Privacy Notice: Metropolia’s Helsinki XR Center Project register

Metropolia’s Helsinki XR Center Project register

Purpose of the processing of personal data:

The purpose of the Helsinki XR Center Project register (Project name: “Metropolia RDI Profi -to profile Metropolia as an internationally recognized actor in applied XR technology and education”) is to manage the information needed to organise the field of business and manage partner, student, employee, customer and HXRC visitor information.

Helsinki XR Center (HXCR) is the home of Extended Realities opened its doors in early 2019. Term “XR” as a whole means Extended Reality, an umbrella term for technologies that create, augment and merge digital elements with physical space. They are also known as immersive technologies. XR consists of VR (Virtual Reality), AR (Augmented Reality) and MR (Mixed Reality). HXRC - located in Helsinki Arabia next to Metropolia University of Applied Sciences culture campus, HXRC is a hub for co-creation and learning for all XR artists, entrepreneurs, engineers, scientists, students and visitors. HXRC aims to become the largest innovation, development and startup center in the Nordics dedicated to VR and AR technologies - XR related technologies.

Helsinki XR Center is operated by Metropolia University of Applied Sciences together with Finnish Virtual Reality Association FIVR. The Center is powered by the City of Helsinki, Business Finland. www.helsinkixrcenter.com

The purpose of processing personal data of the data subjects registered in the project register of the Helsinki XR Center, are:

• processing activities in relation to communication and information activities of HXRC
• processing activities in relation to financial reporting of HXRC
• manage the contact information of the financiers of HXRC
• manage the contact information of the external co-operation partners (enterprises and organizations and their contact persons) of Metropolia
• organize startup-business in relation to HXRC
• manage and organize XR related events, XR-workshops, XR -education and different kinds of meetings and activities for the companies and organizations interested in co-creation and learning of Virtual Reality (VR) and Augmented Reality (AR) technologies
• collect feedback and collect survey information in relation to the activities performed by HXRC

The controller processes the information in house, as well as subcontracting parties to process the data on the controller’s behalf.

Legal basis for the processing of personal data:

The processing of the personal data contained in the Helsinki XR Center Project register is partly based on the consent obtained directly from the data subject as she/he has been given consent to the processing of her or his personal data for one or more specific purposes.

The processing of the personal data contained in the Helsinki XR Center Project register is partly based on the processing necessary for the performance of an employment or other contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract (employment contracts, partner contracts, co-operation contracts etc.).

Consent is used as the legal basis for the processing of special categories of personal data contained in the register as well as the processing of sensitive personal data, such as biometric data (e.g. facial photos, video material collected from the XR-events, XR-workshops, XR -education activities etc. in which persons are identifiable).

In addition, processing of the personal data contained in the Helsinki XR Center Project register is partly based on the legitimate interest pursued by the controller. The aforementioned legitimate interest is based on a meaningful and appropriate relationship between the data subject and the controller (students of Metropolia enrolling and inserting their personal information into enrollment forms of XR -related events organized by HXRC).

The legitimate interests of Metropolia’s Helsinki XR Center are based on a meaningful and appropriate relationship between the data subject and the controller (e.g. students of Metropolia enrolling and inserting their personal information into enrollment forms of XR -related events organized by HXRC), which arises when the data subject is related to the controller in connection with the purpose of use of the personal data register, as long as the processing is done for purposes which the data subject can reasonably be assumed to have expected at the time of, and in conjunction with, the data being collected.

The data subjects in Helsinki XR Center’s Project register are students of Metropolia, employees of Metropolia, partners of HXRC, corporate partners of HXRC, financiers of HXRC activities, XR related event participants, XR workshop visitors and XR related education activity enrollees (participants) and customers of HXRC.

In general, the personal data contained in the Helsinki XR Center Project register may include, among others, the first name and surname and possible contact details of a data subject who has registered for one of the controller’s events, made a comments to the webpage (helsinkixrcenter.com) as well as other data recorded for the Helsinki XR Center events and possible commenting to the webpage (helsinkixrcenter.com).

Registration details entered personally by the data subject may include the following, among others: email, telephone number, address, date of birth, billing details and dietary requirements.

The following personal data is stored in the personal data register of Helsinki XR Center:

BASIC INFORMATION AND CONTACT DETAILS

• fore name; family name;
• birthday; birth month; birth year;
• address; postal code; city;
• telephone number; email address

CONSENT FOR AND INFORMATION ON CERTAIN ACTIONS

• consent for receiving news letter mail related to the HXRC activities

Information in relation to XR related event enrollees/participants, XR workshop visitors, XR related education activity enrollees/participants, data subjects of an XR meeting:

• enrollee’s/participant’s fore name; last name;
• information in relation to XR related event/workshop/education activity and/or meeting, time and place

INFORMATION IN RELATION TO A SURVEY/QUERY/RESEARCH /(FEEDBACK OPTION) ORGANIZED BY HXRC

• fore name and family name of a data subject giving feedback to HXRC
• fore name and family name of a participant of a survey/query/research organized by HXRC
• information in relation to the subject/name of the survey/query/research/(feedback option) organized by HXRC, time and place
• information in relation to the content /answers given and submitted for a survey/query/research /(feedback option) organized by HXRC, time and place

PHOTOGRAPHS AND VIDEO MATERIAL

• Volunteers may be photographed or (video)filmed during XR related events, workshops and educational activities organized by HXRC
• The data subjects will be informed and asked to consent photographing or video filming prior to photographing or video filming activity

Information in relation to performing activities with collaborators, partners, financiers of HXRC:

BASIC INFORMATION AND CONTACT DETAILS

• collaborator’s/ partners’ name/organization; name of the contact person of the collaborator/partner; email address of the contact person; title of the contact person within organization

The personal data is obtained from the data subjects themselves.

