Register Description relating to Finnish Cultural Foundation's Grants

Register description

EU’s General Data Protection Regulation, 2016/679, entry into force 25 May 2018
Appendix to the Data Protection Policy

Board of Trustees 21 May 2018

Data controller

Finnish Cultural Foundation (Foundation), hereafter the Cultural Foundation
0116947-3
Bulevardi 5 A, 00120 Helsinki
telephone + 358 9 612 810
email yleisinfo@skr.fi or firstname.familyname@skr.fi

Person responsible for the registers

Antti Arjava, Secretary General
contact information as above
email firstname.familyname@skr.fi

Legal basis

The data controller carries out its statutory duties by awarding grants on application. Data processing in the register is based on the data controller’s legitimate interest.
A balance of the rights of the data controller and data subjects has been ensured by the following means:

a. no sensitive personal data is processed in the register; and
b. information, such a personal identity code and bank account number, which involves particular risks in processing, is processed as restrictively as possible and is stored only for as long as is strictly necessary (data minimisation and storage limitation principles).

Purpose of processing

Personal data are processed to enable the receipt and processing of grant applications and the payment and monitoring of grants awarded.

Register content

The following lists the type of information concerning the applicant or the applicant’s contact person generally provided by the applicant himself or herself that has been stored in the register electronically or printed out on paper:

  • name
  • qualification / title
  • occupation
  • contact information
  • place of work
  • language used in communication
  • name of head of research team
  • field of specialization
  • classification of grant
  • purpose of grant
  • amount of grant
  • duration of grant
  • type of grant
  • work plan
  • place where work is performed
  • applicant’s earlier and pending grants
  • attachments, such as CV, list of publications and website links
  • applicant’s scientific or cultural activities to date
  • consent for processing of notifications sent by email
  • evaluation of the applicant provided by external referee

If the applicant is a natural person, in addition to the information listed above, the following information is stored in the register electronically or printed out on paper

  • personal identity code*
  • gender
  • place of residence
  • place of birth
  • nationality
  • place of study
  • applicant’s doctoral school
  • applicant’s working hours during the grant period

If a grant is awarded, the following information about the grantee, in addition to the applicant’s/contact person’s personal data, is stored in the register electronically:

  • bank account number*
  • payments and payment transactions
  • fund from which the grant is awarded
  • changes and cancellations concerning the grant
  • information about notification to the tax authority and to the Farmers’ Social Insurance Institution Mela
  • information about the publicity of the grant
  • information about the university compensation agreement
  • information about the salaried doctoral candidate’s position
  • deadline for reporting on how the grant is used
  • grantee’s report on how the grant is used

A person under the age of 15 years completes the application with his or her guardian.

Storage of personal data

Information marked with an asterisk (*)

The information marked with an asterisk is stored until the grant has been paid in full and the grantee’s report on how the grant has been used has been approved, subject, however, to compliance with the retention period imposed by legislation for accounting material.

The basis for data storage is to ensure the legal protection of the data subject and the data controller, which requires the unambiguous identification of the data subject, as well as to execute payments, monitor the use of grants, and submit information to the tax administration and to the Farmers’ Social Insurance Institution Mela (Act 1280/2006, section 141 b).

Other personal data

To enable, develop and ensure the transparency of the data controller’s grant activities as well as to ascertain the applicant’s earlier grant history, other personal data are stored as follows:

 1. Attachments to decision records

From all applications, the following information is stored permanently as printouts:

  • name
  • field of specialization
  • purpose of grant
  • amount of grant
  • place of residence
  • year of birth

2. Information stored as paper printouts

a. The full information of accepted applications can be stored permanently as printouts.
b. The full information of rejected applications can be stored as printouts for a maximum of ten years.

For scientific or historical research purposes

  • all accepted applications
  • all rejected applications for which the year of application ends in the numeral 5

may be transferred to the National Archives of Finland once every five years when at least ten years have elapsed since the application was made.

3. Information stored electronically

a. The full information of accepted applications can be stored permanently electronically.
b. The full information of rejected applications can be stored electronically for a maximum of ten years. After this the applicants’ contact information is stored so that applicants can later be asked to take part in the Cultural Foundation’s long-term follow-up surveys.

4. Anonymised information

The data controller stores some information permanently for statistical or research purposes in such a way that the data subject can no longer be identified.

Personal data transfer

Applications printed out on paper may be transferred to the National Archive of Finland (see above). The data controller does not transfer data for other purposes.

Use of personal data in assessing applications

The data controller uses outside experts to evaluate applications. These experts have access to the information required for their evaluation work and are bound by confidentiality.

During the processing of grant applications, the data controller may exchange the information required with other funding bodies to ensure the total level of funding and to avoid awarding overlapping grants.

Publicity of personal data and the grounds of decision-making

The data controller publishes the following information about all grantees:

  • name
  • qualification / title
  • purpose of grant
  • amount of grant
  • place of residence

The basis for publication is to uphold public confidence enjoyed by a statutory grant system and to avoid awarding overlapping grants.

The data controller protects the right to privacy of applicants, referees and experts and does not  disclose statements and evaluations relating to applications.

Restriction of processing

Rights to update and view personal data are restricted temporally and personally by means of the data controller’s internal, centrally administered access rights.

Rights of the data subject

The data subject has the right to request access to personal data concerning him or her, but not the right to obtain information about references or their content. The confidentiality of information protects the referee’s right to privacy and to ensure the reference’s value to the data controller.

The data subject has the right to request the rectification of inaccurate information, the restriction of processing, and the right to object to the processing of his or her personal data. The data controller has the right to request further information it may deem necessary to verify the identity of the data subject making the request. Requests will be responded to within one month of having been received. Any protraction of the time allowed and the reasons for the delay will be notified in the same context.

Right to withdraw consent

Processing of personal data in the grant register is not based on consent.

Right to file a complaint

The data subject has the right to file a complaint to the supervisory authority should he or she consider that processing his or her data is in breach of the EU’s General Data Protection Regulation.

Compulsion

The transfer of the data subject’s personal data to the data controller is a prerequisite for  the receipt and processing of the application.

Consequences of failure to submit information

Failure to transfer the data subject’s personal data or restricting its processing before decision-making takes place will result in revoking  of the application.

Automated decision-making

The register is not used for automated individual decision-making without explicit consent being requested for this purpose.

Principles of register protection

Electronic application data are stored on the Cultural Foundation’s own server placed in a locked equipment room. The server room has access control, video recorder surveillance, a UPS back-up system, back-up cooling system and a burglary and fire alarm system with certified alarm transmission. The servers are protected with a firewall and the appropriate protection technologies. Only designated technical maintenance people can access the equipment room.

Paper printouts of applications are stored in locked premises.