Data protection at Cupore
Everyone has the right to know what information has been stored in different registers concerning them. The right of access to personal data, the use of this right, and the rectification of data are provided for in the Finnish Data Protection Act (1050/2018).
The controller of research projects is the Center for Cultural Policy Research Cupore, maintained by the Foundation for Cultural Policy Research (1771249-3). Its address is Pitkänsillanranta 3 B, 00530 Helsinki.
If you have general questions regarding data protection, you can contact the person responsible for data protection at Cupore (Director Marjo Mäenpää). In questions regarding a specific research project, please contact the principal investigator.
2. Data processed in research projects
3. Purpose and legal basis of personal data processing
The purpose of processing personal data in research projects is to produce new scientific data using scientific research methods. Cupore processes personal data for research purposes when processing is essential for the research to be carried out. The processing of personal data in Cupore’s research projects is based on the performance by the controller of a task carried out in the public interest.
4. Data sources
Cupore collects personal data directly from the data subjects in connection with conducting the research (e.g. interviews). In addition, Cupore may collect information from existing registers when conducting register-based research.
5. Personal data processing and data protection principles
Cupore’s research projects are the responsibility of the researcher or research group designated for them. The researchers and research group leaders of each project are named in the project description published on Cupore’s website. For each project, a contact person is designated for matters regarding personal data processing.
All personal data collected for Cupore’s research projects are processed securely in accordance with the data protection practices applicable to the processing of Cupore’s research data.
Personal data are collected and processed and personal data are reported in research results in accordance with the law and in a manner agreed upon with the research subjects in connection with the respective projects.
6. Personal data retention period
Personal data used in research are erased when they are no longer necessary for the performance of research or for the verification of the relevance of the results.
Data containing personal data may be archived for the purpose of later research in accordance with data protection legislation, the appropriate research plan and Cupore’s data protection practices. In such a case, direct identifiers are erased.
7. Transfer/disclosure of data to countries outside the EU/EEA
Personal data are not transferred nor disclosed to countries outside the EU/EEA.
8. Automated decision-making
Personal data collected by Cupore for research projects are not used for automated decision-making.
9. Recipients of personal data
Recipients of personal data include the third parties, controllers and processors to whom the registered data are transferred or disclosed.
Cupore may use subcontractors or service providers for the purpose of processing personal data. These parties process the data on behalf of Cupore as processors or sub-processors. Cupore concludes with them, directly or indirectly, the agreements required by the Data Protection Regulation to ensure the safe and lawful processing of data.
Research data are only disclosed for the purpose of historic or scientific research to partners selected by Cupore and in accordance with data protection legislation.
10. Rights of the research subject
A person participating in a research project has the following rights under the Data Protection Regulation:
- The right to be informed whether and what personal data are processed in a project. The research subject also has the right to request a copy of these personal data.
- The right to request the rectification of inaccurate personal data concerning him or her.
- The right to request the erasure of his or her personal data if they are no longer necessary for the purposes for which they were processed, if the research subject withdraws his or her consent, if he or she objects to such processing, if the personal data have been unlawfully processed or if they have to be erased for compliance with a legal obligation. This right does not apply if the erasure renders impossible or seriously impairs the achievement of the objective of processing in scientific research.
- The right to request the restriction of processing of his or her personal data if he or she contests the accuracy of the personal data, if the processing is unlawful and the research subject requests the restriction of their processing, or if Cupore no longer needs the data but the research subject requires them for the establishment, exercise or defence of legal claims.
- The right to receive the personal data that he or she has provided to Cupore in a structured, commonly used and machine-readable format and the right to transmit those data to another controller, subject to certain conditions.
- The right to oppose the processing of his or her personal data if the processing is based on public interest or legitimate interest. In such a case, Cupore may not use the research subject’s personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or unless it is necessary for the establishment, exercise or defence of legal claims. Cupore may continue to process the research subject’s personal data also when it is necessary for the performance of a task carried out in the public interest.
- The rights of the research subject may be derogated from in individual cases in so far as the rights render impossible or seriously impair the achievement of the objectives of processing for scientific or historical research purposes or statistical purposes. The need to derogate from the research subject’s rights is always assessed on a case-by-case basis.
11. Complaint to the Data Protection Authority
The data subject has the right to lodge a complaint with the supervisory authority if he or she considers that the processing of his or her personal data infringes the applicable data protection legislation. In Finland, the supervisory authority is the Data Protection Ombudsman.
Cupore may update this data protection statement from time to time. It was last updated on 21 April 2020.
Center for Cultural Policy Research Cupore, maintained by the Foundation for Cultural Policy Research (1771249-3)
Pitkänsillanranta 3B, 00530 Helsinki
2. Contact person of the register:
Anu Oinaala, Marjo Mäenpää
Pitkänsillanranta 3B, 00530 Helsinki
3. Name of register
Stakeholder Register of the Center for Cultural Policy Research Cupore
4. Purpose of processing personal data
To store and maintain the contact information of the stakeholders of the Center for Cultural Policy Research Cupore, maintained by the Foundation for Cultural Policy Research. The data is used in Cupore’s communication and marketing activities.
5. Data content of the register
The person’s name, title, place of work, postal and email addresses and telephone number.
6. Regular sources of information
Data in the register are regularly collected from the data subjects themselves in meetings, by telephone, on the internet or in other similar ways. Personal data may be collected and updated from publicly available data sources, such as the webpages of organisations, the Trade Register and other public registers.
7. Regular disclosures of information
Personal data are not disclosed without a basis provided by an Act. The Center for Cultural Policy Research Cupore, maintained by the Foundation for Cultural Policy Research, may also use the services of its partners in its communication and marketing activities, in which case data may be disclosed to the partner for the purpose of carrying out Cupore’s communication and marketing activities. In such a case, the protection of personal data is subject to a separate agreement.
8. Transfer of data outside the EU or the EEA
Data in the register are not transferred outside the EU or the EEA.
9. Security principles of the register
The register does not contain manual data. Cupore’s stakeholder register is stored and updated in the contact information management service. Access to the service is restricted to those of Cupore’s employees who need the data to fulfil their duties. Access to data is by user name and password. Logs are kept of the use of the registered information. The data are protected by a firewall and other technical means.
10. Right of access
Data subjects may access their personal data stored in the system by contacting Cupore.
11. Right to request the rectification of data
Data subjects may request the rectification of data stored in the register by contacting Cupore.
12. Other rights regarding the processing of personal data
Personal data are retained for an indefinite period. Data subjects may at any time withdraw their consent to the processing of their personal data and have the data removed from the address register.