JA Finland privacy policy:

1. Controller

Controller          Nuorten yrittäjyys ja talous NYT ry (hereinafter also referred to as “NYT” or “the Association”)
Business ID                      0202391-9
Address                          Eteläranta 10, 00130 Helsinki
Tel.                       +358 (0)400 888 999
Contact person            Data Protection Officer Ville Salo, ville.salo@nuortennyt.fi

2. Name of the register

Customer register of Nuorten yrittäjyys ja talous NYT ry.

3. Legal grounds and the purpose of processing personal data

The purpose of using the customer register is to maintain NYT’s customer register and manage the customer relationship. The data in the customer register is also processed and archived in order to comply with the statutory obligations of the Association (incl. the obligations of the Accounting Act (1336/1997)). The personal data will also be used to develop the Association’s operations, investigate the effectiveness of NYT’s services and to produce more personalised targeted content on our online services. Personal data is processed within the limits of the European Union’s General Data Protection Regulation (EU 2016/679) and other applicable data protection legislation.

The data in the register can be used in the Association’s own registers to target advertising without disclosing personal data to third parties, for example. The Association may use partners to maintain the customer and service relationship, in which case some of the personal data in the register may be transferred to the partner’s servers due to technical requirements (see section 5). In this case, the data will only be processed for the maintenance of the Association’s customer relationship through technical interfaces. The Association has the right to publish the information contained in the customer register as an electronic or written list, unless the customer specifically prohibits it. Here, a list means, for example, address stickers for direct mail or the like. The customer has the right to refuse the publication of their data by notifying the Association by email (tietosuoja(a)tat.fi) or the customer register contact person.

Personal data is not used for automated decision-making or profiling.

The processing of the personal data of users who have signed up for digital services is based on an agreement.

The processing of personal data in training and events or for their purpose, as well as the processing of the personal data of the contact persons of corporate customers is based on a legitimate interest.

The processing of personal data concerning special diets and any non-essential cookies is based on consent.

4. Grounds for legitimate interest

The legitimate interest of the processing of personal data in the customer register is based on enabling and effectively conducting of the activities of the Association in accordance with the law and regulations. The grounds for the processing of personal data are always based on a legal basis defined individually for each register, and the legitimate interest has been assessed and its existence has been verified by way of a balancing test.

5. Recipients and groups of recipients

• Sarkain Oy (3180183-9) acts as the processor of personal data with regard to the technical data processing environment of the Duunikoutsi application’s customer data.
• Into-Digital Oy (2241331-6) acts as the processor of personal data with regard to the technical data processing environment of the Yrityskylään application’s customer data.
• TriMedia (2007948-1) and Into-Digital Oy (2241331-6) act as the processors of personal data with regard to the technical data processing environment of the Opeportaali customer data.
• TalentAdore (2657117-8), Zef Oy (0640379-1) and Meta (WhatsApp) act as the processors of personal data with regard to the technical data processing environment of the Summer entrepreneur programme data.
• Mediamaisteri (2660036-2) acts as the processor of personal data with regard to the technical data processing environment of the Business Course and Investor customer data.
• CRM-Service Oy (2132453-0) acts as the processor of personal data with regard to the technical data processing environment of the contact persons of corporate customers.
• Zef Oy (0640379-1) acts as the processor of personal data with regard to the technical data processing environment in conjunction with surveys and event registrations.
• Microsoft’s
  O365 environment is also used as the basic data processing environment of personal data, with Elisa Corporation (0116510-6) acting as the processor

Other outsourcing partners (especially financial administration) also act on behalf of the controller, where applicable.

Outsourcing partners in the implementation of financial administration are:

• Accountor Finago Oy (0836922-4), accounting and invoicing software Procountor
• Accountor Services Oy (0932167-9), HR and payroll software Mepco, as well as the processing of personal data related to accounting, the payment of expenses and other invoices and compensation for work

An agreement on the processing of personal data is concluded with all outsourcing partners that process personal data.

