Privacy Statement for Fulbright Finland Foundation Grant Programs

As of November 7, 2024

At the Fulbright Finland Foundation (the "Foundation"), we prioritize your privacy and are committed to maintaining the highest standards of confidentiality and security for your personal data. We recognize the importance of your personal information and respect your privacy rights.

This Privacy Statement outlines our practices regarding the collection, use, and protection of your personal data when you interact with our grant programs as an applicant, grantee, or alum. The types of personal data we process may vary depending on the specific program you participate in.

Please note that if you have applied for a grant through one of our program partners’ platforms, such as those administered by IIE, IREX, or World Learning, you have also agreed to their specific terms and conditions. Their data processing and retention policies may differ from ours, and we do not have control over how they handle your data. The Foundation’s Privacy Statement applies only to your interactions with us directly.

We encourage you to read this Statement carefully to understand our views and practices regarding your personal data and how we will treat it.

Controller Details

The controller of your personal data is the Fulbright Finland Foundation, located at:

Fulbright Finland Foundation sr
Hakaniemenranta 6
00530 Helsinki, Finland

If you have any questions about this Statement or our data processing practices, please contact:

Pia Arola
Executive Assistant
Email: [email protected]

Types of Personal Data We Process

Throughout the lifecycle of a particular program, and depending on your status as an applicant, participant, or alum, we may process the following types of information:

  • Identifying and contact information: This includes your name, email address, mailing address, phone number, date of birth, gender and pronouns, citizenship status, marital status, national identification number, and government-issued identification (such as a passport or ID).
  • Academic and professional information: This encompasses your academic history, schools attended, grades, employment history, job titles, professional references, diplomas, certifications, and licenses.
  • Family information: Details regarding your family structure, marital status, dependents (including minors), and emergency contact information.
  • Financial information: This includes information about your bank account number, as well as personal income and savings (if included as proof of funding for budgetary purposes).
  • Photographs or recordings: Images or recordings of you taken during your participation in a program or at one of our events.
  • Personal history: Information about your travel history and other relevant events in your life.
  • Preferences: Information regarding your dietary restrictions and interests.
  • Grant information: Details related to the grant, including the category of grant applied for, the grant period, the purpose of the grant and reports submitted during the grant term.
  • Special categories of data: Information concerning your health, collected only when necessary and required for specific purposes such as medical review and health benefits enrollment.

Purposes for Processing Personal Data

The Foundation will only process personal data when it is necessary and required for the purposes listed or if you choose to provide it to us voluntarily.

The Foundation collects personal data for the following purposes:

  1. Application/Selection: Collecting and reviewing applications for the purpose of selecting potential program participants and/or notifying them of their selection for a program.
  2. Academic Review and Placement: Reading, evaluating, submitting, and/or analyzing applications for the purpose of matching a participant with a host institution and any other relevant entity.
  3. Record Creation/Management: Creating and maintaining a record in the Foundation’s systems, electronically or otherwise, in order to carry out the management of the program.
  4. Financial Verification: Verifying availability of funds or income to cover program-related costs/expenses, financial need, or other financial requirements of a program.
  5. Participant Agreements: Creating an agreement document such as Terms of Award/Grant Authorization or any other type of agreement document with program participants.
  6. Event Management: Planning and/or executing events including registration, scheduling of participants, or any other event-related activities for purposes including program enrichment or partner engagements by the Foundation.
  7. Program Evaluation and Reporting: Reporting, exporting, or compiling data for the purposes of understanding and/or evaluating the state of the program and its participants, impacts, or other legitimate interests. It also includes producing and sharing reports with sponsors or donors about progress, activities, and other program-related information.
  8. Participant Progress Management: Collecting and analyzing any academic, employment, or other information to ensure a participant is meeting the requirements of a program or on track for successful completion of an award.
  9. Payment Processing: Processing payment transactions to or from participants.
  10. Health Benefit Enrollment: Enrolling a participant in a health benefit plan to ensure coverage for medical issues or emergencies while on program.
  11. Medical Review: Reviewing medical data for the purpose of determining eligibility, identifying any issues that could affect participation in a program or activity, or would require additional arrangements.
  12. Emergency Management: Assisting, corresponding, and handling emergencies during program participation.
  13. Tax Reporting: Annually reporting to the Finnish Tax Authority grant amounts paid to program participants.
  14. Alumni Management: Managing data of participants whose programs have ended, including the production of statistical reports, alumni correspondence, and organizing alumni events and activities.
  15. Visual Media Management: Managing photo and video database, which includes photos and videos taken by the Foundation at its events and videos and photos shared by the program participants and alumni prior to, during, and after the grant term.

