May 2018
According to the General Data Protection Regulation (GDPR), the data controller is obligated to inform the data subjects in a clear manner.
This policy meets the requirement for informing the data subjects.
1. Data controller
The European Centre of Excellence for Countering Hybrid Threats, business ID 2841395-8
Contact information:
PO Box 72
FI-00531 Helsinki, Finland
Contact information for register-related enquiries
PO Box 72
FI-00531 Helsinki, Finland
2. Data subjects
Collaboration partners of Hybrid CoE
3. Intended purpose of personal data processing
Grounds for keeping the register:
- Maintenance of collaboration relationships
- Management of collaboration relationships and marketing
Intended purpose of the register and personal data processing
Personal data shall only be processed for predetermined purposes, which are:
- Management of collaboration relationships
- Provision of information on events
4. Personal data saved in the register
The collaboration register contains the following information:
- Name
- E-mail address
- Organisation
- Phone number
5. Rights of the data subject
The data subject has the following rights, and the requests concerning the exercising of the rights must be made at the following addresses:
By post:
Hybrid CoE, PO Box 72, FI-00531 Helsinki, Finland
Via e-mail:
Right to inspect the data
The data subject has the right to inspect the personal data we have saved about them.
Right to rectification of data
The data subject may request the rectification of the incorrect or insufficient data saved about them in the register.
Right to object
The data subject may object to the processing of their personal data if they feel that the personal data has been processed in an unlawful manner.
Right to forbid direct marketing
The data subject has the right to forbid the use of their personal data for direct marketing purposes.
Right to request the erasure of data
The data subject has the right to request the erasure of their personal data if the processing is not necessary. We will process the erasure request and then either erase the data or provide the data subject with a justified reason for not being able to erase the data.
Attention should be paid to the fact that the data controller may have a statutory or other right not to erase the requested data. The data controller is obligated to store the bookkeeping material for the duration of the period (10 years) stipulated in the Finnish Accounting Act (chapter 2, section 10). For this reason, material related to accounting cannot be erased before the expiry of the said period.
Withdrawal of consent
If the personal data processing concerning the data subject is only based on consent and not, e.g., on clientship or membership, the data subject may withdraw their consent.
The data subject may file an appeal against the decision with the Data Protection Ombudsman.
The data subject has the right to demand that we restrict the processing of the controversial data until the issue is solved.
Right to file a complaint
The data subject has the right to file a complaint with the Data Protection Ombudsman if they feel that we are in breach of the applicable data protection legislation when we are processing personal data.
Contact information of the Data Protection Ombudsman:
6. Regular sources of information
Information concerning the collaboration relationship is regularly acquired from:
- The data subjects themselves at the beginning of the collaboration relationship
- The business cards received from the data subjects themselves
- The data in the client register may be updated with the aid of registers kept by the authorities, such as the trade, association, and foundation registers.
7. Regular release of data
Data shall not be released outside Hybrid CoE, except in the possible case of contractual partners, which are bound by an obligation of professional secrecy and committed to complying with the requirements of the General Data Protection Regulation, performing a certain task (e.g., clientship or service management, monitoring of safety, supplementation of client data, or development of information systems) on behalf of Hybrid CoE.
8. Duration of processing
- Personal data shall mainly be processed for as long as the clientship is in force.
- You can exit our marketing list by requesting the erasure of your contact information by sending an e-mail to
9. Processors of personal data and the protection of data
The content of the client register shall be processed by the employees of Hybrid CoE. The employees have been instructed on the use of personal data, and the use is restricted with the aid of access rights. Manual material shall be stored in a locked facility, and electronic material shall be stored so that it is protected by a firewall. It has been ensured with contractual arrangements with the external processors specified in section 7 that personal data is only processed in accordance with the applicable data protection legislation and in an otherwise appropriate manner.
10. Transfer of data outside the EU
Primarily, the data controller shall not transfer or release the personal data contained by this register outside the EU or the EEA, unless it is necessary for the above-mentioned purposes of personal data processing or the technical implementation of the processing, in which case we will ensure a sufficient level of personal data protection by, e.g., agreeing upon matters related to the confidentiality and processing of personal data in a manner required by the legislation.
11. Automatic decision making and profiling
We do not use personal data for automatic decision making or profiling.