The Finnish Institute of International Affairs (FIIA) informs data subjects about the processing of their personal data in accordance with Articles 12–14 of the EU General Data Protection Regulation (GDPR). This information is provided through privacy policies that describe, among other things, the purposes of personal data processing, regular disclosures of data, data retention periods, and the rights of the data subjects.
The privacy policies are categorized according to their intended purposes and are published on this page to the extent that they apply to the customers of the Finnish Institute of International Affairs.
Privacy policies will be added as they are completed.
Form and instructions for exercising data subject rights
Download the form in PDF format: Privacy Form
1 Purposes and legal basis for processing personal data
The library customer register of the Finnish Institute of International Affairs (FIIA) is maintained for the following purposes:
Managing library customer information and informing customers about their obligations and services related to their customer relationship. The data system used serves as the library system managing all basic library functions, including acquisitions, cataloging, loans, serials management, customer notifications, and compiling statistics.
The personal data in the above-mentioned sub-registers is processed on the following legal bases:
a) The data subject has given consent for the processing of their personal data for one or more specific purposes; and/or
b) Processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of measures preceding the conclusion of a contract at the data subject’s request.
2 Processed personal data
First and last name, email address, phone number, statistical group, customer group, information about borrowed, returned, and reserved materials.
3 Recipients or categories of recipients of personal data
Interpreted broadly under Article 4.9 of the EU General Data Protection Regulation (GDPR), the data controller may “transfer” or “disclose for processing” (e.g., through a technical interface during maintenance tasks) personal data stored in the FIIA library customer register.
Access to personal data contained in the FIIA library customer register is provided to the system provider (private system provider(s)) as necessary.
Personal data will not be disclosed to third parties for marketing purposes.
4 Transfer of data to third countries
Personal data is not transferred outside the EU or EEA.
5 Data retention period
Personal data collected in the FIIA customer register is retained only as long as necessary and to the extent required for the original or compatible purposes for which the data was collected.
Personal data is retained for the duration of the customer relationship and is deleted upon the customer’s explicit request. After the termination of the customer relationship, customer data is deleted as part of regular data purging processes.
6 Rights of the data subject
The data subject has the right to access the personal data stored in the FIIA library customer register concerning them. The controller must respond to a request to exercise the data subject’s rights within 30 days of receiving the request, as per the GDPR.
A form for exercising data subject rights is available on the FIIA website (https://www.fiia.fi/en/introduction/privacy-policy-2). The form must be completed carefully, printed, and signed. The request can be submitted by delivering the completed and personally signed form to the FIIA Registry, where the data subject must verify their identity when presenting the request. The form includes detailed instructions.
A. Right of access to personal data
The data subject has the right to review the personal data stored in the FIIA library customer register concerning them.
Visiting Address of the FIIA Registry:
Finnish Institute of International Affairs
Arkadiankatu 23 B, 6th floor
00100 Helsinki
Opening Hours (FIIA): Monday–Friday, 9:00–16:00
Requests are centrally directed from the FIIA Registry to the FIIA Data Protection Officer (email: tietosuojavastaava@fiia.fi). The response to a request for access is provided by the Data Protection Officer. For further information about the progress of the request or the content of the response, the Data Protection Officer can be contacted.
The data subject must personally collect the extract of their personal data from the FIIA Registry and verify their identity upon collection.
B. Rights to rectification and restriction of processing
The data subject has the right to request the Finnish Institute of International Affairs, as the data controller, to restrict the processing of personal data if one of the following conditions is met:
- The data subject contests the accuracy of their personal data (right to rectification). Processing is then restricted for a period enabling the controller to verify the accuracy of the data.
- The processing is unlawful, and the data subject opposes the erasure of their personal data and requests restriction of its use instead.
- The controller no longer needs the personal data for processing purposes, but the data subject requires the data to establish, exercise, or defend a legal claim.
C. Rights to erasure
The data subject has the right to have their personal data erased from the FIIA library customer register without undue delay if one of the following applies:
- The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
- The data subject withdraws consent on which the processing is based, and there is no other legal ground for processing.
- The personal data has been processed unlawfully.
- The personal data must be erased to comply with a legal obligation under EU law or national legislation.
D. Right to data portability
This right is not applicable to the FIIA customer registers.
