KIOS Applicant Data Privacy Policy

1. Controller of registry

Name: KIOS Foundation
Trade registry number: 1497493-0
Postal address: Lintulahdenkatu 10, 00500, Helsinki, Finland 

2. Name of registry

KIOS Foundation applicant and grantee database 

3. Contact persons for registry

Representatives of the Foundation: 

Visa Hytönen, visa@kios.fi; Annika Gostowski, annika@kios.fi
Email for general inquiries: calls@kios.fi 

4. Purpose, Legal Basis, and Types of Data

Article 5 of the General Data Protection Regulation (GDPR) establishes the framework for our data processing principles, with our primary legal bases being necessity and consent. Data subjects are always asked for consent for personal data collection, processing and storage before collection. All data subjects have the right to withdraw consent at any time. 

The collected personal data serves the purposes of managing grant and capacity building applications and disbursing granted funds, facilitating communication with applicants, and enhancing digital service quality. The registry includes data collected in the grant application, essential details for grant payment, and particulars submitted in grant utilisation and outcome reports. The registry contains applicant contact details, along with those of potential associates, provided to us throughout the application procedure and expressions of interest. Additionally, contact information for previous referees, as supplied by the applicant, is retained within the registry. Furthermore, KIOS gathers grant payment details, insights into how applicants utilise the grant system, and technical data such as login credentials. Communication between registered applicants and the registry operator is also saved. The storage and processing of applicant information depend on their consent and the legitimate interest of the registry operator. To facilitate application processing, the application form must include personal data for both applicants and attached individuals. Insufficient data may result in application rejection. 

5. Regular disclosures of personal data and transfers to third parties

Personal data may be managed by KIOS staff (staff involved in grantmaking), KIOS Board of Directors, IT support service providers, accounting service providers, and auditors or evaluators appointed by KIOS or the Ministry for Foreign Affairs of Finland (MFA). Information is disclosed only to the extent necessary for the functions of the receiving party and shared with third parties only when it is required for specific purposes, in compliance with applicable laws, and with the consent of the data subjects when necessary.

6. Principles of register protection

Our principles of register protection are in line with the KIOS Privacy Policy, and with relevant regulations of the EU, and Finland. We only use software that are secure and established, providing us with data encryption. We minimise the data and use access controls throughout the process. 

The data is stored in: 

  1. The Aspicore system database, which is a protected cloud service (Microsoft Azure, EU). Servers are in locked and guarded facilities, to which access is given only to nominated persons. 
  2. KIOS local drive, accessible only by nominated persons, with multifactor authentication. 
  3. Microsoft 365 cloud storage, accessible only by nominated persons, with multifactor authentication. 

7. Principles of storing personal data

Grantee data and attached personal data 

  • Personal data will be archived only for as long as necessary for the purposes outlined in Item 4, but no longer than 10 years from the grant’s closure. When personal data is processed for its purpose, it will be anonymised (deletion of any information relating to an identified or identifiable individual). 
  • Financial data and supporting documents are kept for no longer than of 10 years from the grant’s closure. This information will be stored in Finland in physical archives as well as secure local and cloud drives. However, sensitive data, if any, will be removed after the approval of the final report.  
  • Anonymisation will be used when personal data is used outside of database or KIOS archives. This would be summarising statistical reports for donors and third parties for example. 

Usernames in Aspicore 

  • Usernames are stored, if the user has unfinished applications, which have not been marked as finished. 
  • If the username has been inactive for two years, and does not have any active applications, the username will be removed from the system. 

Unfinished applications in Aspicore 

  • The applicant can remove any unfinished applications from the system 
  • KIOS removes any unfinished and not granted applications within 12 months after the call for grants has closed. 

Applications not funded 

  • KIOS removes or anonymises not funded applications within five years of the decision. 
  • Anonymisation removes all personal data from the application. 

Messages 

  • All messages concerning an application will be removed with the application or in any case within five years. 

8. The rights of the data subject

  • The right to access – You have the right to request for copies of your personal data. 
  • The right to rectification – You have the right to request that KIOS correct any information you believe is inaccurate. You also have the right to request KIOS to complete the information you believe is incomplete. 
  • The right to erasure – You have the right to request that KIOS erase your personal data, under certain conditions. 
  • The right to restrict processing – You have the right to request that KIOS restrict the processing of your personal data, under certain conditions. 
  • The right to object to processing – You have the right to object to KIOS’s processing of your personal data, under certain conditions. 
  • The right to data portability – You have the right to request that KIOS transfers the data collected to another organisation, or directly to you, under certain conditions. 

9. Transfer of data to third parties

Any personal data included in the grant contract may be processed by the Ministry for Foreign Affairs of Finland for the purpose of implementing, managing, and monitoring the grant contract or to protect the financial interests MFA, including checks, audits, and investigations. The beneficiaries have the right to access, rectify or erase their own personal data and the right to restrict the processing of their personal data or, where applicable, the right to data portability or the right to object to data processing in accordance.

10. Data Breach Response

Data subjects will be informed as soon as possible in any case of data breach that KIOS becomes aware of. 

Updated May 2026