Additionally, the controller collects personal data related to the purpose of use of the personal data register, generated as part of the controller’s operations. Within the bounds of applicable legislation, personal data are collected from sources in the public domain, as well as from other third parties, such as companies in the same group and other contractual partners.

Access to the personal data contained in Helsinki XR Center’s Project register will be given, where necessary, in the systems listed below. (For the purpose of repairing a technical fault, for example, access will be given with administrator rights to the system provider or to the maintenance personnel of a measurement device.) All system/equipment/software providers used (the companies behind them) can be deemed to be recipients of personal data and recipients of regular disclosures from the register.

With respect to the systems used by Helsinki XR Center’s Project register Data Processing Agreements in accordance with Article 28 of the GDPR will be concluded by Metropolia with the following cooperation partners:

Eduix Oy and E-form software

The enrollment process for the XR related events, XR related meetings, XR related workshops and XR related educational activities are being organized by using E-form software and/or Eventbrite event management system. The information provided for the E form software is being transmitted through Excel into the Helsinki XR Center’s Google Drive cloud storage tool.

Google LLC and G Suite for Education

The personal data processed within Metropolia's Helsinki XR Center project register is being managed by Google's so-called G Suite for Education toolkit included in the educational application package. Personal and contact information, tables and feedback information from the data subjects are being processed by Google Drive cloud storage tool. Also other Google-based tools are being used to process images, videos and research survey answer received from HXRC’s data subjects.

Microsoft Corporation and Metropolia’s email system (Microsoft Office 365 Education)

The employees’ of Metropolian Helsinki XR Center are using Metropolia’s email system in order to manage and organize work tasks and for example, send invitations to XR related events (if the data subject has given their express consent for this processing activity). Although Metropolia has procured the email system as part of the Microsoft Office 365 Education service package, the system is operated on Metropolia’s own server.

Microsoft Corporation and Microsoft TEAMS (Microsoft Office 365 Education)

The employees’ of Metropolian Helsinki XR Center are using Microsoft Teams for internal communication within HXRC. Microsoft Teams has been procured to Metropolia as part of Microsoft Office 365 educational application package. Also other Microsoft -based tools are being used to process information within the tasks and work assignments of the HXRC.

Innofactor Oyj and Dynasty case and contract management system

Contracts relating to Metropolia’s Helsinki XR Center project are managed through the Dynasty case and contract management system.

Sebitti Oy and Reportronic project management system

Reportronic project management system is used for processing personal information of the data subjects registered in the project register of the Helsinki XR Center.

Thinking Portfolio Oy and Halli project management system

Halli project management system is used for processing personal information of the data subjects registered in the project register of the Helsinki XR Center.

Eventbrite Inc. and Eventbrite -event management system

The enrollment process for the XR related events, XR related meetings, XR related workshops and XR related educational activities are being organized by using E-form software and/or Eventbrite event management system. The information provided for the E form software is being transmitted through Excel into the Helsinki XR Center’s Google Drive cloud storage tool.

Zoner Oy and Zoner.fi -web hotel tool kit + Wordpress web pages

Public web pages of Helsinki XR Center are constructed and publishes by using Wordpress and Zoner.fi - web hotel tool kit. HXRC’s web pages are operated on Metropolia’s own server. The HXRC project’s employees contact information is being published in the Helsinki XR Center’s web pages.

As a general rule, personal data contained in the personal data register of the xx activities / project of Metropolia will not be transferred outside the EU or EEA or to international organisations.

However, personal data contained in the personal data register may be transferred outside the EU or the EEA in order to provide IT services necessary for work or study, on a case-by-case basis. The destination country to which the personal data is transferred then, is mainly the United States. It is also possible that India is the destination country as global ICT service providers use often India as a host country for the international helpdesk service / ICT technical user support. International transfers of personal data from the Metropolia University of Applied Sciences' personal register to the United States and / or elsewhere outside the EU / EEA are primarily secured then by the safeguard provided for in Article 46 of Chapter V of the EU General Data Protection Regulation (GDPR), standard contractual clauses. The SCC (Standard Contractual Clauses) clauses will be included as part of the personal data processing agreement to be drawn up with the ICT service provider. Only the necessary data will be transferred and the transfer will be made in accordance with and within the limits set by data protection law. The security and data protection of the transfer are always agreed separately.

