Privacy Policy

(updated 1 February 2024)

1. Data collected and how it is used

Collection of personal data

The Foundation collects the following data from registered users of its online courses (hereinafter “Course” or “Courses”):

  • First and last names
  • Job information
  • Name of the organisation/company/association (and department)
  • Contact details
  • Country of residence and postcode
  • Language
  • Information about course completion (including information on attendance in different courses, statistics and analysis data on courses, information on exercises and assignments)
  • User actions (including questions answered, data uploaded and data shared from the course platform to external media) and completed modules in the courses
  • Whether written communication is permitted or prohibited (email and post)
  • Other information provided by course attendees when contacting the Foundation
  • Other voluntary information

If an individual contacts the Foundation by email or phone, the Foundation may process the following personal data:

  • First and last names
  • Job information
  • Name of the organisation/company/association (and department)
  • Contact details
  • Country of residence and postcode
  • Language
  • Communication between an individual and the Foundation, customer history
  • Whether written communication is permitted or prohibited (email and post)
  • Other information provided when contacting the Foundation

Technical data, such as analytics data (Google Analytics), may be collected from users. In order to keep information up to date, the Foundation may update personal information using public records, update services or subscription information.

Basis for processing personal data and purpose of processing personal data

The Foundation collects personal data on the basis of its legitimate interest. The legitimate interest is based on enabling and developing course functionality and carrying out the activities mentioned in the Foundation’s by-laws, improving the partner and visitor experience, and implementing direct marketing to fund its activities. However, the Foundation does not use personal data for direct marketing purposes without explicit consent.

The Foundation processes personal data based on the personal data registries presented below. The Foundation does not retain data for longer than is necessary to fulfil the purposes described in this privacy policy and to comply with any other compelling legislation, such as accounting law.

Purposes of the register

The primary purposes of the register are to enable the smooth use of courses by registered users, record course completion data, improve courses, and communicate course-related information.

Secondarily, the register allows for communication with those who register for courses. Communication can include feedback, analysing ideas for development, other surveys, and new discussions related to events, networks and discussions with course attendees and organisations related to courses.

Rights and restrictions of users of the register

The use of the register is limited to those employees and volunteers of the Foundation whose jobs are directly or indirectly related to courses. The Foundation’s employees and volunteers are entitled to process personal data only for the purpose for which it was collected and to the extent necessary. Each individual’s right to access the said databases and systems depends on the tasks of the employee or volunteer in the Foundation.

2. Storage, transfer and disclosure of data

The stored personal data are protected by passwords or other means that prevent parties outside the Foundation from accessing them. The register is stored in electronic format protected by an appropriate database. The Foundation has the right to transfer the register to a new database if it is justified in terms of the course or the Foundation’s activities. If the register is transferred to a new database, the personal data must be erased from the previous database without delay. The Foundation has the right to take printouts or electronic copies of the register as extracts and reports containing personal data. The copies should be stored with the same level of security as the register itself. When there is no urgent need for extracts or reports containing personal data, the copies should be destroyed.

Personal data may only be disclosed or transferred to third parties to the extent permitted by law. Generally, the Foundation only uses personal data for internal purposes and does not transfer personal data to third parties without explicit consent, unless otherwise stated below.

We reserve the right to disclose Personal Data to those third parties working for the Foundation to provide the services for which the personal data was originally collected. The Foundation may use third parties to administer and maintain the courses. In this case, the third party has the right to process personal data to the extent necessary to ensure the functionality of the courses. The Foundation and the service provider enter into a written agreement on the sharing and use of data in advance. The Foundation obligates third parties to keep personal data confidential and handle data protection appropriately. Third parties must not disclose the personal data they receive to other parties or use it for other purposes.

Personal data may also be transferred and disclosed to the competent supervisory and other authorities where required by law or the competent authority. If personal data is transferred outside the EU/EEA, the Foundation ensures that appropriate contractual measures are applied to the transfer (for example, by using the European Commission’s standard contractual clauses), that there is an appropriate legal basis for the transfer, and that the processing and confidentiality of the data meet the requirements of the applicable laws. The Foundation does not disclose personal data to other parties, except in the following circumstances:

  • The person has consented to the disclosure
  • The disclosure is based on law
  • The data is disclosed to an authorised service provider of the Foundation and the processing of personal data has been agreed upon with the service provider

Erasure of data

An individual may unsubscribe from the email list and refuse to receive electronic communications from the Foundation at any time. The Foundation will erase such data as quickly as possible after the request is made. The recommendations of the Finnish Data Protection Ombudsman are followed for the other personal data registers mentioned above. Otherwise, personal data will be retained for as long as necessary to defend legal claims or comply with accounting and other legal obligations. The Foundation may retain data following an erasure request if there is a legitimate reason to retain it, such as a legal obligation.

3. Rights of the individual

Right of access

An individual has the right to know what information about them is being processed by the Foundation. In addition, an individual may demand an explanation of:

  • Why the data is processed
  • To whom the information has been or will be disclosed; and
  • How long the data will be retained.

If it is not possible to specify the exact retention period, the Foundation provides an explanation of the criteria for determining the retention period of the data. The criteria may be based on a specific law or industry-specific guidance, for example.

Right to rectification

If the data is incorrect, an individual has the right to demand the rectification of the data. The individual may request the rectification of the data by contacting the Foundation. The contact details are in the last section of this privacy policy and on the Foundation’s website at www.bsag.fi./en

Right to object to and restrict processing

An individual has the right to object to the processing or profiling of their data when it is processed for direct marketing purposes. An individual has the right to demand the restriction of processing of their personal data, including when the information about them is not accurate. In addition, an individual has the right to object to the processing of their personal data in certain circumstances where the grounds are a special personal situation. An individual may invoke their right to object to and restrict processing by contacting the Foundation. The contact details are in section 4 of this privacy policy.

Right to lodge a complaint

An individual has the right to lodge a complaint with the national data protection supervisory authority if they feel that the processing of personal data violates the data protection legislation.

4. Contact details

Controller:

Foundation for a Living Baltic Sea sr (2177822-5),
Keilaranta 5, 02150, Espoo;
 www.bsag.fi

Person in charge:
Ville Wahlberg, Managing Director of the Foundation
ville.wahlberg@bsag.fi
tel. +358 45 125 1322

Any individual wishing to submit a request, notification or question regarding the processing of personal data may contact the Foundation’s Managing Director.