events, where the person may appear (photographing will be announced separately in each event)
• Possible payment or invoice details, in case of a paid event
• Status of consent, including potential marketing permission, information related to how the consent was collected or recoded, and possible information of objection to processing

If the person does not provide the necessary information required to register for the event, VTT cannot accept registration and commit to a contract between the person and VTT regarding participation in the event.
 

4. The purposes for processing personal data

Personal data is processed for organising and managing of events, internal development, reporting, collecting of feedback, and marketing and other various event-related communication with the person and event invitations. Events can also be organised in cooperation with VTT’s partners. VTT also organises events and training sessions for its employees.

Personal data is also processed to enable networking. In connection with the event, the person can be offered an opportunity to network with other participants, for example, by a mobile application, provided that the person has consented that the information entered by him or her is visible to other users in the application.

5. The lawful bases for processing

The processing of personal data is based on a contractual relationship, controller’s legitimate interest, compliance with a legal obligation or consent.

Contract

The lawful basis for the processing of personal data can be the performance of a contract or to take the steps prior to entering into the contract at the request of the data subject. In event management, the processing of personal data can be based on the performance of a contract and, where applicable, consent (e.g., filming for commercial use, processing of special categories of personal data in special circumstances). When VTT organises internal events or training sessions for its employees, the processing is based on VTT’s legitimate interest or the obligations of the employment contract.

Legitimate interest

In connection with the events, it is possible to record and present recordings for the purposes of internal and external communication based on controller’s legitimate interest. Possible photographing will be informed in connection with the event, in which case the person can choose whether to participate in the activity in question. VTT can also send event invitations to its relevant contacts based on a legitimate interest.  

Personal data is also processed for marketing based on controller’s legitimate interest. The controller’s legitimate interest is the right to exercise justified marketing and business activities. More information about processing of personal data for sales and marketing purposes: Privacy notice for VTT’s stakeholders, customer relationship management and marketing.

Legal obligation

The lawful basis for the processing of personal data is a legal obligation in accordance with the data protection regulation when the processing is necessary to comply with the legal obligations of the controller. This is the case, for example, when personal data is processed for invoicing and accounting purposes.

Consent

The lawful basis for the processing of personal data is consent when a person actively provides his or her consent for the specific processing activity, such as permission for direct marketing. Consent can be requested, e.g., when filming for commercial use, for processing of special categories of personal data in special circumstances, and for sharing personal information (such as contact details, photo, profile information) for other event attendees (e.g., when person is filling in information in the mobile application for matchmaking). If the lawful basis for the processing is consent, this is informed to the data subject separately with information on how the consent can be revoked.
 

6. Regular sources of information

Personal data is primarily collected from the person directly. In addition, information from VTT's marketing register and VTT’s customer information can be used. Information can also be collected as part of group registrations for events.
 

7. The recipients or groups of recipients of personal data

VTT uses external service providers to process personal data, such as system providers and event agencies. The service providers process personal data on behalf of VTT, including sales, marketing and event management platforms (e.g., Salesforce, Hubspot, Lyyti), event and webinar platforms, mobile applications, event organisation partners and service providers, such as event agencies, catering, accommodation and transportation providers and other similar service providers.

VTT can outsource processing of personal data or disclose personal data to partners for events management purposes during registration and events. In case of a joint controllership, the joint controllers can process personal data as required by the event and the processing purpose. Personal data will not be disclosed for third parties or partners for other purposes.
 

8. Transfers of personal data outside EU or EEA

Personal data is transferred outside EU and EEA. The data transfers are compliant with the requirements as set out in the data protection regulation, assessing the risks appropriately. If European Commission has not deemed the data protection level of a destination country as adequate, VTT can use, among other mechanisms, the standard contractual clauses for international data transfers as approved by authorities and other additional measures to safeguard data. More information about transfers of personal data can be inquired from the controller.
 

9. The existence of automated decision-making, including profiling

Personal data is not processed for automated decision-making or profiling for events management purposes.

