PRIVACY NOTICE

Last updated: March 2025

1. ABOUT THIS POLICY

1.1 HIAP is committed to protecting the privacy and security of your personal information. This privacy notice describes how we collect and use personal information about you during and after your relationship with us, in accordance with the General Data Protection Regulation (GDPR).

1.2 This policy applies to all people who interact with HIAP regardless of length of engagement including employees, contractors and suppliers, board members, volunteers, survey participants, external consultants, audience members, applicants to Open Calls and recruitment processes, sponsors, funders and participants of workshops and educational programmes.

1.3 This notice may be updated from time to time and will be updated on the HIAP website as soon as reasonably possible.

1.4 HIAP is a ‘data controller’. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.

2. DATA PROTECTION PRINCIPLES

2.1 We will comply with data protection law. This says that the personal information we hold about you must be:

  • Used lawfully, fairly and in a transparent way.
  • Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
  • Relevant to the purposes we have told you about and limited only to those purposes.
  • Accurate and kept up to date.
  • Kept only as long as necessary for the purposes we have told you about.
  • Kept securely.

3. THE KIND OF INFORMATION WE HOLD ABOUT YOU

3.1 Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

3.2 There are certain types of more sensitive personal data which require a higher level of protection, such as information about a person’s health. The types of sensitive personal data we collect are set out at 3.4.

3.3 We may collect, store, and use the following categories of personal information about you:

  • Personal contact details such as name, title, address, telephone number and email address.
  • Date of birth
  • Gender
  • Marital status and dependents
  • Next of kin and emergency contact information.
  • Tax card.
  • VAT status.
  • Bank account details, payroll records and tax status information.
  • Salary, annual leave, pension and benefits information.
  • Employment records such as current employer, work history location, training records, salary.
  • Copies of identification (driving license, passport, ID card) and insurance documentation.
  • Application information (such as CV, portfolio, motivation statement / cover letter or other information required as part of the application process).
  • Records of payments made to you.
  • Complaints submissions.
  • CCTV footage and other information obtained through electronic means such as electronic key entry.
  • Visa / Residency Permit evidence.

For employees of HIAP (including full time, part time, permanent, fixed term and contractors) we may also collect and retain:

  • Records of salary and payments made to you.
  • Performance information.
  • Grievance and disciplinary information.
  • Information about your use of our information and communication systems.
  • The results of any employment status related check.

3.4 We may also collect, store and use the following more sensitive types of personal information:

  • Information about race, ethnicity, gender identity, sexual orientation, religion, class and / or socio economic background.
  • Trade Union membership.
  • Information about health and access including access riders, medical and health records, health insurance information. We collect this information as part of our diversity, access and inclusion evaluation and monitoring as well as for day to day operation of the organisation including making improvements to working conditions and responding to access needs.

4. HOW IS YOUR PERSONAL INFORMATION COLLECTED?

4.1 We collect personal information through application and recruitment processes, as well as through surveys and questionnaires, contracts and induction forms. This information is usually collected directly from the individual to which the information pertains unless they are working with a third party such as Access Support Worker, agency or other support organisation.

4.2 We collect additional personal information in the course of operational activities throughout the period of you engaging with us.

4.3 We collect personal information in several ways via our website:

  • Via ‘Cookies’ (see 4.4)
  • Enquiries submitted via forms
  • Funding donations via forms
  • Booking onto events via forms and / or third party websites such as Eventbrite.
  • Registering for our newsletter

4.4 Cookies are simple text files which are downloaded onto your computer the first time that you visit a website and then can be read by the website. Typically, they contain two pieces of information: a site name and unique user ID. Cookies are not programs and do not run anything on your computer.

Some cookies are sophisticated and might record things like your preferences for page layouts and colour schemes. They can also be used to store data for example for things like progress in a training course or information on what is in your ‘shopping cart’.

The possibilities are endless, and generally the role of cookies is beneficial, making your interactions with frequently visited sites smoother – for no extra effort on your part.

