Privacy notice: Personal data register of U!REKA’s annual conference

Personal data register of U!REKA’s annual conference

Purpose of the processing of personal data:

The purpose of the personal data register of U!REKA’s annual conference (The Urban Research and Education Knowledge Alliance) and the personal data it contains is to manage various registrations for and participation in U!REKA’s annual conference which is organised by the U!REKA Consortium. The purpose of the annual conference is to network with partner institutions, strengthen existing partnerships and forging new joint activities. Attendees share expertise through interactive workshops, presentations and other activities.

The annual conference will be hosted by Metropolia University of Applied Sciences from 16 to 18th November, 2020.

U!REKA consists of a partnership of eight urban-focused higher education institutions located in Europe: Amsterdam University of Applied Sciences; Edinburgh Napier University; HOGENT University of Applied Sciences and Arts; Frankfurt University of Applied Sciences; Metropolia University of Applied Sciences in Helsinki; Oslo Metropolitan University; VSB – Technical University of Ostrava; and Politécnico de Lisboa.

The controller of the personal data register of U!REKA’s annual conference is the host institution. Metropolia University of Applied Sciences (“Metropolia UAS”) is the controller of this personal data register.

Data is collected for the purposes of practical arrangements, such as

• enrollment management,
• training invitations,
• registering the attendees,
• invoicing,
• gathering feedback,
• distributing certificates and
• informing event registrants regarding to U!REKA’s conference schedules

The controller processes the personal data in house and possible subcontracting parties process the data on the controller’s behalf.

Following privacy notices supplement the privacy notice of personal data register of U!REKA’s annual conference:

• Personal data register of Metropolia Event Management
• Personal Data Register of Metropolia Continuing Education and Enterprise Services

The aforementioned privacy notices are viewable at the Privacy Policy section of Metropolia’s public website.

Legal basis for the processing of personal data:

The processing of the personal data contained in the personal data register of U!REKA’s annual conference is mainly based on consent obtained from the data subject (attendee). The data subject has given consent to the processing of his or her personal data for one or more specific purposes (EU's General Data Protection Regulation (GDPR), Article 6.1 (a)).

The consent is given voluntarily for applying/attending to the conference.

While processing sensitive personal data, it requires that the data subject has given their explicit and informed consent to processing (article 9.2(a) of the GDPR). Sensitive personal data consist of data subject’s photo or voice which are considered as biometric personal data according to GDPR article 9.

If separate agreements are entered into regarding the annual conference, processing may also be based on article 6.1(b) of the GDPR, in which case processing is necessary for the performance of the agreement or in order to take steps prior to entering into the agreement.

In the case of activities subject to a charge, processing may also be based on statutory obligations (taxation, accounting) as defined in article 6.1(c) of the GDPR.

In addition, processing of the personal data contained in the personal data register of U!REKA's annual conference is partly based on the legitimate interest pursued by the controller. The legitimate interest is based on a meaningful and appropriate relationship between the controller (Metropolia UAS) and the data subjects (students and staff members of the partner higher education institutions enrolling and inserting their personal information into enrollment forms of U!REKA’s annual conference).

The legal basis for the processing of personal data contained in the personal data register of UREKA’s annual conference is not “legitimate interests”. Therefore this section does not apply.

The data subjects in the personal data register of U!REKA’s annual conference are attendees (students and staff members of the partner higher education institutions).