Personal data can be processed for profiling based on the user’s consent for the purposes of targeted marketing, communication and sales activities according to the person’s interests and preferences, especially for direct marketing. No automated decision-making or profiling that would involve significant decision-making or decisions producing legal effects concerning a person is made. See VTT’s Cookie policy for further information.
 

10. The retention period or criteria for determining retention period for personal data

Personal data is retained only as long as it is necessary for the purposes of personal data processing or to comply with the controller’s statutory or contractual obligations.

As a general rule, the personal data stored in the VTT’s marketing and event management systems is not retained for longer than two (2) years from the most recent activity involving the data subject. The event-specific additional information is deleted or anonymised no later than two (2) months from the latest event to which the person was invited or participated unless there another lawful basis for processing thereafter. 
 

11. Principles for protection of the register

Personal data is protected against unauthorized processing and access by appropriate technical and organisational measures. Security measures are system-specific, but these always include limited access rights, access control and information security measures, such as firewalls. In addition, information is protected by physical access management and other physical security arrangements of the premises. At VTT, only the persons who require access in order to perform their work duties may process the personal data described in this privacy notice, and the persons are committed to confidentiality.
 

12. Rights of the data subject

Data subjects have the following data protection rights depending on the applicable lawful basis of the processing. The data subject can exercise these rights by contacting the controller in writing, preferably via e-mail, or in other ways as described below. The data subject is advised to send an e-mail from the address he or she assumes that is stored about him or her by VTT. If necessary, VTT can also request additional information or clarification in order to verify identity.

Right to withdraw consent

If the processing is based on consent, the data subject has the right to withdraw his or her consent to the processing of personal data at any time. Consent can be revoked by informing VTT, preferably via email to: [email protected]. A person can also manage his or her consents at the subscription page.

Right of access

The data subject has the right to receive a confirmation if personal data concerning him or her is processed and the right to access the personal data accompanied with the information about processing according to the data protection regulation.

Right of rectification

The data subject has the right to have inaccurate and incorrect personal data rectified and incomplete information completed without undue delay.

Right to deletion

The data subject has the right to request controller to delete personal data concerning him or her within the limits of the data protection regulation.

The data controller can request deletion of his or her personal data, e.g., in the following circumstances: (i) personal data is no longer necessary for the purposes for which they were collected or otherwise processed; (ii) data subject withdraws consent and there is no other lawful basis; (iii) personal data has been processed unlawfully; (iv) controller needs to delete personal data in order to comply a legal obligation; or (v) data subject restricts processing based on controller’s legitimate interest and the controller does not have other justified reason to continue processing.

Right to restrict processing

The data subject has the right to request restriction on the processing of personal data in the circumstances detailed in the data protection regulation.

The data subject has the right to demand restriction to personal data processing, e.g., in the following circumstances: (i) data subject contests the accuracy of information; (ii) processing is unlawful but data subject opposes deletion of personal data and instead demands restriction of their use; (iii) controller does not require such information for the purposes of processing but the data subject needs them for preparation, presentation or defence of a legal claim; (iv) data subject has already objected to the processing of personal data.

Right to data portability

The data subject has the right to receive personal data concerning him or her that he or she has provided to the controller, and the right to transfer such data to another controller to the extent the processing is based on consent or a contract, and the processing is carried out automatically.

Right to object processing

When the processing of personal data is based on the controller’s legitimate interest, the person has the right to object to processing of his or her personal data at any time.

Direct marketing: The person may object to the processing of his or her personal data for direct marketing purposes by notifying this objection in writing to VTT, preferably by email to the following address: [email protected].

Profiling: In case the person wishes not to be profiled, the data subject is advised to see Cookie policy. It is also advised to inform any objection relating to profiling to VTT in writing, preferably by email to the following address: [email protected]

Right to lodge a complaint

The data subject has the right to lodge a complaint with a supervisory authority if the data subject considers that his or her rights under the data protection regulation have been violated. The contact details for the Finnish Data Protection Ombudsman: https://tietosuoja.fi/en/contact-information