Privacy Policy: Demos Helsinki’s Customer, Marketing and Recruitment Register

This is a combined privacy policy for Demos ry’s and its group companies’ customers, potential customers, stakeholders, website users and persons filling in the recruitment form, in accordance with § 10 and § 24 of the Personal Data Act (523/1999) and the EU’s General Data Protection Regulation (EU) 679/2016.


We are Demos Helsinki, an independent think tank working to solve societal problems and challenges. You can read more about our work here.

In this privacy policy, we will explain to you how we process the personal data we collect through our website. Our aim is to inform you about the processing of personal data as transparently and openly as possible – and thus always remain worthy of your trust. Please get in touch with us if anything remains unclear to you or if you have any questions regarding the processing of your personal data.

1. Data controller

Demos ry
Business ID: 1978805-3
Address: Mechelininkatu 3D, 00100, Helsinki
Tel. +358 40 557 2730

2. Contact person for matters concerning the register

Sofia Rahikainen, Legal Counsel

3. Name of the register

Demos Helsinki’s Customer, Marketing and Recruitment Register.

4. Whose data do we process?

• Customers and potential customers
• Persons who fill in the contact form
• Persons who fill in the recruitment form
• Newsletter subscribers
• Website users

5. The purpose of processing personal data

Data subjects Purpose of processing Legal grounds for processing
Customers, potential customers, stakeholders Maintaining and developing customer relationships, marketing communications The legitimate interest* of the controller, or a contract***
Persons who contact us Answering contact requests received through the website Consent** of the data subject or legitimate interest* of the controller
Persons who fill in the recruitment form or send us a job application Recruitment contacting. The data is stored for 24 months or deleted upon request immediately after the recruitment process has ended. Consent** of the data subject
Newsletter subscribers Direct marketing, general informing Consent** of the data subject or legitimate interest* of the controller
Website users Statistical tracking of the website, website development Identifiable personal data is not collected

The processing of personal data may be in the legitimate interest of the controller when, for example, its purpose is to manage a customer relationship and enable contact requests required by customer service. Read more about the legitimate interest of the controller from this webpage compiled by the Information Commissioner’s Office.

** Consent of the data subject refers to a situation in which a person him/herself has given consent to be contacted. These situations include filling in the contact form or recruitment form on our website. The data subject may also have given us consent to send them a newsletter by email.

*** A contract means the processing of personal data required for the performance of a contract to which you are a party, or at your request, taking the necessary precursory steps to make such a contract.

6. Regular data sources

We primarily collect the personal data that we process directly from you. Alternatively, we may collect data from publicly available sources, but always in accordance with applicable legislation.

Your personal data may also be obtained on a case-by-case basis from our partners, provided that you have consented to the disclosure of your personal data.

7. The data content of our register: what data may we have about you?

In this section, we will go through what data about you may have been collected in our register. We collect data for the following reasons: maintaining customer relationships, communication, and marketing. We may not collect all types of aforementioned data on all individuals, thus the data collected may, in reality, be less than as described herein.

Please contact us if you would like more information on the data we collect for our register. Also see Section 9, The rights of the data subject.

• First and last name
• Email address
• Telephone number
• Title, as well as operational and procurement areas of responsibility
• The name of the company or organisation
• Company contact details
• The company’s field of operation
• Information about the marketing permissions and bans reported by the person
• The user’s IP address

8. How long is the data processed for?

• You can unsubscribe from our email marketing list whenever you like: an unsubscribe link is included in every notification or marketing email that we send.
• If you are a customer of ours or we are discussing potential collaboration, we mainly process your personal data for as long as we need your information for communication related to the customer relationship.
• If you fill in the recruitment form on our website, we will keep your information only for that application period or a maximum of 24 months, according to your wishes.
• We delete unnecessary personal data every 24 months or more. The data that we are asked to delete is processed as soon as possible.  

9. The rights of the data subject, that is, your rights

You have the right to…

• erase your data
• gain information on the collection and processing of your personal data
• gain access to your personal data and inspect the data saved in the register
• correct inaccurate and incorrect personal data
• prohibit the controller from processing data concerning you
• object to the processing of your personal data
• not be subject to decision-making based solely on automatic processing
• receive information on security breach in the controller
• make a complaint to the supervisory authority

In matters concerning the processing of personal data, the data subject can contact us by email at the address mentioned in Section 2.

10. The disclosure of personal data

As a rule, we do not disclose your personal data to third parties. However, information may be disclosed to third parties in cases where we are conducting a targeted marketing campaign with a third party, or when disclosing information is required for the performance of an assignment based on a customer relationship. A ”third party” in this case may be a service such as MailChimp or Facebook, for example, or a partner related to or participating in the assignment. In these cases, the third party acting as processor of personal data does not have the right to wider use of your personal data than as set out under our assignment and this privacy policy.

We have ensured that our service providers comply with EU data protection legislation. The following third parties act as personal data processors:

• Pipedrive
• MailChimp
• G-Suite (Google)

We use the MailChimp email service for communications and direct marketing, and the G-Suite cloud service for data management. The aforementioned service providers are American companies, meaning that personal data is transferred outside the European Union. The personal data is protected in the manner required by the data protection legislation and we have ensured that our service providers have joined the EU–U.S. Privacy Shield Framework. This arrangement guarantees the fundamental rights of EU citizens when their personal data is transferred to the United States. More information about Privacy Shield Framework can be found here.

We may also disclose your personal data to our cooperation partners, who are involved and/or participate in the relevant research or development project for which your personal data was collected. Personal data may be disclosed in these cases if such disclosure is necessary in order to carry out research and development in accordance with the purposes of the project. Upon such disclosure, the recipient shall be deemed as a data controller to the disclosed personal data, and the recipient’s processing of personal data shall be subject to the recipient’s privacy policy.

11. Protection of the register

The security of your personal data is important to us. We ensure the security of data processing in the following ways:

Usernames and passwords: Accessing the data in the register requires user-specific usernames and passwords
Restriction of access rights: Data stored in the system can only be accessed and authorised for use by specific predefined employees of the controller
Protection: The system is protected by firewalls and other technical means. Our website is protected by an SSL certificate, which ensures a safe and secure connection between your browser and the server.

12. Changes to our privacy policy

If we change this privacy policy, we will make the changes visible in the policy and date them. If we make any significant changes to this privacy policy, we will give clear notification of it when the applicable law so requires.   

Updated: 28th of May, 2018