In accordance with EU General Data Protection Regulation (2016/679, "GDPR"). Version 1.0, dated 23 May 2018.
This information may be subject to changes from time to time due to i.a. technical reasons and/or change of VTT Expert Services services providers, applicable legislation and legal interpretations.
1. Name of the register
VTT Expert Services Ltd Customer contact information
2. Controller, data protection officer and contact person
Name: VTT Expert Services Ltd, Business ID: 2297513-2
Address: Kemistintie 3, 02150 Espoo, Finland
Contact person concerning the register:
Name: Mervi Sevula
Address: VTT Expert Services Ltd, Kemistintie 3, 02150 Espoo, Finland
3. Categories of the personal data
The categories of the personal data contained in the register are:
Contact information, such as:
first name, last name,
The data subjects are natural persons representing VTT Expert Services potential and current customers.
4. Purposes of the processing and the legal basis for the processing
The personal data is primarily processed for the following purposes:
1. Co-operation related to execution of assignments
2. Reporting of the assignment
3. Invoicing of the assignments
4. Collecting assignment related customer feedback
The personal data is processed on the basis of contractual relationship with the data subject created when the contract is signed or in the order of the assignment is made. The legitimate interest of the data controller is the right to conduct well-grounded, justified and legitimate sales, advertising and marketing activities, including profiling in this purpose.
5. Regular sources of information
Contact information and other basic information is collected either from the data subject or from the organization that data subject represents.
6. Recipients or categories of recipients of the personal data
VTT Expert Services may provide third parties with such personal data which is needed by a third party (i) in order to (i) execute the assignment, (ii) report the assigment , (iii) invoice the assignment or (iv) send the customer feedback survey. The personal data may be provided to subcontactors, financial service provider or service provider for customer feedback collection. Each provision of data is done in accordance with requirements of GDPR and applicable legislation.
7. Transfer of data outside the European Union or the European Economic Area
The personal data is not regularly but may exceptionally be transferred outside the EU or EEA if this is necessary to ensure appropriate and cost-effective implementation of the processing purpose, such as in case of technical reasons related to VTT Expert Services service provider. In such cases, the transfer is done in accordance with requirements of GDPR and applicable legislation.
In case of absence of European Commission ("EC") adequacy decisions, EC standard contractual clauses are used as appropriate or suitable safeguards for these data transfers. Whenever EC adequacy decisions are applicable VTT Expert Services may rely on them.
8. The existence of automated decision-making, including profiling
9. The period for which the personal data is stored or the criteria used to determine that period
The personal data is processed as long as it is needed for the purpose of any processing purpose set forth above. In VTT Expert Services marketing system, personal data is mainly processed only until two (2) years have lapsed from the latest other message that the data subject has opened or read. In case of VTT Expert Services newsletter subscription, the personal data is processed as long as the data subject has a valid subscription at VTT expert Services. For other purposes, the data may be processed longer but only to the extent it is necessary for the processing purpose. After this or in case the data subject withdraws his or her relevant consent earlier, the data subject's personal data is either anonymised or deleted unless other applicable legal basis for processing remains.
10. Principles of protection of the register
Personal data is stored in a technically secure location. Physical access to the data is restricted by means of access control and other security measures. Access is also prevented by means of e.g. firewalls and other technical protection measures. At VTT Expert Services, only named persons have the right to process personal data contained in the register. These persons are bound by confidentiality obligations.
11. Rights of the data subject
The data subjects have the following rights that the data subject can always establish by contacting VTT Expert Services in writing, preferably by email, or as detailed below. Some of the rights may be subject to limitations, in accordance with GDPR and applicable legislation.
The data subject is requested to contact VTT Expert Services from an email address which VTT Expert Services presumably has in its register(s). VTT Expert Services may also request further information or documentation in order to verify person's identity.
Right to withdraw consent
The data subjects have the right to withdraw their consent on which the processing is based, by contacting VTT expert Services in writing, preferably by email to the following address: firstname.lastname@example.org.
Right of access
The data subjects have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed and access to his or her personal data and information concerning the processing.
Right to rectification
The data subjects have the right to obtain from the controller rectification of inaccurate personal data concerning him or her, and the right to have incomplete personal data completed.
Right to erasure
The data subjects have the right to obtain from the controller the erasure of personal data concerning him or her, to the extent permitted by law.
Right to restriction of processing
The data subjects have the right to obtain from the controller restriction of processing, as set forth in GPDR.
Right to data portability
Where the processing is based on the data subject's consent or contractual relationship and is carried out by automated means, the data subjects have the right to receive the personal data concerning him or her, which he or she has provided to the controller and have the right to transmit those data to another controller.
Right to object
Where the personal data is processed on the basis of legitimate interest of the controller, the data subjects have the right to object at any time to processing of personal data concerning him or her for such purpose. This may be relevant mainly in the following cases:
Direct marketing: The data subject may object to the processing of his or her personal data for direct marketing purposes by notifying this objection in writing to VTT Expert Services, preferably by email to the following address: email@example.com.
Right to lodge a complaint with a supervisory authority
The data subjects have a right to lodge a complaint with a supervisory authority (Finnish Data Protection Ombudsman) if the data subject considers that the processing of personal data breaches the data subject's rights pursuant to GDPR.