Privacy statement on reporting for the Transparency Register

Personal data processed at VTT due to the reporting requirements of the national Transparency Register

VTT Technical Research Centre of Finland Ltd (“VTT”), business ID: 2647375-4, Tekniikantie 21, 02150 Espoo

Contact details of the data protection officer: 

Address: Data Protection Officer, VTT Technical Research Centre of Finland Ltd, Kirjaamo, Kivimiehentie 3, 02150 Espoo  

Email: [email protected] (data protection officer and information security manager and their substitutes)

Contact details of the contact person responsible for the purpose of processing:
Vice President, International Affairs and Policy, [email protected]

The personal data to be processed are:

First name, last name, organisation, title, email and phone number.

The persons represent the following groups:

Persons working in ministries and Parliament (e.g. civil servants, state secretaries, MPs, special advisers).

The right to process personal data is based on the Transparency Register Act (23.3.2023/430). The purpose of the processing is to keep a record of the persons in Parliament and ministries whom VTT has been in contact with, including related instances of contact, contact methods and topics, so that VTT can report on its lobbying activities twice a year as required by law.

Legal basis for the processing of personal data¹:

Statutory obligation (Article 6(c) of the GDPR)

¹ GDPR Article 6 and Section 4 of the Data Protection Act.

Personal data is obtained from public sources, such as the websites of Parliament and ministries, and directly from individuals themselves.  

VTT has the right to change the service providers used in the processing of personal data, for example in connection with competitive tendering. These will be notified by updating the privacy notice.

Yes. VTT uses cloud service providers whose parent companies are based in the United States. VTT’s data is processed in data centres located in Europe. Data can potentially be transferred outside the EU/EEA, for example when opening a technical service connection.

Personal data is not processed for automated decision-making or profiling.

As a rule, the data is retained for five (5) years from the last activity to which the data subject has joined. After that, the data will then be deleted or anonymised. 

Protection of personal data processed in an information system:

• User ID
• Password
• Registration of access (logging)
• Access control

Protection of personal data in data transfer:

• Data transmission encryption: In certain AI-based (GPT) solutions, personal data is encrypted and subsequently destroyed.

The data subject has the following rights, however, which may be derogated from and/or restricted in accordance with applicable legislation. If the controller cannot identify the data subject, the rights of the data subjects are in principle not applicable unless the data subject provides additional information for identification.² Any restriction and derogation are checked on a case-by-case basis.

The data subject may exercise the above rights by contacting the controller using the contact details specified in item 2, preferably by e-mail.

• right to receive information on the processing of personal data, unless otherwise provided in legislation
• right to access own data
• right to rectify data
• right to restrict the processing of data
• right to not be subject to automated decision-making without legal justification
• This may be achieved by means of legislation which sets out appropriate measures to protect the data subject’s rights and freedoms as well as legitimate interests

Further information on the data subject’s rights:

The data subject’s right to access data

The data subject has the right to obtain confirmation from the controller as to whether personal data concerning them are processed. In addition, the data subject has the right to access personal data concerning themselves and information on the processing of personal data.

Right to rectification

The data subject has the right to have inaccurate and incorrect personal data concerning the data subject rectified and incomplete personal data completed without undue delay.

Right to erasure, so-called “right to be forgotten”

The data subject has the right to have the controller erase personal data concerning the data subject without undue delay.

Right to restriction of processing

In certain situations, the data subject has the right to demand that the controller restrict the processing.

Right to object to the processing

In certain situations, the data subject has the right to object to the processing of personal data concerning them.

Right to lodge a complaint with a supervisory authority

The data subject has the right to lodge a complaint with supervisory authorities if the data subject considers that their rights have been violated in the light of the EU General Data Protection Regulation. Contact details of the Data Protection Ombudsman: https://tietosuoja.fi/en/contact-information