Privacy Policy: Customer and Stakeholder Data

Updated 22.4.2024


Geological Survey of Finland
P.O. Box 96, 02151 Espoo, Finland
tel. +358 29 503 0000, gtk(at)

Contact persons for register matters

Antti Nummi (customer relations)
Pauli Vartia (web pages)
Taina Järvinen (communication and marketing)
P.O. Box 96, 02151 Espoo, Finland
tel. +358 29 503 0000, gtk(at)

Contact details of the data protection officer

tel. +358 29 503 0000

Purpose of and legal grounds for processing personal data

The maintenance of customer and stakeholder functions, stakeholder communication, customer relationship management, development monitoring and reporting. The data is used for maintaining GTK’s customer register and for planning and implementing customer activities, such as targeting contacts and communications and marketing, and for collecting customer feedback. The data is also used for delivering documents, such as individualising and sending tender documents, contracts and other documentation.

The legal basis for processing is Article 6(1)(e) of the EU General Data Protection Regulation (GDPR) (2016/679) and section 4 of the Finnish Data Protection Act (1050/2018): processing is necessary for the performance of a task carried out for reasons of public interest, and the data describe the position of a person, the person’s duties or the performance of these duties in a public sector entity, business and industry, activities of civil society organisations, or other corresponding activities, and the processing is of public interest and proportionate to the legitimate aim pursued.

In the case of customer contracts, the legal basis for processing is Article 6(1)(b) of the GDPR: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

In sales and marketing events and on websites, data can be collected with the unambiguous consent of the person concerned (Article 6(1)(a) of the GDPR).

Data content

Data content of the register and categories of personal data

GTK’s customer and stakeholder data and data about contact persons and measures taken, e.g. related to received invitations to tender, tenders submitted and contracts concluded, are stored in the register.

The personal data processed may include: email address and other contact details, the name of the organisation represented by the person, place of business, position in the organisation, summary of the content and measures of meetings/contacts, possible cooperation projects or agreements and their progress.

The following data is also maintained in the register:

  • Language in which the person wants to receive content
  • Data on requests to send communications or marketing communications ordered by the person
  • Data on marketing authorisations and prohibitions
  • Data entered on contact, order and registration forms
  • Customer feedback data
  • Visitor data on the website
  • Customer’s interests in GTK’s service offering
  • Participant information related to events we organise and media material resulting from any recording of the event (e.g. photographs or recordings) and dietary information if the event includes catering. Dietary information is not disclosed in a form that identifies the person and is deleted after each event.

Regular sources of data

Data accumulated from customer/stakeholder activities, meetings, contacts, invitations to tender, data disclosed by the contact person of a customer relationship or other stakeholder (business cards, meetings) and data collected by sales and marketing personnel in connection with customer meetings and other events. Data can also be obtained from the persons themselves, for example through contact forms, invitations to tender, order forms and registration forms.

We may also collect stakeholder data from public sources and registers in accordance with section 4 of the Data Protection Act.

Storage period for personal data

Personal data shall only be stored for as long as and to the extent necessary for the purpose stated above. Customer data will be deleted no later than 5 years after the last contact, unless otherwise required by a possible contractual situation or the customer has not updated their data during the period in question.

If GTK has an existing customer relationship, the maintenance of data is based on GTK’s operations and related interests. However, if the data is based on consent, the provision of data is entirely voluntary.

Data processing

Recipients or categories of recipients of personal data (to whom data may be disclosed)

The data is processed by GTK personnel whose tasks include the processing of customer and stakeholder data.

Personal data is not regularly disclosed to third parties. Any disclosure of data is always notified separately. The Finnish Act on the Openness of Government Activities (621/1999) applies to the operations of the Geological Survey of Finland.

Processing of personal data on behalf of the controller

Personal data can be accessed by system suppliers (Twoday, Valve, Webropol, Mediasignal and Lyyti) and the Government ICT Centre Valtori in maintenance tasks. The register is primarily maintained in a data system provided by an external service provider.

Transfer of personal data to third countries outside the EU/EEA

The data will not be transferred to countries outside the European Union or the European Economic Area.

Automated decision-making and profiling

No automated decision-making and profiling.

Rights of the data subject

Exercise of rights

The data subject may exercise their rights by submitting a request to the controller (Geological Survey of Finland) by email to the address stated in the “Controller” section above. To speed up the processing of the request, please indicate the register to which the request relates.

Right to file a complaint with the supervisory authority

If the data subject considers the processing of his or her personal data to be incompatible with the law, they may lodge a complaint with a supervisory authority in the Member State of his or her habitual residence, place of work or place of the processing of personal data in breach of the law. In Finland, the matter can be referred to the Office of the Data Protection Ombudsman:

Postal address: P.O. Box 800, FI-00521
Email: tietosuoja(at)
Tel.: +358 29 56 66700

Right to access personal data

The data subject has the right to obtain confirmation from the controller as to whether personal data concerning them is processed, and if such personal data is processed, the right to access the personal data.

Right to rectification

The data subject has the right to demand that the controller rectify without undue delay any inaccurate or incorrect personal data concerning them.

Right to restriction of processing

The data subject has the right to demand that the controller restricts the processing of their personal data if:

  • the data subject disputes the accuracy of their personal data;
  • the processing is unlawful, but the data subject opposes the erasure of their personal data and requests the restriction of its use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of a legal claim;
  • the data subject has objected to the processing of their personal data, pending verification of whether the legitimate grounds of the controller override those of the data subject.

Right to object

In situations where the processing of personal data is based on public interest, the data subject has the right to object to the processing of their personal data. If the data subject exercises their right to object, the controller shall cease the processing of the personal data, unless the controller demonstrates compelling legitimate grounds for the processing that override the rights and freedoms of the data subject or if the processing is necessary to establish, exercise or defend a legal claim.

If personal data is processed for direct marketing purposes, the data subject has the right to object to the processing without any specific grounds.

In situations where data is processed for statistical or research purposes, the data subject may object to the processing of data on grounds relating to their particular situation, in which case the controller shall cease the processing, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Right to erasure

In situations where the processing of personal data is based on a legal basis other than compliance with a legal obligation of the controller or the performance of a task carried out for reasons of public interest, the data subject has the right to request the erasure of their personal data. The requested data will be erased unless the controller has a legal basis for refusing to erase the data, such as a legal obligation to store the data.

Right to withdraw consent

If personal data is processed on the basis of the data subject’s consent, the data subject has the right to withdraw their consent at any time by informing the controller/controller’s contact person (see contact details at the beginning of this policy).

The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.