Privacy Policy

1. Who we are

MyData Global is an international nonprofit, whose mission is to empower individuals by improving their right to self-determination regarding their personal data. 

Our office address is:
MyData Global ry
Maria 01
Lapinlahdenkatu 16
00180 Helsinki

2. Websites within scope

The following websites are within scope for this privacy notice:

We consider these websites to be EU-based websites; see section 4 below for more information on non-EU data storage.

3. Collection of personal data

We collect personal data from you for one or more of the following purposes:

  • To provide you with information that you have requested (such as conference updates through our newsletter);
  • To initiate and complete commercial transactions with you, or the entity that you represent, for the purchase of products and/or services (such as conference passes);
  • To fulfil a contract that we have entered into with you or with the entity that you represent (such as partnership agreements);
  • To manage any communication between you and us (such as replying to contact form submissions).

4. Storage of personal data

MyData Global ry is an EU-domiciled organisation whose primary offices are in Finland. Personal data may be nevertheless transferred outside the European Union or the European Economic Area.

  • Our websites are hosted in the EU. In addition to our EU-based staff, they may be accessed by staff and/or volunteers based outside of the EU if deemed necessary.
  • We use G Suite for our main operations: Drive for file storage; Docs, Sheets and Slides for productivity and collaboration; Calendar for calendaring; Gmail with a custom email addresses at a domain for communications, and an Admin panel for managing users and the services.
  • Our payment processors and banking arrangements are provided by Holvi, Stripe and Transferwise.
  • Individual register descriptions define how we collect, store and/or process personal information
  • Data is stored for the minimum time necessary and at most, for 1 (one) year from last interaction with the collected data

5. Lawful basis for the processing of personal data

Our organisation’s infrastructure means that all personal data is processed on common platforms. We have processes in place to make sure that only those people related to the organisation (staff, board, steering group), who need to access your data can do so. By default, only the organisations’ staff have access to all collected personal data and others, such as board and steering group members, as well as our volunteers, are granted access on an as-needed basis.
Some data may be shared with third parties and, where this happens, this is always indicated in the relevant registry description.

Before we ask for your data, we always apply the following tests to determine whether it is appropriate:

  • Purpose test – why are we collecting this data?
  • Necessity test – is it essential that we collect this data?

We collect the following types of personal information on the legal grounds of legitimate interests, contractual performance, and/or consent where applicable:

Click to see the list

  • Name
  • Email
  • City, country, and/or continent of residence
  • Gender
  • Phone number
  • Twitter ID
  • Linkedin ID
  • Facebook ID
  • Address
  • Job title
  • Date of Birth
  • T-shirt size
  • Dietary information
  • Photo
  • Billing details

6. Your rights as a data subject

As a data subject whose personal information we hold, you have certain rights. If you wish to exercise any of these rights, please email datarequest(at) or use the information supplied in the Contact us section on our website. In order to process your request, we will need to verify your identity.

Your rights are as follows (click on the + sign to read more):

The right to be informed

As a data controller, we are obliged to provide clear and transparent information about our data processing activities. This is provided by this privacy notice and any related communications we may send you.

The right of access

You may request a copy of the personal data we hold about you free of charge. Once we have verified your identity and, if relevant, the authority of any third-party requester, we will provide access to the personal data we hold about you as well as the following information:

  • Why we have your data
  • What types of data we have
  • Who can access your data
  • For how long we foresee storing this data

If there are exceptional circumstances that mean we can refuse to provide the information, we will explain them. Otherwise, we will comply with all data requests. If answering requests is likely to require additional time, we will inform you.

The right to rectification

When you believe we hold inaccurate or incomplete personal information about you, you may exercise your right to correct or complete this data. This may be used with the right to restrict processing to make sure that incorrect/incomplete information is not processed until it is corrected.

The right to erasure (the ‘right to be forgotten’)

Where no overriding legal basis or legitimate reason continues to exist for processing personal data, you may request that we delete the personal data. We will take all reasonable steps to ensure erasure.

The right to restrict processing

You may ask us to stop processing your personal data. We will still hold the data, but will not process it any further. This right is an alternative to the right to erasure. If one of the following conditions applies you may exercise the right to restrict processing:

  • The accuracy of the personal data is contested
  • Processing of the personal data is unlawful
  • We no longer need the personal data for processing but the personal data is required for part of a legal process
  • The right to object has been exercised and processing is restricted pending a decision on the status of the processing

The right to data portability

You may request your set of personal data for yourself or to be transferred to another controller or processor, provided in a commonly used and machine-readable format.

The right to object

You have the right to object to our processing of your data where

  • Processing is based on legitimate interest;
  • Processing is for the purpose of direct marketing; or
  • Processing is for the purposes of scientific or historical research.

7. Security measures

We have what we believe are appropriate security controls in place to protect personal data. Risk assessment, including assessing risks to the rights and freedoms of data subjects, is at the heart of our project. We do not, however, have any control over what happens between your device and the boundary of our information infrastructure. You should be aware of the many information security risks that exist and take appropriate steps to safeguard your own information. We accept no liability in respect of breaches that occur beyond our sphere of control.

8. Complaints

Should you wish to discuss a complaint, please feel free to contact us using the details provided above. All complaints will be treated in a confidential manner.

Should you feel unsatisfied with our handling of your data, or about any complaint that you have made to us about our handling of your data, you are entitled to escalate your complaint to a supervisory authority within the European Union.

9. Contact us

Any comments, questions or suggestions about this privacy notice or our handling of your personal data should be emailed to hello(at)

Alternatively, you can contact us at our office using the following postal address:

Data Protection Officer
MyData Global ry
Maria 01
Lapinlahdenkatu 16
00180 Helsinki

Update notice

We’ve made some changes to our privacy policy and registry descriptions. The changes were made Friday 6 March 2020.

Here’s a short summary of them:

Mainly we’ve simplified the language, clarified some points and removed parts that were redundant. Of important note is the inclusion of an explicit mention of the fact that we use Google services for a) our email messaging (G Suite) and b) file hosting (Google Drive). We manage our membership registry and contact details of partners, collaborators, and community in the services Airtable and Pipedrive. Please follow the links provided to their privacy policies.

The basis of MyData Global’s online activity is to respect user’s privacy and we don’t gather any unnecessary personal data.

We may change the Privacy Policy and registry descriptions from time to time in order to be always up-to-date and compliant with the GDPR. We will take the appropriate measures to inform you of changes in a manner consistent with the significance of the changes we make. 

You can see when the Privacy Policy was last updated by checking the “last updated” date displayed at the top of the page.

Please contact with any questions you might have. Also if you notice any mistakes or unclarities, please reach out. We always seek out to improve our activity!