Personal data, data subject, controller and other key terms are defined in the General Data Protection Regulation (2016/679, “GDPR”). The company complies with the GDPR in all processing of personal data in conjunction with other applicable national data protection legislation (“data protection legislation”).
1. CONTROLLER AND CONTACT INFORMATION
Finnish Business Angels Network ry
Business ID: 2480326-2
Address: Lapinlahdenkatu 16, 00180 Helsinki
2. PURPOSE OF THE PROCESSING OF PERSONAL DATA AND LEGAL BASIS
We process personal data that is necessary for the following purposes:
• Customer service and communication
• Provision and development of the Services
• Measuring startup and member satisfaction
• Marketing, including market research, other marketing promotion and analysis, and the production of statistics and the measurement of marketing effectiveness
• Improving the user experience of our Services and tracking user traffic
• Organizing events
• Handling inquiries related to Services
• Processing application information, customer information
• Processing information related to service purchase, payments and sales
• Management of legal obligations (e.g accounting and other legislation) and reporting obligations, such as reporting related to tax legislation
• Prevention of abuse and fraud
We will use the membership application data submitted to:
• evaluate your application;
• review your qualifications, interests and capacity;
• communicating with you in relation to the application, process and membership;
We will use the startup application data submitted to:
We will use the startup application data submitted to:
• evaluate the application;
• reviewing founder/employee/company qualifications and assisting our members in making funding decisions;
• communicate with you in relation to the application, process and funding;
• communicate with you in relation to events and Services;
• forwarding the information you provided to prospective angel investors;
• produce statistics
The legal basis for the processing of personal data is, where not stated otherwise or another legal basis is otherwise applicable, the performance of the contract for providing our’ Services. We can also process your personal data where we have a legitimate interest to do so, such as for marketing purposes. Where we rely on legitimate interests as a reason and legal basis for processing personal data, we have considered whether or not those interests are overridden by the rights and freedoms of the data subjects, and we have concluded that they are not.
Where the processing is such that a consent is required by the applicable legislation, we will state so and obtain the consent, and this will be the legal basis for the processing. However, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. If such withdrawal means that we are no longer able to provide the Services, we may cease to provide the Services.
3. PERSONAL DATA PROCESSED AND SOURCES OF INFORMATION
While the provisioning of certain personal data is necessary for the provisioning of our Services, certain personal data is provided voluntarily by you. Personal data may be updated and supplemented by collecting data from private and public sources, such as commercially available directories and websites.
Personal data is collected directly from you, such as through registration, the application forms, credit rating protection forms or by logging the activities in the Services. This data includes:
|Category of personal data||Examples of information content|
|Information gathered at registration, contact or via application during the application process||• name|
• address & email address
• phone number
• social security number
• work or investment history
• qualification and skills
• date of birth or age
• ownership share
• credit reports
• other personal data possibly include in application and pitch decks including pictures provided to us
|Technical behavioural data and identification data||Monitoring the data subject’s web behaviour and use of Services, for example by means of cookies or similar technical identification data.|
Examples of data that can be collected include unique device identifiers, IP addresses, device software version numbers and identifiers, and rough location information via GPS, IP address or mobile networks.
|Rights management of the data subject, such as consents and prohibitions||Marketing prohibitions and consents.|
Consents regarding sharing of personal data with prospective angel investors.
Communication and measures relating to the rights of the data subject (see the rights of the data subject below).
|Other (additional) information provided voluntarily||Preferences related to the contract or marketing.|
Event and event participation related information.
Other additional information provided in contacts or appointments.
If you do not provide us the required information, this may mean that we may not be able to provide the Services to you, perform the contract necessary for the provisioning of the Services or to comply with our legal obligations.
We may collect your personal data also from publicly available sources (such as LinkedIn). If reference checks are included in the process, we will also collect your personal data from the persons you have indicated as appropriate references in your application process.
4. RETENTION OF PERSONAL DATA
|Personal Data||Retention period or criteria used to determine the period|
|Membership and startup data||As long as necessary to fulfill the purpose personal data has been gathered for or as required by applicable laws.|
|Contractual data||As long as necessary for the performance of a contract based on which the personal data has been gathered and retained as required by retention requirements set out by applicable laws and regulations|
|Technically gathered data||As long as necessary to fulfill the purpose personal data has been gathered for or as required by applicable laws.|
We may keep certain personal data for other purposes than those of the performance of a contract, such as for the settlement of disputes. We will only retain data that is pertinent to the reason it is being retained for and in any case only for as long as allowed by applicable law.