The information is only used by the association, except when using an external service provider either to provide a value-added service or to support a credit decision. Personal data in the customer register may also be disclosed to other personal data registers of the Association, for example, in order to send newsletters.

6. Data content of the register

The data to be stored in the register is:

• First and last name
• Organisation and position (where applicable, with regard to the contact persons of corporate customers)
• Email
• Address
• Phone number
• Date of birth
• URL (where applicable, with regard to the contact persons of corporate customers)
• IP address
• Information on the content of the cooperation, such as the use of the training and services provided by the Association, acting as a partner in a service, funding the Association or other supporting activities
• Special diets, only for use for a specific occasion and its catering. The information is collected with the person’s consent and, if necessary, relayed to an external restaurant service provider.
• All information relating to competence and education, such as professional experience, education, skills and strengths, courses taken and qualifications
• Gender
• Age and year of birth
• Employment and study situation
• Cookies in connection with the use of websites

7. Regular sources of information and the nature of the provision of personal data

Information is obtained from registrations made by the customer and from notifications made by the customer during the customer relationship. The Association also collects customer data from, for example, websites, other customers or other persons who, otherwise, know customers.  Updates to name and contact information are also obtained from the authorities and companies that provide update services, such as the YTJ information service or Fonecta.

There is no legal obligation to provide personal data to the Association, but certain personal data is required in order for the Association and the data subject (or the background community of the data subject) to enter into and act in accordance with agreements.

If the data subject does not provide personal data to the Association, the conclusion and performance of agreements between the Association and the data subject (or the registered background community) may be partially or completely prevented.

8. Retention period of personal data

The personal data will be stored in the customer register for as long as the customer relationship or cooperation is valid. After the termination of the customer relationship, the data is retained for 10 years.

However, for obligations under the Accounting Act, personal data is stored for the retention periods laid down in chapter 2, section 10 of the said Act.

If the personal data is no longer needed or has expired, it is deleted. The timeliness and necessity of personal data is reviewed at regular intervals.

Personal data will also be deleted if the processing (incl. storage) no longer serves a purpose.

9. Regular transfer of data outside the EU or the European Economic Area

Personal data is not regularly disclosed outside the Association. Irregular transfers are described in section 5 above.

Personal data is not transferred outside the European Union or the European Economic Area.

10. Register security principles

Manual data: Contact information collected at customer events and other documents containing customer information that are processed manually are stored in locked and fireproof storage facilities after initial processing. Only designated employees of the Association have the right to process manually stored customer information. The protection and processing of data in the customer register comply with data protection legislation, principles, regulations issued by the authorities and good data processing practice.

Digital data: Employees of the Association and the companies acting on its behalf have the right to access the customer register and maintain its data only to the extent that the use of data is absolutely necessary in order to carry out services relating to the customer relationship in performing the employee’s work duties. Each designated user has their own personal username and password. The systems used for maintaining customer registers are protected by appropriate modern technical solutions protecting external connections to the system. The protection and processing of data in the customer register comply with data protection legislation, principles, regulations issued by the authorities and good data processing practice.

11. Cookies

Our website uses cookies. A cookie is a small text file that is sent to a user’s computer and stored there. Cookies do not harm users’ computers or files. The primary purpose of the use of cookies is to improve and customise the visitor’s user experience on the website, as well as to analyse and improve the functionality and content of the website.

The information collected through cookies can also be used to target communications and marketing, as well as to optimise marketing measures. The visitor cannot be identified by cookies alone. However, the information obtained through cookies may be linked to information obtained from the user in other contexts, such as when the user fills in a form on our website.

12. Right of the data subject to object to the processing of personal data

The data subject has the right to object to the processing of personal data based on the legitimate interest of the Association or a third party. However, there is no right to object if the Association can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or if the processing is necessary for the establishment, exercise or defence of legal claims.

The data subject also has the right to object at any time to the processing of their personal data for the purposes of direct marketing (including profiling for the purposes of direct marketing). In this case, the Association must stop processing the data subject’s personal data for this purpose.

