The Finnish Institute of International Affairs (FIIA) informs data subjects about the processing of their personal data in accordance with Articles 12–14 of the EU General Data Protection Regulation (GDPR). This information is provided through privacy policies that describe, among other things, the purposes of personal data processing, regular disclosures of data, data retention periods, and the rights of the data subjects.
The privacy policies are categorized according to their intended purposes and are published on this page to the extent that they apply to the customers of the Finnish Institute of International Affairs.
Privacy policies will be added as they are completed.
Form and instructions for exercising data subject rights
Download the form in PDF format: Privacy Form
1 Purposes and legal basis for processing personal data
The library customer register of the Finnish Institute of International Affairs (FIIA) is maintained for the following purposes:
Managing library customer information and informing customers about their obligations and services related to their customer relationship. The data system used serves as the library system managing all basic library functions, including acquisitions, cataloging, loans, serials management, customer notifications, and compiling statistics.
The personal data in the above-mentioned sub-registers is processed on the following legal bases:
a) The data subject has given consent for the processing of their personal data for one or more specific purposes; and/or
b) Processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of measures preceding the conclusion of a contract at the data subject’s request.
2 Processed personal data
First and last name, email address, phone number, statistical group, customer group, information about borrowed, returned, and reserved materials.
3 Recipients or categories of recipients of personal data
Interpreted broadly under Article 4.9 of the EU General Data Protection Regulation (GDPR), the data controller may “transfer” or “disclose for processing” (e.g., through a technical interface during maintenance tasks) personal data stored in the FIIA library customer register.
Access to personal data contained in the FIIA library customer register is provided to the system provider (private system provider(s)) as necessary.
Personal data will not be disclosed to third parties for marketing purposes.
4 Transfer of data to third countries
Personal data is not transferred outside the EU or EEA.
5 Data retention period
Personal data collected in the FIIA customer register is retained only as long as necessary and to the extent required for the original or compatible purposes for which the data was collected.
Personal data is retained for the duration of the customer relationship and is deleted upon the customer’s explicit request. After the termination of the customer relationship, customer data is deleted as part of regular data purging processes.
6 Rights of the data subject
The data subject has the right to access the personal data stored in the FIIA library customer register concerning them. The controller must respond to a request to exercise the data subject’s rights within 30 days of receiving the request, as per the GDPR.
A form for exercising data subject rights is available on the FIIA website (https://www.fiia.fi/en/introduction/privacy-policy-2). The form must be completed carefully, printed, and signed. The request can be submitted by delivering the completed and personally signed form to the FIIA Registry, where the data subject must verify their identity when presenting the request. The form includes detailed instructions.
A. Right of access to personal data
The data subject has the right to review the personal data stored in the FIIA library customer register concerning them.
Visiting Address of the FIIA Registry:
Finnish Institute of International Affairs
Arkadiankatu 23 B, 6th floor
00100 Helsinki
Opening Hours (FIIA): Monday–Friday, 9:00–16:00
Requests are centrally directed from the FIIA Registry to the FIIA Data Protection Officer (email: tietosuojavastaava@fiia.fi). The response to a request for access is provided by the Data Protection Officer. For further information about the progress of the request or the content of the response, the Data Protection Officer can be contacted.
The data subject must personally collect the extract of their personal data from the FIIA Registry and verify their identity upon collection.
B. Rights to rectification and restriction of processing
The data subject has the right to request the Finnish Institute of International Affairs, as the data controller, to restrict the processing of personal data if one of the following conditions is met:
- The data subject contests the accuracy of their personal data (right to rectification). Processing is then restricted for a period enabling the controller to verify the accuracy of the data.
- The processing is unlawful, and the data subject opposes the erasure of their personal data and requests restriction of its use instead.
- The controller no longer needs the personal data for processing purposes, but the data subject requires the data to establish, exercise, or defend a legal claim.
C. Rights to erasure
The data subject has the right to have their personal data erased from the FIIA library customer register without undue delay if one of the following applies:
- The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
- The data subject withdraws consent on which the processing is based, and there is no other legal ground for processing.
- The personal data has been processed unlawfully.
- The personal data must be erased to comply with a legal obligation under EU law or national legislation.
D. Right to data portability
This right is not applicable to the FIIA customer registers.
7 Right to object
Under Article 21 of the GDPR, the data subject has the right to object to the processing of their personal data on grounds relating to their particular situation when the processing is based on Article 6(1)(e) of the GDPR (processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller). This includes profiling based on these provisions.
