Data protection at Cupore

Everyone has the right to know what information has been stored in different registers concerning them. The right of access to personal data, the use of this right, and the rectification of data are provided for in the Finnish Data Protection Act (1050/2018).

Cupore maintains a stakeholder register containing the contact information of its stakeholders for communication and marketing purposes. In Cupore’s research projects, project-specific personal data files are created. The privacy policy statement for each project is drawn up as part of the project’s data management plan. The project-specific privacy policy statements are held at Cupore’s offices and can be accessed upon request.

On this webpage, you will find Cupore’s general privacy policy statements for the stakeholder register and all research projects.

 

Privacy policy statement: Cupore’s stakeholder register

 

1. Controller:

 Center for Cultural Policy Research Cupore, maintained by the Foundation for Cultural Policy Research (1771249-3)

 Pitkänsillanranta 3B, 00530 Helsinki

 This email address is being protected from spambots. You need JavaScript enabled to view it.

 

2. Contact person of the register:

Anu Oinaala, Marjo Mäenpää

Pitkänsillanranta 3B, 00530 Helsinki

This email address is being protected from spambots. You need JavaScript enabled to view it.; 050 577 2246

 

3. Name of register

Stakeholder Register of the Center for Cultural Policy Research Cupore

 

4. Purpose of processing personal data

To store and maintain the contact information of the stakeholders of the Center for Cultural Policy Research Cupore, maintained by the Foundation for Cultural Policy Research. The data is used in Cupore’s communication and marketing activities.

 

5. Data content of the register

The person’s name, title, place of work, postal and email addresses and telephone number.

 

6. Regular sources of information

Data in the register are regularly collected from the data subjects themselves in meetings, by telephone, on the internet or in other similar ways. Personal data may be collected and updated from publicly available data sources, such as the webpages of organisations, the Trade Register and other public registers.

 

7. Regular disclosures of information

Personal data are not disclosed without a basis provided by an Act. The Center for Cultural Policy Research Cupore, maintained by the Foundation for Cultural Policy Research, may also use the services of its partners in its communication and marketing activities, in which case data may be disclosed to the partner for the purpose of carrying out Cupore’s communication and marketing activities. In such a case, the protection of personal data is subject to a separate agreement.

 

8. Transfer of data outside the EU or the EEA

Data in the register are not transferred outside the EU or the EEA.

 

9. Security principles of the register

The register does not contain manual data. Cupore’s stakeholder register is stored and updated in the contact information management service. Access to the service is restricted to those of Cupore’s employees who need the data to fulfil their duties. Access to data is by user name and password. Logs are kept of the use of the registered information. The data are protected by a firewall and other technical means.

 

10. Right of access

Data subjects may access their personal data stored in the system by contacting Cupore.

 

11. Right to request the rectification of data

Data subjects may request the rectification of data stored in the register by contacting Cupore.

 

12. Other rights regarding the processing of personal data

Personal data are retained for an indefinite period. Data subjects may at any time withdraw their consent to the processing of their personal data and have the data removed from the address register.

 *

 

Privacy policy statement: Cupore’s research projects

 

This is the general privacy policy statement for the Center for Cultural Policy Research Cupore’s research projects. The purpose of this document is to provide general information on how Cupore processes personal data in connection with research projects.

 

1. Controller

The controller of research projects is the Center for Cultural Policy Research Cupore, maintained by the Foundation for Cultural Policy Research (1771249-3). Its address is Pitkänsillanranta 3 B, 00530 Helsinki.

If you have general questions regarding data protection, you can contact the person responsible for data protection at Cupore (Director Marjo Mäenpää). In questions regarding a specific research project, please contact the principal investigator.

 

2. Data processed in research projects

In some of Cupore’s research projects, personal data may be collected in order to carry out scientific research. Personal data are processed when it is relevant for the on-going project. Cupore only processes data necessary for scientific research. The personal data collected are listed in the project-specific privacy policy statement.

 

3. Purpose and legal basis of personal data processing

The purpose of processing personal data in research projects is to produce new scientific data using scientific research methods. Cupore processes personal data for research purposes when processing is essential for the research to be carried out. The processing of personal data in Cupore’s research projects is based on the performance by the controller of a task carried out in the public interest.