7 Right to object
Under Article 21 of the GDPR, the data subject has the right to object to the processing of their personal data on grounds relating to their particular situation when the processing is based on Article 6(1)(e) of the GDPR (processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller). This includes profiling based on these provisions.
The controller may no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or the data is necessary for the establishment, exercise, or defense of legal claims.
The request to object to the processing of personal data collected in the FIIA library customer register can be made by submitting the request to the FIIA Registry, where the data subject must verify their identity when presenting the request.
8 Right to withdraw consent
The data subject has the right to withdraw their consent for the processing of personal data at any time without affecting the lawfulness of processing based on consent before its withdrawal.
The withdrawal request related to the processing of personal data in the FIIA customer register can be submitted to the FIIA Registry. If required, the data subject must verify their identity upon submission.
9 Right to lodge a complaint with a supervisory authority
The data subject has the right to lodge a complaint with a supervisory authority if they believe that the processing of their personal data violates applicable data protection regulations.
Contact Information for the Data Protection Ombudsman’s Office:
Data Protection Ombudsman’s Office
Visiting address: Lintulahdenkuja 4, 00530 Helsinki
Postal address: PO Box 800, 00531 Helsinki
Switchboard: +358 29 566 6700
Registry: +358 29 566 6768
Email (registry): tietosuoja(at)om.fi
10 Data subject’s right to object
Is the provision of personal data a statutory or contractual demand or is it necessary in order to enter into contract, must the data subject provide personal data, and what are the consequences of not providing personal data (information about where the personal data has been acquired from)?
The processing of personal data in the FIIA library’s customer register in relation to whether the provision of personal data is a statutory or contractual demand or contractual requirement, and whether the data subject is obliged to provide personal data and the consequences of not providing personal data. Personal data have been acquired directly from the data subject and entered in the register with the data subject’s consent.
11 Automated decision-making and profiling
Personal data contained in the FIIA library customer register is not used for automated decision-making or profiling.
Updated: 16 December 2025
This Privacy Policy describes how the Finnish Institute of International Affairs processes personal data to manage communications and stakeholder relations, as well as to organise events.
1. Data Controller
FINNISH INSTITUTE OF INTERNATIONAL AFFAIRS (FIIA)
Address: Arkadiankatu 23 B, FI-00100 Helsinki
Business ID: FI20627214
2. Contact information for data protection matters and for requests from data subjects
As the data subject, please use the following contact details in data-protection-related matters:
Visiting address for the FIIA registry:
Finnish Institute of International Affairs
Arkadiankatu 23 B, 6th floor
00100 Helsinki
Opening hours (Finnish Institute of International Affairs): Monday–Friday 9 a.m.–4 p.m.
Email address for the FIIA registry: kirjaamofiia@fiia.fi
Postal address of the FIIA registry:
Finnish Institute of International Affairs (registry)
P.O. BOX 425
00100 Helsinki
3. Contact information for FIIA’s Data Protection Officer
Email: tietosuojavastaava@fiia.fi
4. Purpose and legal basis for processing personal data
Personal data are processed in the Finnish Institute of International Affairs customer register based on the legitimate interest of the Finnish Institute of International Affairs:
- to manage communication and stakeholder relations
- to organise events
- to conduct feedback surveys
- for statistical and reporting purposes
The Institute’s customer register consists of the following sub-registers, created based on their various purposes of use:
- stakeholder and communication register
- participant registers for third-party funded project events
The purpose of the stakeholder and communication register is to collect and process personal data related to the organisation of events and meetings, as well as to communicate the activities of the Institute. Personal data are used for stakeholder communications such as sending newsletters, bulletins and event invitations, as well as in event reporting.
The purpose of the participant registers of third-party funded project events is to collect personal data about the participants of the Institute’s events when required by the third-party funding provider.
FIIA’s newsletter and event invitations are sent based on consent from the data subject in a situation where the data subject has subscribed to the newsletter or invitations.
Personal data in the Institute’s customer register are not used for automated decision-making or profiling.
