Bylaws and privacy statement

Saastamoinen Foundation is registered in the Finnish Patent and Registration Office’s Register of Foundations. Saastamoinen Foundation is an independent legal entity. The foundation’s privacy policy covers the registers it maintains.

Bylaws

You can obtain the bylaws of Saastamoinen Foundation, as well as other information about the foundation, such as the registration extract and financial statements, from the Finnish Patent and Registration Office’s Virre Information Service.

Privacy Policy

This privacy policy statement describes the processing of personal data by Saastamoinen Foundation sr (the “Foundation”) as part of its normal operations.

1. Controller and Data Protection Officer

1.1. Controller
Saastamoinen Foundation sr (Business ID: 0213401-0)

1.2. Data Protection Officer
Saara Lappalainen
Phone: +358 50 5488490
Email: saara.lappalainen@saastamoinenfoundation.fi
Address: Pieni Roobertinkatu 5 B 15, 00130 Helsinki

2. Registers

2.1. Register of persons in employment or other positions of responsibility
Sub-registers:
Register for payroll and compensation purposes
Register for working time monitoring

2.2. Register of persons employed by contractual partners
Sub-registers:
Register of issued keys
Register of access rights

2.3. Contact information register for enabling various functions of the Foundation in cooperation with its network and the people working within it

2.4. Register of grant applications and recipients of grants

2.5. Related party register

2.6. Email address directory for email correspondence

3. Purpose of Processing – Legal Grounds for Processing

Fulfilment of employer obligations

The primary basis for processing personal data is the Foundation’s statutory obligations as an employer. This includes, for example, determining employment conditions, payroll, providing occupational health services, and monitoring working hours and absences.

For instance, the Related Party Register (Section 2.5) contains personal data collected and processed to meet the reporting obligations specified in the Foundations Act (487/2015). The register is maintained in accordance with the Foundation’s related party guidelines and based on declarations submitted by reportable parties. Related parties are periodically asked to complete the declaration.

Performance of contracts

As part of its operations, the Foundation collects and uses personal data to fulfil its contractual obligations toward its partners. Some personal data may also be required to manage such relationships.

Legitimate interest of the Foundation

The Foundation also processes personal data on the basis of its legitimate interests. These interests relate to maintaining and developing employment relationships, organizing work, and fulfilling the Foundation’s purpose. Legitimate interests also include analysing and developing the Foundation’s operations and allocating resources.

4. Content of Registers

– Name and contact information (e.g. phone number, email address, postal address)
– Role or title
– Language
– Any special dietary requirements reported by the data subject (only in the contact register, for event invitations including meals)
– Personal identity code, if necessary
– Business ID and contact person for corporate customers
– Billing and payment information

In the Related Party Register, for the individual or entity classified as a related party:

– Nature of the related party relationship
– Family members and other close relatives (Foundations Act Chapter 1, Section 8, subsections 2 and 3)
– Entities under control

For family members and other close relatives of related parties:

– Name
– Date of birth
– Nature of relationship (e.g. family member, close relative)

For entities under the control of a related party:

– Name
– Business ID
– Basis for control

5. Regular Sources of Data

– The data subject themselves
– Guardians of related parties who are minors
– Information arising in customer relationships, daily administration, ordinary activities fulfilling the Foundation’s purpose, and grant-related processes

6. Retention and Processing Period of Personal Data

Personal data is retained for as long as necessary to fulfill the purposes described in this privacy policy. The retention period depends on the nature of the data and the purpose of processing, and may therefore vary.

We may retain personal data for longer than necessary to fulfill the stated purposes only when required by law or when retention is necessary for the fulfillment of our statutory obligations or legitimate interests.

7. Disclosure of Register Data

Personal data is not disclosed routinely or occasionally to third parties without specific reason. Exceptions:

Statutory obligations
We may share personal data with external parties when reasonably necessary to (i) comply with tax or other applicable laws, regulations, or court orders; or (ii) detect, prevent, or address crime and/or security threats.

