Privacy Notice – Castrén & Snellman’s scholarship programme

Privacy Notice – Castrén & Snellman’s scholarship programme

Updated 2 April 2024

1. Controller

Castrén & Snellman

Business ID: 0103602-1

Street address: Eteläesplanadi 14, FI-00130 Helsinki, Finland

Postal address: PO Box 233

2. Legal basis and purposes of processing

The controller (‘Castrén & Snellman’, ‘we’) processes the collected personal data in order to implement the Scholarship for the Future scholarship programme. The Scholarship for the Future scholarship programme supports students in the form of a monetary scholarship. The scholarships are awarded to support the studies of the chosen recipients.

The processing of personal data in the scholarship application process is necessary for the processing of applications and the implementation of the scholarship programme. When the applicant has filled in the scholarship programme application themselves, the processing of personal data is based on the applicant’s consent. It is also possible to refer another person for a scholarship. When the referee fills in the referral form, the processing of the referee’s personal data is based on the referee’s consent. With respect to the referred person, the processing of personal data is based on the controller’s legitimate interest. The referred person will receive a notification of the referral via email, together with the referee’s name, a link to review the privacy notice, and the terms and conditions of the scholarship programme.

The controller may publish the names of the scholarship recipients on its website and in its marketing channels based on legitimate interest.

3. Personal data collected

We collect the following personal data about the applicant:

  • name and contact information (e.g. address, telephone number, email address)
  • age
  • educational institution and study programme
  • any other information the applicant includes in the application
  • transcript of studies, personal identification number and bank account details (only for applicants who are chosen as scholarship recipients).

With respect to referees, we only collect their name.

4. Retention period of personal data

We store the applicant’s personal data for two years after the end of the scholarship programme. With respect to the paid scholarships, data is stored in accordance with applicable accounting legislation.

We will erase the referees’ personal data after the scholarship programme has ended.

5. How we collect data

We collect personal data primarily from the applicants themselves when they fill in the scholarship programme application form. It is also possible to refer another person for a scholarship. Referees are asked to fill in their own name and the name and email address of the referred person in a separate referral form, after which the referred person will receive a notification of the referral via email together with the referee’s name and an invitation to fill in the application form and to review the privacy notice and the terms and conditions of the scholarship programme.

6. Disclosures and transfers of personal data

Processing tasks may be outsourced to service providers in accordance with and within the limits set by data protection legislation. Surveypal Inc implements the application form functionality on our behalf. We use agreements to ensure that the service providers acting on our behalf process personal data in compliance with the controller’s instructions and this privacy notice.

Personal data may be transferred outside the European Union or the European Economic Area in accordance with and within the limits set by data protection legislation. We have ensured an adequate level of data protection in accordance with the conditions of the EU General Data Protection Regulation, including in situations where data is transferred outside the EU or the EEA, by complying with the adequacy decisions set by the European Commission and using, where appropriate, the new standard contractual clauses adopted by the European Commission and, where appropriate, supplementary safeguards.

7. Security measures and data storage

The data is stored appropriately on servers located in protected facilities. The technical data security of the servers is controlled by several different means. Access to personal data is managed using role-based management of access rights, and the use of the data is monitored constantly.

The purpose of the activities above is to secure the confidentiality of the personal data stored by the controller, the availability and integrity of the data and the realisation of the rights of the data subjects.

8. Automated decision-making

Personal data is not used for automated decision-making that would have legal or similar effects concerning the data subject.

9. Rights of the data subject

Right of access

The data subject has the right of access to their personal data processed by the controller. The access request must be made in accordance with the instructions given in this privacy notice. The right of access can be refused on the grounds set out in law. Exercising the right of access is generally free of charge.

Right to request rectification, erasure or restriction of processing of personal data

The data subject has the right to request that the controller rectifies any erroneous data concerning them. The data subject can also request that the controller erases data concerning them or request that the controller restricts processing on the grounds set out in law. Such requests must be made in accordance with section Contact information of this privacy notice.

Right to object

The data subject has the right to object to the processing of their personal data on grounds related to their particular situation if the processing is based on the controller’s legitimate interest.

The data subject can make their objection in accordance with section Contact information of this privacy notice. The data subject must specify the particular situation forming the grounds for the objection when making the request. The controller can refuse to comply with the objection on the grounds set out in law.

Right to data portability

If the data subject has provided data for the register themselves and such data is processed based on the data subject’s consent, the data subject has the right to receive the data primarily in a machine-readable format and to transmit such data to another controller.

Right to withdraw consent

If personal data is processed based on the data subject’s consent, the data subject has the right to withdraw their consent by notifying the controller of this in accordance with section Contact information of this privacy notice.

Right to lodge a complaint with the supervisory authority

The data subject has the right to lodge a complaint with the competent supervisory authority if the controller has not complied with the data protection regulations applicable to its operations. In Finland, the competent supervisory authority is the Office of the Data Protection Ombudsman, www.tietosuoja.fi/en.

10. Contact information

In all matters relating to the processing of personal data and in situations involving the exercise of rights, the data subject should contact the controller by sending an email to privacy@castren.fi.