Processing of personal data in Sitra’s funding and procurement procedures and other contractual relationships​ 

1 Controller 

The Finnish Innovation Fund, Sitra (business ID 0202132-3).  

Address: Itämerenkatu –11-13, PO Box 160, 00181 Helsinki 
Phone: +358 294 618 991
Email: kirjaamo@sitra.fi 

Data Protection Officer: 

Janika Skaffari 
Administrative Specialist  

2 Purpose of personal data processing 

We process personal data in order to handle funding applications, process funding inquiries, carry out procurement procedures, administer contracts, maintain contractual relations, and pay remuneration or compensation. 

Personal data is not processed by means of automated decision-making.  

3 Legal basis for processing

Personal data is processed primarily on the basis of legitimate interest. 

In the case of a contract between Sitra and a private individual, the personal data of the private individual is processed for the performance of the contract.  

The controller’s legitimate interest is based on the meaningful relationship between the controller and the data subject. The processing ensures the management of financing, procurements, and other agreements, as well as the realisation of the rights of both parties. 

4 Processed personal data 

• name 

• contact details 

• organisation and job title 

• account number and personal identity code where the party is a private individual 

• information related to the procurement procedure, such as a CV and information on the individual’s skills 

• information related to communication and meetings 

• extract from the criminal record, required under procurement legislation 

• technical data stored in connection with the use of the funding portal 

• the personal data processed in connection with strong identification, including the personal identity code of the signatory of the agreement 

5 Source of the personal data 

Personal data is mainly collected from the data subject or the organisation they represent. 

6 Personal data retention period 

Data collected in the register is retained only for as long as necessary and to the extent required in relation to the original or compatible purposes for which the personal data was collected.  

The personal data collected in connection with funding applications and funding inquiries is  retained for two (2) years. 

Personal data processed for the purpose of contract management is processed for as long as necessary for the performance of the contract. 

An extract from the criminal record processed in connection with the procurement procedure is destroyed or returned once the statutory inspection has been carried out. 

The personal identity code collected in connection with strong authentication is retained for thirty (30) days. 

7 Regular disclosure of personal data  

The personal data contained in the register is not regularly disclosed to external parties or organisations. Personal data may be disclosed as part of a request for information based on the Act on the Openness of Government Activities (621/1999). 

8 Transfer of data outside the EU or EEA 

The personal data contained in the register may be transferred outside the EU or EEA. Any such transfer shall comply with the European Commission’s standard clauses or otherwise ensure that the transfer is carried out in accordance with the General Data Protection Regulation.  

9 Data protection principles 

The databases containing personal data are located on servers that are kept in locked, secure facilities and can only be accessed by authorised individuals whose duties require such access. The servers are protected by a  firewall and other appropriate technical safeguards. 

Any physical data material containing personal data is kept in locked, secure facilities and can only be accessed by authorised individuals whose duties require such access, and who process this personal data as part of the performance of their duties. 

The databases and systems can only be accessed with separately issued personal usernames and passwords. Sitra has restricted the access rights and authorisations to data systems and other storage media so that the data can only be accessed and processed by individuals whose duties require it for lawful processing purposes. In addition, the database and system transactions are registered in the logs of Sitra’s IT systems. 

Sitra’s employees and other personnel are bound by a confidentiality obligation and are required to keep confidential any information received in connection with the processing of personal data.  

10 Rights of the data subject 

The data subject has the following rights under the EU General Data Protection Regulation: 

• right to obtain information on the processing of their personal data 

• right of access to their data 

• right to rectification of their data 

• right to erasure of their data 

• right to restrict the processing of their data 

• right to object to the processing of their personal data 

In addition, if personal data is processed for the performance of a contract i.e.  a contract between a private individual and Sitra, the data subject also has the right to request the transfer of their data from one system to another. 

Requests concerning the implementation of the data subject’s rights should be directed to Sitra’s registry by email at kirjaamo@sitra.fi  

The data subject has the right to lodge a complaint with the Office of the Data Protection Ombudsman if they consider that the processing of their personal data infringes the EU General Data Protection Regulation.  

11 Changes to privacy policy 

We reserve the right to update this privacy policy by notifying any changes on our website. The updates may, for example, be based on changes in legislation.