CSC customer register privacy policy

Updated 25.5.2018

1. Registrar 

CSC - Finnish IT Сentre for Science Ltd
P.O. Box 405 (Keilaranta 14)
FI-02101 Espoo
tel. 09 457 2821 (operator)

Business ID: 0920632-0

(hereinafter referred to as "we" or "CSC")

2. Contact person for register-related matters

CSC Service Desk
tel. 09 457 2821 (operator)


Data Protection Officer Marita Pajulahti

3. Name of register

CSC customer register

4. What are the legal bases and purpose for processing personal data?

The basis for processing personal data is CSC's entitlement based on either a customer relationship or other relevant connection, or the requirements for implementing a contract.

The purpose of processing the personal data is to:

  • produce and develop our products and services
  • fulfil our commitments and obligations from contracts or other sources
  • process our customer relationships
  • administering contact information for stakeholder networks, as we have been assigned to
  • organise events
  • analyse the customer's or other data subject's use of services
  • create statistics and reports to meet the needs of the owners, customers and funders
  • carry out direct digital marketing, conducting of opinion and market surveys
  • specify content for the online services of both our company and other organisations
  • fulfil our statutory obligations.

5. What data do we process?

The customer register holds and processes the following personal data of customers or other registered persons:

  • data subject's basic details, such as name*, customer number, user ID and/or other unique identifier, password, gender and language of communication;
  • data subject's contact details, such as email address*, telephone number* and physical address*;
  • professional and research-related information for users of Services for Research, such as home organisation*, department or institution, job title, scientific field*, nationality* and level of education*;
  • information regarding use of Services for Research, such as data subject's project memberships, resource applications and use of resources;
  • any direct marketing blocks or approvals
  • participant data for events and any event-related data, such as dietary restrictions
  • contact person data related to customer relationships, organisations and contracts, such as business IDs and the names and contact details of contact persons, information on previous and current contracts and orders, and other data from customer interactions
  • information about  the use of the services generated by technical systems, such as logs, online identifiers and
  • any other data collected with specific agreement from the data subject.

The personal data marked with an asterisk is data that is required for establishing a contract relationship and/or a customer relationship. Without this necessary personal data, we are unable to provide products and/or services. For specific services, we may collect only some of this necessary data, depending on what data is essential for providing the service. Also, we may only gather some of the optional data, depending on what is needed for improving service quality and user experiences.

6. Where do we get the data from?

We acquire data primarily from the following sources

  • Data provided by the data subject
  • Data obtained through providing and maintaining the service
  • Data provided by the data subject's home organisation

In addition, personal data may be collected and updated – for use in the ways described in this privacy policy – based on data obtained from publicly available sources, authorities or other third parties within the bounds of the applicable legislation. The updating of this kind of data is carried out either manually or using automated methods.

7. To whom do we hand over and transfer the data, and do we transfer the data outside of the EU or EEA?

Upon request, we hand over the personal data for statistical and reporting purposes and for fulfilling our commitments and obligations contained in contracts or other agreements for Ministry of Education and Culture, Finnish institutions of higher education and research funders. 

In addition, personal data will also be disclosed a case-by-case basis also outside the EU/EEA in connection with services provided by third-parties, such as to comply with software license agreements.

We do not transfer personal data outside of the EU/EEA.

8. How do we protect the data and how long do we hold it for?

The only persons authorised to use the systems containing personal data are those employees of our company who have the right to process customer data on the basis of the work they carry out. Each user has their own user ID and password for the systems. The data is collected into databases that are protected by firewalls, passwords and other technical measures. The databases and backups of these databases are located in locked facilities and only previously selected individuals have access to this data.

We store the personal data for as long as it is needed for the purposes for which it was acquired.

We regularly assess the need for storing data, taking into account the applicable legislation. In addition, we take reasonable measures to ensure that the personal data about registered persons stored in the register is not contradictory to the data processing purposes, out-of-date or inaccurate. Where such data is identified, it is either corrected or destroyed without delay.

9. What are your rights as a data subject?

As a data subject, you have the right to inspect the data about yourself that has been saved into the customer register and to demand the correction of inaccurate data or its removal, provided that there is a legal justification for its removal. You also have the right to withdrawal your approval or change it.

As a data subject, you have the right under the General Data Protection Regulation (as of 25.5.2018) to oppose the collection of your data or to request that it be restricted and to make a complaint about the processing of personal data to the supervisory authority.

As a data subject, you also have the right, at any time and without cost, to oppose data-processing, wherever it relates to direct marketing.

10. Who should I contact?

All enquiries and requests regarding this privacy policy should be made in writing or in person to the contact person specified in section two (2).

11. Changes to privacy policy

If we make changes to this policy, we will make these accessible by updating this privacy policy document. If the changes are significant, we may inform people about these changes in some other way, such as by email or by publishing a notification on our webpage. We recommend that you visit our webpage regularly and pay attention to any changes to this privacy policy.