FCA Privacy Statement

Finn Church Aid (FCA) is careful with your information when you support us in seeking positive change to the most vulnerable people in fragile contexts.

When you contribute to our work, we process some information about you.

This is so, when for example you:

  • Donate a fixed monthly amount or a single donation
  • Draw up a deed of gift
  • Bequest FCA in a will
  • Donate via a digital gift Toisenlainen Lahja in our web-pages
  • Have donated an amount once or more times
  • Become a volunteer with FCA; e.g. Teachers without Boarders, Changemaker or Womens’s Bank
  • Apply for a job or are an employee in FCA
  • Subscribe to our newsletter or our Tekoja Magazine
  • Visit our website.

In a number of cases we process your data as a precondition for receiving financial support from you or for having an agreement with you; that is why we have prepared this privacy policy in order to inform you how we protect your data and process them in conformity with data protection regulations. FCA collects data of people affected by crisis for the purpose of assistance, statistics and mandatory reporting. This data is anonymized when possible and kept outside of the European Economic Area.  

Data responsibility and contact information

FCA is data Controller for the information we process about you, when as a private person or owner of a one-man company send donations to us, when you buy goods in our web shop, when you want to become a volunteer with FCA, or when we are in contact with you in general, e.g. when you may consider becoming a donor. FCA acts also as joint-controller on behalf of certain common registers based on a contract, for example with SecuryCast,  Finnish Bible Society and Finnish Evangelical Lutheran Mission.

Being data Controller when processing information about you means that we as an organisation decide the purposes and the means of processing your information. We do all we can to protect your information, and we have, among others, internal organisational and technical procedures for protection of your personal data. As Joint-controller, the Controllers together decide   the purposes and the means of processing your information and this is based on a contract between the Joint-controllers.

As data Processor, FCA processes certain registers according to the instructions given by the data Controller based on a Procesessor-contract. FCA  country offices also act as data Processors towards FCA on behalf of multiple registers, which are mainly internal FCA HR-registers.  Required Processor-contracts are also made between FCA Ccountry offices  and FCA foundation.

If you have questions about our processing of your personal data, please contact us as follows:

Finn Church Aid’s Data Protection Officer (DPO), Legal Specialist Viivi Varila.

The contact of the DPO: email dataprotection@kirkonulkomaanapu.fi, tel. +358 50 577 7114.  Data subjects can contact the data protection officer in all matters related to the processing of their personal data or the exercise of rights based on the GDPR.

What kind of information about you are we processing?

When you donate to us or buy goods in our web-pages, the following information about you is processed:

  • First name and surname
  • Address, zip code, city, country
  • Mobile phone number
  • E-mail address
  • Credit card information (encrypted via service provider Paytrail)
  • Name of bank if you want to make donations through bank transfer
  • Information about donation, including amount, number of donations and what you have donated
  • Information whether you want to donate or not
  • Bank information, such as registration- and account number in connection with bank transfers
  • Information about payments, including missing payments
  • Purchase of goods in our web-pages
  • Information from your Will, including a possible amount of share of total inheritance
  • Inquiries, contacts, claim, complaints, if any
  • Data improved from cooperation partners with a view to quality assurance and marketing
  • Pictures on the website, if any, if you have given your consent
  • Member statistics

What kind of information about you are we processing when you are a volunteer or apply for a job?

  • First name and surname
  • Date of birth
  • Gender
  • Mobile number
  • Address, zip code, city and country
  • E-mail address
  • Application and possible CV

Information that we process concerning our employees is on FCA intranet.

As a main rule, we do not register sensitive /special categories of information or criminal activities about you. However, in the international aid work, the beneficiary data may include special categories data. This data is processed with reinforced technical and organisational measures. As an employer FCA  processes employee data by law or that derives directly from a statutory duty set out for the Controller by law. When processing data in FCA’s internal complain mechanisms, this this data may include sensitive/special categories data.

