1. Data controller
Suomen Lähetysseura (Felm)
P.O.Box 56, 00241 Helsinki
Tel. +358 9 129 71
Business ID: 0116962-5
2. Name of the register
Felm’s contact detail register (formerly address register)
3. Contact person
Data Protection Officer Teemu Hirvonen
P.O.Box 56, 00241 HELSINKI
Tel. +358 40 658 3669
4. Legal grounds and purpose of collecting and processing of data
The register is collected on the basis of the legitimate interest of Felm (Article 6(1)(f) of the EU General Data Protection Regulation). The legitimate interest is described in more detail in section 4.1.
The purpose of the register is to maintain a register containing contact and contract details of Felm’s customers, donors (including contact persons and officials in parishes) and volunteers. Persons in the register may be informed of Felm’s activities and campaigns by telephone, SMS, email or post.
Personal data that are obtained from those potentially interested in Felm through events, raffles and other such activities are also stored in the register. When these people are contacted for the first time, they are told how their contact details were obtained, and they are offered the option to have their details deleted from the register.
Customers’ personal data may be processed for the following purposes:
• managing and improving customer relations;
• delivering a service;
• collecting customer details and donations;
• customer transaction verification;
• developing customer services;
• direct marketing and communications;
• analysis and compilation of statistics; and
4.1 The legitimate interests of the controller or a third party
Felm is a non-profit mission organisation of the Evangelical Lutheran Church of Finland. The organisation’s activities rely on donations. The biggest donors are the parishes of the Evangelical Lutheran Church of Finland. Felm also shares information about missionary work and its outcomes with both parishes and individuals, and it supports parishes in promoting global responsibility and missionary work in the parishes.
In order to raise funds and provide services, it is necessary to maintain and process data in the register.
5. If the controller intends to process the personal data for a purpose other than that for which they were collected, the controller should provide the data subject prior to that further processing with information on the other purpose in question and any other necessary information.
If the data are used for any other purpose, the customer will always be duly informed and provided with all necessary additional information and the possibility of prohibiting the change of purpose. Notification is made at the time of the first contact with the new purpose at the latest.
6. Providing personal data in cases where it is a statutory or contractual requirement, or a requirement necessary to enter into a contract. If the data subject is obliged to provide personal data, the possible consequences of failure to provide such data (when the data is collected from the data subject, Article 13).
There is a contractual requirement for product orders (details of the person submitting an order) and contracts with regular supporters and details of volunteers. Processing these requires certain contact and other details that are a prerequisite for a contract.
7. Description of the data, data subjects and categories of personal data
The register may contain the following information concerning the data subjects:
• First and last name
• Email address
• Postal address
• Telephone number
• Year of birth
• Identity number
• Information concerning the customer relationship, such as information about donations, customer feedback and information about contacts made, raffle and competition details, and unsubscription details
• Possible permissions and consents
• Possible restrictions on marketing communications
• Any other information collected with the customer’s consent
• Donation agreements
8. The period for which the personal data will be stored
The data is stored indefinitely as the system also maintains marketing information. A
marketing ban made by a customer is deleted if the personal details are deleted from the register, after which the customer may receive communications that they have banned. For this reason, the data are usually stored indefinitely.
If customers so wish, their personal data and data concerning their children under the age of 13 are always deleted.
9. Regular sources of data
The data in the register are obtained from customers themselves by phone, SMS, form, return form, the internet, email and at events, or when a donor makes a one-time donation or becomes a monthly donor, or when a person has submitted personal data in some other context and is interested in Felm’s products, activities and services.
Addresses, telephone numbers, and email addresses of people working in public offices and parishes can be collected from the parishes’ public websites.
10. Regular disclosure of data
Data can be disclosed to third parties for purposes such as cross-referencing to ensure that old donors and those who have submitted a marketing ban are not approached again. Data may also be disclosed to parties acting as data processor on behalf of the controller.
Disclosures are always subject to a separate agreement that requires the third party to be subject to confidentiality and to observe at least the same level of data protection and security as Felm. This is done by requiring the processor to undertake to comply with Felm’s data protection policy and its personnel’s privacy guidelines. The processor must also undertake to destroy the disclosed data without delay when the use thereof is no longer required.
11. Transferring personal data outside the EU/the EEA
In the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy thereof or where they have been made available.
The transfer from the service to the processor is encrypted, and two-factor authentication is used at login. The system in which data are processed and stored is EU-US and Swiss-US Privacy Shield Frameworks certified. More information about the certificate: https://www.privacyshield.gov/list
12. Principles of protecting the data file
The scale of the security measures is based on Felm’s data security and privacy policies and the annual data inventory. In connection with the data inventory, an assessment is always carried out on the risks to each system and on how Felm has ensured the implementation of data protection obligations in its operations with the necessary technical, administrative and organisational measures.
Personal data can only be processed for the purpose for which they were collected and only by persons authorised to use the data by virtue of their duties.
The register is kept in electronic form only, and only the persons authorised by the controller have the right to use the register. Each user has a personal username and password. The duty of confidentiality binds those who process the data.
13. The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
14. The exercise of the rights of data subjects. These rights are:
1) Right to access their personal data (right of access).
2) Right to request that inaccurate information be rectified.
3) Right to request deletion of data.
4) Right to restrict access to information.
Data subjects can exercise these rights by contacting the contact person (see Section 2). The controller shall respond to requests concerning data subjects’ own personal data without undue delay.
Data subjects can exercise rights 2 and 3 by contacting the Felm customer service team, tel. +358 20 7127 256, email kampanjat(at)suomenlahetysseura.fi or the contact person (see Section 2).
The exception to this rule is contact persons at parishes that make donations. Their personal data cannot be deleted for as long as they remain the contact persons for their parishes. These persons can exercise the other rights by contacting the register’s contact person, their nominated contact person at Felm or Sari Savolainen (firstname.lastname@example.org).
15. If the processing is based on the subparagraph of Article 6(1)(a) of the EU General Data Protection Regulation (the person’s consent) or the subparagraph of Article 9(2) (explicit consent regarding sensitive data), the data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Processing is not based on consent.
16. Right to lodge a complaint with a supervisory authority
Data subjects have the right to lodge a complaint with a supervisory authority if they think that their rights or the scope of the regulation have been infringed.