Nesslink
The Nesslink grant system contains personal data of grant applicants and recipients. The grant system constitutes a personal data register, where information can be retrieved and otherwise processed based on the applicant’s name or other personal data. The register is also used for producing impact assessments, statistics, and reviews related to the foundation’s activities.
The processing of applicants’ personal data in the grant system is based on the legal relationship between the grant applicant and the grant issuer, as well as on commitments and obligations related to conducting and funding research. It is not possible to apply for, award, disburse, or manage grants and associated processes without identifying applicants. There is no alternative to using personal data for identifying applicants during the grant process.
The processing of applicants’ personal data is thus based on the legitimate interests of the foundation. By registering with Nesslink, the grant applicant consents to the retention of information regarding awarded grants indefinitely, even after the legal relationship has ended.
The data controller is the Maj and Tor Nessling Foundation. The contact person and Data Protection Officer (DPO) is Juuso Suutari, Interim Science and Executive Director ().
The grant system stores the information provided in grant applications and details related to the disbursement of awarded grants (bank account details, personal identity number, grant amount, payment date, voucher number, and description). The personal identity number is recorded for the delivery of monitoring data to the Tax Administration and the Farmers’ Social Insurance Institution (MELA).
Data stored in the grant system is retained for the duration of the funded project and thereafter until it is no longer necessary for monitoring and evaluating the foundation’s operations, such as in impact assessments or long-term statistics. Data on rejected applications is deleted from the system no later than three years after the application was submitted. Rejected applications are retained temporarily due to statistical needs but are removed after the specified period. Statistical and impact assessment processes may involve grouping data based on personal details such as age or domicile, which necessitate the processing of personal data.
The connection to the grant system’s online service is secured using SSL technology. Access to the personal data register created on the server is restricted to authorised administrators, foundation staff, and experts. These individuals are aware of their responsibilities and obligations as data processors. Access to the grant system requires administrators, staff, and experts to provide a personal username and password, as well as to undergo two-factor authentication. Grant applicants are not required to use two-factor authentication, but strong identification with banking credentials is required when submitting payment requests for awarded grants.
The servers hosting the grant system are located in an access-controlled data centre in Finland, meeting the facility requirements set by the Finnish Transport and Communications Agency (Directive 48 A/2003, Critical Facilities). The cloud service provider is ISO 27001 certified, and its facilities comply with the PCI-DSS standard. Data is not transferred outside the EU or EEA.
Printed materials containing personal data related to the use of the grant system are stored in locked and access-controlled facilities if temporarily needed for practical purposes.
Grant recipients have access to all information about their project and their personal data, excluding information related to the evaluation of their application.
Information on disbursed grants is disclosed to the Tax Administration and MELA. Data related to grant applications may be shared with other domestic grant foundations, with the applicant’s consent, to avoid full funding of the same project by two foundations. The names and grant amounts of recipients are published on the Nessling Foundation’s website with the explicit consent of the recipients.
The data controller does not make decisions based solely on automated processing, such as profiling, that would have legal or significant effects on data subjects.
Individuals listed in the register have the right to request access to, correction, or deletion of their personal data, as well as to restrict or object to processing. The data controller will not continue processing the individual’s personal data if they object, unless the controller has a compelling and legitimate reason to continue. Data subjects may withdraw their consent for indefinite retention of their personal data at any time, in which case the controller will delete the personal data unless a legal basis for retention remains. Requests regarding data subject rights should be directed to Data Protection Officer Juuso Suutari ().
Users of Nesslink are encouraged to immediately notify the Nessling Foundation’s Data Protection Officer (contact details above) of any issues or risks related to unnecessary processing, unauthorised disclosure, or unjustifiably prolonged retention of personal data.
Data subjects have the right to lodge a complaint with the data protection authority if they believe that the processing of their data by the data controller violates data protection laws.
Cookies
We use cookies to monitor the number of visitors and traffic on our website. For more information about the cookies we use:
Cookie Settings
Newsletter Subscriber Register
The newsletter subscriber register records the name and email address provided by the subscriber. The submitted personal data is used solely for distributing the newsletter to subscribers. The data is deleted immediately upon cancellation of the subscription. The basis for processing personal data is the subscription to the newsletter.
The data controller is the Maj and Tor Nessling Foundation. The contact person for the subscriber register and the Data Protection Officer (DPO) is Juuso Suutari, Deputy Director of Science and Operations ().
Lyyti
The Lyyti event participant and customer register records the name, email address, position, organisation, phone number, and any additional information that the registrant may voluntarily provide during the registration process. The provided personal data is used to inform registrants about the specific event, unless the registrant has given permission for other types of communication. If the registrant consents to other communications, such as subscribing to the Nessling Foundation’s newsletter during registration, this privacy statement applies to those other registers as well.
The processing of personal data is based on event registration. The information is obtained directly from the participants during registration.
Information may be disclosed to other registrants or participants at the event or immediately afterwards, provided that the registrants have given their consent during registration.
Participant data is retained after the event for statistical and contact purposes. Personal data is stored in Lyyti for a maximum of one year (12 months), with the data of current year registrants being deleted at the end of each year. If personal data is also stored in other Nessling Foundation registers, the retention periods of those specific registers apply.
Individuals registered in the register have the right to request access to, correction, or deletion of their personal data, as well as to restrict or object to its processing. The data controller will cease processing an individual’s personal data if the individual objects, unless there is a significantly important and compelling reason to continue processing. The registered person may withdraw their consent for the indefinite retention of personal data at any time, after which the data controller will delete the individual’s personal data if there is no longer a legal basis for retaining it. Requests to exercise these rights should be directed to Juuso Suutari (contact details above).
Use of Lyyti in Recruitment
The Nessling Foundation uses Lyyti for its recruitment processes. Job applicants fill out an application form in Lyyti for open positions. The use of Lyyti for recruitment follows the usage principles described above, except for the retention of applicant data.
During the application process, applicants are asked whether their information can be retained for future recruitment opportunities. If the applicant consents, their data will be stored in the Nessling Foundation’s cloud service, accessible only to authorised administrators and foundation staff. If consent is not given, all applicant data will be deleted once the recruitment process is completed and all applicants have been duly informed of the outcome.