Cookies

When you visit the Finn Church Aid webpages, your web browser automatically stores cookies onto your hard drive.  Cookies can contain text, numbers, dates, location information and other data, but cookies do not store any personal data. A cookie is neither an application, nor does it allow viruses or other malware to enter your computer.  Cookies do not harm your computer in any way.

Cookies help us find out the number of visitors to our pages, save selections made on the pages (e.g. language settings), monitor how the page is used (e.g. click streams) and focus and control advertising (e.g. not showing the same ads repeatedly). However, we do not monitor the data of individual visitors, but we store user data, based on behaviour and geographical location, for example.

Cookies help us improve the user experience on our webpages and introduce advertising that the user is interested in. For example, you can see Finn Church Aid’s advertising while visiting other webpages. Cookies enable us to do this.

If you do not wish to have cookies stored on your device, you can prevent their use by changing the settings in your browser.

For which purposes do we process your information?

We process your information in order to:

  • Receive, register and administer donations from you
  • Deliver  Toisenlainen Lahja- cards you have purchased in our web-pages, including administer your orders and payments
  • Send News Letters to you if you are registered for them
  • Send you marketing material if it is according to the marketing regulations
  • Make a profile with a view to create the best possible relation, including quality assurance and marketing. This profile allows us to target relevant marketing to you, based on your personal information and preferences.
  • Process information about correspondence with you, including your inquiries or complaints, if any
  • Provide statistics in order to know e.g. the number of donors, age and gender distribution, average amount of donations etc.
  • Process your application as a volunteer
  • Establish and manage your employment relationship
  • Train our Telemarketing staff
  • Assist people affected by crisis in FCA’s programme areas; to mandatory reporting, audits and statistics of our work
  • Improve the functionality of our website and prepare statistics on the use of the website

On what legal basis do we process your information?

When you donate an amount or buy goods in the web shop, we can process your general ID information, donation, orders etc., because it is necessary for delivering your goods and administering your donation. In the same way, prior to receiving your donation or your purchase in the web shop, we can process your information as part of the work prior to making an agreement with you. When you will donate an amount to us, we can also process your information with a view to carrying out arrangements prior to making an agreement with you. This is also the case with your application as a volunteer.

As to your CPR-number we can process it in connection with your donation in the countries where donations are deductible of tax, because reporting about deduction to Tax shall be given with CPR-number according to the tax control regulations. We also use the CPR-number to create recurring payments with NETS (BS-agreement)

According to the accounting regulations we are legally obliged to process transaction tracks with a view to our financial accounts.

If you have questions or complaints, we can process information about it because we have a legitimate interest in giving you the best possible experience, answering possible questions or determine a possible legal claim.

We have a legitimate interest in processing your basic personal information with a view to profiling and marketing in order to better and more precisely adjust our information and marketing to you. Furthermore, we have a legitimate interest in processing information about activities on our website at IP-address level with a view to improve the functionality of the website and prepare statistics.

According to the fundraising regulations we as an international aid organisation have the right to approach you with a view of receiving a donation.

When FCA processes beneficiary data in its humanitarian program work, this is either based on explicit consent or to protection of vital interests of the data subjects or other persons. When FCA processes employee data, this is based on Controller’s legal obligations. When processing data in FCa’s internal complain mechanisms, this is based on Controller’s legal obligations.

The legal basis of has been defined in advance by each register in FCA’s internal Recorrd of Processing Activities and it is revised regularly, for example  as part of the Data Protection Impact Assessment procedure.

How long do we keep your data?

We keep your data as long as we see a factual need for it. This means among others, that when deciding the period of keeping the data, we weight a number of criteria, including:

  • Regulations of accounting about keeping of accounting material
  • Other regulations about keeping of payment information
  • If a special association with you as a donor or potential donor has been established
  • If we have been in contact with you within the last two years
  • If we have received donations from you with the last five years
  • If you have been a volunteer; how probable is it that we can recruit you within the nearest future.

As to cookies you can read more about e.g. the expiration of our cookie policy above. The period of keeping the data has been defined in advance by each register in FCA’s internal Record of Processing Activities.

Who do we share your information with, and where do we collect your data?

