Privacy notice for the processing of personal data related to event and training registrations via webropol

This privacy notice contains the information required under Articles 13 and 14 of the General Data Protection Regulation (EU) 2016/679, which must be provided to the data subject. It explains how the Finnish Environment Institute (Syke) collects, uses, discloses, and stores personal data.

Syke reserves the right to make technical changes to this privacy notice without prior notification to data subjects.

Controller and data protection officer

Finnish Environment Institute (Syke)
Latokartanonkaari 11
00790 Helsinki, Finland
E-mail:kirjaamo@syke.fi
Secure email: https://turvaviesti.ymparisto.fi/
Tel. +358 295 252 001

Contact person for the controller

planner Minna Wasenius
E-mail: firstname.lastname@syke.fi
+358 295 251 730

Data protection officer

Juha Ruotsalainen
E-mail: tietosuojaSYKE@syke.fi

Legal basis for processing

We process your personal data based on your consent (Article 6(1)(a) of the GDPR), which is collected when you register for a training or other event. For Syke employees, the processing of personal data is primarily based on the employment relationship (Article 6(1)(c) of the GDPR).

Participation in trainings requires providing the personal data specified in this notice.

Personal data collected and the purposes of processing 

What personal data do we collect during registration?

  • Name
  • Job title and organization
  • Email address and phone number
  • Special dietary requirements

How do we use your data?

  • Organizing events and trainings
  • Developing our services
  • Sending email notifications about future trainings (only if you give separate consent)

Other information

  • Data is primarily collected in Webropol, but registrations may also be collected through other services. The system used will be indicated during registration.
  • Personnel of service providers for Syke’s registration systems also have access to personal data. These providers act as data processors under the GDPR and must follow Syke’s instructions.

Sources of personal data

Participants themselves or their authorized representatives provide the data in the system.

Recipients of personal data

In addition to Syke staff involved in managing events and trainings, personnel of system service providers have access to personal data. Service providers act as data processors under the GDPR and follow Syke’s instructions.

Syke may also disclose personal data to cooperation partners.

Syke does not actively transfer or disclose personal data outside the EU or EEA. However, Syke can use software service providers such as Microsoft in its operations, which most of the time operate as cloud services. This data is considered to be effectively transferred outside the EU/EEA, regardless of where the data is located.

On 10 July 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework. The adequacy decision permits the transfer of data from the EU and EEA to participating companies in the US without additional safeguards.

The adequacy decision applies to transfers of personal data made to US companies that have committed to the safeguards specified in the arrangement. The adequacy decision cannot be used as an instrument for the transfer of personal data between public sector entities.

Syke ensures that the service providers it uses are on the list maintained by the European data protection authorities

Protection of personal data

For Webropol, personal data is stored in the outsourced Webropol service (www.webropol.fi). The connection to the service is SSL-secured. Only designated Syke personnel involved in managing the specific trainings have access to the Syke, as the controller, has implemented necessary technical and organizational measures and requires the same from its service providers.

Retention of personal data

Personal data is retained for as long as necessary to fulfill the purposes described in this notice. According to Syke’s information management plan:

  • Participation data: 10 years
  • Training programs and individual feedback: 2 years
  • Annual feedback summaries: 10 years

Your data protection rights

We aim to provide a comprehensive overview of personal data processing related to event registration in this notice. If any aspect remains unclear, you may send questions to the contact person or Syke’s Data Protection Officer.

You have the following rights under the GDPR

  • The right to know the purposes and methods of processing your personal data.
  • The right to obtain a copy of your personal data being processed.
  • The right to request correction of inaccurate or incorrect data. If we correct data based on your request, we will notify all recipients to whom the data was previously disclosed, where possible.
  • The right to lodge a complaint with the supervisory authority.

Additionally, individuals outside Syke have the following rights

  • The right to withdraw consent at any time.
  • The right to request deletion or restriction of processing of personal data.
  • The right to request the transfer of data to another controller.
  • External individuals may request deletion of their data at any time. After deletion, Syke cannot provide participation details to the individual.
Published 3.1.2020 / Updated 30.1.2026