Privacy Notice – Castrén & Snellman’s 135th Anniversary Scholarship Programme

Date of drafting 15 March 2023

 

1 Controller

Castrén & Snellman

Business ID: 0103602-1

Street address: Eteläesplanadi 14, FI-00130 Helsinki, Finland

Postal address: PO Box 233

 

2 Legal basis and purposes of processing

We process the collected personal data in order to implement the scholarship programme. The purpose of the scholarship programme is to award monetary scholarships to young people who have demonstrated social activism. The scholarships are awarded to support the studies of the chosen recipients.

The processing of personal data in the scholarship application process is necessary for the processing of applications and the implementation of the scholarship programme. When the applicant has filled in the scholarship programme application themselves, the processing of personal data is based on the applicant’s consent. It is also possible to refer another person for a scholarship. When the referee fills in the referral form, the processing of the referee’s personal data is based on the referee’s consent. With respect to the referred person, the processing of personal data is based on the data controller’s legitimate interest. The referred person will receive a notification of the referral via email, together with the referee’s name, a link to review the privacy notice, and the terms and conditions of the scholarship programme.

The data controller may publish the names of the scholarship recipients on its website and marketing channels based on legitimate interest.

 

3 Personal data collected

We collect the following personal data about the applicant:

  • name
  • age
  • address
  • email address
  • phone number
  • educational institution and study programme
  • any other information the applicant includes in the application
    • transcript of studies, personal identification number and bank account details (only for applicants who are chosen as scholarship recipients).

With respect to referees, we only collect their name.

 

4 Retention period of personal data

We store the applicant’s personal data for two years after the end of the scholarship programme. With respect to the paid scholarships, data is stored in accordance with applicable accounting legislation.

We will erase the referees’ personal data after the scholarship programme has ended.

 

5 How data is collected

We collect personal data from the data subject when they fill in the scholarship programme application form. It is also possible to refer another person for a scholarship. Referees are asked to fill in their own name and the name and email address of the referred person in a separate application form, after which the referred person will receive a notification of the referral via email together with the referee’s name and an invitation to fill in the application form and review the privacy notice and the terms and conditions of the scholarship programme.

 

6 Disclosure or transfer of data

Processing tasks may be outsourced to service providers in accordance with and within the limits set by data protection legislation. Surveypal Inc implements the application form functionality on our behalf. We use agreements to ensure that the service providers acting on our behalf process personal data in compliance with the data controller’s instructions and this privacy notice.

 

7 Transfer of data outside the EU/EEA

Personal data may be transferred outside the European Union or the European Economic Area in accordance with and within the limits set by data protection legislation. We have ensured an adequate level of data protection in accordance with the conditions of the EU General Data Protection Regulation, including in situations where data is transferred outside the EU or the EEA, by complying with the adequacy decisions set by the European Commission and using, where appropriate, the new standard contractual clauses adopted by the European Commission and, where appropriate, supplementary safeguards.

 

8 Security measures

The data is stored appropriately in servers located in protected facilities. The technical data security of the servers is controlled by several different means. Access to the data is managed using role-based management of access rights, and the use of the data is monitored constantly.

The purpose of the activities above is to secure the confidentiality of the personal data stored by the data controller, the availability and integrity of the data and the realisation of the rights of the data subjects.

 

9 Automated decision-making

Personal data is not used for automated decision-making that would have legal or similar effects concerning the data subject.

 

10 Rights of the data subject

Right to access

Data subjects have the right to receive confirmation from the controller on whether or not the controller is processing personal data that concerns them. The controller must provide the data subject with a copy of the personal data being processed. The access request must be made in accordance with the instructions given in this privacy notice. Exercising this right is generally free of charge.

Right to request rectification, erasure or restriction of processing of personal data

To the extent that the data subject can act themselves, the data subject must without undue delay after having been informed of an error or after detecting an error on their own initiative rectify, erase or supplement data contained in the register if it is erroneous, unnecessary, incomplete or obsolete with respect to the purpose of the register.

If the data subject cannot rectify or erase the data on their own, they must request rectification or erasure in accordance with section Contacts of this privacy notice.

The data subject also has the right to demand that the data controller limit the processing of their personal data, for example, when the data subject is waiting for the data controller’s response to a request to rectify or erase their data.

Right to object

The data subject has the right to object to profiling and other processing of their personal data by the controller on grounds related to their particular situation if the processing is based on the controller’s legitimate interest.

The data subject can make their objection in accordance with section Contacts of this privacy notice. The data subject must specify the particular situation forming the grounds for the objection when making the demand. The controller can refuse to comply with the objection on the grounds set out in law.

Right to data portability

If the data subject has provided data for the register themselves and such data is processed based on the data subject’s consent, the data subject has the right to receive the data primarily in a machine-readable format and to transmit such data to another data controller.

Right to lodge a complaint with the supervisory authority

The data subject has the right to lodge a complaint with the competent supervisory authority if the data subject considers that the controller has not complied with the data protection regulations applicable to its operations.

Right to withdraw consent

If personal data is processed based on the data subject’s consent, the data subject has the right to withdraw their consent by notifying the data controller of this in accordance with section Contacts of this privacy notice. Withdrawal of consent does not affect the lawfulness of the processing carried out prior to the withdrawal of consent.

 

11 Contacts

In all matters relating to the processing of personal data and in situations involving the exercise of rights, the data subject should contact the data controller by sending an email to privacy@castren.fi.