GDPR Privacy Policy of Project FRANCIS

GDPR Privacy Policy of Project FRANCIS

InnoFrugal (IF), on behalf of FRANCIS project is fully aware that the treatment of your personal data requires your trust. We are compliant with high privacy standards and we guarantee that the use of your personal data will be strictly directed to our identified purposes and always in respect of your data protection rights.
The confidentiality and integrity of your data is one of our utmost concerns. Accordingly, it is approved and disseminated by InnoFrugal’s Data Protection and Privacy Policy.


1. Personal Data

InnoFrugal, with headquarters in Otakaari 7, 02150 Espoo, Finland, and Business ID 2684746-1 (hereinafter IF), within the framework of its activities collects and treats personal data, such as:

  • Name
  • Email address


2. Personal Data Processing

Personal data processing is performed by IF through automated and/or analogical means (without prejudice of the provisions of chapter VIII), such as:

  • Collection
  • Register and storage
  • Organization
  • Customization
  • Search and use
  • Dissemination, regardless of the disclosure means
  • Comparison or interconnection
  • Limitation, deletion or destruction


3. Data Subject Consent

IF requires the data subject, in all cases, the freely given, specific, informed and unambiguous consent for the processing of his/her personal data, using formal templates designed case by case, considering the type, scope and extension of said personal data processing.

Conditions applicable to child’s consent

According to Article 8 of the GDPR, all personal data belonging to children can only be processed under an express consent observing the rules of Article 6, number 1, point a) of the GDPR related to information society services when said children complete 13 years old.

For children with less than 13 years old, such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child, preferably through the use of electronic certification means, such as Citizen Card or Digital Authentication Key.


4. GDPR Compliance

IF is fully compliant with EU rules concerning personal data protection, approved by the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter GDPR), as well as with the full body of internal legislation if force.

IF is responsible for the personal data processing, under automated and analogical means, since its collection, through its organization and storage, up to its deletion.

IF keeps a continuous and thorough registry of all its personal data processing activities.


5. Lawfulness of Processing

Personal data shall be processed only according to a bundle of lawful purposes, which include:
Performance of IF´s statutory goals and activities

  • Compliance with legislation in force and generic legal rules and obligations
  • Book-keeping and document integrity legal rules
  • Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • IF´s role as subcontractor, as defined in number 8, Article 4 of the GDPR


6. Data Storage Period

Personal data will be stored for the period defined by legal rules or, in their absence, for the strict time needed for the fulfillment of the processing purpose, taking in consideration the legal basis for said processing, as well as all the remaining requisites and time periods determined by law, namely the lapse terms for legal actions based on the correlated rights.
Accordingly, in all cases where a mandatory storage period is determined by law, the right to erasure of personal data as stated in Article 17 of the GDPR can only be exercised by the data subject after said period is lapsed.
IF shall store the personal data for the strict period of time needed for the fulfilment of the data processing purpose, as well as its erasure (or anonymization, if and when applicable/needed) immediately after said period and/or upon the data subject´s request, always considering the above-cited exceptions and all legally defined terms.


7. Data Subject Rights

The data subject has the right, at all time, to require to IF, free of charge:

  • The access to his/her personal data
  • The rectification and correction of his/her personal data
  • The erasure of his/her personal data (the “right to be forgotten”) (the conditions defined above in VI. on personal data storage may apply
  • The limitation of his/her data processing (idem)
  • The opposition of his/her data processing
  • The portability of his/her personal data to an appointed third entity, provided that said data are stored exclusively in electronic form.
  • In every case, if a legal rule or legal obligation is in force which supersedes these data subject rights, IF reserves the right of denial of the data subject request (and/or to determine restrictions to said request, if and when applicable), duly communicating to the data subject the respective grounds of said decision.

The data subject is entitled to file complaints to the Office of the Data Protection Ombudsman (hereafter called ODPO), the Finnish Controller Authority, according to the definitions duly stated in numbers 21 and 22 of article 4 and article 51 of the GDPR.


8. Processor and Third-Party Intervention

Third-party intervention

IF, while conducting its undertakings, may authorise third parties (as defined in number 10 of article 4 of the GDPR) to process personal data which are under IF´s domain, in order to comply with legal duties, pre-contractual or contractual obligations and/or as indispensable means of performance of IF´s statutory goals. Said third parties can be public authorities, namely in charge of auditing tasks, project, activity or service partners.

In order to comply with the GDPR requisites, IF shall require the previous and mandatory consent to the data subject for this specific processing.

Processor intervention

IF, while conducting its undertakings, may subcontract third entities (as defined in number 8 of article 4 of the GDPR) to process personal data on IF´s behalf. In order to comply with the GDPR requisites, IF shall require the previous and mandatory consent to the data subject for this specific processing.


9. Cookies

This Site uses cookies (i.e., small text files placed on your device) and similar technologies (e.g., pixels and pixel tags, ad tags, clear GIFs, and Javascript) – including cookies and technologies from third-party providers – to enable certain features and functionality and to collect additional information that helps us to improve this Site and our services. This Site may use session cookies (which expire when you close your browser) and persistent cookies (which remain on your device after you close your browser until you delete them or they expire). We use these technologies for security purposes, to help you navigate this Site, to display information more effectively, to better serve you with tailored information on this Site, and to gather statistical information about how visitors use this Site in order to continually improve its design and functions.

If you do not want data to be collected from your device via cookies, most browsers have a setting that allows you to decline the use of cookies. Some features of this Site may not work properly if you decline the use of cookies. To learn more about cookies, please visit

Google Analytics: We use Google Analytics, a web analytics tool that may set cookies in your browser, in order to help us understand how visitors engage with this Site. To learn more about Google Analytics’ data practices, please visit here. For opt-out options specific to Google Analytics, please visit here.


10. IF´S Duty of Protection

IF complies with the drafting, approval and implementation of all formal and technical proceedings needed for the security of data processing, as well as to assure the accurate and timely record of all processing activities. In addition, a prior assessment will be made with regard to all future data processing activities to be launched by IF in the future, assuring that they will be fully GDPR compliant.

IF will perform its best efforts to assure the proper operation of all available technical means to avoid the loss, improper use, unauthorized access and unlawful appropriation of personal data, regardless of the likelihood of failure of part of the Internet security measures in force.
IF assumes no liability for any damages and losses suffered by any individuals due to illegitimate access to personal data transmitted by any data subject through IF´s Internet portal and/or through IF´s remaining informatic infrastructure.

Nevertheless, IF shall notify ODPO according to the rules defined in article 33 of the GDPR, if and when acknowledges any event which constitutes a violation of personal data, as defined in number 12 of article 4 of the GDPR.


11. Contacts

Data subject can exercise his/her rights of rectification, modification or cancellation of his/her personal data or request any information related with said data under written form, directed to IF to the address indicated above in I. or through the following specific email address:


12. Final Dispositions

IF is entitled to change this Policy without any prior notice, namely due to the need of its compliance with new legislation or ODPO recommendations. In the event of any change to this Policy, IF will immediately publicize said changes through its public Internet portal.