Privacy Policy

Privacy Statement

This is the privacy statement of the Lieto Savings Bank Foundation in accordance with the EU General Data Protection Regulation (GDPR). The Foundation is committed to complying with the obligations of the GDPR and other legislation concerning the processing of personal data.

Data controller
Lieto Savings Bank Foundation (Liedon Säästöpankkisäätiö), PO Box 1895, 20101 Turku, Finland
Business ID: FI 0134703-0
info@lspsaatio.fi

Contact information for the register
Email: tietosuoja@lspsaatio.fi

Name of the register
Lieto Savings Bank Foundation’s register for grants and subsidies

Purpose and legal basis of processing

The purpose of processing personal data is processing and statistical monitoring of grant and subsidy applications as well as awarded grants / subsidies. additional purposes include distribution of funds, internal reporting, communication with the applicants, and monitoring and development of the online service.

The legal basis for processing personal data is Lieto Savings Bank Foundation’s legitimate interest, which is based on the relevant relationship between Lieto Savings Bank Foundation and the data subject when the data subject applies for a grant / subsidy from the controller or acts as a referee for an applicant.

Groups of data subjects and content of the register

Data subjects are individuals who have applied for and/or received grants and their referees, as well as contact persons of companies applying for subsidies.

The following data is collected about data subjects:

• Basic information such as name, address, phone number, email address, profession / place of study.
• Information related to the application, such as details of the research plan (e.g., research topic), members of the working group and referees, information related to cost estimate (e.g., research assistants, salaries and expenses), previous grants from the last three years, pending grant applications submitted to other foundations at the time of applying, personal identity codes of grant recipients and bank details for payment, information related to the progress of the research and the final report, information about the applicant’s actions in the grant system.
• Technical information related to the use of the system, such as event logs.
• Information about communication between the applicant and the controller.
• Other necessary information provided in the grant / subsidy application and collected during the processing of the application.
• History and change information of the aforementioned data.

Sources of data
Personal data is primarily obtained from the data subject themselves or their organisation through the electronic grant management system (Aspicore). Additionally, we may collect personal data from authorities or public sources within the limits permitted by law.

Transfers and disclosures of personal data

Personal data in the register is not transferred outside the EU/EEA.

The names of grant / subsidy recipients are published on the foundation’s website. We may disclose personal data within the limits permitted and required by current legislation, for example, to authorities or to our service providers. Information about grants / subsidies paid to natural persons is disclosed to the Tax Administration and, if necessary, also to the Farmers’ Social Insurance Institution (MELA). We transfer personal data to data processors (e.g., accounting firms) to carry out services or tasks assigned to them. Ownership of the data does not transfer from the controller to the processor, and the processor does not have the right to use the data beyond the assignment. We have ensured that all our service providers comply with data protection legislation.

Principles of register protection and personal data processing practices

Confidentiality of personal data is important to us. We have implemented appropriate technical and organisational measures to protect personal data from accidental or unlawful loss, disclosure, misuse, alteration, destruction, or unauthorized access.

The register is used with due care, and the data processed through information systems is adequately protected. The controller ensures that any stored data, server access rights, and other critical information for the security of personal data are handled confidentially. Access rights for the electronic information system used for grant management are limited to parties responsible for grants within the data controller’s organisation. The data produced by the information system and other electronically processed register data are stored in adequately protected systems.

Personal data is processed by the foundation’s employees, users specifically appointed by the foundation, evaluators specifically defined by the foundation, possible referees named by the applicant, the Board of the foundation, technical support personnel, designated users of the accounting firm, auditors, and possibly other grant providers. Personal data is shared only to the extent necessary for the recipient group’s activities.

Access to the grant system is restricted to designated individuals. Register access requires a personal user ID. The system’s administrator also determines the access levels granted to other users. A personal password is required for logging into the system, and system usage occurs through an encrypted SSL connection. Register usage and login actions are monitored. Data is stored in databases protected by firewalls and other technical measures. The servers hosting the register are maintained by an external service provider. The service provider is responsible for the protection of the equipment.

Lieto Savings Bank Foundation is a member of the Association of Finnish Foundations https://saatiotrahastot.fi/en/ and follows the principles of the Good Governance of Foundations https://saatiotrahastot.fi/srnk_good-governance-of-foundations/.

Retention of personal data
The personal data collected will be retained for as long as necessary to fulfil the purpose of the processing or as permitted by law.

Retention period of personal data
Personal data is retained for as long as necessary to fulfil the purpose of processing or as required by legislation, generally up to 12 years from the application for a grant / subsidy. Below are the retention periods for different data groups:

• User IDs and related personal data:
  • The user ID is deleted if it has not been used for four (4) years and the user does not have an application in the system.
• Incomplete applications:
  • The applicant can delete their incomplete applications themselves.
  • The foundation deletes any incomplete applications no later than one year after the end of the application period.
• Applications with annexes:
  • The foundation retains applications, related annexes and data related to the processing of the applications for archiving and statistical purposes, as well as for research made in the public interest, for as long as is necessary for the grant foundation to fulfil its purpose.
• Payment information:
  • Data is retained for as long as is necessary for official reporting purposes and possible audits.
• Reporting information:
  • Data is retained on a long-term basis for statistical and research purposes.
• Board meeting materials:
  • The annexes to board meeting materials include the applicant’s name, the purpose of the grant and the amount requested. This data is stored permanently.

Information and rights of the data subjects
The data subject is informed about the application of personal data legislation and their rights when applying for a grant using the data controller’s electronic information system. The data subject can exercise their rights described below by sending related requests via email to tietosuoja@lspsaatio.fi. The request must be made in writing and, if necessary, accompanied by sufficient information to verify the requester’s identity.

• Data inspection: The data subject has the right, notwithstanding confidentiality provisions, to know what information about them is stored in the personal register or that no information about them is stored in the register. The grant applicant can review the information they have themselves provided in the grant system.
• Data correction: The data subject can request the correction of incorrect information about them from the controller. The grant applicant must keep their contact information up to date in the system.
• Data deletion: The data subject has the right to request the controller to delete information related to them. Deletion may be restricted by statutory or technical reasons to retain the information.
• Other rights: The data subject may also have the right to receive the information they have provided to the controller and transfer this information to another controller. In some cases prescribed by law, the data subject also has the right to object to or request the restriction of the processing of their personal data. The data subject also has the right to file a complaint about the processing of their personal data with the competent supervisory authority, in Finland the Data Protection Ombudsman, whose contact information can be found at https://tietosuoja.fi/en/. For any questions or comments regarding the processing of personal data or the exercise of the rights described above, the data subject can also always contact the controller’s email address tietosuoja@lspsaatio.fi.

Changes to the privacy statement

We monitor changes in data protection legislation and strive to continuously improve our operations; therefore, we reserve the right to amend or update this privacy statement when necessary.

This privacy statement was last reviewed / updated on May 7, 2025.