Processing of personal data in connection with a cooperation project between TIEKE and the Office of the Data Protection Ombudsman

GDPR2DSM is a two-year joint project between the Office of the Data Protection Ombudsman and TIEKE The Finnish Information Society Development Centre (TIEKE), which aims to improve the data protection competence of SMEs and develop tools for ensuring data protection. The two-year project is funded by the European Union’s Rights, Equality and Citizenship Programme. More information on the project can be found at https://tieke.fi/en/projects/gdpr2dsmeng/

Purpose of processing 

Newsletters 

In the project newsletters, the Office of the Data Protection Ombudsman and TIEKE send up-to-date information on the project, such as the progress of the tool and the events carried out in connection with the project. Letters will be sent by e-mail to those who ordered it. The email address, name and organisation will be saved from the subscribers of the letter. Of this information, only an email address and first name is required. The information is used to deliver the newsletter. 

The newsletters are implemented with Liana Technologies and Lime Technologies services. We do not collect or store information about the openings or clicks of our newsletters. Subscribers are not subject to monitoring or tracking when subscribing to or receiving the newsletter. 

Events 

Webinars, workshops and other events will be organised during the project. In connection with the registration, the registered person’s e-mail address, first and last name and organisation are collected. Of this information, it is only mandatory to provide an email address, first name and surname. 

The information is reported to the European Union’s Fundamental Rights, Equality and Citizenship programme, which is the funder of the project. The reporting shall include the names of the participants in each event. 

Event registrations are carried out with Eventilla and Webropol services. 

Surveys 

The purpose of the initial survey is to map the competence and needs of companies in the field of data protection. We use the results of the survey to develop data protection materials and tools. 

The responses to the first part of the survey are collected anonymously and the results of the survey are compiled into a summary, from which individual responses cannot be broken down. Personal data will not be collected in connection with the first part of the responses, unless the person himself/herself provides personal data or other information from which the person is identifiable. 

No personal data belonging to special categories of personal data is collected in connection with the survey. It is recommended that the person completing the survey does not place data belonging to special categories of personal data in the open fields of the survey. 

At the end of the survey, we collect contact information from respondents interested in participating in the project pilot. We use contact information to communicate with respondents interested in the pilot. The provision of information is voluntary. Contact details are not included in the data collected in the first part of the survey. 

Queries are compiled using Webropol’s query tool. When completing a survey, Webropol collects information about a cookie (so-called session cookie), which is a necessary technical cookie to answer the query. However, information about the cookie will not be stored, as it will be removed from the user’s terminal device at the latest when the browser is closed. Therefore, it is recommended that the browser be closed after participating in the survey. 

Grounds for processing 

The basis for the processing of personal data by the Office of the Data Protection Ombudsman is the performance of a task carried out in the public interest (Article 6(1)(e) of the GDPR and Section 4(2) of the Data Protection Act). The duties and powers of the Data Protection Ombudsman are laid down in Articles 55 to 59 of the GDPR and Sections 8, 14 and 16-17 of the Data Protection Act. According to Article 57 GDPR, one of the tasks of the DPA is to promote the knowledge of controllers and processors of their obligations under the GDPR. 

TIEKE’s basis for the processing of personal data is the data subject’s consent (Article 6(1)(a) GDPR). Providing contact details for participation in the pilot is voluntary. Subscription to the newsletter is voluntary. Consent can be withdrawn at any time. 

Disclosure of information 

Lists of participants in webinars and events will be handed over to the project funder (Fundamental Rights, Equality and Citizenship of the European Union) for reporting on the project. 

TIEKE or the Office of the Data Protection Ombudsman will not otherwise disclose the personal data they process to third parties. 

Data processors Liana Technologies, Lime Technologies, Eventilla or Webropol may use subcontractors as part of providing services to the controller. 

As a rule, personal data is processed within the EU or the EEA. If personal data is processed outside the EU or the EEA, the controller will ensure that there is a legal basis for doing so. 

Information on the subcontractors of data processors can be obtained from the joint register keepers. 

Retention of data 

Personal data collected in connection with the survey will be stored for the duration of the project and deleted at the end of the project. 

Personal data collected for the purpose of sending the newsletter will be stored until the subscription is cancelled or the newsletter service ceases to exist. The personal data of those who unsubscribe from the newsletter will be deleted without delay. 

Your rights to the processing of personal data 

Right to information about the processing of personal data 

Right of access to data 

  • You have the right to know whether we process your personal data. If we do, you have the right to receive a copy of this information, unless we have legitimate grounds for refusing to exercise the right. 

Right to rectification 

  • If the personal data we process about you are inaccurate, you can ask us to rectify the data. 
  • If we rectify data on the basis of your request, we are obliged, to the extent possible, to inform all those to whom the information has been previously disclosed. 
  • Additional information on the right to rectification 

Right to erasure of data 

Right to object to processing of personal data 

  • Upon receipt of each newsletter, the subscriber has the opportunity to unsubscribe. You can also cancel the order via the project website. 
  • You have the right to object to the processing of your personal data by us. You can do so at any time on the basis of your specific situation. 
  • We will no longer process your personal data in the event of compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims. 
  • Further information on the right to object to processing 

Right to restriction of processing 

  • If you think the information we process about you is inaccurate, unlawfully processed or if you have objected to the processing of your data, you can ask us to restrict the processing of your data. 
  • In this case, we may only process your data with your consent 
    • if we need information for the establishment, exercise or defence of legal claims 
    • for reasons of public interest, or 
    • protecting someone else’s rights 
  • If we restrict the processing of data on the basis of your request, we are obliged, to the extent possible, to inform all those to whom the information has been previously disclosed. 

The GDPR2DSM project does not make decisions based on automated decision-making and respondents are not profiled on the basis of personal data. 

You can request your rights by contacting TIEKE or the Office of the Data Protection Ombudsman using the contact details mentioned below. 

If you consider that your personal data has been processed unlawfully, you have the right to lodge a complaint with the Data Protection Ombudsman. The lawfulness of the operations of the Office of the Data Protection Ombudsman is supervised by the supreme legal guardians, i.e. the Parliamentary Ombudsman and the Chancellor of Justice. 

Data controllers 

The joint controllers of personal data are TIEKE The Finnish Information Society Development Centre Ry and the Office of the Data Protection Ombudsman. 

TIEKE The Finnish Information Society Development Centre 
Small Roobertinkatu 9, MOW  
00130 Helsinki  
tieke(at)tieke.fi  
No, no, no. + 358 9 4763 0400 

Office of the Data Protection Ombudsman 
PO Box 800, 00531 Helsinki  
privacy Policy(at)om.fi  
029 566 6700 

History of Change: 

Updated on 9 September 9.9.2021: 

  • Eventilla and Lime Technologies added as data processors. 
  • For newsletters, first name has been added for mandatory information. 
  • For events, first name and surname have been added as mandatory information. Eventilla- and Webropol services added as data processors. 
  • Added that the list of participants in webinars and events will be handed over to the project funder (Fundamental Rights, Equality and Citizenship of the European Union) for project reporting purposes. 
  • Information added about data transfers. As a rule, personal data is processed within the EU or the EEA. If personal data is processed outside the EU or the EEA, the controller will ensure that there is a legal basis for doing so. 

The content of this page represents only the views of the author and the author is solely responsible for them. The European Commission is not responsible for any information contained on this page or for its use.