5. Processed personal data
The following personal data may be processed in the register:
- Name, contact details (such as email address), language selection, place of residence (country)
- Organisation and job title
- Information related to the implementation, targeting and development of communication. Such information includes, in particular:
  - Information about subscribing to or cancelling FIIA’s newsletter or other communications related to the Institute’s activities
  - The data subject’s communication preferences (e.g. newsletter/event invitations, communication topics and areas)
  - Contact details for communication (e.g. name and email address)
  - Data on communications use, processed as high-level analytics to develop our content (e.g. data regarding the opening of a newsletter and clicking its sections)
- Communication can be targeted by dividing data subjects into groups (segmentation) based on interests (topics, areas), for example. Segmentation is not used for automated decision-making or profiling that would have legal effects on the data subject. The data subject may unsubscribe from the newsletter or other communications to which they have subscribed at any time, as well as from the related segmentation, as described in the Privacy Policy.
- Event attendance and event-specific information for organising them (e.g. dietary requirements), as well as information required for events in third-party funded projects (e.g. RSVP and attendance details such as name, gender, place of residence)
- Photos and videos of events
- Personal data necessary for carrying out feedback surveys, statistics and analytics
- Any other personal data provided by the data subject that are necessary for the purpose of the register
6. Sources of personal data
Personal data are collected from the data subjects themselves, for example, via event invitations, newsletter subscription forms or in connection with event registration. Personal data may also be collected and updated from public and private registers.
7. Storage period of personal data
Personal data collected in the Institute’s customer register are stored only for the period and to the extent necessary for the original or compatible purpose for which the personal data were collected.
Data collected for an event, such as special diets or passport details, are stored only for as long as necessary to carry out that event.
Personal data are deleted from the Institute’s stakeholder and communications register at the explicit request of the data subject or after the contact information has expired, for example.
For third-party funded project events, personal data are deleted 5 years after the end of the research project or at the explicit request of the participant.
8. Disclosure and transfer of personal data outside the EEA
If necessary, personal data may be disclosed to stakeholders involved in the event to enable its organisation. In addition, personal data in the Institute’s participant registers for third-party funded research project events may be disclosed for processing outside the Institute to the project management and funding body for project reporting on a project-by-project basis.
Personal data are not disclosed to third parties for marketing purposes.
The Institute uses the services of third-party service providers to maintain newsletter mailing lists and information, as well as to process the data of event participants, for example. In accordance with the personal data processing agreement, each service provider processes personal data only to the extent necessary for the provision of the service in question.
Personal data such as event attendance lists (e.g. job title, organisation) may be transferred outside the EU/EEA. The level of data protection outside the EEA may be lower than in the EEA. If the country in question does not have an adequacy decision from the European Commission, we apply other appropriate safeguards to ensure the protection of personal data, for example, by applying the European Commission’s standard contractual clauses for the transfer of personal data to third countries (available at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en).
9. Protection of personal data
Databases containing personal data are on servers located in locked premises. Only designated persons have access to the servers. The servers are protected by appropriate technical protection.
Any physical materials containing personal data are stored in locked premises, which can only be accessed by persons designated and authorised to do so because of their duties. Databases and systems can only be accessed with separately granted personal user IDs.
FIIA’s employees and other persons have undertaken to observe a duty of confidentiality and to keep the information they receive in connection with the processing of personal data confidential. The processing of personal data is permitted only for selected and limited individuals who, due to their duties, need to process data on behalf of FIIA in connection with the organisation of the event.
10. Rights of the data subject in relation to the processing of personal data
A request regarding the rights of the data subject, such as a data review request, can be made through the following channels: at the registry of the Finnish Institute of International Affairs, by post or by email. Section 2 of the Privacy Policy contains more detailed contact information. In addition, the data subject can update their details and interests related to newsletter and invitation subscriptions, or cancel those subscriptions, by using the link in the newsletter.
The data subject can use the form on the website of the Finnish Institute of International Affairs (fiia.fi/en/privacy-statements) to file a request regarding the use of their personal data and submit the form to the registry of the Finnish Institute of International Affairs. If necessary, we may ask the data subject to clarify the request. For security reasons, we need to verify the identity of the requester before processing the request. If necessary, we may ask for additional information or ask the data subject to verify their identity with an identity document, for example.
The data subject has the following rights related to the processing of personal data in accordance with the EU General Data Protection Regulation:
Right to be informed about the processing of their personal data and to inspect their personal data
The data subject has the right to inspect the data concerning them and to receive information about the processing of their personal data. By describing our privacy practices and having privacy policies, we aim to provide a comprehensive picture of the processing of personal data in our operations. In addition, the data subject has the right to ask further questions about the processing of their personal data.
