Privacy statement for the Free Movement association (GDPR)

  1. Data controller and contact person

Data controller: Free Movement (“the Association”), Business ID 2518478-2

Address: Kaivonkatsojantie 9 G 118, FI-00980 Helsinki

Phone number: +358 40 241 06 62

Email: [email protected]

Contact person in registry matters: Siiri Savinotko, chairperson, the Free Movement association

  2. Data subjects

In the registry, we process the personal data of the current and former members of the Association (“Data Subjects”).

  3. The basis and purpose of processing the personal data

The purpose of the registry is to keep the Data Subjects’ personal data up to date during their membership, to maintain and develop the registry, and to manage the documentation of past memberships in the personal data system (“System”). The personal data is also used for communicating about association activities, maintaining member relations, and handling tasks related to essential organizational duties, such as notifying members about meetings.

The processing of the personal data is based on the Association’s legal obligation to maintain a member registry and, occasionally, enforce contracts.

  4. The processed personal data

In the registry, we process the personal data and contact information of the Association members and other necessary information related to the Association membership. Such information includes:

  • The Data Subject’s first name and last name;
  • The Data Subject’s address;
  • The Data Subject’s email address;
  • The Data Subject’s phone number;
  • Identifying information for electronic communication.

  5. Regular sources of information

Personal data is collected from the Data Subject themself.

  6. Protecting personal data and data security

The digitally processed personal data is stored and protected in a service called Yhdistysavain. Access to the service is restricted to people who need the data in their professional capacity. Those people have personal usernames and passwords for the service.

The personal data is protected from outside use and the use of the data is monitored. Each user has a personal user account which is password-protected. Personal data that is sent outside the Association is encrypted. The workstations and storage media used are also encrypted.

  7. Regular disclosure and transfer of personal data

The personal data can be transferred to other service providers (the Yhdistysavain service) to maintain the member registry. The data controller’s partner responsible for the technical maintenance of the registry can transfer the personal data according to applicable privacy legislation and this privacy statement.

Otherwise, the personal data is not disclosed to third parties.

  8. Transferring the personal data outside the European Union or the European Economic Area

In processing the personal data, the Association may also use other service providers which are located outside the European Union or the European Economic Area. The personal data is always transferred outside the European Union or the European Economic Area on one of the following legal bases:

  • The European Commission has determined that the level of data security in the recipient country is sufficient;
  • The Association has taken appropriate safeguards in the personal data transfer by using the standard data protection clauses approved by the European Commission. In such cases, the Data Subject has a right to get a copy of the standard clauses by contacting the Association through the channels described in the section Contacts; or
  • The Data Subject has specifically agreed to transferring their personal data or there is some other legal basis for the data transfer.

Access to the personal data is granted only to the extent that is necessary to provide the services in question. Transferring the personal data outside the European Union or the European Economic Area is always based on the current personal data processing legislation, and the data is transferred in accordance with the legislation.

  9. The retention period of the personal data

The personal data is retained in the registry as long as the Data Subject is a member of the Association. After the membership has ended, the personal data is retained for up to ten years from the end of the membership based on the Association’s legitimate interest, that is, in case the Association has to defend itself against legal claims (the Finnish Supreme Court ruling 2017:15). The personal data can be retained longer than that if an applicable law or the Association’s contractual obligations to third parties require a longer retention period.

  10. Rights of the Data Subject

The Data Subject has the right at any time to prohibit the processing of their personal data for direct marketing purposes. The Data Subject can give the Association channel-specific permissions and prohibitions regarding direct marketing (for example, prohibit email marketing).

In addition, according to the applicable legislation, the Data Subject has the right at any time:

  • to be informed about the processing of their personal data;
  • to access their own data and check their personal data processed by the Association;
  • to demand the rectification of inaccurate or false personal data and the completion of the data;
  • to demand the deletion of their personal data;
  • to withdraw their consent and object to the processing of their personal data insofar as the processing of the personal data is based on the Data Subject’s consent;
  • to object to the processing of their personal data based on a justification related to their specific personal situation insofar as the basis of processing of the personal data is the legitimate interest of the Association;
  • to receive their personal data in a machine-readable format and transfer the data to another data controller. Presuming that the personal data was personally delivered by the Data Subject to the Association, the Association will process the personal data in question based on the Data Subject’s consent and process the data automatically; and
  • to demand limitations to the processing of their personal data.

The Data Subject can ask to exercise any of the aforementioned rights through one of the channels mentioned in the section Contacts of this privacy statement. The Association can ask the Data Subject to specify their request in writing and to verify their identity before processing the request. The Association can refuse the request on grounds laid down in the applicable law.

  11. Right to appeal to a supervisory authority

If the Data Subject considers that their personal data was not processed according to the applicable data protection law, they have a right to appeal to a relevant supervisory authority or the supervisory authority of the European Union member country in which the Data Subject lives or works.

  12. Contacts

Requests to exercise the Data Subject’s rights, questions about this privacy statement, and other contacts should be made via email to Siiri Savinotko at [email protected]. The Data Subject can also approach the contact person in writing or in person at the following address:

Vapaa Liikkuvuus ry

Siiri Savinotko

Kaivonkatsojantie 9 G 118, FI-00980 Helsinki

  13. Changes to this privacy statement

This privacy statement may be updated from time to time, for example, if the legislation changes. This privacy statement was last updated on August 12, 2021.