Under the General Data Protection Regulation (GDPR), the controller is obliged to clearly inform the data subjects.
This notice fulfils that obligation to inform the data subjects.
1. Name of the controller and register
The European Centre of Excellence for Countering Hybrid Threats (“Hybrid CoE”), business ID 2841395-8
Unioninkatu 20–22, 00130 Helsinki
Contact details in register matters:
Unioninkatu 20–22, 00130, 00531 Helsinki
European Centre of Excellence for Countering Hybrid Threats website data protection notice
2. Data subjects
The data subjects whose personal data are processed are visitors to the Hybrid CoE website and subscribers to the Hybrid CoE’s newsletter or press releases.
3. Legal basis and purpose for personal data processing
In the first instance, processing is based on the Hybrid CoE’s legitimate interest of ensuring its website functions well, is safe and may be developed.
With the consent of a data subject, the Hybrid CoE may also install non-essential cookies, for example, to monitor visitor numbers and to compile statistics about website usage.
Processing of personal data of subscribers to the Hybrid CoE’s newsletter and/or press releases is based on the data subject’s consent.
4. Personal data stored in the register
The following data, among others, about the data subject may be stored:
- IP address
- Cookie data
The following data are only collected from subscribers to the Hybrid CoE ’s newsletter:
- Email address
- Areas of interest
5. Data subject’s rights
The data subject has the following rights. Requests regarding exercise of these rights should be sent to:
Hybrid CoE, Unioninkatu 20–22, 00130 Helsinki
Or by email:
Right of inspection
The data subject may inspect the personal data which the Hybrid CoE has stored.
Right to request rectification
The data subject may request rectification of inaccurate and/or deficient personal data.
Right to object
The data subject may object to processing of his or her personal data if he or she considers that his or her personal data have been processed unlawfully.
Objection to direct marketing
The data subject has the right to forbid the use of his or her data for direct marketing.
Right to demand data erasure
The data subject has the right to request erasure of his or her data if processing of the data is unnecessary. The Hybrid CoE will process the erasure request and then either erase the data or supply legitimate grounds for not erasing the data.
It should be noted that the controller may have a legal or other right not to erase the data. The controller is obliged to store accounting materials for the time (10 years) laid down by the Accounting Act (1336/1997, Chapter 2 Section 10). For this reason, accounting-related material may not be erased before the end of this period.
Withdrawal of consent
If processing of the data subject’s personal data is based on consent alone, the data subject may withdraw that consent.
Right to demand limitation of processing
The data subject has the right to demand the Hybrid CoE limit the processing of disputed data until the matter is resolved.
Data subject’s right to data portability
Insofar as the data subject has personally submitted data to the register, which are processed on the basis of consent, the data subject has the right to receive the data, as a general rule in machine readable format, and transfer them to another controller.
Right to complaint
The data subject has the right to make a complaint to the Data Protection Ombudsman if he or she considers that the Hybrid CoE has breached data protection legislation while processing personal data:
Data Protection Ombudsman contact details:
6. Regular data sources
The Hybrid CoE collects personal data from the data subject when he or she uses the Hybrid CoE’s website or when he or she subscribes to the Hybrid CoE’s newsletter or press releases.
7. Regular data disclosures
Data are not disclosed outside the Hybrid CoE. In exceptional cases, however, they may be disclosed to partners performing a certain task for the Hybrid CoE (e.g. completion of email lists or development of data systems). These partners are bound by a non- disclosure obligation and have committed to abiding by the requirements of the GDPR and processing personal data in accordance with the Hybrid CoE’s instructions and this data protection notice.
Key parties to whom processing tasks have been outsourced:
- Lyyti Oy (subscription to email list)
- Google Analytics (service provider of Hybrid CoE’s website analytics)
8. Storage time of personal data
The Hybrid CoE stores personal data for no more than 14 months, after which they are erased. For newsletter subscribers, personal data are stored for the duration of the subscription to the newsletter and for 14 months after the end of subscription.
9. Data protection
The Hybrid CoE’s employees process the customer register. The Hybrid CoE instructs employees on data use, and use is limited by user authorizations. Paper material is stored in a locked room and electronic material is protected by a firewall. Personal data protection in accordance with European and Finnish data protection notification, this data protection notice and in a generally appropriate fashion by the Hybrid CoE’s third-party processors named in section 7 is guaranteed through contractual arrangements.
10. Transfer of data outside the EU
As a general rule, the Hybrid CoE does not transfer or disclose personal data in this register outside the EU or EEA. However, some Hybrid CoE service providers may operate outside the EU or EEA, in which case the Hybrid CoE ensures a sufficient level of personal data protection via the European Commission’s Standard Contractual Clauses or other legal transfer mechanism.
11. Automatic decision-making and profiling
The Hybrid CoE does not use data for automatic decision-making or profiling.