 

4. Data sources

Cupore collects personal data directly from the data subjects in connection with conducting the research (e.g. interviews). In addition, Cupore may collect information from existing registers when conducting register-based research.

 

5. Personal data processing and data protection principles

Detailed information on personal data processing is always separately provided in the appropriate research plan and the privacy policy statement for each research project.

Cupore’s research projects are the responsibility of the researcher or research group designated for them. The researchers and research group leaders of each project are named in the project description published on Cupore’s website. For each project, a contact person is designated for matters regarding personal data processing.

All personal data collected for Cupore’s research projects are processed securely in accordance with the data protection practices applicable to the processing of Cupore’s research data.

Personal data are collected and processed and personal data are reported in research results in accordance with the law and in a manner agreed upon with the research subjects in connection with the respective projects.

 

6. Personal data retention period

Personal data used in research are erased when they are no longer necessary for the performance of research or for the verification of the relevance of the results.

Data containing personal data may be archived for the purpose of later research in accordance with data protection legislation, the appropriate research plan and Cupore’s data protection practices. In such a case, direct identifiers are erased.

 

7. Transfer/disclosure of data to countries outside the EU/EEA

Personal data are not transferred nor disclosed to countries outside the EU/EEA.

If data are transferred or disclosed to countries outside the EU/EEA in an individual research project, details of this are given in the appropriate research plan and the research-specific privacy policy statement.

 

8. Automated decision-making

Personal data collected by Cupore for research projects are not used for automated decision-making.

 

9. Recipients of personal data

Recipients of personal data include the third parties, controllers and processors to whom the registered data are transferred or disclosed.

Cupore may use subcontractors or service providers for the purpose of processing personal data. These parties process the data on behalf of Cupore as processors or sub-processors. Cupore concludes with them, directly or indirectly, the agreements required by the Data Protection Regulation to ensure the safe and lawful processing of data.

Research data are only disclosed for the purpose of historic or scientific research to partners selected by Cupore and in accordance with data protection legislation.

 

10.  Rights of the research subject

A person participating in a research project has the following rights under the Data Protection Regulation:

  • The right to be informed whether and what personal data are processed in a project. The research subject also has the right to request a copy of these personal data.
  • The right to request the rectification of inaccurate personal data concerning him or her.
  • The right to request the erasure of his or her personal data if they are no longer necessary for the purposes for which they were processed, if the research subject withdraws his or her consent, if he or she objects to such processing, if the personal data have been unlawfully processed or if they have to be erased for compliance with a legal obligation. This right does not apply if the erasure renders impossible or seriously impairs the achievement of the objective of processing in scientific research.
  • The right to request the restriction of processing of his or her personal data if he or she contests the accuracy of the personal data, if the processing is unlawful and the research subject requests the restriction of their processing, or if Cupore no longer needs the data but the research subject requires them for the establishment, exercise or defence of legal claims.
  • The right to receive the personal data that he or she has provided to Cupore in a structured, commonly used and machine-readable format and the right to transmit those data to another controller, subject to certain conditions.
  • The right to oppose the processing of his or her personal data if the processing is based on public interest or legitimate interest. In such a case, Cupore may not use the research subject’s personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or unless it is necessary for the establishment, exercise or defence of legal claims. Cupore may continue to process the research subject’s personal data also when it is necessary for the performance of a task carried out in the public interest.
  • The rights of the research subject may be derogated from in individual cases in so far as the rights render impossible or seriously impair the achievement of the objectives of processing for scientific or historical research purposes or statistical purposes. The need to derogate from the research subject’s rights is always assessed on a case-by-case basis.

 

11. Complaint to the Data Protection Authority

The data subject has the right to lodge a complaint with the supervisory authority if he or she considers that the processing of his or her personal data infringes the applicable data protection legislation. In Finland, the supervisory authority is the Data Protection Ombudsman.

 

12.  Updates

Cupore may update this data protection statement from time to time. It was last updated on 21 April 2020.