1. Personal Data That We Collect
When you participate in standardisation work coordinated by SFS, we collect the following personal data about you in the data systems for standardisation work: your name, your job title, the organisation you represent, your contact information, your membership in a standardisation group or working group, the stakeholder you represent and other additional information you may give. This information may also be collected if you register to follow specific standardisation work, even if you do not participate in the group’s work.
SFS may also add, collect and store the information on whether you have given your consent to receiving industry newsletters.
SFS obtains this data primarily from you. When you join a standardisation group or a working group preparing a Finnish standard, your data will be collected through an electronic form. The data will be stored in a data system under SFS’s responsibility. In addition, the standards writing body that is responsible for the standardisation group or working group may in this context collect data about you for itself as well, for example, in connection with invoicing. For more information on this, contact the standards writing body in question. SFS is not responsible for the collecting or processing of this other data, except to the extent that SFS itself acts as the standards writing body.
2. Purpose and Legal Basis of Collecting Your Personal Data
SFS collects and processes your aforementioned personal data primarily to exercise our legitimate interest in coordinating and managing standardisation activities and work in Finland and to keep a record of parties that have participated in the preparation of standards. Providing the data requested by SFS is necessary for you to participate in standardisation activities.
SFS may also process this data to exercise our legitimate interest in developing cooperation in the field of standardisation and standardisation activities and to market standards and standardisation activities. However, SFS may in some situations also separately request your consent, for example for sending newsletters that include marketing.
SFS may also process your data to exercise our legitimate interest in defence against legal claims when necessary or to make such claims, for example in relation to receivables.
3. Data Storage on International Data Systems
Your personal data is generally stored on a global data system, i.e. a Global Directory of an international standards organisation. With respect to data stored on these directories, SFS acts, where applicable, as a jointly and severally liable joint data controller together with the international standards organisation in question. Parties participating in international activities have access to this data also outside the EU/EEA.
The CEN-CENELEC Guide 37 for standardisation has more information on how personal data can be processed in international data systems. The guide is currently under preparation.
4. Other Disclosure and Transfer of Your Personal Data
As described above, third parties may have access to your personal data as part of international data systems for standardisation.
SFS may also disclose your personal data, for example, to the following parties:
(1) other members of the standardisation group;
(2) the standards writing body responsible for the standardisation group;
(3) persons that on a case-by-case basis have legitimate interest in receiving information related to the preparation of a certain standard.
In addition, SFS may also use external service providers for collecting and processing the data set out above. These parties may include companies from which SFS buys IT services such as server space or server room services. SFS also uses an external service provider for direct marketing. These technical service providers act as data processors on behalf of SFS. Agreements between SFS and these service providers ensure the safe processing of your personal data in these situations as well.
As part of the actions described above, your personal data may also have to be disclosed or transferred to third countries outside the EU/EEA that do not safeguard a similar data protection level than the EU. In these situations SFS seeks, as required by law, to ensure that the data is processed safely in third countries as well. SFS enters into agreements with our service providers in accordance with the EU Commission’s model contract clauses that ensure the safe data processing in third countries. SFS ensures safe and lawful data processing abroad by other means as well. In some situations, a special ground for exemption (such as substantial public interest) may be applicable to disclosing data to a third country.
With respect to international data systems, the international standards organisation that manages the system is responsible for the legality of data transfer.
5. Storage Period of Your Personal Data
The aforementioned personal data related to standardisation work is stored in identifiable form at least for the duration of your standardisation group membership. To the extent that the data is reasonably necessary for documenting the preparation history of a standard, the data may be stored longer.
The data may also be stored, as applicable, longer than the period mentioned above if, for example, accounting legislation or other legal obligations so require. In addition, the data may be stored longer if SFS has a reasonable doubt that it will be needed in a possible legal dispute in the future.
When the mentioned storage period ends, your personal data will either be deleted or anonymised in such a way that it is no longer possible to identify an individual based on the data.
6. Your Rights Pursuant to Data Protection Law
Pursuant to applicable data protection regulation, you have the following rights as regards your personal data set out above:
(a) to check the personal data about you stored by SFS and, in certain cases, the right to demand a copy of your data or its transfer to another data system;
(b) to demand the correction of incorrect or incomplete data;
(c) to demand the deletion of outdated or unnecessary data from SFS’s filing system;
(d) to demand a temporary limitation on data processing until another claim related to your data has been resolved;
(e) to object to using your data for direct marketing or, when your particular situation so requires, for safeguarding SFS’s legitimate interests.
In situations where SFS processes your personal data based on your consent, you have the right to withdraw your consent at any time. However, this will not affect the lawfulness of actions carried out before you withdrew your consent.
If you are dissatisfied with how SFS has processed your personal data, you can also lodge a complaint to competent data protection authorities. In Finland this means the Office of the Data Protection Ombudsman (see tietosuoja.fi/en).
Finnish Standards Association SFS
Malminkatu 34, 00100 Helsinki, Finland
PO Box 130, 00101 Helsinki, Finland
Tel. +358 9 149 9331
SFS may update this policy from time to time. If necessary, we will announce material changes separately.