Stakeholder register for Sitra’s Democracy Drinks series of events

1 Controller

The controller of the register is:
The Finnish Innovation Fund Sitra (business ID 0202132-3).

Contact person in matters concerning the register:
Joel Lindqvist
Project Co-ordinator, Digital Power and Democracy

Finnish Innovation Fund Sitra (hereinafter referred to as “Sitra”)
Address: Itämerenkatu 11-13, PO Box 160, FI-00181 Helsinki
Tel: +358 294 618 991

Data Protection Officer:
Janika Skaffari

2 Name of the register

Stakeholder register for Sitra’s Democracy Drinks series of events.

3 Purpose of personal data processing

Sitra processes personal data for the purposes defined in the act on the Finnish Innovation Fund (717/1990) as part of its tasks and objectives as they relate to the Democracy Drinks series of events organised within the democracy and participation theme of the digital power and democracy project and the related newsletter.

Democracy Drinks is a series of events that Sitra organises together with its partners. Events are held approximately once per month and the responsibility for the organisation is rotated among the organisers. All partners may send out invitations to an individual event. Each partner sends out the invitations independently to their own customers and stakeholders without the personal data of the invitees being shared with Sitra or other partners. Sitra will mainly invite to the events parties listed in its stakeholder and marketing register and processes this personal data in accordance with the register’s privacy policy. Parties invited to the Democracy Drinks events are not required to respond to the invitations and, as such, participants’ personal data is not collected or shared between the organising parties.

Recipients of the invitations to the Democracy Drinks events are offered the opportunity to join a Democracy Drinks mailing list maintained by Sitra. A newsletter is sent out at regular intervals and it includes information on future Democracy Drinks and possibly other democracy-related topics. Subscribing to the newsletter is done using a digital platform used by Sitra with a link provided in the invitation. This register comprises the personal data related to the subscription and sending of the newsletter and the data is processed in accordance with this privacy policy.

Sitra will review the personal data identified in section 5 of the privacy policy on the basis of consent. Consent for processing the personal data is requested in connection with subscription to the Democracy Drinks mailing list.

5 Data content of the register (processed personal data categories)

The register includes the following personal data of the data subjects
(a) name and email address (of the data subject);
(b) language used (by the data subject);
(c) Data accrued by the tracking function included in the newsletter service (tracking opens and clicks (by the data subject));
(d) possible organisation and title (of the data subject);
(e) any other information the data subject has offered to store in Sitra’s information system regarding their competencies and professional and other background.

6 Regular data sources

Personal data is collected from the data subject in connection with subscription to the newsletter related to the Democracy Drinks series of events.

7 Personal data retention period

The personal data related to the implementation of the newsletter are retained for the duration of the Democracy Drinks series of events.
In other respects, the collected data will only be retained for the duration and to the extent necessary for the original or compatible purposes for which the personal data was compiled.

Sitra regularly assesses the necessity of data retention through its internal code of conduct. In addition, Sitra shall perform all possible and required measures to ensure that such personal data that are inaccurate, erroneous or outdated for the purposes of processing are deleted or corrected without delay.

8 Recipients of personal data (recipient categories) and the regular disclosure of data

Personal data from the register are disclosed to Sitra’s subcontractors, which process the personal data Sitra’s behalf in order to produce the service comprising the subscription and implementation of the newsletter.
Outside of this, personal data contained in the register is not disclosed to third parties.

9 Transferring data outside of the EU or the EEA

The personal data contained in the register will be transferred outside of the EU or the EEA. When transferring personal data, Sitra will follow the standard contractual clauses approved by the European Commission concerning the transfer of personal data to third countries, implement other appropriate safeguards as necessary, and ensure that the third country guarantees an adequate level of data protection.

10 Register protection principles

Any physical data material containing personal data shall be retained in a locked facility that can only be accessed by appointed persons whose duties require access authority.

The databases containing personal data are on servers which are kept in locked facilities that can only be accessed by appointed persons whose duties require access authority. The servers are protected by an appropriate firewall and technical protection.

The databases and systems can only be accessed with separately granted personal user IDs and passwords. Sitra has restricted the access rights and the authorisations to access the data systems and other mediums in such a way that the data can only be accessed and processed by persons who need to access the data with regard to lawful processing. In addition, the database and system transactions are registered in the logs of Sitra’s IT systems.

Sitra’s employees and other personnel have undertaken to comply with the obligation of secrecy and to keep confidential the information they receive in connection with the personal data processing.

11 Rights of the data subject

The data subject shall have the following rights laid down in the EU’s General Data Protection Regulation:

(a) the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, when that is the case, access to the personal data and the following information:

  1. the purposes of the processing;
  2. the categories of personal data concerned;
  3. the recipients or recipient groups to whom personal data have been disclosed or will be disclosed;
  4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  5. the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  6. the right to lodge a complaint with a supervisory authority;
  7. where the personal data are not collected from the data subject, any available information as to their source; and
  8. performance of automated decision-making and relevant information about the logic of this kind of a processing as well as significance of the said processing and its envisaged consequences for the data subject;

(b) the right to cancel consent at any time without this affecting the lawfulness of the processing performed based on the consent;

(c) the right to demand that the controller rectify without undue delay any inaccurate and erroneous personal data on the data subject and the right to have incomplete personal data completed;

(d) the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the grounds defined in the EU’s General Data Protection Regulation applies;

(e) the right for the controller to restrict the processing in situations defined in the General Data Protection Regulation;

(f) the right to receive the personal data concerning him or her, which the data subject has provided to Sitra, in a structured, commonly-used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, if such processing is based on consent as defined in the regulation and the processing is carried out by automated means;

(g) the right to file a complaint with the supervisory authority if the data subject considers that the processing of the personal data concerning him or her violates the EU’s General Data Protection Regulation.

Requests concerning the realisation of the data subject’s rights shall be addressed to Sitra’s contact person mentioned in Section 1.

12 Amendments to this privacy policy

We reserve the right to amend this privacy policy by communicating such amendments to the data subjects via email. Such amendments may be based on regulatory changes, for example. We recommend that those concerned read the content of this privacy policy regularly.