Privacy statements for Traficom events

Grounds for and purpose of the data processing

The European Cybersecurity Competence Centre’s National Coordination Centre in Finland (NCC-FI) operates under the National Cyber Security Centre Finland (NCSC-FI) at the Finnish Transport and Communications Agency Traficom. The NCC-FI organises informal discussion, networking and cooperation events for the members of the Competence Community. The events are organised as online or live events during a project. These events are organised regularly. They may be part of the NCC-FI’s own activities or associated with various development projects implemented by the Competence Community. Personal data is processed for the purpose of enabling the planning and organisation of events and communication with participants. Moreover, personal data is processed for the purpose of enabling the development of the NCC-FI’s activities and improving its opportunities for influence.

The processing of personal data is based on Article 6(1)(e) of the General Data Protection Regulation (EU) 2016/679 (hereinafter referred to as the ‘GDPR’) and section 4, subsection 1, paragraph 2 of the Data Protection Act specifying the GDPR provision. According to these provisions, the processing of personal data is lawful when it is proportionate and necessary for the performance of a task carried out in the public interest. As a national authority, the NCC-FI performs the tasks laid down in the Regulation establishing the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres ((EU) 2021/887, Article 7), which include, among other tasks: (h) promoting and disseminating the relevant outcomes of the work of the Network, the Community and the Competence Centre at national, regional or local level; (i) assessing requests by entities established in the same Member State as the national coordination centre to become part of the Community.

The NCC-FI maintains a list of the members of the Competence Community. The related privacy statement is available here.

Data content

The data undergoing processing

The following types of personal data are processed for the planning, organisation and participant communications of events:

• Name
• Email address
• Title
• Name of the organisation that the participant represents
• Membership in the Competence Community (including membershiplist)
• Questions, comments, development ideas and  other similar messages by the participant.

Online meetings are organised with the Microsoft Teams application. The processing of personal data in the application is described in a separate privacy statement. 

Data is also collected via the Webropol survey platform. Webropol uses cookies that are necessary for the functioning of its service platform and uses them to collect the data listed below. These cookies are related to monitoring the functionality and quality of the service.

Webropol uses cookies to collect e.g. the following information:

• operating system
• browser version
• IP address
• browser add-ons
• page download time
• incomplete responses.

Sources of the processed data (where the data is received from)

Data is received from the persons themselves, including their actions in the Teams environment.

Storage period of personal data 

Personal data is stored for as long as is necessary to perform a statutory duty. 

Webropol stores data collected through cookies for 14 days. Registration data is stored on Webropol Oy’s service platform for 90 days after the registration deadline, after which the data is transferred to Traficom’s own server and anonymised after six months of the date of the training event. Webropol stores survey data removed from the Webropol service on its servers for a year after the removal, after which the data is destroyed. 

Microsoft applies its own personal data storage periods on the Teams platform. These are described in the related privacy statement (in Finnish).

In accordance with Article 6(4) of the GDPR, personal data may be processed in a compatible manner in the NCC-FI’s or Traficom's other activities, if the preconditions laid down in the GDPR are met. In such a case, the storage period is determined according to the object of the compatible processing, within the limits of legislation.

Data processing

Recipients and categories of recipients of personal data (to whom personal data is disclosed)

Data can only be disclosed in accordance with the obligations and restrictions set out in currently valid legislation. 

The data is not disclosed for direct marketing purposes.

Processing of personal data on behalf of the controller

Webropol Oy (business ID: 1773960-2) acts as the processor and its subcontractors Telia Cygate Oy (business ID: 0752421-0) and Qumio Ltd (business ID: 2466203-3) as sub-processors. Webropol Oy and Traficom have an agreement on the processing of personal data. 

Webropol may not transfer personal data to third parties, except to subcontractors agreed upon by Traficom and Webropol. The following subcontractors may act as processors as defined in data protection regulation when serving as Webropol subcontractors to ensure and improve the development, usability and reliability of the system: Telia Cygate (business ID: 0752421-0) and Qumio Ltd (business ID: 2466203-3).

Microsoft acts as the processor as regards the Teams service. This is described in more detail in the privacy statement for the Teams service (inFinnish)

Transfer of personal data to third countries outside the EU/EEA

As regards Teams, processing takes place, as a rule, within the EU/EEA. However, Microsoft has also reserved the right to process personal data outside the EU/EEA in exceptional cases (e.g. detecting information security threats, error diagnostics, routing network traffic and monitoring service quality). In these situations, personal data may be processed across the world, e.g. in the United States, depending on the situation. More information is available in the privacy statement for Teams (in Finnish).

With the exception of Teams, data is not transferred outside the EU/EEA.

Automated decisionmaking and profiling

Data processing does not involve automated decision-making or profiling.

Rights related to the processing of personal data 

About exercising rights 

You can exercise your rights by submitting a request to Traficom by email or post. The controller’s contact details are listed in this privacy statement under the section ‘Controller’s contact details’. 

The right to lodge a complaint with the supervisory authority 

If you believe that your personal data is being processed in violation of legislation, you may lodge a complaint with the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
PO Box 800, FI-00531 Helsinki
tietosuoja(at)om.fi
tel. +358 29 566 6700

Rights

Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed. If processing takes place, the data subject has the right to access the personal data. 

Right to rectification 

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Right to object 

In situations where the processing of personal data is based on public interest, the exercise of official authority vested in the controller or the legitimate interest of the controller or a third party, the data subject has the right to object to the processing of personal data concerning him or her.

If a data subject uses his or her right to object, the controller must stop the processing of the personal data, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

If personal data is processed for direct marketing purposes, the data subject has the right to object to the processing without any specific grounds. 

In situations where personal data is processed for statistical or research purposes, the data subject may object to the processing on grounds relating to his or her particular situation, in response to which the controller must stop processing the data subject’s data, unless the processing is necessary for performing a task carried out for reasons of public interest. 

Right to restriction of processing 

The data subject has the right to obtain from the controller restriction of processing if:

• the accuracy of the personal data is contested by the data subject;

• the processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims;

• the data subject has objected to the processing of the personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

Right to data portability

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means.

Right to erasure 

In situations where the legal basis for the processing of personal data is something other than compliance with a legal obligation, public interest or the exercise of official authority vested in the controller, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her. The requested data will be erased unless the controller has a legal basis for refusing to erase the data, such as a legal obligation to retain the data.

Right to withdraw consent

Insofar as personal data is processed on the basis of the consent of the data subject, the data subject may withdraw his or her consent at any time by notifying the controller of the withdrawal. Withdrawing consent will not affect the lawfulness of processing carried out on the basis of the consent of the data subject before its withdrawal.

28.5.2025 TRAFICOM/196190/00.04.00.03/2025