Privacy notice for the customer communications register

General Data Protection Regulation (EU) 679/2016

1. Controller Finnish Meteorological Institute P.O. Box 503 (Erik Palménin aukio 1) FI-00101 Helsinki, Finland tel. +358 29 539 1000 kirjaamo@fmi.fi 2. Register contact person Jani Poutiainen tel.+358 50 3673 172 jani.poutiainen@fmi.fi

3. Data Protection Officer Jaana Palmunoksa tel. +358 29 539 2310 jaana.palmunoksa@fmi.fi 4. Name of the register Customer communications register for the Finnish Meteorological Institute’s service activities

5. Purposes for the processing of personal data The purposes for processing the personal data are: -Customer relationship management -The management of data related to customer events - Implementation of customer satisfaction and other customer surveys -Service and product marketing -Service and product invoicing -Submission of press releases - Allowing the use of customer portals, applications, data interfaces and other customer services -Fault situation management -Other customer communications

6. Legal basis for the processing The legislation governing the activities of the Finnish Meteorological Institute, agreements

7. Data content of the register The customer communications register can contain the following information: -The name of a previous, current or potential customer or partner, or the name of some other company or person -Other data related to the person’s name: job title, email addresses, phone numbers, address information, marketing lists and other email lists defined by the customer -Customer number, address and billing contact information -Contact method, language, consent from customer companies’ employees, web addresses -Identification and payment information needed to allow the use of customer portals, applications and data interfaces and the contact details related to the maintenance of these

8. Regular sources of information The information is received personally from the data subject, from agreements or from the organisation's contact person. The information can be received from services that provide public contact information. The service administrator can also create the information required for identification in the service (e.g. user ID).

9. Recipients or recipient groups of the personal data Finnish Meteorological Institute employees whose work includes maintaining the applications, services and customer information referred to in this notice. In principle, the data is not disclosed to any third parties. However, the data can be disclosed in connection with a customer survey that is implemented by a partner.

10. The transfer of personal data outside the EU or EEA The data is not transferred outside the EU or EEA.

11. Register protection principles The processing of the data is subject to the data security policy and instructions issued by the Finnish Meteorological Institute that apply to materials that are processed digitally. Only the individuals who are required by their work duties and who have been granted access to the Finnish Meteorological Institute’s information systems have access to the personal data.

12. Retention period and criteria for determining personal data The data is stored in the customer relationship and technical systems for the necessary duration required by the activity or until the data subject requests that their data be removed.

13. The rights of a data subject The data subject has the right to request information on what personal data the FMI collects and for what purposes the personal data in the customer register is processed. The data subject also has the right to correct their personal data, demand that any incorrect data be corrected or incomplete data be supplemented, the right to restrict the processing, the right to object to the processing as well as the right to demand that their data be removed. The request for information must submitted by email to kirjaamo@fmi.fi

14. The right to submit a complaint to the supervisory authority The data subject has the right to submit a complaint to the supervisory authority if the data subject believes that the processing of the personal data concerning him or her is in violation of the applicable data protection legislation.