Privacy notice for VTT’s stakeholders, customer relationship management and marketing

The privacy notice is based on the EU General Data Protection Regulation (2016/679, “data protection regulation”) and applicable national legislation. This privacy notice was last updated on 22.12.2022 (original version 21.6.2018).

The privacy notice is updated as necessary, for example due to changes in systems, service providers or legislation.

1. Subject of personal data processing

The personal data processed in VTT’s customer and stakeholder management, sales, marketing and event management
 

2. Controller, Data Protection Officer and contact person

Controller:

Technical Research Centre of Finland Ltd. (”VTT”), Business ID: 2647375-4,
Tekniikantie 21, 02150 Espoo

VTT Group companies include VTT Ventures Ltd., VTT Holding Ltd. and VTT International Ltd. The companies operate either as an independent controller or a joint controller with VTT (for example shared events) under this privacy notice.

VTT’s Data Protection Officer:

Address: VTT Technical Research Centre of Finland Ltd., Register Office, P.O. Box 1000, FI-02044 VTT, Finland
E-mail: [email protected] (Data Protection Officer and information security manager and their substitutes)

Contact person for the customer and marketing systems:

E-mail: [email protected]
 

3. The categories of personal data and data subjects

The data subjects are persons who represent or act as contact persons for VTT’s current or potential customers, other stakeholder organisations (such as funders, influencers), partners or other interest groups. The subscribers to VTT’s publications and persons registered for stakeholder events are also data subjects.

The processing of personal data can include the following categories of personal data:

  • Basic information, such as first name, last name, organisation, title, prefix
  • Contact information, such as e-mail address, phone number, address, city
  • Contractual information, such as the basis of invoicing, invoice amount and due date, invoicing terms; information about sales transactions and meetings
  • Status of consent, where consent is relevant to the processing, including information related to how the consent was collected or recorded, and possible information of objection to processing
  • Additional information relating to the event, such as voluntary information about allergies or dietary requests, as well as other relevant information related to the event (stored only for the duration of organising and managing the event in question)
  • Other information related to the relationship between the person and the controller, such as link to VTT and possible VTT contact, origin of the information, data subject’s areas of interests and content preferences, the subject regarding why the person contacted (free text field), information about marketing communications sent to the person, and information about website usage collected based on consent 
  • Other possible additional information, such as language information, log data about processing operations (such as creation and update time, change and processing logs), information about activities concerning the person in accordance with the data protection regulation.
     

4. The purposes for processing personal data

Personal data is processed for the following purposes:

  • Customer and stakeholder relationship management
  • Sales, sales preparation and sales promotion activities (e.g., customer cooperation in sales)
  • Marketing and communication activities, including direct marketing, e.g.,
    • Press releases and publications
    • Newsletter communications
    • Webinar participation, arrangements and communication
    • Event invitations
    • Other VTT sales, marketing and advertising activities
  • Organising and managing of events (More information: Privacy notice for VTT’s events management)
  • Preparation of contracts and contract management and execution
  • Sales ledger, invoicing, debt collection and management of other receivables, and accounting, auditing, taxation and the related activities
  • Export control and sanction list checks, know-your-customer procedure and other similar activities related to ensuring the lawfulness of transactions
  • Collecting and processing of customer feedback
  • Business development, quality functions, internal forecasting, reporting and monitoring
  • Providing services and project operations
  • Fulfilling the data subject’s rights according to the EU General Data Protection Regulation, such as identifying and contacting the data subject for the purposes of managing the consents and objections to processing
     

5. The lawful bases for processing

The processing of personal data is based on a contractual relationship, controller’s legitimate interest, compliance with a legal obligation or consent.

Contract

The lawful basis for the processing of personal data can be the performance of a contract or to take the steps prior to entering into the contract at the request of the data subject. This is the case, for example, when personal data is processed in connection with customer relationship management and sales preparation, preparation of contracts, contract management and execution, as well as sales ledger, invoicing, debt collection and managing of other receivables. In event management, the processing of personal data can be based on the performance of contract and, where applicable, consent (e.g., filming for commercial use, processing of special categories of personal data in special circumstances).