The controller may no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or the data is necessary for the establishment, exercise, or defense of legal claims.
The request to object to the processing of personal data collected in the FIIA library customer register can be made by submitting the request to the FIIA Registry, where the data subject must verify their identity when presenting the request.
8. Right to withdraw consent
The data subject has the right to withdraw their consent for the processing of personal data at any time without affecting the lawfulness of processing based on consent before its withdrawal.
The withdrawal request related to the processing of personal data in the FIIA customer register can be submitted to the FIIA Registry. If required, the data subject must verify their identity upon submission.
9 Right to lodge a complaint with a supervisory authority
The data subject has the right to lodge a complaint with a supervisory authority if they believe that the processing of their personal data violates applicable data protection regulations.
Contact Information for the Data Protection Ombudsman’s Office:
Data Protection Ombudsman’s Office
Visiting address: Lintulahdenkuja 4, 00530 Helsinki
Postal address: PO Box 800, 00531 Helsinki
Switchboard: +358 29 566 6700
Registry: +358 29 566 6768
Email (registry): tietosuoja(at)om.fi
10 Data subject’s right to object
Is the provision of personal data a statutory or contractual demand or is it necessary in order to enter into contract, must the data subject provide personal data, and what are the consequences of not providing personal data (information about where the personal data has been acquired from)?
The processing of personal data in the FIIA library’s customer register in relation to whether the provision of personal data is a statutory or contractual demand or contractual requirement, and whether the data subject is obliged to provide personal data and the consequences of not providing personal data. Personal data have been acquired directly from the data subject and entered in the register with the data subject’s consent.
11 Automated decision-making and profiling
Personal data contained in the FIIA library customer register is not used for automated decision-making or profiling.
1 Purpose and legal basis for processing personal data
The Finnish Institute of International Affairs’ customer register consists of the following sub-registers, created on the basis of their various purposes of use:
• Communications register
• Event invitation register
• Register for event participants in externally funded projects
• Subscription register for the Ulkopolitiikka (Finnish Journal of Foreign Affairs) magazine
The purpose of the communications register is to manage customer data and inform customers by using newsletters and publication announcements.
The purpose of the event invitation register is to manage customer data and seminars, send invitations to events, as well as to receive and maintain sign-ups.
The purpose of the register for event participants in externally funded projects is to collect personal data on event participants when required by the external funder.
The purpose of the subscription register for the Ulkopolitiikka magazine is to maintain subscribers’ customer data, post the magazine, grant electronic access rights, and maintain the member register of the UP club.
Personal data in the above sub-registers are processed according to the following legal bases:
1.the data subject has consented to the processing of their personal data for one or more specific purposes, and/or
2. the processing is necessary to implement an agreement to which the data subject is a party or to implement measures that necessitate an agreement as per the data subject’s request.
2 Processed personal data
The following personal data are saved in sub-registers of the Institute’s customer register:
Communications register: name, email, which research topics the customer is interested in
Event invitation register: name, title, organisation, office location, municipality, email, phone number, which research topics the customer interested is in, yes/no for publication announcements, yes/no for newsletters
Register for event participants in externally funded projects: name, signature, country of residence, gender, age.
Subscription register for Ulkopolitiikka: name, address, postal code, municipality, job description, organisation, email, phone number, educational institution, and student ID.
Event photography and video
Please be aware that we may take photographs and video material at our events and we may use these materials on the FIIA website and social media channels (YouTube, Facebook, LinkedIn, Twitter) to enhance awareness of our events. If you are not comfortable with any material published containing your image, you can inform us accordingly and we will refrain from using such image in the future. Please also note that our event recordings may contain mentions of those individuals who have participated in the Q&A session of the event either in person or through the chat.
3 Recipients or categories of recipients of personal data
Interpreted broadly under Article 4.9 of the EU General Data Protection Regulation (GDPR), the data controller may “transfer” or “disclose for processing” (e.g., via a technical interface during maintenance tasks) personal data stored in the customer registers of the Finnish Institute of International Affairs (FIIA).
Access to personal data contained in the customer registers of the Finnish Institute of International Affairs (FIIA) is provided to the system provider (private system provider(s)) when necessary.
Personal data in the participant registers of externally funded research projects at the Finnish Institute of International Affairs (FIIA) may be disclosed on a project-specific basis for processing outside the institute to project management and funding entities for project reporting purposes.
Personal data will not be disclosed to third parties for marketing purposes.
4 Transferring data to third countries
Data are not transferred outside the EU or EEA.