By their nature, cookies record behavioural data on your habits on websites and share this with the organisation. If you do not trust the organisation, then you should be wary of the information being shared with them, as they can influence what you see on the internet, for example through targeted advertising. As this can occur without warning, we believe (and the law states) that you need to be aware when cookies are in use and provide your consent to their usage.

When you visit the HIAP website for the first time, you will be given the choice to Accept or Decline non-essential cookies. Clicking Accept will allow us to track your visit to our website using non-essential cookies. This allows us to learn more about how you and others are using the website. If you click Decline, we will only load essential cookies when you visit the website. This includes cookies that are essential in ensuring our site works as you expect, like cookies used by our forms system.

To read more about our use of cookies please see our cookie declaration.

5. HOW WILL WE USE INFORMATION ABOUT YOU?

5.1 We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to perform the contract we have entered into with you.
  • Where we need to comply with a legal obligation.
  • Where it is necessary to pursue our legitimate interests provided that your interests and fundamental rights do not override those interests; for example, we may monitor your use of HIAP IT and communication systems to protect our reputation as an association.

5.2 We may also use your personal information in the following situations, which are likely to be rare:

  • Where we need to protect your interests (or someone else’s interests).
  • Where it is needed in the public interest or for official purposes.

6. SITUATIONS IN WHICH WE WILL USE YOUR PERSONAL INFORMATION

6.1 We need all categories in the above list primarily to allow us to effectively deliver our commitments to you (for example, we need your bank account details in order to be able to pay you) and to enable us to comply with legal obligations (for example, we are legally required to confirm you have the right to stay in Finland and will require personal data relating to Visa and / or Residency Permit to fulfil that requirement).

6.2 In some cases we may use your personal information to pursue legitimate interests, provided your interests and fundamental rights do not override those interests. For example, we have a legitimate interest in collecting and storing details of your next of kin so that we can contact the correct people on your behalf in any emergency situation.

6.3 The situations in which we will process your information are listed below:

  • Making a decision about your application / recruitment.
  • Paying you and, if you are an employee for tax purposes, deducting tax contributions.
  • Submitting insurance claims.
  • Administering the contract we have entered into with you.
  • Business management and planning, including accounting and auditing.
  • Gathering evidence for a possible Complaints or Grievance procedure.
  • Dealing with legal disputes including accidents in our premises.
  • Complying with Health and Safety regulations.
  • Diversity, inclusion and equality monitoring.

For employees of HIAP (including full time, part time, permanent, fixed term and contractors) the situations will also include:

  • Determining the terms on which you work for us.
  • Checking you are legally entitled to work in Finland.
  • Enrolling you into pension insurance arrangements.
  • Conducting performance reviews, managing performance and determining performance requirements.
  • Making decisions about salary reviews and compensation.
  • Assessing qualifications for a particular job or task, including decisions about promotions.
  • Education, training and development requirements.
  • To prevent fraud.
  • Managing sickness absence.
  • To ensure network and information security, including preventing unauthorized access to computer and electronic systems and preventing malicious software distribution.

6.4 Some of the grounds for processing may overlap and there could be several grounds which justify the use of your personal information.

7. CHANGE OF PURPOSE

7.1 We will only use your personal information for the purposes for which we collected it. If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so.

7.2 Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this information is required or permitted by law.

8. HOW WE USE PARTICULARLY SENSITIVE PERSONAL INFORMATION

8.1 ‘Special categories’ of particularly sensitive information, such as information about your health, race, ethnicity, gender identity or trade union membership, require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:

  • In limited circumstances, with your explicit written consent.
  • Where we need to carry out our legal obligations.
  • Where it is needed for the public interest, such as for statistical monitoring or in relation to insurance.

8.2 Less commonly, we may process this information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

8.3 Particularly sensitive information, such as demographic data, will not be used in any decision making processes regarding Open Calls, recruitment or otherwise.