Legitimate interest

The controller’s legitimate interest in the applicable processing purposes of this privacy notice is the right to exercise and advertise legitimate, justified and appropriate business activities, and to develop its business operations based on the customer feedback. This is the case, for example, when processing personal data related to customer service and contacts from customers, sales, marketing, sales preparation as well as business development, internal forecasting, reporting and monitoring. In connection with events, recordings can be recorded and presented for the purposes of internal and external communications based on the controller’s legitimate interest. In addition, personal data is processed based on the controller’s legitimate interest in certain situations to ensure the lawfulness of transactions (e.g., know-your-customer procedure).

Legal obligation

The lawful basis for the processing of personal data is a legal obligation in accordance with the data protection regulation when the processing is necessary to comply with the legal obligations of the controller. This is the case, for example, when personal data is processed for accounting and auditing purposes, legally required export control and sanctions list checks, and other similar measures related to ensuring the lawfulness of business transactions.

Consent

The lawful basis for the processing of personal data is consent when a person actively provides his or her consent for the specific processing activity, such as permission for direct marketing. Consent can be requested, e.g., when filming for commercial use, for processing of special categories of personal data in special circumstances, and for sharing personal information (such as contact details, photo, profile information) with other event attendees (e.g., when a person is filling in information in the mobile application for matchmaking). If the lawful basis for the processing is consent, the data subject is informed of this separately, together with information on how the consent can be revoked.
 

6. Regular sources of information

Personal data is primarily collected from the person directly, for example, as part of customer contacts, event registrations, customer registrations and in connection with sales and contract preparations. Information can also be collected from other sources, such as customer or stakeholder organisations, partners of the controller and public sources. Company information services (such as Suomen Asiakastieto Oy) are used in company background checks (e.g., export control and sanction checks).
 

7. The recipients or groups of recipients of personal data

VTT uses external service providers to process personal data, such as system providers. The service providers process personal data on behalf of VTT. The recipients of personal data include particularly the following types of entities providing services to the controller, which may change from time to time, e.g., due to reasons in the procurement legislation:  

  • Sales, marketing and event management platforms (e.g., Salesforce, Hubspot, Lyyti, Eventos)
  • Services such as sales ledger, payment processing, invoicing and debt collection
  • Auditing, accounting and related professional services
  • Delivery and maintenance of electronic archival and sales ledger system
  • Financial service and banking functions
  • Legal services and other expert services

VTT can outsource processing of personal data or disclose personal data to partners for events management purposes during registration and events. In case of a joint controllership, the joint controllers can process personal data as required by the event and the processing purpose. Personal data will not be disclosed to third parties or partners for other purposes.

The controller can disclose information to competent authorities and other relevant bodies that perform statutory duties in order to fulfil statutory obligations, for instance in connection with accounting and auditing.
 

8. Transfers of personal data outside EU or EEA

Personal data is transferred outside the EU and EEA. The data transfers are compliant with the requirements as set out in the data protection regulation, assessing the risks appropriately. If the European Commission has not deemed the data protection level of a destination country as adequate, VTT can use, among other mechanisms, the standard contractual clauses for international data transfers as approved by authorities and other additional measures to safeguard data. More information about transfers of personal data can be requested from the controller.
 

9. The existence of automated decision-making, including profiling

Personal data can be processed for profiling based on the user’s consent for the purposes of targeted marketing, communication and sales activities according to the person’s interests and preferences, especially for direct marketing. No automated decision-making or profiling that would involve significant decision-making or decisions producing legal effects concerning a person is made. See VTT’s Cookie policy for further information.
 

10. The retention period or criteria for determining retention period for personal data

Personal data is retained only as long as it is necessary for the purposes of personal data processing or to comply with the controller’s statutory or contractual obligations. The retention periods take into account, for example, the contractual requirements of funders and other contractual partners, as well as the limitation periods set out in legislation.

