1 General information

This Privacy Notice contains information required by the EU General Data Protection Regulation (herein-after the General Data Protection Regulation) and the national data protection law for a data subject, such as for the controller’s customer, employees and for the supervisory authority.

2 Controller and its contact information

OP Research Foundation sr
Postal address: P.O. BOX 308, 00101 HELSINKI
Street address: Gebhardinaukio 1, 00510 HELSINKI
Controller’s contact person: Mirja Laine
Telephone: +358 (0)40 760 9183
Email address: mirja.laine@op.fi

3 Data Protection Officer’s contact information

OP Financial Group’s Data Protection Officer
OP Financial Group
Postal address: P.O. Box 308, 00013 OP
Email: dataprotection@op.fi

4 Name of the personal data file and data subjects

OP Research Foundation´s data file for grants

Data subjects in the data file include grant applicants and grantees of OP Research Foundation as well as the referees of applicants.

5 Purposes of personal data processing and legal basis for processing

5.1 Purposes of processing

OP Research Foundation distributes grants. Applying for and giving grants require the processing of personal data of grant applicants and grantees and the referees of the grant applicants. OP Research Foundation is the controller which process data included in the data file to prepare grant applications for decisionmaking of the Foundation’s Board of Directors, to give grants based on the decision by the Board of Directors as well as for payout of grants and related monitoring, and to send statutory notifications to the authorities. Below you can find more detailed information on how personal data is used in the data file.

The purposes of personal data use include:

– processing grant applications and payout of grants, including communication related to grants
– production and delivery of grant application services, and development and quality assurance of grant services
– fulfilling statutory obligations and any other official rules and regulations
– ensuring the security of services and investigating abuses

5.2 Legal bases of processing

The table below describes the legal bases of processing personal data used by the data file and provides examples of processing performed on each basis.

Legal basis
Contractual relationship or actions pre-ceding the conclusion of a contract

Example
The controller processes data subject’s personal data in the data file based mainly on an agreement relating to applying for, giving and paying the grant as well as sending notifications to an authority.

Legal basis
Statutory obligation

Example
The controller, or the grantor, notifies the tax office of the grant electronically and Farmers’ Social Insurance Institution Mela of giving the grant.
In respect of payment of the grant, the controller provides payee details accompanied by tax information.
For Farmers’ Social Insurance Institution Mela, the controller notifies of detailed information related to the grantee and the grant.

Legal Basis
Legitimate interest

Example
The controller processes data on staff and referees based on the Foundation’s legitimate interest. Likewise, the names of grantees are published by the Foundation based on the Foundation’s legitimate interest.

6 Categories of personal data

Category of personal data
Basic information Name

Data content of the category
Date of birth
Contact details, or street address, email address and telephone number
Degree

Category of personal data
Applicant details

Data content of the category
Applicant number of grant applicant and grantee
Information pertaining to research

Category of personal data
Referees

Data content of the category
Name
Email address

Category of personal data
Agreement information

Data content of the category
The controller’s and grantees’ agreement information

Category of personal data
Event information related to grant applications

Data content of the category
Tasks and events related to managing grant applications: applying for a grant, giving a grant, paying a grant, monitoring payout and sending grant notifications to the authority.

The controller saves to the data file the information provided in the grant application and information related to the payout of given grants (bank account details, personal ID code, grant amount, payout date, document number and description).

The personal ID code is registered for the purpose of sending the supervision material of the Tax Administration and for sending material to the Farmers’ Social Insurance Institution Mela.

7  Recipients and recipient groups of personal data

7.1 Data recipients

Personal data may be disclosed to authorities, such as the Finnish Tax Administration and the Farmers’ Social Insurance Institution Mela, only within the limits permitted by law. The controller notifies the Tax Administration of detailed information on the grantee and the grant as annual notifications and the Farmers’ Social Insurance Institution Mela in accordance with §141 b of the Farmers’ Pensions Act.

7.2 Transfer of data to suppliers

The controller uses suppliers which process personal data for its account. The controller concludes appropriate agreements on personal data processing with such suppliers.

7.3 International transfers of data

As a rule, the controller does not transfer data in this data file outside of the EU / EEA.

8 Personal data retention period or criteria for determining the period

Grantees
The controller will process the grantees’ personal data as long as the research project lasts and retain the data for at least ten years after the end of the grant payout. Thereafter, the controller will erase or anonymise the data in accordance with the erasure processes it follows.

Grant applicants
Unless a grant is given, the controller will process the personal data of grant applicants and their referees for no more than one year from the date when the data subject filed his/her grant application with the Foundation.

9 Personal data sources and updates

Personal data is collected from grant applicants or grantees as well as from the referees indicated by the applicant.

10 Data subject’s rights

Data subjects have the right to receive the controller’s confirmation of whether their personal data will be processed or not, or whether they have already been processed.

If the controller processes a data subject’s personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.

The controller may charge a reasonable administrative fee for additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.

The data subject also has the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes.

After the application of the General Data Protection Regulation has begun, the data subject will, in certain cases, also have the right to request the controller to restrict the processing of their personal data or to otherwise oppose the processing. In addition, under the General Data Protection Regulation, the data subject may request that the data they have provided themselves be transferred in machinereadable format.

All of the above requests must be submitted to the abovementioned contact person of the controller.

If a data subject considers that his/her personal data is not processed legally, he/she has the right to file a complaint with the supervisory authority.

11 Protection methods regarding the data file

The controller processes personal data securely and in a manner fulfilling the requirements of applicable laws. It has carefully assessed the risks that may be associated with the processing and taken the necessary measures to manage these risks.

The controller has protected the data appropriately in technical and organisational terms. The data file is protected using, for example, the following tools:

– Protection of equipment and files
– User identity verification
– Access rights
– Registration of usage events
– Processing guidelines and supervision

The controller also requires that its suppliers and other partners ensure appropriate protection of the personal data to be processed.