1. Controller Finnish Meteorological Institute PO Box 503, Erik Palménin aukio 1, FI-00101 Helsinki, Finland tel. +358 29 539 2141, kirjaamo(at)fmi.fi 2. Register contact person Pipsa Ylikantola-Päkki tel. +358 40 572 9755, pipsa.ylikantola-pakki(at)fmi.fi 3. Data Protection Officer Jaana Palmunoksa tel. +358 29 539 2310, jaana.palmunoksa(at)fmi.fi 4. Name of the register Register of personal data used by the Finnish Meteorological Institute in its procurement 5. Legal basis and purpose of personal data processing Processing of personal data is based on the compliance with a legal obligation of the Finnish Meteorological Institute and the performance of a task carried out in the public interest (Article 6(1)(b)(c) of the General Data Protection Regulation). Competitive tendering: As an authority acting as a contracting entity, the Finnish Meteorological Institute must comply with the legislation on public contracts, such as the Act on Public Procurement and Concession Contracts (1397/2016; hereafter the ‘Act on Public Contracts’), the Act on Public Contracts and Concessions of Entities operating in the Water, Energy, Transport and Postal Services Sectors (1398/2016; hereafter the ‘Act on Public Contracts in Special Sectors’), and the Act on Public Defence and Security Procurement (1531/2011). Under this legislation, contracts exceeding certain threshold values must be put out to tender. In addition to legislation, the Finnish Meteorological Institute also complies with central government guidelines and recommendations on public contracts, such as the Handbook on Government Procurement 2017, the procurement regulations of the Finnish Meteorological Institute, and agency-internal guidelines and policies. In addition to the legislation on public contracts, checking of the criminal records extracts of the personnel of the selected tenderer is also based on the Criminal Records Act (770/1993). Other contracts: In addition to what is said above, the Finnish Meteorological Institute also needs to process personal data in connection with contracts that do not exceed the threshold values set in the legislation on public contracts or that, because of the exceptions to the scope of the legislation, can be concluded without a competitive tendering process. In such cases, in order to perform its public interest task defined in the Act on the Finnish Meteorological Institute (212/2018), the Finnish Meteorological Institute has valid grounds for processing personal data in conjunction with contracts when it must be in contact with the tenderers or check the quality of the tenders. Other situations in which personal data is processed: The processing of personal data is also based on legislation in appeals procedures concerning purchasing decisions, in audit procedures based on state budget legislation and in the processing of information requests pertaining to procurement documents.

6. Data content of the register Details of the tenderers’ contact persons and senior management The following personal data on the tenderers’ contact persons is processed: - name - organisation represented by the individual and the individual’s position in the organisation - contact information The following personal data on the members of the tenderers’ administrative, management or supervisory bodies, and the individuals exercising representational, decision-making or supervisory powers are processed: - name - organisation represented by the individual and the individual’s position in the organisation - information contained in the criminal records extract Personal data contained in the tenders and other personal data collected during the procurement process The following personal data on the experts named in the tender and individuals taking part in any interviews or personal assessments carried out in conjunction with the assessment of the tenders is processed: - name - organisation represented by the individual and the individual’s position in the organisation - contact information - education and vocational qualifications, experience and other work history relevant to the object of contract The following personal data on the contact persons for the references listed in the tender are processed: - name - organisation represented by the individual and the individual’s position in the organisation - details of the references listed in the tender Other personal data contained in the tenders or collected during the procurement process, such as details of the tenderer’s personnel contained in the project or implementation plans, details of auditors, authorised signatories and other individuals connected with the tenderer or its subcontractors contained in trade register extracts: - name - organisation represented by the individual and the individual’s position in the organisation - date of birth - contact information - education and vocational qualifications, experience and other work history relevant to the object of contract 7. Regular sources of information The Finnish Meteorological Institute receives the data as part of the tender submitted by a tenderer that is the data subject or the employer of the data subject or that has asked for the data subject’s permission to use the data in its tender (for example, as the reference contact person). The Finnish Meteorological Institute receives the details of the criminal records extracts from the tenderer selected for the contract. The Finnish Meteorological Institute also receives information from public sources, such as the Trade Register kept by the Finnish Patent and Registration Office, Suomen Asiakastieto Oy and the business credit information register.

8. Recipients or recipient groups of the personal data The data in the register is processed only by those employees of the Finnish Meteorological Institute whose duties require them to do so. No information is disclosed to third parties on a regular basis. Information can, on a case-by-case basis, be disclosed to parties requesting it in accordance with the Act on the Openness of Government Activities (621/1999). All official information and documents are public, unless specifically provided otherwise by law. Under section 138 of the Act on Public Contracts, other tenderers that participated in the competitive tendering process have the right to request the tender material of the selected service provider, excluding confidential information contained in it, such as business and professional secrets or personal data (issues related to the publicity of documents in the procurement process are regulated by the Act on the Openness of Government Activities referred to above). The National Audit Office of Finland may process personal data contained in procurement documents as part of the audits carried out under the State Budget Act (423/1988) and provisions issued under it. 9. Transfer of personal data outside the EU or EEA No regular disclosure or transfer of data outside the EU or the EEA. 10. Register protection principles A. Manual data The manual data is protected and kept locked away at the office. B. Digital data The Finnish Meteorological Institute’s systems are protected with passwords and a firewall. Only the individuals who are required by their work duties and who have been granted access to the Finnish Meteorological Institute’s information systems have access to the personal data. 11. The storage period or the criteria for determining the personal data The personal data is stored as necessary during the contract period. When the data becomes redundant, it is further processed in accordance with the Finnish Meteorological Institute’s procurement regulations. The contract documents, including the procurement contract, any security agreement and confidentiality agreements, are stored in accordance with the procurement regulations of the Finnish Meteorological Institute. All procurement documents (including the tenders) are kept for six years from the end of the financial year. In a number of situations, documents can also be retained for longer periods: the selected tender and the appendices to it are always retained for at least as long as the procurement contract and the obligations based on it remain in effect. The procurement documents used in the appeals processes (including the tenders) are always retained at least for the duration of the appeals process and for the period required by the measures arising from the result of the appeals process. The details of the criminal records extracts are not saved or retained, and they are returned or destroyed immediately after the extracts have been checked.

12. The rights of the data subject The data subject has the right to request information on what personal data the Finnish Meteorological Institute collects and for what purposes the personal data is processed. The data subject also has right to correct their personal data and demand that any incorrect data is corrected, or incomplete data supplemented.

• Right of access

• Right to rectification

• Right to object

Within the limits of the existing legislation:

• Right to erasure

• Right to restriction of processing

• Right to data portability

The data subject can send the request concerning their rights to the Finnish Meteorological Institute by email or by post. For contact information, see section 1. No fees are charged for the information or the measures, unless the requests are manifestly unfounded or excessive, and especially if they are submitted on a frequent basis. 13. The right to submit a complaint to the supervisory authority The data subject has the right to submit a complaint to the supervisory authority if the data subject believes that the processing of the personal data concerning him or her is in violation of the applicable data protection legislation. In Finland, the Data Protection Ombudsman is the authority supervising compliance with data protection legislation (Office of the Data Protection Ombudsman, www.tietosuoja.fi).