5. RECIPIENTS OF PERSONAL DATA
We will only disclose personal data to third parties if there is a justified reason, legitimate interest, or express consent. We regularly transfer startup application related personal data to prospective investors.
Personal data may be disclosed to authorized third party processors who process the data for us for example IT and technical service providers. All such processing is based on our prior instructions set out in a binding contract that is compliant with the requirements of the applicable law. We do not sell, rent, distribute, or otherwise make your personal data available to any third party except with regard to providing certain personal data to investors and our affiliates in order to provide our Services.
The personal data may also be disclosed to third parties if required under any applicable law or regulation or order by competent authorities, and to investigate possible infringing use of the Services as well as to ensure the safety of the Services. In addition, personal data may have to be disclosed in connection with legal proceedings or for similar dispute resolution purposes.
Some of the services we use for processing personal data my operate outside the territory of the European Union or the European Economic Area. Thus, personal data can be transferred regularly outside the European Union (EU) and the European Economic Area (EEA). In cases where personal data is transferred outside EU/EEA, such transfers are either made to a country that is either deemed to provide a sufficient level of privacy protection by the European Commission or transfers are carried out by using appropriate safeguards such as the Standard Contractual Clauses approved by the EU Commission ensuring also that the data processing and confidentiality fulfills the requirements under applicable laws.
We will provide more information regarding the processing upon request.
6. PROTECTION OF PERSONAL DATA
We use appropriate technical, administrative and organizational security measures to protect personal data against unauthorized access, disclosure, destruction or other unauthorized processing: firewalls, proper access control, controlled provision of access and monitoring of use, and the use of encryption technologies are also in use. The servers are located in the EU. Network services are protected by a HTTPS connection, which encrypts communications.
All parties processing personal data have a duty of confidentiality in matters related to the processing of personal data. Access to personal data is restricted to those employees and parties who need it to perform their duties. We also require our service providers to have appropriate methods in place to protect personal data.
7. RIGHTS OF THE DATA SUBJECTS AND SUPERVISORY AUTHORITY
Right to access, rectification and erasure
You have the right to contact us, and we will inform you what Personal Data We have stored regarding you, and the purposes such data is used for.
You may also ask us to delete your personal data from our systems. We will comply with such request unless we have a legitimate ground to not delete the data. After the data has been deleted, we may not immediately be able to delete all residual copies from all of our systems. Such copies shall be deleted as soon as reasonably possible.
Right to Object or Restrict Processing
You may object to certain use of personal data when such processing is based on legitimate interest, including direct marketing or profiling. You may opt-out of receiving promotional emails by following the instructions in those emails. If you opt-out, we may still send you non-promotional customer information, such as emails about your account, providing our services and products or our ongoing relationship with you.
You may request that we restrict processing of certain personal data. Your personal data will then only be stored and not processed otherwise; this may however lead to fewer possibilities to use the Services. If such restriction means that we are no longer able to provide the Services to you, we shall be entitled to stop providing the Services.
Right to data portability
You have the right to receive personal data provided by you to us in a structured, commonly used format. We provide no guarantee that this information will be compatible, relevant or useful to any other service.
Withdrawal of consent
You can deny any direct marketing and withdraw your consent regarding electronic direct marketing. You can always withdraw any other consent including parental consent.
How to exercise your rights
These rights may be used by sending an e-mail to the addresses set out below. Your identity will be verified before the information is given out, which is why we may have to ask for necessary additional details. We will respond to the request within a reasonable amount of time and, where possible, within one month of the request and the verification of your identity. If your request cannot be met, the refusal shall be communicated to you in writing. We may reject requests that are unreasonably repetitive, excessive or manifestly unfounded.
Right to lodge a complaint with the supervisory authority
In case you consider our processing activities of your Personal Data to be inconsistent with the General Data Protection Regulation (GDPR) (EU) 2016/679 or other applicable data protection legislation, you have the right to complain to the applicable data protection supervisory authorities.