9. SITUATIONS IN WHICH WE WILL USE YOUR SENSITIVE PERSONAL INFORMATION

9.1 In general, we will not process particularly sensitive information about you unless it is necessary for performing or exercising obligations or rights in connection with your relationship with us (such as employment or under the Residency agreement). On rare occasions, there may be other reasons for processing. The situations in which we will process your particularly sensitive personal information are:

  • We will use information about your physical or mental health, or disability status to ensure your health and safety in our premises, to provide workplace or programme adjustments and to administer benefits such as maternity pay, sick pay and pensions. With your consent, this information may be shared with external parties such as facilitators, advisors and partner organisations in order to ensure the activities you participate in are adapted and accessible where needed.
  • We will use demographic information such as race, ethnicity, gender identity, religion, sexual orientation, disability, mental health, class and / or socio economic status to ensure meaningful monitoring and reporting relating to diversity, inclusion and access.

10. DO WE NEED YOUR CONSENT?

10.1 We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific legal rights. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information we would like and the reason we need it so that you can carefully consider whether you wish to consent. You should be aware that this is not a condition of any contract you may have with us.

11. DATA SHARING

11.1 We may have to share your data with third parties, including third-party service providers and public sector funders. We require third parties to respect the security of your data and to treat it in accordance with the law.

11.2 We will share your personal information with third parties where required by law, where it is necessary to administer the relationship with you or where we have another legitimate interest in doing so.

11.3 ‘Third parties’ includes third party service providers, including contractors and designated agents. The following activities may be carried out by third party service providers: bookkeeping and payroll, legal services, IT services, communications services.

11.4 All third party service providers are required to take appropriate security measures to protect your personal information in line with this policy. We do not allow third party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

11.5 If our third party service providers notify us that there has been a data security breach, or one is suspected, we will follow any legally required procedures to notify you.

11.6 We may share your personal information with other third parties, for example in the context of reporting to public sector funders. In this situation we will, so far as we are permitted, only share anonymized data.

11.7 We may also need to share your personal information with a regulator or to otherwise comply with law, for example making tax returns.

11.8 We do not currently anticipate transferring any data outside of the European Economic Area (EEA). If this position changes, we will update this privacy notice accordingly and, to ensure your personal information receives an adequate level of protection, we will ensure that either:

  • There is an adequacy decision from the European Commission in place; or
  • We have put in place appropriate measures to ensure that your personal information is treated in a way that is consistent with and which respects the EU laws on data protection.

12. DATA SECURITY

12.1 We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

12.2 We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

13. DATA RETENTION

13.1 We will only retain your personal information for as long as necessary to fulfill the purposes we collected it for, including for the purposes of any legal, accounting, or reporting requirements.

13.2 To consider the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

13.3 In some circumstances we may anonymize your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer engaged with the company we will retain and securely destroy your personal information in accordance with the applicable laws and regulations.

14. RIGHTS OF ACCESS, CORRECTION, ERASURE, AND RESTRICTION

14.1 It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.

14.2 Under certain circumstances, by law you have the right to:

  • Request access to your personal information (commonly known as a ‘data subject access request’). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
  • Request the restriction of processing your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party.

14.3 If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the Head of Administration in writing.

14.4 You will not have to pay a fee to access your personal information (or to exercise any other rights). However, we may refuse to comply with the request if it is clearly unfounded or excessive.

14.5 We may need to request specific information from you to help us confirm your identity and ensure your right to access information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

15. RIGHT TO WITHDRAW CONSENT

15.1 In limited circumstances where you may have provided your consent to collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the Head of Administration.

15.2 Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

16. CONTACT US

If you have any questions about this privacy notice or how we handle your personal information, please contact our Data Protection Officer. You have the right to make a complaint at any time to the Office of the Data Protection Ombudsman, Finland’s supervisory authority for data protection issues.

17. CHANGES TO THIS PRIVACY NOTICE

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.