EU’s General Data Protection Regulation
Articles 13 and 14
Date of issue: 09/10/2020
- Controllers, i.e. the parties responsible for processing your data
University of Helsinki
P.O. Box 3
FI-00014 University of Helsinki
Tel. +358 2 941 911 (switchboard)
The contact person of the controller is Leena Itkonen, and her contact details are as follows:
Tel. +358 2 941 226 37
- Data protection officer at the University of Helsinki
You can contact the data protection officer at the University of Helsinki via email at: firstname.lastname@example.org.
- Parties to the collaboration project and the assignment of responsibilities
The University of Helsinki is the service administrator. All universities are individually responsible for the administration of students’ and other end users’ user credentials. Each university is responsible for processing their students’ personal data.
- Why are your personal data processed, i.e. what is the purpose of processing the data?
The University of Helsinki has to process your personal data for the following purposes:
Students and other end users log in to the service using their organisation’s Haka credentials. The data from the login are used for verifying the user’s access rights and for some functions within the service, such as sending the feedback received to the user’s own email. All data concerning the user are deleted either at logout or at the latest, within twenty-four hours of the end of the user session.
Lawful basis for processing personal data:
to meet a legal obligation to which the controller is subject:
The missions set out in the Universities Act also include educating students to serve their country and humanity at large, and to interact with the surrounding society. This service is part of student services.
- What type of personal data does the University of Helsinki process?
We process the following personal data in the system:
Contact details required for identifying main users, i.e. information relating to system administration. These details include the name, email address and user ID. These data are from each of the universities participating in the service.
As for end users (mostly students), we process the user’s name and email address in the service during the session. This information is retrieved from the university’s use authorisation system. To verify access rights, information on the user’s university is required. The information is deleted from the system at logout or at the latest, within twenty-four hours of the end of the browser session.
- Where do the personal data come from, i.e. what is their origin?
The register information is received via the Haka logging system. The information comes from the use authorisation system of each of the universities. Possible errors in personal data must thus be reported to the user’s own university.
- Transfer or disclosure of data outside the University of Helsinki
All personal data processed in the system are processed in a data centre of a third party, in data systems maintained by the third party. The data centre and all technical experts who have access to the information are located within the EEA.
Druid Oy is responsible for the technical maintenance of the system, and their experts can add or remove main users of the application if requested by the ordering party.
The IP addresses of the service users are processed in Google Analytics’ visitor tracking. Some of the servers used by Google Analytics are located in the United States. The use of the service is monitored and analysed with Google Analytics software. The IP addresses retrieved from the users are anonymised before transferring them to Google’s servers.
- How long are the personal data stored?
The information is deleted from the system at logout or at the latest, within twenty-four hours of the end of the browser session. In addition, answers to questions or summary reports are not available via the application after the session.
The main user data are stored in the system for as long as the person is appointed as a main user. The data of those main users who have exited the system are deleted from the system either by another main user or Druid Oy’s administrator.
- Transferring the data outside the EU or EEA
The anonymised IP addresses of the service users are processed in Google Analytics’ visitor tracking. Thus, the data are not transferred outside the EU or EEA.
Your rights and derogations from them
The contact person in matters relating to the rights of the data subject is mentioned in section 1 of this notice.
Withdrawal of consent
You have the right to withdraw your consent if the processing of personal data is based on consent. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Right of access to the data
You have the right to know whether your personal data are processed, and what personal data are processed. You can also ask for a copy of the data being processed.
Right to rectification
If there are inaccuracies or errors in the personal data being processed, you have the right to have the data rectified or completed.
Right to erasure
You have the right to demand erasure of your personal data in the following cases:
- your personal data are no longer required for the purposes for which they were collected or otherwise processed
- you withdraw the consent on which the processing is based, and there is no other legal basis for the processing
- you object to the processing (the right to object is described below), and there is no justified reason for it
- your personal data have been unlawfully processed
- personal data must be erased to meet a legal obligation under EU or national legislation applying to the data controller.
The right to erasure of the data does not apply if:
- the erasure of the data prevents or severely impairs the fulfilment of the purpose of the processing in scientific research
- processing the personal data is necessary to meet a legal obligation under EU or national legislation applying to the data controller
- processing the personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Right to restrict processing
You have the right to restrict processing of your personal data. This means that we will store your data but not process them in any other way.
You have this right in the following cases:
- you contest the accuracy of the personal data for a period enabling the controller to verify the accuracy of the personal data
- the processing is unlawful, and you oppose the erasure of the personal data and request the restriction of their use instead
- the university no longer requires the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims
- you have objected to the processing of personal data (further information below) pending the verification of whether the legitimate grounds of the controller override those of the data subject.
Right to lodge a complaint
You have the right to lodge a complaint with the data protection supervisor’s office if you think that the processing of your personal data has breached existing data protection legislation.
Data protection supervisor’s office
Visiting address: Ratapihantie 9, 6th floor, 00520 Helsinki, Finland
Postal address: P.O. Box 800, FI-00521 Helsinki
Switchboard: +358 2 956 667 00
Fax: +358 2 956 667 35