Finnish Cultural Foundation's Data Protection Policy

Confirmed by the Board of Trustees, 21 May 2018

Data controller

Finnish Cultural Foundation (Foundation), hereafter the Cultural Foundation
Bulevardi 5 A, 00120 Helsinki
telephone + 358 9 612 810 (switch)
email or

Person responsible for the registers

Susanna Pettersson, CEO
contact information as above

1. Categories of personal data processed

The Cultural Foundation has registers relating to

a. grants
b. partners and communication 
c. donations and bequests.

In addition, the Cultural Foundation maintains a personal data file relating to employment contracts.

2. Legal basis for and purpose of processing personal data

In grants, the basis for processing personal data stored in the register is the data controller’s legitimate interest. With regard to partners, the basis is ordinarily consent, and with regard to donations and testaments the basis for processing is the law. The separate register description for each register is available to data subjects on request, while the register description for employment contracts is available on the Cultural Foundation’s intranet.

3. Regular data sources


The information about applicants, applications and reports of how grants are used stored in the Grants register have been obtained from grant applicants themselves through the Cultural Foundation’s own grant system.

Information about external referees and references are obtained at the applicant’s request from the referees themselves through the Cultural Foundation’s own grant system.

The Cultural Foundation’s designated employees use the grant system to store information relating to the administrative processing of grants, decisions to award grants and payment of grants.


The personal data of the Cultural Foundation’s board members, experts, donors,  prize-winners, participants on courses arranged by the Foundation and the personal data of similar persons have been obtained from the persons themselves. The data of persons from the  Foundation’s fields of interest  have been obtained from the organisations’ websites and other sources in the public domain. Information in the Kirpilä Art Collection customer register has been obtained from the data subjects themselves.

Donors and testators

The information has been obtained from the data subjects themselves.

4. Use of cookies

A cookie is a small file that is sent from a website and stored on the user’s device when visiting a website and which the user’s browser then offers the website each time the user visits the site. The Cultural Foundation uses cookies to monitor traffic on the Foundation’s website and in the grant system operating in conjunction with the website. Cookies are not used for marketing or advertising purposes. Cookies can be disabled or the browser can be set to alert to the use of cookies.

5. Disclosure of personal data

The Cultural Foundation uses the services of third parties to process and store data that may contain personal data. However, these third parties act purely as data processors who have been authorised to process such information solely to the extent required by the services agreed and the Cultural Foundation remains the sole data controller of such data.

Separate written consent is required from the person concerned to allow the transfer of personal data in the Donor and Bequest register to the General Partner Organisation Data register.

During the processing of grant applications, the data controller may exchange the information required with other funding bodies to ensure the total level of funding and to avoid awarding overlapping grants.

Personal data are not transferred to third parties outside of the EU or European Economic Area. The Cultural Foundation might have to transfer certain information to the authorities or those applying the law where this is required by legal provision.

6. Personal data protection

As the data controller, the Cultural Foundation is responsible for the proper protection of the personal data it controls including the technical and organisational protection mechanisms required for that purpose.

The Cultural Foundation has instructed its employees who process personal data on the correct processing of data and on data confidentiality. Care is taken to ensure employees have the requisite expertise and that their competence is maintained. Only individuals designated in advance and whose work so requires have access to data for processing purposes. Each designated user has a personal user ID and password. Personal data are protected against external use and access.

The data network and hardware of the Cultural Foundation and its subcontractors on which the personal data are located are protected by firewalls, passwords and other relevant technical measures. The databases and their backups are stored in locked premises to which there is appropriate access control and limited access.

Manual documents are stored in locked premises to which only the relevant individuals have access.

7. Personal data storage

The Cultural Foundation has specified a separate storage period for each personal data as shown in the register description. In addition, the data processing description specifies how the data are securely destroyed after the storage period.

8. Data subject’s rights

The data subject has the right to have access to the data concerning him or her stored on the Cultural Foundation’s register. This right does not extend to access to evaluations of grant applicants given by experts and referees. In addition, the data subject has the right to have any inaccurate information rectified. Also the data subject has the right at any time to request that his or her data be removed. Where personal data have been given based on consent, the data will be removed immediately. Where data are registered on the basis of a legal obligation or the Cultural Foundation’s legitimate interest, a separate written decision will be made prior to any removal. The data subject has the right to file a complaint to the supervisory authority (Data Protection Ombudsman).

9. Amendments to the Data Protection Policy

When the Cultural Foundation amends this Data Protection Policy, notice of the amendment will be posted on the website at

10. Availability of Data Protection Policy and register descriptions

The Cultural Foundation’s Data Protection Policy is available at the Foundation’s office and on its website at

Descriptions of the following data registers are available on request: Grants, Partners (Here), Donors, Testators, and the Kirpilä Art Collection register. In addition, the personal data register description relating to employment contracts is available on the Cultural Foundation’s intranet.