5 Storage period of the personal data
Data collected in the Institute’s customer register are stored only for the period and to the extent necessary for the original or compatible purpose for which the personal data were collected.
Personal data are removed from the Institute’s customer register in the following manner:
Communications register: personal data are removed as per the customer’s explicit request.
Event invitation register: personal data are removed as per the customer’s explicit request.
Register for event participants in externally funded projects: personal data are removed 5 years after the end of the project or as per the customer’s explicit request.
Subscription register for Ulkopolitiikka: personal data are removed six years after the end of the accounting period during which the subscription ended (Finnish Accounting Act, 2015/1620).
6 Rights of the data subject
The data subject has the right to verify which data about them have possibly been stored in the Institute’s customer register. According to the General Data Protection Regulation, the controller must respond to the data subject’s request to execute their rights within 30 days of receiving the request.
The Institute’s website has a form (https://www.fiia.fi/instituutti/tietosuoja) for the purpose of executing the data subject’s rights. Carefully complete the applicable sections of the form, print it, and sign it. The request can be made by submitting the carefully completed and personally signed form to the Institute’s registry, where the data subject must verify their identity in connection with making the request. The form includes more detailed instructions.
A. Right of access to personal data
The data subject has the right to verify which data about them have been stored in the Institute’s customer register.
FIIA library’s visiting address:
Finnish Institute of International Affairs
Arkadiankatu 23 B, 6th floor
00100 Helsinki
Opening hours (Finnish Institute of International Affairs): Monday–Friday 9 a.m.–4 p.m.
The Institute’s registry directs the request in a centralised manner to the Institute’s data protection officer (email: tietosuojavastaava@fiia.fi). The Institute’s data protection officer answers the right of access request. If necessary, you can request more information about the progress of the request or the contents of the response from the data protection officer.
The data subject must collect the personal data extract in person from the Institute’s registry, where the data subject must also verify their identity.
B. Right to have data rectified and restrict processing
The data subject shall have the right to obtain from the controller (the Institute) the restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject (right to have data rectified), for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
C. Rights to erasure
The data subject shall have the right to obtain from the controller the erasure of personal data concerning them from the Institute’s customer register without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
- the personal data have been unlawfully processed; or
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
D. Right to data portability
Does not apply to the Institute’s customer registers.
7 Data subject’s right to object
According to Article 21 in the EU General Data Protection Regulation, the data subject shall have the right to object, on grounds relating to their particular situation, to the processing of personal data concerning them which is based on point (e) of Article 6(1) (processing is necessary for the performance of a task carried out for reasons of public interest or in the exercise of official authority vested in the controller), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
The request to object to the processing of personal data collected in the Institute’s customer register can be made by submitting a request to the Institute’s registry, where the data subject must also verify their identity in connection with making the request.
8 Right to withdraw consent
The data subject shall have the right to withdraw their consent for the processing at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
The request to withdraw the consent related to the processing of personal data collected in the Institute’s customer register (request to withdraw consent) can be made by submitting a request to the Institute’s registry by email: kirjaamo@fiia.fi.
Removal from the subscription register for Ulkopolitiikka occurs according to section 8.
9 Right to lodge a complaint with a supervisory authority
The data subject shall have the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to them infringes data protection regulations.
Data Protection Ombudsman office, contact details:
Office of the Data Protection Ombudsman
Street address: Lintulahdenkuja 4, 00530 Helsinki
Postal address: PL 800, 00531 Helsinki, Finland
Switchboard: +358 29 566 6700
Registry: +358 29 566 6768
E-mail (registry): tietosuoja(at)om.fi
10 Automated decision-making and profiling
Personal data in the Institute’s customer register are not used for automated decision-making or profiling.
1 The purpose of processing personal data and legal basis of the processing
The purpose of the archival register is to store and maintain permanently stored documents and other archival materials that are valuable for historical and research-related reasons.
The purpose of the registry’s diary register is to monitor the processing of the Institute’s matters throughout the entire process with the help of an administrative diary. A document’s arrival time can be indicated with the help of the registration, which ensures the customer’s legal protection. The registration is based on Section 18 of the Finnish Act on the Openness of Government Activities (621/1999), Sections 5 and 6 of the Finnish Decree on the Openness of Government Activities and on Good Practice in Information Management (1030/1999), as well as on the Finnish Archival Act (831/1994) and provisions and stipulations set on the basis of the act.
