Privacy Policy
A DESCRIPTION OF PERSONAL DATA PROCESSING ACTIVITIES BY THE PAAVO NURMI FOUNDATION UNDER THE EU GENERAL DATA PROTECTION REGULATION
1. CONTROLLER AND ITS REPRESENTATIVE
Paavo Nurmi Foundation acts as the controller as intended by the legislation governing the processing of personal data and data protection. The Foundation’s address is P.O. Box 330, 00121 Helsinki, Finland. Petri Manninen, petri.manninen@paavonurmensaatio.fi tel. +358 (0)41 461 7090, acts as the representative and Data Protection Officer of the controller.
2. PURPOSE OF PROCESSING
Paavo Nurmi Foundation processes personal data stored in the register in order to perform its statutory mission, which is to support scientific research on cardiovascular diseases and general work intended to promote national health. The Foundation is committed to compliance with the existing legislation concerning the processing personal data and data protection in its activities. The Foundation does not process delicate personal data. Automated decision-making or profiling is not utilized in processing register data.
3. DESCRIPTION OF REGISTER CATEGORIES AND DATA SUBJECT RIGHTS
Paavo Nurmi Foundation collects and processes personal data within the following personal data registers:
a. Grant system (grant applicants and recipients, awardees)
For grant applicants and recipients, the collection of register data is based on a legitimate interest: without the collection of data, the acceptance and processing of grant applications or the payment and monitoring of grants would not be possible. The data pertaining to grant applicants is collected from the application forms. Supplementary information pertaining to grant recipients is collected from the payment applications. The commencement of the grant application process is notified through newspaper advertisements, on the website of the Foundation and in the Aurora funding database.
The following personal data is collected from grant applicants as they submit their application into the grant system: name, year of birth, gender, degree, mailing address, domicile, email address, and telephone number. Furthermore, descriptive information on the contents of the research project is stored into the grant system. The information is used during the processing of applications, at which time the Foundation’s scientific experts and Board members can access said information using their personal passwords.
The applications are reviewed and scored by the scientific experts and chosen Board members. Under the policy of the Foundation, the scores awarded or comments related to applicants will not be disclosed to the grant applicants or any other outside parties. The Board of the Foundation decides on the awarding of grants based on a proposal. The grant applicants receive notice of the grant decisions made by the Foundation via email sent to the email address provided on the application. In addition to the data mentioned above, the following information will be collected from grant recipients and members of their teams as they submit the payment application: Personal Identity Code and bank details.
Once grant decisions have been made, the Foundation is, under certain conditions, obliged to disclose the personal data of grant recipients and the amount of grant awarded to the pension insurance company and the Finnish Tax Administration. The following personal data will be collected to the grant system for recipients of grants awarded by the Foundation: name, Personal Identity Code, degree, mailing address, domicile, email address, telephone number, and bank details.
Information on grant applications under consideration may be disclosed to other Finnish foundations. The foundation also provides information on the funding awarded to the research.fi service maintained by the Ministry of Education and Culture. Grant applications can be used for scientific research purposes.
Once award decisions have been made, the Foundation is, under certain conditions, obliged to disclose the personal data of awardees and the awarded amount to the pension insurance company and the Finnish Tax Administration. The Foundation also maintains a list of the recipients of awards and other recognitions it has issued. The list comprises the names of the recipients and the awarding date.
The names of grant recipients and awardees along with their degrees, research subjects, and the amount of grant or award are published on the website and annual report of the Foundation. This is based on the public interest and transparency: the society has the right to know how foundations use their assets.
b. Elected officials and employees of the Foundation
As regards elected officials and employees, the collection of register data is based on obligations under the Finnish Foundations Act and other legislation as well as a legitimate interest. The data is collected directly from the data subjects. The following information is collected from elected officials and employees: name, title/occupation, Personal Identity Code, mailing address, place of domicile for taxation purposes, bank details, telephone number, and email address. Data in the register is used for reporting on the activities of the Foundation to the Finnish Patent and Registration Office and other authorities as well as for the payment of attendance allowances (elected officials) and wages (employees).
c. Register of related parties
As regards related parties, the collection of register data is based on obligations under the Finnish Foundations Act. Information pertaining to the related parties of an individual covered by the reporting obligation is collected from the Foundation's elected officials and employees. The following information will be collected from persons who are considered related parties of the Foundation: name, date of birth, and the entities and foundations controlled by the person as well as their business IDs. Data stored in the register of related parties is used to investigate the potential allocation of grants awarded by the Foundation or other payments made by the Foundation to related parties of the Foundation.
d. Contact information register (invitations to celebrations, donor representatives, newsletter, etc.)
For the contact information register, the collection of register data is based on the consent of data subjects. The information is collected based on personal submissions. The following information is collected into the contact information register: name, email address, and/or mailing address. Information in the register is used for sending invitations and letters of thanks and the newsletter of the Foundation.
Rights of the data subject concerning a register that contains information pertaining to them:
- right of access to data
- right of review
- right to correction of data
- right to transfer of data
- right to erasure of data
- right to restrict processing
- right to object to processing
- right not to be subject to automated decision-making with significant impact If a data subject wishes to exercise any of their rights mentioned above, they must contact the Data Protection Officer of the Foundation. The contact information can be found at the beginning of this description.
4. PROCESSORS AND USERS OF PERSONAL DATA
a. Grant system (grant applicants and recipients): the representative of the Foundation and the contact persons of Aspicore Oy who is responsible for the technical implementation grant system (mutual agreement) and the contact persons of Newsec Asset Management Oy who is responsible for the financial administration system (agreement). As regards application information, the information is also handled by the scientific experts used by the Foundation and chosen Board members, and by the Board of the Foundation for grant recipients.
b. Elected officials and employees of the Foundation: the representative of the Foundation and financial administration employees and the contact persons of Newsec Asset Management Oy who is responsible for the financial administration system (agreement).
c. Register of related parties: the representative of the Foundation.
d. Contact information register (invitations to celebrations, donor representatives, etc.): the representative of the Foundation and financial administration employees. The Foundation and the employees who access personal data have committed to compliance with existing legislation concerning the processing of personal data and data protection. As regards operators external to the Foundation, the compliance has been ensured through contractual means. The Foundation does not process delicate personal data.
The register data is stored on a secure server, which can only be accessed by persons who require access to said data based on their duties. The Foundation and the employees who access personal data have committed to compliance with existing legislation concerning the processing of personal data and data protection. As regards operators external to the Foundation, the compliance has been ensured through contractual means. The Foundation does not process delicate personal data.
5. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS
Personal data will not be transferred to countries outside of the EU/EEA or to international organizations.
6. PLANNED EXPIRATION PERIODS OF DATA CATEGORIES
a. Grant system information is only stored in an electronic format. In order to facilitate and further develop the grant activities of the controller, store historical information and ensure transparency, and examine the previous grant history of grant applicants, the personal data included in the grant system is stored permanently for awarded grants. Information pertaining to rejected applications will be stored for a maximum of ten years due to the retention of historical data and supervisory reasons.
b. Elected officials and employees of the Foundation: data is stored permanently in order to record historical data pertaining to the Foundation.
c. Register of related parties: data is stored permanently in order to record historical data pertaining to the Foundation.
d. Contact information register: data is stored permanently or until the contact details expire.