Right to rectification of personal data
If the personal data concerning the data subject are inaccurate, the data subject has the right to demand rectification of the inaccurate data. If we rectify a data subject’s personal data at their request, in accordance with the General Data Protection Regulation, we will also inform all parties to whom incorrect data have previously been disclosed of the rectification if possible.
Right to erasure of personal data
For example, the data subject may request the erasure of their personal data in accordance with the General Data Protection Regulation if the data have been used illegally or are no longer needed. However, there is no right to erasure if the processing of data is based on law or the data are needed for the establishment, exercise or defence of a legal claim, for example. The data controller may refuse to carry out the erasure of data on grounds prescribed by law.
Right to withdraw consent and to prohibit direct marketing
The data subject may withdraw their consent at any time to electronic direct marketing and other purposes by notifying us of the withdrawal by email, post or at the registry (more detailed contact information is provided in section 2 of the Privacy Policy). Withdrawal of consent does not affect the lawfulness of data processing carried out before the withdrawal.
The data subject may also cancel the newsletter or other communication from FIIA, for example, event invitations, to which the data subject has subscribed by using the link in the newsletter or event invitation.
Right to object to the processing of personal data
For specific reasons related to the personal situation of the data subject, the data subject also has the right to object to processing activities concerning the personal data of the data subject, where the processing of personal data is based on a legitimate interest, the performance of a task carried out in the public interest or the exercise of official authority vested in the controller. In connection with the request, the data subject must specify the particular situation based on which they object to the processing. In this case, the controller shall no longer process the personal data of the data subject unless they have compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims. The data controller may refuse to carry out the request for objection on grounds prescribed by law. Direct marketing can always be cancelled without justification.
Right to restriction of processing of personal data
If the data subject considers that the controller processes the personal data of the data subject unlawfully, that the data are incorrect, or that they have objected to the processing of their data, they may request that the processing of their personal data be restricted in accordance with the General Data Protection Regulation. In this case, the controller may process the data only in limited situations, such as with the consent of the data subject; for the establishment, exercise or defence of legal claims; for the public interest; or for the protection of another person. In the event of a restriction to the processing of the data, the controller shall, in accordance with the law, inform all parties to whom the data have previously been disclosed of the restriction where possible.
Right to transfer personal data to another controller
The data subject has the right to receive the personal data provided to the controller in a structured, commonly used and machine-readable format, as well as the right to transfer such data to another controller if technically possible. The request may only be directed at personal data that are processed automatically and the processing of which is based either on the consent of the data subject or a contract. The transfer of data must not adversely affect the rights and freedoms of third parties.
Right to lodge a complaint with a supervisory authority regarding the processing of personal data
The data subject has the right to lodge a complaint with the competent supervisory authority, in particular in the EU Member State where the data subject has their habitual residence or place of work, or where the alleged infringement has occurred, if the data subject considers that the processing of personal data concerning them infringes data protection law. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman (P.O. Box 800, FI-00531 Helsinki, email: tietosuoja@om.fi). The Office of the Data Protection Ombudsman will also provide you with more information about issues related to the processing of personal data and your rights.
11. Changes to the Privacy Policy
We are developing our operations and privacy practices, and reserve the right to update this Privacy Policy. Where required by applicable law, we may contact the data subject to inform them of changes or updates that have a material impact on the data subject.
1 The purpose of processing personal data and legal basis of the processing
The purpose of the archival register is to store and maintain permanently stored documents and other archival materials that are valuable for historical and research-related reasons.
The purpose of the registry’s diary register is to monitor the processing of the Institute’s matters throughout the entire process with the help of an administrative diary. A document’s arrival time can be indicated with the help of the registration, which ensures the customer’s legal protection. The registration is based on Section 18 of the Finnish Act on the Openness of Government Activities (621/1999), Sections 5 and 6 of the Finnish Decree on the Openness of Government Activities and on Good Practice in Information Management (1030/1999), as well as on the Finnish Archival Act (831/1994) and provisions and stipulations set on the basis of the act.
2 Processed personal data
The following personal data are stored in the Institute’s archive and diary register:
– Basic data of the case/document: diary number, arrival data, date of the letter, due date, sender/receiver, received/sent, sender’s diary number, description of the case, search words, document language, processor, reference diary number, intermediate measures (document type, sender/receiver, date of intermediate measure, arrival date, due date, measure), the case’s resolution information (decision-maker, number and paragraph of the record, resolution date), final measure, date of final measure, and storage period for documents.
