Stakeholder register privacy policy

Updated: 15.6.2018

1. Registrar

CSC – Finnish IT Сenter for Science Ltd
P.O. Box 405 (Keilaranta 14)
FI-02101 Espoo
tel. +358 9 457 2821 (operator)

Business ID: 0920632-0

(hereinafter referred to as "we" or "CSC")

2. Contact person for register-related matters

Minna Lappalainen
tel. +358 9 457 2821 (exchange)


Data Protection Officer Marita Pajulahti

3. Name of register

CSC stakeholder register

4. What are the legal bases and purpose for processing personal data?

The basis for processing personal data is CSC's legimate interest based on a customer relationship, supplier relationship, cooperation relationship or other relevant connection.

The purpose of processing the personal data is to:

  • produce and develop our products and services
  • fulfil our contractual and other commitments and obligations
  • manage our customer relationships
  • administrate the contact details of stakeholder networks assigned to us
  • organise events
  • analyse the customer's or other data subject's use of services 
  • create statistics and reports to meet the needs of the owners, customers and funders
  • carry out advertising and marketing
  • carry out electronic direct marketing as well as opinion polls and market surveys, and
  • target content at stakeholders on the company's electronic channels.

A data subject has the right to block direct marketing targeted at him or her.

5. What data do we process?

We process the following personal data of customers or other data subjects in the stakeholder register:

  • data subject's basic details such as name*, customer number, and/or other unique identifier;
  • data subject's contact details such as email address*, telephone number* and physical address*;
  • professional and research-related information about users of CSC's services such as home organisation*, department or institution, job title, scientific field*, nationality* and the data subject's role as a member of his/her organisation*;
  • information about the data subject as a CSC customer or other stakeholder such as the stakeholder the data subject represents, the data subject's stakeholder history, and information related to billing and collection;
  • any direct marketing blocks or approvals
  • participant data for events and customer trainings and any event-related data such as dietary restrictions
  • contact person data related to customer relationships, organisations and contracts, such as business IDs and the names and contact details of contact persons; information on previous and current contracts and orders; and other data on customer interactions
  • service use data generated by technical systems such as log data, online identifier data, source address of network traffic, website use, session duration, IP address and customer information derived from these data, more detailed analyses of the data, and
  • any other data collected subject to the data subject's specific consent.

The personal data marked with an asterisk is data required for establishing a contractual relationship and/or a customer relationship. Without this necessary personal data, we are unable to provide products and/or services. For specific services, we may collect only some of this data, depending on what data is a) essential for providing the service, or b) in the case of optional data, needed for improving service quality and user experiences.

6. Where do we get the data from?

We acquire data primarily from the following sources:

  • data provided by the data subject
  • data obtained through providing and maintaining the service, and
  • data provided by the data subject's home organisation.

In addition, personal data may be collected and updated – for use in the ways described in this privacy policy – based on data obtained from publicly available sources, authorities or other third parties within the bounds of the applicable legislation. The updating of this kind of data is carried out either manually or using automated methods.

7. To whom do we hand over the data? Do we transfer the data to outside the EU or EEA area?

Your personal data will not be handed over.

We also use companies located in countries outside the European Union or European Economic Area, including the United States, to process your personal data. These companies process personal data to, for example, offer infrastructure and IT services, communication technology services or other services. In these cases, the EU-U.S. Privacy Shield arrangement will be applied to ensure adequate data security and register processing, or a contract consisting of standard clauses approved by the European Commission will be in place.

As the stakeholder relationship ends, the person's data will be removed from the register as soon as processing it becomes unnecessary.

8. How do we protect the data and how long do we hold it for?

The only persons authorised to use the systems containing personal data are those employees of our company who have the right to process personal data on the basis of the work they carry out. Each user has their own user ID and password for the systems.

We store the personal data for as long as it is needed for the purposes for which it was acquired.

We regularly assess the need for storing data, taking into account the applicable legislation. In addition, we take reasonable measures to ensure that the personal data on data subjects stored in the register is not contradictory to the data processing purposes, out of date or inaccurate. Where such data is identified, it is either corrected or destroyed without delay.

9. What are your rights as a data subject?

As a data subject, you have the right to inspect the data about yourself that has been saved to the stakeholder register and to demand the correction of inaccurate data or its removal, provided that there is a legal justification for its removal. You also have the right to withdraw your consent or change it.

As a data subject, you have the right under the General Data Protection Regulation (as of May 25, 2018) to object to the collection of your data or to request that it be restricted and to make a complaint about the processing of personal data to the supervisory authority.

As a data subject, you also have the right, at any time and without cost, to object to data processing, wherever it relates to direct marketing.

10. Who should I contact?

All enquiries and requests regarding this privacy policy should be made in writing or in person to the contact person specified in section two (2).

11. How do we use cookies on our website?

Under the Information Society Code (917/2014), cookies are used on this website without violating the service user's protection of privacy.

Cookies are used to collect metrics and for research purposes in order to study the type and volume of use. Cookies are not used to link website visitors to personal data or contact details. Cookies are not used to examine or copy the user's terminal equipment data.

Data collected by cookies include:

  • visits to the site
  • browsers used
  • time and duration of visits

Our website uses Google Analytics cookies. The data collected by these cookies is transferred to and saved on Google servers, some of which may be located outside the EU.

Should they wish, users can disable cookies in their browser settings, but this may interfere with site function and is not recommended.

12. Changes to privacy policy

If we make changes to this policy, we will display the changes in this privacy policy document, including the dates on which they were made. If the changes are significant, we may inform people about these changes in some other way, such as by email or by publishing a notification on our website. We recommend that you visit our website regularly and pay attention to any changes to this privacy policy.