Purpose of processing personal data and legal basis

Personal data is being processed in order to implement the contract signed between the File Controller and the Registered Person and, where applicable and subject to the prior consent of the Registered Person, also in connection to and to facilitate measures relating to membership management such as orders, registration, contacts, and reporting.

Purchase and service use data and location data processed as part of the register can also be used for customer communications based on the interests of the Registered Person. Personal data will also be processed in connection to the sending of newsletters and to participation in events.

If the Registered Person fails to provide information that is required to register, the File Controller cannot accept the said registration or commit to the contract between the File Controller and the Registered Person. By submitting personal data when registering as a member, the Registered Person agrees to processing, storing and transfer of personal data as outlined in this document. 

Storage period of personal data

Membership register: Personal data will be stored for as long as it is necessary to facilitate the registration of the Registered Person as a member of Association for Cultural Studies and keep the membership information. The data will be stored securely in the membership register (provided by the Finnish membership register service Yhdistysavain, www.yhdistysavain.fi/) and will be stored for approximately 1–2 years after the membership has been terminated (the registered persons have the right to ask for the data to be removed sooner) for statistical purposes. Data will be deleted when the abovementioned storage period has expired. 

Invoicing data is held in the Lyyti participation membership database (https://www.lyyti.com/en/purpose-business-development) for 6 years after the event has taken place. Back-ups will be kept in a location protected by passwords and will be deleted after the abovementioned storage periods have expired.

Mailing lists: Upon joining the Association, members are automatically subscribed to the two mailing lists, administered by the File Controller, for communication purposes. Personal data will be stored for as long as it is necessary to facilitate the Registered Person’s subscription to the mailing list, which coincides with the duration of the membership. The Registered Persons can unsubscribe from the mailing list at an earlier date by either following a link in the text of the email or by sending a request to the administrative secretary by email (info(a)cultstud.org). Upon the termination of the subscription, the data will be permanently removed from the mailing list register.

Groups of persons, data content, and personal data groups of the register

Groups of persons whose personal data can be processed include members registered in the association of the File Controller.

Membership register: The personal data that can be processed within the register include the first and last names and any contact details of the person registered, and any necessary information provided by the Registered Person upon the filling of the registration form.

Mailing lists: The personal data with regards to mailing lists subscriptions include email addresses and first and last names.

Regular sources of information

Information provided by the participant and invoicing database.

Regular disclosure of information

Information contained in the register can be distributed within the organization (ACS). The membership register service provider Yhdistysavain may employ subcontractors outside EU/EAA, such as the United States of America, to handle personal data in the register. These subcontractors can provide, for example, infrastructure and IT services. In such cases, sufficient data security and the handling of the filing system are taken care of by an EU-U.S.-Privacy Shield arrangement, or by contract using templates approved by the EU Commission.

Data security principles

Data will be stored in a technically secure location. Physical access to the data is prevented by means of access control and other security measures. Access to the data requires sufficient rights and identification. Data contained in the register can only be accessed by the File Controller, membership register service provider and, in some cases, specially designated technical persons and their subcontractors.

The rights of the Registered Persons

The rights of the Registered Persons include

– The right to request from the File Controller access to their personal data and the right to request that any error in the said data be corrected or removed or its processing be restricted, and to oppose to the processing or transferring of the said data from one system to another;

– The right to view and, where required, to correct the personal data stored in the register; all requests must be submitted to the File Controller in writing. The Registered Persons have the right to require that any incorrect personal data saved in the register be corrected.

– To the extent that the processing of the personal data is based on the consent of the Registered Person, the Registered Person has the right to cancel this consent at any time without this cancellation having any effect on the legality of processing completed before the said cancellation.

– The right to submit claims to the supervisory authority on the processing of personal data.