We share your information only with partners if there is a factual and legal need for it and  the legal basis on which  each register is processed, enables this. If it is a question of personal data which FCA processes based on contract or consent, we will inform you in advance if this data can be shared with partners.  We do not share information without either a processing contract or a required  transfer tool, which are documented. We have internal procedures so that only employees with a work related need have access to your information.

Furthermore, we use external data processors with whom we have a data processing agreement. In addition there are cases when we collect data from external cooperation partners.  You can read more under “Profiling” below.

Transfer of personal data to third countries

As FCA is one overall data-responsible body, the EU data protection regulation is valid for the processing of your personal data by us, no matter where in the world this takes place. When FCA country offices outside the EU process FCA’s data as  data Prosessors, the  EU data protection regulation is valid for the processing. FCA country offices outside the EU/EEA, when processing their own beneficiary-data will apply local laws and FCA Guidelines. If they transfer this data into EU to FCA, the EU data protection regulation will be applied also to this data.

If you are a volunteer abroad, there are cases when your data will be transferred to FCA local offices outside the EU/EEA.

We ensure that the necessary guarantees are in place to protect your information when it is processed in our offices outside the EU/EEA. This means among others that:

  • We only transfer data to offices outside the EU/EEA when there is a specific need in connection with a stay as volunteer outside the EU/EEA
  • We transfer the data because it is necessary for an agreement with you or for making steps based on your request before entering into such an agreement
  • Even if the data are processed at our local offices abroad, the very processing takes place only on servers placed in the EU and in FCA’s closed network.
  • We use EU Commissions’ model clauses as transfer tools when possible
  • Data transfers with international organizations, which do not recognize the EU jurisdiction, are made according to the basic contracts provided by these organizations.
  • The personal data, which is being transferred is always protected with   adequate technical safety measures.

Security

FCA implements and improves constantly internal organisational and technical arrangements in order to protect your information against accidental or illegal destruction, being lost or changed, against unauthorised passing on and against unauthorised access to or knowledge of this data information. These safety measures are implied inside FCA and in cooperation with contractual partners. The Data Protection Officer also monitors all processing of personal data at FCA. FCA has internal guidelines and the personnel is being trained on how to process personal data safely.  FCA has processes and instruction in place on how to proceed  if a data breach occurs. Each register, which  FCA is in Controller or Processor position has been documented in FCA’s internal Record of Processing Activities as required by law.

Consequences by not giving data information

The processing of your data is necessary so that we can administer your donations and send your purchases according to agreement.

If you do not want us to process your data information, the consequence may be that we cannot administer your donations, or send goods purchased on the web-pages 

Profiling

In order to have the most meaningful relation to you and with a view of making target group analyses, we use general personal data such as frequency and type of donation to make your profile. We collect these data based on your donations, among others.

As to quality assurance of the data we use and in relation to marketing, there are cases where we improve the existing data we have on you with data collected from cooperation partners.

Based on the data we have on you, we may also in some cases use basic personal data, such as in relation to segmenting, with a view to do marketing on social media.

FCA does not make automatic decisions.

What are my rights?

According to the EU data protection regulation you have a number of rights related to the information about you that we process. There are certain exemptions from these rights, and you cannot claim your rights in all cases.

You have a right to have insight in the data we process about you.

You have a right to have inaccurate personal data corrected.

You have a right to have data deleted if there is no legitimate need any more for processing your data.

With certain limitations you can object to a processing of personal data, e.g. when doing profiling.

In some cases you also have the right to limit the processing of your personal data.

If the processing of personal data about you is based on agreement or contract and the processing is totally automatic, you have, with some exemptions, also the right to data-portability.

Furthermore, you can object to our processing of your personal data.

If our processing of personal data is based on your consent, you have the right to withdraw this consent.

Where can I complain?

You have a right to complain to the Office of  the Data Protection Ombudsman about our processing of your personal data at the following address:

Lintulahdenkuja 4, 00530 Helsinki, Finland

E-mail: tietosuoja@om.fi

Phone: +358 295 666 700

Procedure of Handling Data Subject Requests