Service providers and other partners
The Foundation may share personal data with service providers acting on its behalf or other partners. These may include IT service providers, accounting firms, or other grant-awarding bodies (e.g. other foundations) that cooperate with us to assess the overall level of funding and avoid overlapping grants.

Consent of the data subject
The Foundation may share personal data with third parties outside the organization for other reasons if it has the data subject’s consent. The data subject has the right to withdraw their consent at any time.

Related party register
Data from the Related Party Register is not disclosed. It is used to fulfil the Foundation’s reporting obligation as part of the annual report, as required by the Foundations Act.

Personal data is not transferred outside the EU or EEA. However, in some cases we may transfer or access personal data outside the European Economic Area. In such cases, we ensure adequate safeguards through standard contractual clauses or other appropriate safeguards, such as the EU-U.S. Data Privacy Framework.

8. Data Subject Rights

Data subjects have the right to access their personal data held by the Foundation and to obtain information about its processing.

Data subjects may at any time request correction, updating, or deletion of their personal data. However, data that is necessary for the purposes outlined in this policy or that must be retained by law cannot be deleted.

In certain circumstances, the data subject has the right to request restriction of processing.

The data subject also has the right to object to processing based on the Foundation’s legitimate interests, as permitted by applicable law.

The data subject has the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.

If personal data is processed based on the data subject’s consent, they may withdraw their consent at any time. The Foundation will no longer process the data unless another legal basis applies.

If a data subject believes their data is not being processed lawfully, they have the right to lodge a complaint with the Data Protection Ombudsman.

If a data subject wishes to exercise their rights or has questions about the processing of their data, they may contact the Foundation’s Data Protection Officer.

Website Privacy Policy

This Privacy Policy outlines the practices of Saastamoinen Foundation sr (hereafter referred to as “the Foundation”) regarding the processing of personal data of website visitors.

The Foundation complies with the provisions of the EU General Data Protection Regulation (“GDPR”) and other applicable legislation in Finland regarding the processing of personal data.

1. Data Controller and Data Protection Officer

The Foundation acts as the data controller when processing the personal data of its website visitors.

Contact information:
Saastamoinen Foundation sr
Business ID: 0213401-0
Address: Pieni Roobertinkatu 5 B 15, 00130 Helsinki, Finland

For data protection matters, please primarily contact the Foundation’s Data Protection Officer:

Contact details:
Saara Lappalainen
Email: info@saastamoinenfoundation.fi
Phone: +358 50 548 8490

2. Personal Data Processed by the Foundation

The Foundation processes the following personal data:

– Data collected during website usage, such as information collected via cookies (e.g., user’s IP address, time of access, pages visited, browser type, referring URL, server, and domain origin);
– Any consent-related information;
– Other data collected with the data subject’s consent.

3. Regular Sources of Information

The Foundation primarily receives personal data directly from the website visitors when they interact with the Foundation’s website.

Some personal data may also be generated as a result of the Foundation’s processing, such as correspondence between the Foundation and the data subject.

4. Purposes and Legal Bases for Processing Personal Data

The Foundation processes personal data primarily to pursue its legitimate interests, such as fulfilling its mission, improving its services, and developing its website. When processing personal data on the basis of legitimate interests, the Foundation assesses its interests in relation to the privacy rights of data subjects and, for instance, provides an easy option to opt out of marketing communications. Where possible, the Foundation uses pseudonymised or non-personal data.

In some cases, the Foundation may request the data subject’s consent for processing personal data. The data subject has the right to withdraw consent at any time.

5. Recipients of Personal Data

The Foundation does not share personal data with external third parties unless one of the following conditions is met:

Legal Requirements
The Foundation may disclose personal data to external parties if access to such data is reasonably necessary to comply with laws, regulations, or court orders.

Service Providers and Other Business Partners
The Foundation may share personal data with service providers who perform services on behalf of the Foundation, such as IT service providers.

With Consent
The Foundation may share personal data with third parties outside the organisation for purposes other than those mentioned above if it has the data subject’s consent. The data subject may withdraw such consent at any time.

6. Transfer of Data Outside the EU or EEA

Personal data is primarily processed within the European Economic Area (EEA).

