Privacy Notice for OP Research Foundation


1 General information

This Privacy Notice contains information required by the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act for data subjects such as the controller’s customers and employees, and for the supervisory authority.

Controller and its contact information

OP Research Foundation
Postal address: P.O. Box 308, FI-00101 HELSINKI
Street address: Gebhardinaukio 1, FI-00510 HELSINKI
The controller’s contact person: Mirja Laine
Phone: 040 760 9183

2 Data Protection Officer’s contact information

OP Financial Group's Data Protection Officer
OP Financial Group
Postal address: PL 308, FI-00013 OP

OP Research Foundation buys the services of a Data Protection Officer from OP Cooperative.

3 Name of the personal data file and data subjects

OP Research Foundation's data file for grants

Data subjects in the data file include grant applicants and grantees of OP Research Foundation as well as the referees of applicants. The data subjects also include the members of OP Research Foundation's Board and scientific committee.

4 Purposes of personal data processing and legal basis for processing

4.1 Purposes of processing

OP Research Foundation distributes grants. Applying for and giving grants require the processing of personal data of grant applicants and grantees and the referees of the grant applicants. OP Research Foundation is the controller which processes data included in the data file to prepare grant applications for decision making of the Foundation's Board of Directors, to give grants based on the decision by the Board of Directors, as well as for payout of grants and related monitoring, and to send statutory notifications to the authorities. Below, you can find more detailed information about how personal data are utilised in the data file.

The purposes of personal data use include:

  • Processing grant applications and payout of grants, including communication related to grants
  • Production of grant application services, and development and quality assurance of grant services
  • Fulfilling statutory obligations and any other official rules and regulations
  • Ensuring the security of services and investigating abuses

The personal data of the members of the Board and scientific committee is processed to manage statutory requirements and pay attendance fees.

4.2 Legal bases for processing

The table below describes the legal bases for processing personal data contained in the data file, and provides examples of processing performed on each basis.

| Legal basis | Example |
| --- | --- |
| Contractual relationship or actions preceding the conclusion of a contract | The controller processes the data subject's personal data in the data file based mainly on an agreement related to applying for, giving and paying the grant, as well as sending notifications to an authority. The processing of the personal data of the members of the Board and scientific committee is also based on an agreement. |
| Legal obligation | The controller, or the grantor, notifies the Tax Administration of the grant and the Farmers' Social Insurance Institution Mela of giving the grant. In respect of payment of the grant, the controller provides payee details accompanied by tax information. For Farmers' Social Insurance Institution Mela, the controller notifies the institution of detailed information related to the grantee and the grant. |
| Legitimate interest | The controller processes data on referees based on the Foundation's legitimate interest. Likewise, the names of grantees are published by the Foundation based on the Foundation's legitimate interest. |

5 Categories of personal data

| Category | Data content |
| --- | --- |
| Basic information | Name; Date of birth; Personal ID code; Contact details, or street address, email address and phone number; Account number |
| Applicant details | Applicant number of grant applicant and grantee; Information pertaining to research |
| Referees | Name; Employer information; Material delivered by the referee |
| Agreement details | The controller's and grantees' agreement information |
| Event information related to grant applications | Tasks and events related to managing grant applications: applying for a grant, giving a grant, paying a grant, monitoring payout and sending grant notifications to the authority. Related correspondence and other communications. |

The controller saves the information provided in the grant application and information related to the payout of given grants (bank account details, personal ID code, grant amount, payout date, document number and description) in the data file.

The personal ID code is registered for the purpose of sending the supervision material of the Tax Administration and for sending material to the Farmers' Social Insurance Institution Mela.

6 Recipients and recipient groups of personal data

6.1 Data recipients

Personal data may be disclosed to the authorities such as the Tax Administration and the Farmers' Social Insurance Institution Mela only within the limits permitted by law. The controller notifies the Tax Administration of detailed information about the grantee and the grant as annual notifications and the Farmers' Social Insurance Institution Mela in accordance with §141 b of the Farmers' Pensions Act.

Any personal data collected may be disclosed within OP Financial Group.

For the sake of clarity, it should be noted that the members of the scientific committee process data related to applications.

6.2 Transfer of data to suppliers

The controller has suppliers which process personal data for its account. The controller concludes appropriate agreements on personal data processing with all such suppliers.

The controller’s suppliers provide the controller with information system services, for example. Some of the controller’s suppliers may be OP Financial Group entities.

6.3 International transfers of data

The controller uses subcontractors for data processing, and data may be transferred outside the EU or EEA. When data is transferred outside the EU or EEA, the transfer is done using the European Commission’s standard contractual clauses or some other transfer mechanism in accordance with legislation. Further details on international transfers of personal data and standard contractual clauses are available from OP’s website at

Some of the controller’s subcontractors are other OP Financial Group entities. They provide the controller with items such as IT and other support services.

7 Personal data retention period or criteria for determining the period


The controller processes the grantees' personal data (basic information and other unique information) as long as the research project lasts and retains the data for at least ten years after the end of the grant payout. Thereafter, the controller erases or anonymises the data in accordance with the erasure processes it follows.

The grantees' names may also be processed in the Foundation's operations later in annual reports and other summaries, for example.

Grant applicants

Unless a grant is given, the controller processes the personal data (basic information and other unique information) of grant applicants and their referees for no more than one year from the date when the data subject filed their grant application with the Foundation.

Application details

For the sake of clarity, it should be noted that as an exception to the abovementioned retention period, the controller retains the grant applications without direct personal data (basic information and other unique information) as part of its operations. These application details can be used to develop controller operations and for purposes of quality control and statistics, for example.

8 Personal data sources and updates

Personal data is collected from grant applicants or grantees and from the referees indicated by the applicant.

9 Data subject’s rights

Data subjects have the right to receive the controller's confirmation of whether their personal data will be processed or not, or whether they have already been processed.

If the controller processes a data subject’s personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.

The controller may charge a reasonable administrative fee for any additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.

The data subject also has the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes.

In certain circumstances, the data subject also has the right to request the controller to restrict the processing of their personal data or to otherwise object to processing. In addition, under the GDPR, data subjects may request that the data they have provided themselves be transferred in a machine-readable format.

All requests mentioned herein must be submitted to the abovementioned contact person of the controller.

If a data subject considers that their personal data are not being processed legally, they have the right to file a complaint with the competent supervisory authority.

10 Protection methods regarding the data file

The controller is committed to processing personal data securely and in a manner that satisfies the requirements of the applicable laws. The controller has carefully assessed the risks that may be associated with the processing and taken the necessary measures to manage these risks.

The controller has taken appropriate technical and organisational measures to protect the data. The data file is protected using, for example, the following tools:

  • Protection of hardware and files
  • User identity verification
  • Access rights
  • Registration of usage events
  • Processing guidelines and supervision

The controller also requires that its suppliers and other partners engage in appropriate protection of any personal data they process.