Finnish Cultural Foundation's Data Protection Policy
Person responsible for the registers
Antti Arjava, Secretary General
contact information as above
1. Categories of personal data processed
The Cultural Foundation has registers relating to
b. partners and communication
c. donations and bequests.
In addition, the Cultural Foundation maintains a personal data file relating to employment contracts.
2. Legal basis for and purpose of processing personal data
In grants, the basis for processing personal data stored in the register is the data controller’s legitimate interest. With regard to partners, the basis is ordinarily consent, and with regard to donations and testaments the basis for processing is the law. The separate register description for each register is available to data subjects on request, while the register description for employment contracts is available on the Cultural Foundation’s intranet.
3. Regular data sources
The information about applicants, applications and reports of how grants are used stored in the Grants register have been obtained from grant applicants themselves through the Cultural Foundation’s own grant system.
Information about external referees and references are obtained at the applicant’s request from the referees themselves through the Cultural Foundation’s own grant system.
The Cultural Foundation’s designated employees use the grant system to store information relating to the administrative processing of grants, decisions to award grants and payment of grants.
The personal data of the Cultural Foundation’s board members, experts, donors, prize-winners, participants on courses arranged by the Foundation and the personal data of similar persons have been obtained from the persons themselves. The data of persons from the Foundation’s fields of interest have been obtained from the organisations’ websites and other sources in the public domain. Information in the Kirpilä Art Collection customer register has been obtained from the data subjects themselves.
Donors and testators
The information has been obtained from the data subjects themselves.
5. Disclosure of personal data
The Cultural Foundation uses the services of third parties to process and store data that may contain personal data. However, these third parties act purely as data processors who have been authorised to process such information solely to the extent required by the services agreed and the Cultural Foundation remains the sole data controller of such data.
Separate written consent is required from the person concerned to allow the transfer of personal data in the Donor and Bequest register to the General Partner Organisation Data register.
During the processing of grant applications, the data controller may exchange the information required with other funding bodies to ensure the total level of funding and to avoid awarding overlapping grants.
Personal data are not transferred to third parties outside of the EU or European Economic Area. The Cultural Foundation might have to transfer certain information to the authorities or those applying the law where this is required by legal provision.
6. Personal data protection
As the data controller, the Cultural Foundation is responsible for the proper protection of the personal data it controls including the technical and organisational protection mechanisms required for that purpose.
The Cultural Foundation has instructed its employees who process personal data on the correct processing of data and on data confidentiality. Care is taken to ensure employees have the requisite expertise and that their competence is maintained. Only individuals designated in advance and whose work so requires have access to data for processing purposes. Each designated user has a personal user ID and password. Personal data are protected against external use and access.
The data network and hardware of the Cultural Foundation and its subcontractors on which the personal data are located are protected by firewalls, passwords and other relevant technical measures. The databases and their backups are stored in locked premises to which there is appropriate access control and limited access.
Manual documents are stored in locked premises to which only the relevant individuals have access.
7. Personal data storage
The Cultural Foundation has specified a separate storage period for each personal data as shown in the register description. In addition, the data processing description specifies how the data are securely destroyed after the storage period.
8. Data subject’s rights
The data subject has the right to have access to the data concerning him or her stored on the Cultural Foundation’s register. This right does not extend to access to evaluations of grant applicants given by experts and referees. In addition, the data subject has the right to have any inaccurate information rectified. Also the data subject has the right at any time to request that his or her data be removed. Where personal data have been given based on consent, the data will be removed immediately. Where data are registered on the basis of a legal obligation or the Cultural Foundation’s legitimate interest, a separate written decision will be made prior to any removal. The data subject has the right to file a complaint to the supervisory authority (Data Protection Ombudsman).
9. Amendments to the Data Protection Policy
When the Cultural Foundation amends this Data Protection Policy, notice of the amendment will be posted on the website at skr.fi.
10. Availability of Data Protection Policy and register descriptions
The Cultural Foundation’s Data Protection Policy is available at the Foundation’s office and on its website at skr.fi.
Descriptions of the following data registers are available on request: Grants, Partners (Here), Donors, Testators, and the Kirpilä Art Collection register. In addition, the personal data register description relating to employment contracts is available on the Cultural Foundation’s intranet.