Please note that the most common scenarios for the Foundation processing special categories of personal data are when medical data is collected to review your medical history to determine eligibility to participate in a program; and information concerning minors, if you are bringing dependents with you and we are required to process their data for visa sponsorship or other purposes. In most cases, the Foundation only processes other types of sensitive information if you voluntarily provide it, such as referring to religious or political views in an application.

Legal Basis for Processing

The legal basis for processing your personal data is based on your voluntary, informed, and unambiguous consent. Participation in the grant program requires your consent to process personal data.

The Foundation processes your personal data on the following grounds:

  • Contractual Necessity: To enter into and fulfill a contract with you when awarding a grant, including taking any necessary pre-contractual steps at your request.
  • Legal/Regulatory Obligation: To comply with legal requirements to which the Foundation is subject, such as accounting and tax obligations.
  • Consent: Where you have given us explicit consent for a specific purpose of processing.
  • Legitimate Interests: When necessary to pursue our legitimate interests or those of others, provided that these interests are not outweighed by your rights or freedoms. This includes managing our programs effectively, investigating complaints, addressing legal claims, ensuring compliance, and fulfilling regulatory and investigative obligations.

With Whom We May Share Your Data

To process grant applications, the Foundation may share personal data with the following third parties:

  • Academic and research institutions
  • External expert evaluators, interview panelists, and award selection committees
  • Finnish and U.S. Governmental agencies
  • Insurance and health providers
  • Program and award partners
  • Program and award sponsors

Additional third parties may include legal counsel representing the Foundation, courts, regulators, government authorities and law enforcement officials if required by law or for the Foundation’s legitimate interest in compliance with applicable laws/regulations.

If you are a program participant, the following information may be published on the Foundation’s social media channels, website, and brochures, as well as in print and online publications, such as the Fulbright Finland News magazine:

  • First name(s)
  • Last name(s)
  • Photo
  • Grant category
  • Project title
  • Project description
  • Name of home institution(s)
  • Host institution(s)
  • Grant period(s)

In addition, the following information may be shared with the Foundation’s programs participants and alumni, the U.S. Embassy in Helsinki, the Finnish Embassy in Washington D.C., and the Consulates General of Finland in the U.S.:

  • Primary email address
  • Job title
  • Organization
  • State/City
  • Country

The Foundation takes photographs and video recordings at its events and asks program participants to share photos of their grant projects with the Foundation throughout the grant term. The Foundation may use these photographs and video recordings in the Foundation’s social media channels, website, and brochures, as well as in print and online publications, such as the Fulbright Finland News magazine.

Regular Destinations of Disclosed Data and Transfers Outside the EU/EEA

The Foundation collects personal data via cloud-based, third-party hosting and service providers with whom the Foundation engages. These platform servers may be located outside of the European Union or the European Economic Area (“EEA”). Your personal data may also be shared with academic and research institutions, expert evaluators, interview panelists, award selection committees, Finnish and U.S. Governmental agencies, insurance and health providers, program and award partners, program and award sponsors, and with alumni and program participants who may be located outside the EU/EEA.

Data Security

The Foundation is committed to ensuring the security, integrity, and privacy of your personal data. We use servers and platforms that comply with the European Union General Data Protection Regulation (EU GDPR). Access to personal data is limited to authorized personnel only. Various security measures, such as firewalls, encryption, and secure access protocols, are employed to protect stored data.

