Privacy Policy of the Teosto Cultural Foundation

We are committed to protecting your privacy. This privacy policy applies to the processing of personal data of grant applicants and recipients, and our interest groups.

In this privacy policy, we provide detailed information on:

Please, familiarize yourself with the content of this privacy policy, also note that our website may contain links to third-party services. If you click on any such links and navigate to a third-party service, we encourage you to review their privacy policy on processing personal data.

Who is the data controller?

Teoston kulttuurisäätiö sr / Teosto Cultural Foundation
Business ID 3431198-2
Keilasatama 2 A, FI-02150 Espoo, Finland

Contact person:
Teijamari Jyrkkiö,

Data processor:

Utdelningsstiftelsen för Svenska kulturfonden sr. / The Swedish Cultural Foundation in Finland
Business ID 2379356-8
Yrjönkatu 27, FI-00100 Helsinki, Finland

The Swedish Cultural Foundation uses the following processors of personal data:

  • Amazon Web Services: Sending emails to registered users.
  • Trust Services ApS: Identification of recipients of grants or funding related to payment requests. 
  • Hetzner Online GmbH: Storage of all data in the register on Hetzner servers

What personal data is processed and how it is collected?

Typically, we process the following data:

  • Data of grant and project grant applicants, including identifying information such as name, address, telephone number, email, personal or business ID number; information provided in the application such as CV, work samples, and any other information provided; recommendations obtained with the approval of the applicant, and other relevant data. 
  • Data of grant and project grant applicants, such as banking details, payment request and transaction related data, decision dates, possible changes to the grant or its reimbursement, reports of grants to relevant authorities, electronic identification regarding payment requests, and reports on the use of the awarded funds. 
  • Contact information of interest groups’ contact person, including name, contact details, title, name of the organisation represented, business ID number, and the organisation’s contact details.

The personal data is provided either by the individual or the organisation they represent.

We also monitor the use of our website with WP Statistics that does not use cookies but only collects anonymized statistics of website visits.

What is the purpose and legal basis for processing personal data?

We process data for the following purposes:

  • Fulfilling the mission of the Foundation: We process provided data to enable the Foundation to fulfil is purpose. This processing is based on our legitimate interest. We process your data in relation to managing applications, analysing and archiving them, also for monitoring and paying awarded grants, and communicating about the Foundation to relevant interest groups.
  • Publishing: Awarded grants and project grants are published on our website, in our annual reports and in newsletters. Publishing this information is based on public interest.
  • Safeguarding our rights: We may need to process personal data to establish or defend legal claims or settle disputes amicably. This processing is based on our legitimate interest. 
  • Fulfilling legal obligations: We are required to collect and report personal data of awarded grants to relevant authorities such as the Tax Administration and the Farmers’ Social Insurance Institution. In addition, we may be obligated to retain some personal data to comply with accounting and other mandatory legislation. The processing of data is based on legal obligation. 

We may use AI tools in analysing applications or other processing of personal data. These tools are not used for profiling or automated decisions with legal or otherwise significant impact on you.

Where data processing is based on public interest. We have assessed that it is in interest of society in general to have transparent information about how the Foundation uses its funds. The legitimate interest allows the Foundation to monitor its operation and the allocation of grants, and to track application history, to survey payments and to investigate possible misuse. Based on our assessment, the processing described above is not in conflict with the applicant’s fundamental rights or freedoms.

How long is data retained?

We retain your personal data as long as necessary for the purposes described above. Retention times are generally as follows:

  • Rejected applications: Contact details and attachments are deleted three years after the processing year. After that, data is transferred for analysis and archiving as described below.
    Draft applications and reports are saved for no longer than two years or until deleted by the applicant.
  • Awarded grants and project grants: Data for these grants is retained for processing for at least 13 years from the date of application, after which the contact and personal ID information of the main applicant and other working group members is deleted and transferred for analysis and archiving as described below. Payment data is stored for at least 10 years from the date of the last payment, as regulated by Finnish accounting legislation.  
  • Analysis and archiving: Based on legitimate interest, remaining application data is retained for 30 years for analytical purposes or, under the EU Article 89 of the GDPR, for archiving and scientific and historical research.
    In archiving, the grant data is transferred to permanent storage in minimized form. The contact information of applicants and working group members as well as attachments of rejected applications are deleted.
  • All awarded grants published on our website and information in the attachments of minutes related to grant decisions are stored permanently based on public interest.
  • Interest groups: Contact information is retained as long as the contact person is in a position in which it is reasonable to assume that they are still interested in the Foundation’s operation. However, a registered contact person may request the deletion of their data.

Please note, we may retain data for the establishment, exercise or defence of legal claims.      

What are your rights?

Subject to legal rights and limitations, we implement the following rights:

  • Right of access: You have the right to receive confirmation that your personal data is processed or is not processed. If processed, you have the right to access it; unless it adversely affects the rights and freedoms of others.
  • Right of rectification and deletion: Upon request, we will rectify or delete inaccurate, incomplete or unnecessary personal data; unless the data is pertinent for establishing, exercising or defending legal claims.
  • Right to withdraw consent: You may withdraw your consent at any time.
  • Right to object and restrict processing: You may object processing, based on legitimate interest, justified by on your personal circumstances. In such cases, processing is restricted while the objection is evaluated. If you, for example, contest the accuracy of your personal information, restriction can also be applied for the duration that the correctness of the information is evaluated. In case there is a substantial justification for processing your data that overrides your rights or freedoms, or processing is necessary for the establishment, exercise or defence of a legal claim, we will contact you about the continuation of processing data.
  • Right to lodge complaint: You can lodge a complaint with authorities if your personal data has been processed in violation of this policy or applicable law. Contact information for the Data Protection Ombudsman is on their website www.tietosuoja.fi.

To exercise your above-described rights, please, be in contact to the address provided in paragraph 1. You will need to verify your identity to ensure that your data is not disclosed to anybody but you.

Where is data transferred or disclosed?

We use subcontractors for data processing and ensure contractually that the data is processed in accordance to applicable laws. If data is transferred outside the EU or EEA, we ensure adequate protection of the data by confidentiality and processing agreements as required by law, and utilise, for example, the EU standard contractual clauses. 

We do not disclose personal data to third parties for their independent use, except in the following cases:

  • Authorities: Personal data may be disclosed to relevant authorities in accordance to applicable laws.
  • Other funding organisations: Applicant data may be disclosed to other funding organisations.
  •  Debt collectors and legal claims: Personal data may be shared with selected partners for the recovery of funds, or the establishment or defence of legal claims.
  • Consent: With your consent your data may be disclosed to our partners.

How is data protected?

We use appropriate technical and organisational measures to protect your personal data against unauthorized access and processing. These measures include firewalls and encryption methods, appropriate access control, limited access to the registry, training of personnel involved in processing data, and careful selection of subcontractors.

Can this privacy policy be changed?

We continuously develop our operations and this privacy policy may be updated accordingly. Legislative or regulatory changes may also cause modifications. Please, review this policy regularly.

This Privacy Policy was last updated on 2 May 2025.