2 Processed personal data
The following personal data are stored in the Institute’s archive and diary register:
– Basic data of the case/document: diary number, arrival data, date of the letter, due date, sender/receiver, received/sent, sender’s diary number, description of the case, search words, document language, processor, reference diary number, intermediate measures (document type, sender/receiver, date of intermediate measure, arrival date, due date, measure), the case’s resolution information (decision-maker, number and paragraph of the record, resolution date), final measure, date of final measure, and storage period for documents.
3 Recipients or recipient groups of the data
According to a broad interpretation of article 4(9) of the EU General Data Protection Regulation, the controller can “transmit” or “disclose for processing” (e.g., maintenance carried out with a technical interface) personal data stored in the Institute’s customer registers.
Access to personal data in the Institute’s customer registers is granted, where necessary, to the system provider (private system provider(s)).
Personal data are not disclosed to third parties for marketing purposes.
4 Transferring data to third countries
Data are not transferred outside the EU or EEA.
5 Storage period of the personal data
Documents in the Institute’s archive and diary register are stored according to the storage periods in Section 8 of the Finnish Archival Act (831/1994), after which the documents will be removed.
6 Rights of the data subject
The data subject has the right to verify which data about them have possibly been stored in the Institute’s archive and diary register. According to the General Data Protection Regulation, the controller must respond to the data subject’s request to execute their rights within 30 days of receiving the request.
The Institute’s website has a form (https://www.fiia.fi/instituutti/tietosuoja) for the purpose of executing the data subject’s rights. Carefully complete the applicable sections of the form, print it, and sign it. The request can be made by submitting the carefully completed and personally signed form to the Institute’s registry, where the data subject must verify their identity in connection with making the request. The form includes more detailed instructions.
A. Right of access to personal data
The data subject has the right to verify which data about them have been stored in the Institute’s customer register.
FIIA library’s visiting address:
Finnish Institute of International Affairs
Arkadiankatu 23 B, 6th floor
00100 Helsinki
Opening hours (Finnish Institute of International Affairs): Monday–Friday 9 a.m.–4 p.m.
The Institute’s registry directs the request in a centralised manner to the Institute’s data protection officer (email: tietosuojavastaava@fiia.fi). The Institute’s data protection officer answers the right of access request. If necessary, you can request more information about the progress of the request or the contents of the response from the data protection officer.
The data subject must collect the personal data extract in person from the Institute’s registry, where the data subject must also verify their identity.
B. Right to have data rectified and restrict processing
The data subject shall have the right to obtain from the controller (the Institute) the restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject (right to have data rectified), for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
C. Right to erasure
The data subject shall have the right to obtain from the controller the erasure of personal data concerning them from the Institute’s customer register without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
- the personal data have been unlawfully processed; or
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
D. Right to data portability
Does not apply to the Institute’s archive and diary registers.
7 Data subject’s right to object
According to Article 21 in the EU General Data Protection Regulation, the data subject shall have the right to object, on grounds relating to their particular situation, to the processing of personal data concerning them which is based on point (e) of Article 6(1) (processing is necessary for the performance of a task carried out for reasons of public interest or in the exercise of official authority vested in the controller), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
The request to object to the processing of personal data collected in the Institute’s archive and diary registers can be made by submitting a request to the Institute’s registry, where the data subject must also verify their identity in connection with making the request.
8 Right to withdraw consent
The data subject shall have the right to withdraw their consent for the processing at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
The request to withdraw the consent related to the processing of personal data collected in the Institute’s customer register (request to withdraw consent) can be made by submitting a request to the Institute’s registry by email: kirjaamo@fiia.fi.
Removal from the subscription register for Ulkopolitiikka occurs according to section 8.
9 Right to lodge a complaint with a supervisory authority
The data subject shall have the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to them infringes data protection regulations.
Data Protection Ombudsman office, contact details:
Office of the Data Protection Ombudsman
Street address: Lintulahdenkuja 4, 00530 Helsinki
Postal address: PL 800, 00531 Helsinki, Finland
Switchboard: +358 29 566 6700
Registry: +358 29 566 6768
E-mail (registry): tietosuoja(at)om.fi
10 Is the provision of personal data a statutory or contractual demand or is it necessary in order to enter into contract, must the data subject provide personal data and what are the consequences of not providing personal data (information about where the personal data has been acquired from)?
The processing of personal data in the Institute’s archive and diary registers in relation to whether the provision of personal data is a statutory or contractual demand or contractual requirement, and whether the data subject is obliged to provide personal data and the consequences of not providing personal data.
Archive and diary registers:
- data are acquired from documents
11 Automated decision-making and profiling
Personal data in the Institute’s archive and diary registers are not used for automated decision-making or profiling.