While we undertake reasonable efforts to prevent unauthorized access, alteration, disclosure, or destruction of personal data, we cannot ensure or warrant the security of data transmitted to us, provided online, or stored by our service providers. Personal data is submitted at your own risk. We are not liable for disclosures of your personal data due to errors in transmission or the acts of our service providers or other third parties. We encourage you to review the privacy policies of any third-party platforms through which we may request your personal data.

Data Retention

The Foundation retains your data on its servers and on cloud-based, third-party hosting and service providers, including application management portals and other relevant systems. Personal data is retained for as long as necessary to achieve the purposes outlined in this Privacy Statement. The duration of retention depends on the type of data, the category of data subject, and the specific purposes for which the data was processed.
The Foundation will retain your personal data under the following conditions:

  • Purpose Fulfillment: As long as necessary to fulfill the purposes for which the data was processed, based on the legal basis for processing.
  • Legitimate Interest: Until the Foundation no longer has a legitimate interest in retaining the data or until any potential claims related to the Foundation’s contractual relationship with you have expired.
  • Consent Withdrawal: Until you withdraw your consent.
  • Legal/Regulatory Obligations: Where retention is mandated by legal or regulatory requirements.

Please note that the Foundation is not responsible for removing your personal data from the lists or systems of any third parties not connected to the Foundation who have previously been provided with your data in accordance with this Statement.

In addition to the general retention principles outlined above, the Foundation applies the following specific retention policies for different types of applications and data:

  • Unsubmitted Applications: Applications started but not submitted by the application deadline are deleted.
  • Non-Selected Applications: Applications, attachments, and other personal data shared during the application period by non-selected applicants are retained for 2 years after the application period ends.
  • Alternate Status Applications: Applications, attachments, and other personal data shared during the application period are retained for 2 years after the application period ends. Certain data, including name, grant category, project field, project title, home and host institution, grant period, and potential grant amount, is permanently recorded in the Foundation’s internal documentation.
  • Awarded Grants: Grant applications (excluding certificates, transcripts, diplomas, recommendation letters, passport and ID card copies) and reports, including mid-term and final reports, are permanently archived for research purposes. The Foundation also retains grantees’ contact information and grant details indefinitely to support alumni management and statistical analysis. Specific data, as outlined in the “With Whom We May Share Your Data” section, will be made publicly available on our website.
  • Payment Data: Grant payment data is stored for 6 years from the end of the financial year based on the Accounting Act (1336/1997).

Automated Decision-Making

The Foundation does not use personal data for automated decision-making processes, including profiling, in the administration of its grant programs.

The Data Subject’s Rights

As a data subject, you have several rights under the General Data Protection Regulation (GDPR). We are committed to ensuring that you can exercise these rights. Below is a summary of your rights, coming directly from the GDPR, and how you can exercise them:

  • Right to be Informed: We are committed to being transparent about how we use your personal data. We will inform you about the processing of your data before collecting it.
  • Right to Access: You have the right to request access to the personal data we hold about you and how we process it.
  • Right to Rectification: If you believe that the personal data we hold about you is incorrect or incomplete, you have the right to request its correction or completion. We will correct or complete your data as soon as possible.
  • Right to Erasure (Right to be Forgotten): You have the right to request the deletion of your personal data when there is no compelling reason for us to continue processing it.
  • Right to Restrict Processing: You have the right to request the restriction of the processing of your personal data under certain circumstances, such as if you contest the accuracy of your data.
  • Right to Data Portability: You have the right to obtain and reuse your personal data for your own purposes across different services.
  • Right to Object: You have the right to object to the processing of your personal data under certain circumstances, including direct marketing purposes.
  • Right to be Not Subject to Automated Decision-Making including Profiling: You have the right not to be subject to a decision based solely on automated processing,

Changes to This Privacy Statement

The Foundation reserves the right to update this Privacy Statement at any time without notice to you. Any changes we may make to this Statement in the future will be posted on our website. All changes shall be effective from the date of publication unless otherwise provided in the notification.

We encourage you to review this Privacy Statement periodically to stay informed about how we are helping to protect the personal data we collect. Your continued use of our services constitutes your agreement to this Privacy Statement and any updates.