In order to exercise the right to object, the data subject must submit a request in writing to the Association (incl. electronically to the address tietosuoja(a)tat.fi) or to the contact person of the register. The request must specify which personal data the request concerns and on what grounds.

If the Association does not take action on the basis of the data subject’s request for objection, the Association informs the data subject of the reasons without delay and at the latest within one month of receiving the request, and informs the data subject of the possibility to lodge a complaint with the supervisory authority (see section 13) and to use other legal remedies.

The actions of the Association for the establishment, exercise or defence of legal claims or other grounds arising from compelling legislation (including any adverse effects on the rights or freedoms of third parties) may, on a case-by-case basis, prevent or restrict the exercise of the data subject’s right of objection.

13. Other rights of the data subject

Right to withdraw consent: The data subject has the right to withdraw their consent regarding the processing of personal data at any time. In this case, the Association will terminate the processing of the personal data unless the Association has other applicable legal grounds for the processing of personal data.

Right of access to personal data:The data subject has the right to access their personal data in the customer register and obtain a copy of it, if they so wish.

Right to transfer data from one system to another: If the processing of personal data is based on consent or an agreement, the data subject has the right to receive the personal data that they have provided to the Association in a structured, commonly used and machine-readable format, and has the right to transmit the data to another controller.

Right to erasure of personal data: The data subject has the right to have their personal data deleted from the customer register if:

• the personal data is no longer needed for the purposes for which it was collected or otherwise processed;
• the data subject withdraws the consent on which the processing was based and there are no other legal grounds for the processing;
• the data subject has objected to the processing based on the legitimate interest of the Association or a third party (see section 12) and there is no justified reason for the processing;
• the data subject objects to the processing for direct marketing purposes (see section 12 above) – in this case, the right of erasure only applies to data that is used exclusively for direct marketing;
• the personal data has been unlawfully processed; or
• the personal data has been collected from the child in connection with the provision of an information society service (for example, the Duunikoutsi service).

Right to rectification of personal data: The data subject has the right to have incorrect, unnecessary, outdated or incomplete personal data in the register corrected, deleted or supplemented. The Association will inform the party to which the incorrect information was transferred of the rectification of the error.

Right of restriction: The data subject has the right to request the processing of personal data to be restricted if:

• they contest the accuracy of the personal data, in which case the processing is restricted for the period during which the Association can verify the accuracy of the personal data;
• the processing is unlawful and the data subject objects to the erasure of the personal data and, instead, requests the restriction of its use;
• the Association no longer requires the personal data for the purposes of the processing, but the data subject requires it for the establishment, exercise or defense of legal claims; or
• they object to the processing based on the legitimate interest of the Association or a third party for the time necessary to determine whether the legitimate interest of the Association or a third party overrides the grounds of the data subject.

Right to lodge a complaint with a supervisory authority: The data subject has the right to lodge a complaint with the supervisory authority regarding the processing of personal data, in particular if they consider that the processing violates the General Data Protection Regulation of the European Union. Besides Finland, the complaint may also be lodged in the member state in which the data subject has a permanent place of residence or employment.

The contact details of the Finnish national supervisory authority are:

The Office of the Data Protection Ombudsman
P.O. Box 800
00531 Helsinki
(street address: Lintulahdenkuja 4, 00530 Helsinki)

tel. +358 (0)29 56 66700
tietosuoja@om.fi
www.tietosuoja.fi

In order to exercise these rights, the data subject must submit a request in writing to the Association (incl. electronically to the address tietosuoja(a)tat.fi) or to the contact person of the register. The request must specify which personal data the request concerns and on what grounds.

If the Association does not take action on the basis of the data subject’s request for objection, the Association informs the data subject of the reasons without delay and, at the latest, within one month of receiving the request, and informs the data subject of the possibility to lodge a complaint with the supervisory authority and to use other legal remedies.

The actions of the Association for the establishment, exercise or defence of legal claims or other grounds arising from compelling legislation (including any adverse effects on the rights or freedoms of third parties) may, on a case-by-case basis, prevent or restrict the exercise of the data subject’s right.