3 Recipients or recipient groups of the data
According to a broad interpretation of article 4(9) of the EU General Data Protection Regulation, the controller can “transmit” or “disclose for processing” (e.g., maintenance carried out with a technical interface) personal data stored in the Institute’s customer registers.
Access to personal data in the Institute’s customer registers is granted, where necessary, to the system provider (private system provider(s)).
Personal data are not disclosed to third parties for marketing purposes.
4 Transferring data to third countries
Data are not transferred outside the EU or EEA.
5 Storage period of the personal data
Documents in the Institute’s archive and diary register are stored according to the storage periods in Section 8 of the Finnish Archival Act (831/1994), after which the documents will be removed.
6 Rights of the data subject
The data subject has the right to verify which data about them have possibly been stored in the Institute’s archive and diary register. According to the General Data Protection Regulation, the controller must respond to the data subject’s request to execute their rights within 30 days of receiving the request.
The Institute’s website has a form (https://www.fiia.fi/instituutti/tietosuoja) for the purpose of executing the data subject’s rights. Carefully complete the applicable sections of the form, print it, and sign it. The request can be made by submitting the carefully completed and personally signed form to the Institute’s registry, where the data subject must verify their identity in connection with making the request. The form includes more detailed instructions.
A. Right of access to personal data
The data subject has the right to verify which data about them have been stored in the Institute’s customer register.
FIIA library’s visiting address:
Finnish Institute of International Affairs
Arkadiankatu 23 B, 6th floor
00100 Helsinki
Opening hours (Finnish Institute of International Affairs): Monday–Friday 9 a.m.–4 p.m.
The Institute’s registry directs the request in a centralised manner to the Institute’s data protection officer (email: tietosuojavastaava@fiia.fi). The Institute’s data protection officer answers the right of access request. If necessary, you can request more information about the progress of the request or the contents of the response from the data protection officer.
The data subject must collect the personal data extract in person from the Institute’s registry, where the data subject must also verify their identity.
B. Right to have data rectified and restrict processing
The data subject shall have the right to obtain from the controller (the Institute) the restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject (right to have data rectified), for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
C. Right to erasure
The data subject shall have the right to obtain from the controller the erasure of personal data concerning them from the Institute’s customer register without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
- the personal data have been unlawfully processed; or
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
D. Right to data portability
Does not apply to the Institute’s archive and diary registers.
7 Data subject’s right to object
According to Article 21 of the EU General Data Protection Regulation, the data subject shall have the right to object, on grounds relating to their particular situation, to the processing of personal data concerning them which is based on point (e) of Article 6(1) (processing is necessary for the performance of a task carried out for reasons of public interest or in the exercise of official authority vested in the controller), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
The request to object to the processing of personal data collected in the Institute’s archive and diary registers can be made by submitting a request to the Institute’s registry, where the data subject must also verify their identity in connection with making the request.
8 Right to withdraw consent
The data subject shall have the right to withdraw their consent for the processing at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
The request to withdraw the consent related to the processing of personal data collected in the Institute’s customer register (request to withdraw consent) can be made by submitting a request to the Institute’s registry by email: kirjaamo@fiia.fi.
Removal from the subscription register for Ulkopolitiikka occurs according to section 8.
9 Right to lodge a complaint with a supervisory authority
The data subject shall have the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to them infringes data protection regulations.
Data Protection Ombudsman office, contact details:
Office of the Data Protection Ombudsman
Street address: Lintulahdenkuja 4, 00530 Helsinki
Postal address: PL 800, 00531 Helsinki, Finland
Switchboard: +358 29 566 6700
Registry: +358 29 566 6768
E-mail (registry): tietosuoja(at)om.fi
10 Is the provision of personal data a statutory or contractual demand or is it necessary in order to enter into contract, must the data subject provide personal data and what are the consequences of not providing personal data (information about where the personal data has been acquired from)?
The processing of personal data in the Institute’s archive and diary registers in relation to whether the provision of personal data is a statutory or contractual demand or contractual requirement, and whether the data subject is obliged to provide personal data and the consequences of not providing personal data.
Archive and diary registers:
- data are acquired from documents
11 Automated decision-making and profiling
Personal data in the Institute’s archive and diary registers are not used for automated decision-making or profiling.