(-> If you use IT systems, softwares etc. provided by IT service provider registered in United States /outside the EU/EAA, it might be possible that the IT service provider uses servers for the data storage located in United States /outside the EU/EEA -> This might mean that personal data will be transferred to United States/ outside the EU/EEA as the storing of personal data is considered as processing of personal data according to the GDPR, and as storing personal data into the data storage servers located outside the EU/EEA, is considered as transferring personal data outside the EU/EEA according to the GDPR).

If that is the case, you need to specify to which third countries outside the EU or EEA you are transferring personal data (list of countries/mapping of countries).

When mapping transfers, do not forget to also take into account onward transfers, for instance whether your processors outside the EEA transfer the personal data you entrusted to them to a sub-processor in another third country or in the same third country. In other words, you must know where the personal data you exported may be located or processed by the importers (map of destinations).

Keep in mind that remote access from a third country (for example in support situations) and/or storage in a cloud situated outside the EEA, is also considered to be a transfer. More specifically, if you are using an international cloud infrastructure you must assess if your data will be transferred to third countries and where, unless the cloud provider clearly states in its contract that the data will not be processed at all in third countries.

As a next step, you must identify the transfer tools (safeguards) you are relying on amongst those described in the Chapter V of the GDPR (Articles 45 - 49).

Article 46 of the Chapter V of the GDPR lists standard contractual clauses (SCCs) as a transfer tool containing “appropriate safeguards” for the data transfer.

Whatever GDPR transfer tool you choose, you must ensure that, overall, the transferred personal data will have the benefit of an essentially equivalent level of protection. “An essentially equivalent level of protection” means that the transferred personal data is afforded a level of protection in the third country that is essentially equivalent to that are guaranteed in the EEA where strict data protection legislation prevails.

It might be useful to contact Data Protection Officer of Metropolia UAS (dpo [at] metropolia.fi (dpo[at]metropolia[dot]fi); tietosuojavastaava [at] metropolia.fi (tietosuojavastaava[at]metropolia[dot]fi)) in a case considering international personal data transfers outside the EU or EEA.

The personal data collected for and processed within Helsinki XR Center’s Project register is stored in the register for a maximum period of ten years.

The duration of storage of personal data complies with possible statutory requirements. The above mentioned retention period is mainly based on the Decision of the National Archives of Finland on retention times – order given to universities of applied sciences concerning the permanent storage of data in electronic format (AL/20757/07.01.01.03.02/2016).

The controller of the data file regularly evaluates the need for storing data in accordance with its internal practices. The personal information in the project register are only stored for as long as and to the extent that each category of data is needed, proportionate to the purpose of processing of the personal data.

The following regulations have been also observed when determining the retention times:

• EU General Data Protection Regulation (“GDPR”, 2016/679)
• Data Protection Act (1050/2018)
• Universities of Applied Sciences Act (932/2014)
• Decision of the National Archives of Finland on retention times – order given to universities of applied sciences concerning the permanent storage of data in electronic format (AL/20757/07.01.01.03.02/2016)

If the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw their consent for processing at any time without the withdrawal of consent affecting the lawfulness of processing based on consent before its withdrawal.

The withdrawal of consent for the processing of personal data collected by Metropolia (withdrawal request) can be submitted to one of the three above-mentioned offices of Metropolia’s Student and Admission Services (or in the case of a member of staff, to the Human Resources Management unit), where the data subject must prove their identity when submitting the request.

Information on whether the provision of personal data for processing activities of the project register of the Helsinki XR Center, is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data. An explanation has been given for each register regarding how the personal information was obtained.

Personal data of the data subjects registered in the project register of the Helsinki XR Center, is based on voluntary registration and it is used to manage the activities and services of the HXRC.

It is not compulsory to be registered in the personal data register (project register) of Helsinki XR Center.

The personal data stored in the project register have mainly been collected from the data subjects themselves. However, the controller collects personal data related to the purpose of use of the personal data register, generated as part of the controller’s operations. Within the bounds of applicable legislation, personal data is collected from sources in the public domain, as well as from other third parties, such as companies in the same group and other contractual partners.

Volunteers may be photographed or (video)filmed during XR related events, workshops and educational activities organized by HXRC. The data subjects will be informed and asked to consent photographing or video filming prior to photographing or video filming activity.

Metropolia’s Helsinki XR Center Project register and the personal data contained in it will not be used in automated decision-making or profiling.

Person responsible for the content of the register:

Name: Tiina Vuorio
Position: Project Manager/Research, Development and Innovation
Address: Metropolia Ammattikorkeakoulu Oy, PO Box 4000, FI-00079 METROPOLIA
E-mail: tiina.vuorio [at] metropolia.fi (tiina[dot]vuorio[at]metropolia[dot]fi)

Contact details of the contact person for the register:

Name: Mira Simsiö
Position: Producer/Research, Development and Innovation
Address: Metropolia University of Applied Sciences, PO Box 4000, FI-00079 METROPOLIA
E-mail: mira.simsio [at] metropolia.fi (mira[dot]simsio[at]metropolia[dot]fi)