INFORMATION NOTICE
Record of Processing Activities
General Data Protection Regulation (2016/679), Articles 13, 14 and 30
Date of drafting: December 4th, 2020
We may update or revise this Information Notice/ Record of Processing Activities at any time, with any notice to you as may be required under applicable law. Your right to data portability and/or restriction of processing, if applicable, will become applicable as of May 25th, 2018.
1. Controller / Company
Orion Research Foundation sr (Company Identification Number: 0564489-2)
c/o Orion Co
Orionintie 1
02200 Espoo Finland
Tel. 010 4261
2. The person in charge / contact person
Anu Imppola
Manager, Orion Research Foundation sr Orion Corporation
Orionintie 1A
02200 Espoo
Tel. 010 426 3803
e-mail: anu.imppola@orion.fi
3. Name of the data file
Recipients of Orion Research Foundation grant
4. The purpose for processing the personal data / recipients (or categories of recipients) of personal data / the legal basis for processing the personal data
The purpose for use of this data file is to manage grant recipients.
We may share your information with third parties, such as for statutory purposes with tax authorities and Mela for arranging pension and occupational accident insurance and those who assist us by performing technical operations such as data storage and hosting.
The legal basis for processing of the personal data is consent of the data subject (EU General Data Protection Regulation Article 6.1.a).
5. Content of the data file
Applicants’ first name and surname, sum of the grant, social security number, gender, post or position, home address, phone number, email address, bank account number.
6. Source of information
When applying a grant via the Internet, the applicant enters data about himself/herself and accepts that data collected is needed in the process to rate grant recipients. In the grant announcements sent by email Foundation asks grant recipients to add his/her social security number and bank account number to the grant application system in order to have grant paid to the account.
7. Transfers of personal data to countries outside the European Union or the European Economic Area
Personal data from the register is not transferred to other countries outside Finland.
8. Protection of the transferred personal data
Personal data from the register is not transferred to other countries outside Finland.
9. Retention period of the personal data
The personal data shall be retained by the controller for a period of six (6) calendar years. / The criteria used for determining the period of retaining of the personal data is the following: Finnish law for accounting (Kirjanpitolaki, KPL, 30.12.1997/1336 10 §).
10. The principles how the data file is secured
Electronic information
The electronic data shall be stored in Datalink Oy´s server with restricted access, available only for the authorized persons who need the data for performing their work.
11. Right of access and right to data portability
The data subject shall have the right of access, after having supplied sufficient search criteria, to the data on himself/herself in the personal data file, or to a notice that the file contains no such data. The controller shall at the same time provide the data subject with information on the sources of the data, on the uses for the data in the file, and the destinations of disclosed data.
The data subject shall have the right to data portability, i.e. the right to receive his or her personal data, which the data subject has provided to the controller and that is being processed by automated means, in a structured and machine readable format and the right to transmit those data to another controller, where the basis for processing is consent or the fulfilment of a contract between the controller and the data subject.
The data subject who wishes to have access to the data on himself/herself, as referred to above, shall make a request to this effect to the person in charge at controller by a personally signed or otherwise comparably verified document and by verifying his or her identity by attaching a copy of an official identification document.
12. Right to withdraw consent / Right to object to processing
In case the legal basis for processing the personal data is the consent of the data subject, the data subject has the right to withdraw the consent.
In case the legal basis for processing the personal data is the legitimate interests of the controller, the data subject has the right to object to processing on grounds relating to his or her particular situation. The data subject always has the right to object to processing of the personal data for direct marketing purposes.
In case the data subject wishes to use its above-mentioned rights, he or she shall make a request to this effect to the person in charge at the data controller by a personally signed or otherwise comparably verified document in writing to the representative of the data controller named under section 2. hereinabove.
Withdrawal of consent does not render the processing of personal data performed prior to such withdrawal unlawful.
13. Rectification, restriction of processing and erasure
A controller shall, on its own initiative or at the request of the data subject, without undue delay rectify, erase or supplement personal data contained in its personal data file if it is erroneous, unnecessary, incomplete or obsolete as regards the purpose of the processing.
Under specific circumstances, the data subject has the right to obtain from the controller restriction of processing of his or her personal data.
If the controller refuses the request of the data subject of the rectification of an error, a written certificate to this effect shall be issued. The certificate shall also mention the reasons for the refusal. In this event, the data subject may bring the matter to the attention of the Data Protection Ombudsman.
The controller shall undertake reasonable measures to notify the erasure to the controllers to whom the data has been disclosed and who are processing the data. However, there is no duty of notification if this is impossible or unreasonably difficult.
Requests for the above uses of data subject’s rights shall be made by contacting the representative of the controller named under section 2 hereof.