The following retention periods are indicative, from which deviations are possible if justified, and the controller has the possibility to also shorten the retention period as considered necessary:

  • As a general rule, the personal data stored in the VTT’s marketing and event management systems is not retained for longer than two (2) years from the most recent activity involving the data subject. The personal data of subscribers to VTT’s publications is processed as long as the person has an active subscription with VTT. For other communication purposes, information can be processed for a longer period but always only for the time required for the processing purpose.
  • The personal data of customer contact persons and other contacts is generally stored in the customer management system for five (5) years from the last activity involving the data subject.
  • Information related to customer service and customer contacts as well as business development, internal forecasting, reporting and monitoring is generally stored for at least ten (10) years from the last activity involving the data subject or the organisation that he or she represents.
  • Information related to the sales ledger, invoicing, collection of debts and other receivables, accounting, auditing and taxation is retained for at least fifteen (15) years from the last activity involving the data subject or the organisation that he or she represents. Such an activity can be, for example, a project, whereby the retention period is determined from the end time of the project.
  • Information related to contract preparation and contract management and execution is processed at least for twenty (20) years from the termination of the contract and from the last activity involving the data subject or the organisation that he or she represents.

Once confirmed that the information is no longer necessary, the information is anonymised or deleted, unless there is still a lawful basis for processing. The processing period for personal data can be extended within the limits allowed by the data protection regulation and the applicable legislation, for example for the preparation, presentation and defence of a legal claim.
 

11. Principles for protection of the register

Personal data is protected against unauthorized processing and access by appropriate technical and organisational measures. Security measures are system-specific, but these always include limited access rights, access control and information security measures, such as firewalls. In addition, information is protected by physical access management and other physical security arrangements of the premises. At VTT, only the persons who require access in order to perform their work duties may process the personal data described in this privacy notice, and the persons are committed to confidentiality.
 

12. Rights of the data subject

Data subjects have the following data protection rights depending on the applicable lawful basis of the processing. The data subject can exercise these rights by contacting the controller in writing, preferably via e-mail, or in other ways as described below. The data subject is advised to send the e-mail from the address that he or she assumes VTT has stored about him or her. If necessary, VTT can also request additional information or clarification in order to verify identity.

Right to withdraw consent

If the processing is based on consent, the data subject has the right to withdraw his or her consent to the processing of personal data at any time. Consent can be revoked by informing VTT, preferably via email to: [email protected].

Right of access

The data subject has the right to receive a confirmation if personal data concerning him or her is processed and the right to access the personal data accompanied with the information about processing according to the data protection regulation.

Right of rectification

The data subject has the right to have inaccurate and incorrect personal data rectified and incomplete information completed without undue delay.

Right to deletion

The data subject has the right to request the controller to delete personal data concerning him or her within the limits of the data protection regulation.

The data subject can request deletion of his or her personal data, e.g., in the following circumstances: (i) personal data is no longer necessary for the purposes for which they were collected or otherwise processed; (ii) data subject withdraws consent and there is no other lawful basis; (iii) personal data has been processed unlawfully; (iv) controller needs to delete personal data in order to comply with a legal obligation; or (v) data subject objects to processing based on controller’s legitimate interest and the controller does not have other justified reason to continue processing.

Right to restrict processing

The data subject has the right to request restriction on the processing of personal data in the circumstances detailed in the data protection regulation.

The data subject has the right to demand restriction to personal data processing, e.g., in the following circumstances: (i) data subject contests the accuracy of information; (ii) processing is unlawful but data subject opposes deletion of personal data and instead demands restriction of their use; (iii) controller does not require such information for the purposes of processing but the data subject needs them for preparation, presentation or defence of a legal claim; (iv) data subject has already objected to the processing of personal data.

Right to data portability

The data subject has the right to receive personal data concerning him or her that he or she has provided to the controller, and the right to transfer such data to another controller to the extent the processing is based on consent or a contract, and the processing is carried out automatically.

Right to object to processing

When the processing of personal data is based on the controller’s legitimate interest, the person has the right to object to processing of his or her personal data at any time.

Direct marketing: The person may object to the processing of his or her personal data for direct marketing purposes by notifying this objection in writing to VTT, preferably by email to the following address: [email protected].

Profiling: In case the person wishes not to be profiled, the data subject is advised to see the Cookie policy. It is also advised to notify VTT of any objection relating to profiling in writing, preferably by email to the following address: [email protected].

Right to lodge a complaint

The data subject has the right to lodge a complaint with a supervisory authority if the data subject considers that his or her rights under the data protection regulation have been violated. The contact details for the Finnish Data Protection Ombudsman: https://tietosuoja.fi/en/contact-information