Data Protection Policy

All the personal data we collect is always processed in compliance with the data protection principles specified in data protection legislation.

The data is processed lawfully, fairly and in a transparent manner in relation to the data subject processed confidentially and securely. Only a necessary amount of data is collected and processed for specific, lawful purposes.

Data Protection Description

Version 1.0, date 13.10.2021. This Data Protection Description may be subject to changes from time to time due to i.a. changes of legislation and/or legal interpretations and guidance.

Description of processing

Data is collected for e-mail communications and marketing purposes for Circular Design Innovation Community and Circular Design Network Project.

Controller, data protection officer and contact person

Controller:

Name: VTT Technical Research Centre of Finland Ltd. (”VTT”), Business ID: 2647375-4

Address: Tekniikantie 21, 02150 Espoo, Finland

Data protection officer (DPO): dataprotection@vtt.fi

Contact person concerning the processing:

Name: Tytti Nikunen

Address: VTT Technical Research Centre of Finland Ltd., Tekniikantie 21, 02150 Espoo, Finland

E-mail: tytti.nikunen@vtt.fi

Categories of the personal data

The categories of the personal data are first name, last name, email and company. In addition, topics of interest and consent information may be processed.

The registered persons represent Circular Design Innovation Community’s interest groups, such as representatives of potential and current collaborators, partners and customers of Circular Design Innovation Community.

Purposes of the processing and the legal basis for the processing

The personal data is processed for purposes of communications and marketing, including but not limited to newsletter distribution, event management and webinar arrangements.

The data is being processed on the basis of legitimate interest of the Controller. The legitimate interest is the right to conduct relevant and justified research and innovation activity and there to related communications and marketing to relevant interest groups.

Regular sources of information

Personal data is mainly collected from the data subject. Personal data may also received from collaborators and partners of Smart Otaniemi.

Recipients or categories of recipients of the personal data

The Controller may provide the personal data to third parties who represent the following groups:

  1. Collaborators and partners of Circular Design Innovation Community.
  2. Controller’s services providers concerning Circular Design Innovation Community communication and event management.

The personal data is provided under appropriate contractual arrangements in accordance with requirements of GDPR and applicable legislation.

Transfer of data outside the European Union or the European Economic Area

The personal data is not transferred outside European Union or EEA.

The existence of automated decision-making, including profiling

No automated decision making is made with the personal data.

The period for which the personal data is stored or the criteria used to determine that period

The data is being stored as long as the data subject has a relevant and appropriate relationship to Circular Design Innovation Community.

After this the personal data is either erased or anonymised unless the Controller has other legal basis for processing of such personal data (such as legitimate interest of the data Controller in connection with a legal claim or investigation).

Principles of protection of the register

The data is protected by technical and organizational measures from unauthorized processing and unauthorized access by third parties. Only persons who need access to the personal data for the purpose carrying out tasks related to processing described in this document have access to the personal data, under confidentiality obligations.

Rights of the data subject

The data subject can exercise these rights by contacting the Controller, preferably in writing and by email using an address that is known to the Controller.

The data subjects have the following rights, which may be exempted from in accordance with GDPR and applicable legislation:

Right of access  

The data subjects have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her is being processed and access to his or her personal data and information concerning the processing of his or her personal data.

Right to rectification  

The data subjects have the right to obtain from the Controller rectification of inaccurate personal data concerning him or her. The data subjects have the right to have incomplete personal data completed.

Right to erasure

The data subjects have the right to obtain from the Controller the erasure of personal data concerning him or her if (i) the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) the data subject withdraws consent on which the processing is based and where there is no other legal ground for processing; (iii) the personal data have been unlawfully processed; (iv) the personal data have to be erased for compliance with a legal obligation in Union or Finnish law.

Right to restriction of processing  

The data subjects have the right to obtain from the Controller restriction of processing in cases set forth in GDPR.

Right to data portability  

Where the processing is based on the data subject’s consent and carried out by automated means, the data subjects have the right to receive the personal data concerning him or her, which he or she has provided to the Controller and have the right to transmit those data to another Controller.

Right to object

The data subject’s may object to the processing of personal data, especially in cases processing is carried out on the basis of legitimate interest of the Controller. If the data subject objects to newsletter distribution, this can be made with unsubscribing from the list.

Right to lodge a complaint with a supervisory authority

The data subjects have a right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data breaches the data subject’s rights pursuant to GDPR.

The data subject can exercise these rights by contacting the Controller with information set forth in section 2, preferably in writing and by email.