Privacy Policy: Customer and Stakeholder Data

Updated 22 May 2018

Controller Geological Survey of Finland
P.O. Box 96, FI-02151 Espoo, Finland
Tel. +358 29 503 0000,
Contact person for register matters Pauli Vartia
Contact details of the data protection officer
Register name Customer and Stakeholder Data
Purpose of and legal grounds for processing personal data The maintenance of customer and stakeholder functions, monitoring the development of customer relationships and preparing reports on the development.

Article 6.1e of the EU General Data Protection Regulation (GDPR) provides legal grounds for processing: Processing is necessary in order to carry out tasks concerning public interests, and processing concerns data about a person’s position, tasks and their carrying out in a public organisation, business association or other similar entity, and processing is in line with public interests and correctly proportional to the purpose of processing.

During sales and marketing events, data is only collected with the explicit consent of the person (article 6.1a of the GDPR).

Data content of the register and groups of personal data GTK’s customer and stakeholder data and data about contact persons and actions carried out are saved in the register. The register is mainly maintained in a data system provided by an external service provider. Data can also be processed using other communication tools (e.g. Lyyti, Webropol, newsletters sent via email).

Data collected about contact persons: Location, contact information, name, profession, the content of meetings/messages and activities briefly, possible cooperation projects and their progress. All data is based only on professional interaction. No data about personal traits and other such qualities is collected.

Storage period for personal data or, if this is not possible, criteria for defining the storage period Personal data will be erased after five years, provided that it was not updated during this time.
Regular sources of data Data accumulated from customer and stakeholder activities, meetings, contact. Data provided by the contact person of a customer relationship (business cards, meetings) and data collected by sales and marketing personnel during customer meetings and other such events.
Recipients of personal data or groups of recipients Data is processed by those GTK employees who work in the customer interface and monitor and report customer and stakeholder data. In addition, the supplier of the data system can access data in conjunction with maintenance.
Information about the transfer of data to third countries and protection used (including information about the existence or
non-existence of the Commission’s decision on the sufficiency of data protection), and opportunities to obtain a copy or information about content.
No data is transferred from the register outside the EU or EEA.
Principles of register protection (manual material and electronic processing) The system supplier ensures the technical protection of data in cooperation with GTK. The use of the system is protected with a username and password, and only appointed persons of the organisation can use the system. All data is processed confidentially.
Rights of data subjects Data subjects have the right to access their data and request their data to be rectified. On grounds related to a specific personal situation, data subjects have the right to object to the processing of their personal data. Nevertheless, the data controller can continue to process data on significant and justified grounds.

If the aforementioned grounds do not exist, data subjects can request their personal data to be erased. If a data subject considers their data to be inaccurate, processing can be restricted in order to verify the accuracy of the data.

If processing is based on consent (article 6.1a) or explicit consent (article 9.2a), information about the right to withdraw consent at any time If personal data is processed with the explicit consent of data subjects, they have the right to withdraw their consent at any time by sending a notification to the data controller via email (
Right to file a complaint with the supervisory authority Data subjects have the right to file a complaint with the supervisory authority of the member state in which their permanent place of residence or business is or in which the suspected breach of the GDPR has taken place. If the data controller has refused the right to access personal data or have the data rectified, data subjects can file a complaint with the Finnish Data Protection Ombudsman.
Is the provision of personal data a statutory or contractual requirement or a requirement needed to enter into an agreement? Do data subjects need to provide personal data? What are the consequences of any nonprovision of personal data? If GTK has an existing customer relationship, the processing of personal data is based on GTK’s operations and related interests. If the processing of personal data is based on consent, the provision of data is fully voluntary.
Information about the existence of automated decision-making, including profiling, and significant information about the processing-related logic, at least in these cases, and the significance of specific processing and any consequences for data subjects. No automated decision-making is used.