Finnish Standards Association SFS’s Privacy Policy for Standardisation

This privacy policy describes how the SFS Finnish Standards (SFS) as the responsible data controller processes your personal data in the data systems for standardisation work. As regards certain international data systems, SFS acts as a responsible joint data controller together with the respective international standards organisation as described in more detail below.

1. Personal Data That We Collect

When you participate in standardisation work coordinated by SFS, we collect the following personal data about you in the data systems for standardisation work: your name, your job title, the organisation you represent, your contact information, your membership in a standardisation group or working group, the stakeholder you represent and other additional information you may give. This information may also be collected if you register to follow specific standardisation work, even if you do not participate in the group’s work.

SFS may also add, collect and store the information on whether you have given your consent to receiving industry newsletters.

SFS obtains this data primarily from you. When you join a standardisation group or a working group preparing a Finnish standard, your data will be collected through an electronic form. The data will be stored in a data system under SFS’s responsibility. In addition, the standards writing body that is responsible for the standardisation group or working group may in this context collect data about you for itself as well, for example, in connection with invoicing. For more information on this, contact the standards writing body in question. SFS is not responsible for the collecting or processing of this other data, except to the extent that SFS itself acts as the standards writing body.

When you use SFS’s online services, we may also collect data about you with respect to these services. This data has been described in more detail in SFS’s privacy policy for customer and marketing data.

2. Purpose and Legal Basis of Collecting Your Personal Data

SFS collects and processes your aforementioned personal data primarily to exercise our legitimate interest in coordinating and managing standardisation activities and work in Finland and to keep a record of parties that have participated in the preparation of standards. Providing the data requested by SFS is necessary for you to participate in standardisation activities.

SFS may also process this data to exercise our legitimate interest in developing cooperation in the field of standardisation and standardisation activities and to market standards and standardisation activities. However, SFS may in some situations also separately request your consent, for example for sending newsletters that include marketing.

SFS may also process your data to exercise our legitimate interest in defence against legal claims when necessary or to make such claims, for example in relation to receivables.

3. Data Storage on International Data Systems

Your personal data is generally stored on a global data system, i.e. a Global Directory of an international standards organisation. With respect to data stored on these directories, SFS acts, where applicable, as a jointly and severally liable joint data controller together with the international standards organisation in question. Parties participating in international activities have access to this data also outside the EU/EEA.

The CEN-CENELEC Guide 37 for standardisation has more information on how personal data can be processed in international data systems. The guide is currently under preparation.

4. Other Disclosure and Transfer of Your Personal Data

As described above, third parties may have access to your personal data as part of international data systems for standardisation.

SFS may also disclose your personal data, for example, to the following parties:

(1) other members of the standardisation group;
(2) the standards writing body responsible for the standardisation group;
(3) persons that on a case-by-case basis have legitimate interest in receiving information related to the preparation of a certain standard.

In addition, SFS may also use external service providers for collecting and processing the data set out above. These parties may include companies from which SFS buys IT services such as server space or server room services. SFS also uses an external service provider for direct marketing. These technical service providers act as data processors on behalf of SFS. Agreements between SFS and these service providers ensure the safe processing of your personal data in these situations as well.

As part of the actions described above, your personal data may also have to be disclosed or transferred to third countries outside the EU/EEA that do not safeguard a similar data protection level than the EU. In these situations SFS seeks, as required by law, to ensure that the data is processed safely in third countries as well. SFS enters into agreements with our service providers in accordance with the EU Commission’s model contract clauses that ensure the safe data processing in third countries. SFS ensures safe and lawful data processing abroad by other means as well. In some situations, a special ground for exemption (such as substantial public interest) may be applicable to disclosing data to a third country.

With respect to international data systems, the international standards organisation that manages the system is responsible for the legality of data transfer.

5. Storage Period of Your Personal Data

The aforementioned personal data related to standardisation work is stored in identifiable form at least for the duration of your standardisation group membership. To the extent that the data is reasonably necessary for documenting the preparation history of a standard, the data may be stored longer.

The data may also be stored, as applicable, longer than the period mentioned above if, for example, accounting legislation or other legal obligations so require. In addition, the data may be stored longer if SFS has a reasonable doubt that it will be needed in a possible legal dispute in the future.

When the mentioned storage period ends, your personal data will either be deleted or anonymised in such a way that it is no longer possible to identify an individual based on the data.

Some of your data may be transferred to SFS’s marketing register. This data has been described in more detail in SFS’s privacy policy for customer and marketing data.

6. Your Rights Pursuant to Data Protection Law

Pursuant to applicable data protection regulation, you have the following rights as regards your personal data set out above:

(a) to check the personal data about you stored by SFS and, in certain cases, the right to demand a copy of your data or its transfer to another data system;
(b) to demand the correction of incorrect or incomplete data;
(c) to demand the deletion of outdated or unnecessary data from SFS’s filing system;
(d) to demand a temporary limitation on data processing until another claim related to your data has been resolved;
(e) to object to using your data for direct marketing or, when your particular situation so requires, for safeguarding SFS’s legitimate interests.

In situations where SFS processes your personal data based on your consent, you have the right to withdraw your consent at any time. However, this will not affect the lawfulness of actions carried out before you withdrew your consent.

If you are dissatisfied with how SFS has processed your personal data, you can also lodge a complaint to competent data protection authorities. In Finland this means the Office of the Data Protection Ombudsman (see tietosuoja.fi/en).

7. Contacts

In matters related to this privacy policy or your personal data you can contact SFS with the following contact details:

SFS Finnish Standards
Malminkatu 34, 00100 Helsinki, Finland
PO Box 130, 00101 Helsinki, Finland
Tel. +358 9 149 9331
E-mail: standardeista@sfs.fi

8. Changes

SFS may update this policy from time to time. If necessary, we will announce material changes separately.

The effective date of this privacy policy version is 1 June 2021.