However, in some cases, the Foundation may transfer or access personal data outside the EEA. In such instances, the Foundation ensures adequate protection for such transfers through agreements with service providers based on standard contractual clauses or other appropriate safeguards, such as the EU-U.S. Data Privacy Framework.

7. Retention of Personal Data

Personal data is retained for as long as necessary to fulfil the purposes described in this Privacy Policy. The retention period depends on the nature of the data and the purpose of processing, and may vary accordingly. Cookie data may be retained for up to one year, depending on the type of cookie. More information on cookie retention is available via the cookie banner on our website.

The Foundation may retain personal data longer than necessary for the purposes described in this Privacy Policy only when required by law or for compliance with legal obligations or to safeguard legitimate interests.

8. Cookies

The website www.saastamoinenfoundation.fi uses cookies. Cookies are small text files placed on your device to collect and remember useful information. We use cookies and analytics tools on our website to improve usability, enable functionality, and for statistical purposes to enhance user experience. Functional cookies are essential for the website to operate and do not require user consent. Optional cookies require the user’s consent, which is collected via the website’s cookie banner. You may change your preferences later. Restricting cookies may affect website usability.

9. Principles of Personal Data Protection

The Foundation processes personal data with care and safeguards data handled via IT systems through appropriate technical and organisational measures, taking into account the risks, nature of the data, and cost considerations. Measures are taken to prevent data loss or unauthorised access. Backup copies of data are geographically distributed to ensure durability.

The Foundation ensures that stored data, server access rights, and other critical information related to personal data security are handled confidentially and only by authorised personnel. Access to server facilities is restricted to administrators with sufficient security clearance.

Should a data security breach occur despite these measures, the Foundation aims to investigate and resolve the matter promptly and report it to the relevant authorities where necessary.

10. Data Subject Rights and How to Exercise Them

10.1 Rights of the Data Subject

Right of Access
Data subjects have the right to obtain information on the personal data held by the Foundation and how it is processed. They also have the right to receive a copy of the processed personal data.

Right to Rectification
Data subjects have the right to request correction of inaccurate or outdated data, or the completion of incomplete data. Please note that the controller is not obligated to provide or correct data it no longer holds.

Right to Withdraw Consent and Object to Processing
Where processing is based on consent, data subjects have the right to withdraw consent at any time. Withdrawal of consent means the data can no longer be used for that purpose.

Data subjects also have the right to object, on grounds relating to their particular situation, to the processing of their personal data based on legitimate interests. Objection does not automatically lead to deletion, but the controller will assess whether the objection is justified or whether the controller has the right to continue processing the data despite the objection.

Right to Erasure
Data subjects have the right to request erasure of their personal data under certain conditions. They may request deletion particularly if the data is no longer necessary for the original purpose, has been unlawfully processed, or must be erased to comply with legal obligations.

The Foundation may refuse the request if the data is necessary for compliance with legal obligations or to protect its rights.

Other Rights
Instead of erasure, the data subject may have the right to restrict processing under Article 18 of the GDPR in certain situations.

Under Article 20 of the GDPR, data subjects also have the right to receive the data they have provided to the controller in a structured, commonly used and machine-readable format, and to transmit those data to another controller where the processing is automated and based on consent.

10.2 Submitting Requests

The Foundation asks that all data access or rectification requests be made in writing to the Data Protection Officer listed in Section 1 (by post or email).

The identity of the requester will be verified before fulfilling any request. The Foundation will respond within the timeframe set out in the GDPR (generally within one month).

Requests are handled free of charge. However, in the case of manifestly unfounded or excessive requests, a reasonable fee may be charged, or the request may be refused (GDPR Article 12(5)).

10.3 Supervision of Personal Data Processing

If the data subject is dissatisfied with the handling of their request or other aspects of personal data processing, they have the right to contact the supervisory authority—the Office of the Data Protection Ombudsman. However, the Foundation asks that you contact the Foundation’s Data Protection Officer first to resolve the matter.

The latest contact details and guidance from the Office of the Data Protection Ombudsman are available at: https://tietosuoja.fi/