The following personal data are stored in the personal data register of U!REKA’s annual conference:

BASIC INFORMATION AND CONTACT DETAILS OF DATA SUJECTS (ATTENDEES)

• first name; last name;
• city and country;
• telephone number; email address
• status of the attendee (student/teacher)
• organization
• title/position

CONSENT FOR AND INFORMATION ON CERTAIN ACTIONS

• data subject’s consent for using audio/video or voice during Zoom or Teams meeting or data subject’s refusal.
• data subject’s consent for recording video material or performance during Zoom or Teams meeting or data subject’s refusal
• data subject’s consent for receiving newsletter, mail or other information related to the U!REKA’s activities or data subject’s refusal
• data subject’s consent for communication via email, Viima, Zoom or Teams video conferencing tool or data subject’s refusal
• data subject’s consent for feedback or data subject’s refusal

Information in relation to U!REKA related conference enrollees/attendees, workshop visitors, U!REKA related education activity enrollees/participants, data subjects of the annual conference:

• enrollee’s/attendee’s first name; last name;
• information in relation to U!REKA related event/workshop/education activity and/or meeting, time and place

INFORMATION RELATED TO A SURVEY/QUERY/RESEARCH /(FEEDBACK OPTION) ORGANIZED BY U!REKA

• first name and last name of a data subject giving feedback to U!REKA
• first name and last name of an attendee of a survey/query/research organized by U!REKA
• information in relation to the subject/name of the survey/query/research/(feedback option) organized by U!REKA, time and place
• information in relation to the content /answers given and submitted for a survey/query/research /(feedback option) organized by U!REKA, time and place

Information in relation to performing activities with collaborators, partners, financiers of U!REKA:

BASIC INFORMATION AND CONTACT DETAILS

• collaborator’s/ partners’ name/organization; name of the contact person of the collaborator/partner; email address of the contact person; title of the contact person within organization

Viima application (Project Booster) collects following data about data subjects (end-users of Viima application):

• Name
• Gender
• E-mail address
• Phone number
• Current location based on IP-address
• Information related to the device, browser, and operating system used to access the Service
• Employer and employment related information, such as but not limited to, job title and department
• Pictures, video and other audiovisual material
• Usernames or IDs used in connected third-party accounts
• Pages visited and/or actions performed while using the Service
• Other information submitted via forms or via chat while using the Service

Viima Solutions Oy’s privacy notice applies to Viima application. (Project Booster).

The personal data is obtained from the data subjects themselves.

Access to the personal data contained in the personal data register of U!REKA’s annual conference will be given, where necessary, in the systems listed below. (For the purpose of repairing a technical fault, for example, access will be given with administrator rights to the system provider or to the maintenance personnel of a measurement device.) All system/equipment/software providers used (the companies behind them) can be deemed to be recipients of personal data and recipients of regular disclosures from the register.

With respect to the systems used by U!REKA’s annual conference in Metropolia UAS, personal data processing agreements in accordance with Article 28 of the GDPR will be concluded/have been concluded with the following cooperation partners:

Eduix Oy and E-form software

The enrollment process for U!REKA’s annual conference in Metropolia UAS (including meetings, workshops and other U!REKA related educational activities) are being organized by using E-form software. The information provided for the E-form software is being transmitted through Excel into the host institution’s (Metropolia UAS’s) Google Drive cloud storage tool.

Lyyti Ltd and the Lyyti event management system

Participants/attendees enroll to the educational/training activities and events produced by U!REKA’s annual conference in Metropolia UAS and through the Lyyti event management system. In the case of activities that award study credits, the information can be transferred from Lyyti to the OMA/Peppi student registry system.

Participants/attendees enroll to the educational/training activities and events produced by U!REKA’s annual conference in Metropolia UAS and through the Lyyti event management system. In the case of activities that award study credits, the information can be transferred from Lyyti to the OMA/Peppi student registry system.

Viima Solutions Oy and Viima application (Project Booster)

Viima application’s Project Booster is an online-based visual platform which purpose is to help U!REKA members to connect around ideas for joint collaborative work. The partner education institutions’ staff members can submit their project proposals for the workshops to this format (Project Booster). By using the platform staff members can contribute to the thematic areas of the workshops by offering ideas to other academics of the alliance, sharing common expertise or complementary knowledge on a given topic. The Project Booster is also a platform to increase the visibility of diverse research and applied project work at U!REKA’s partner institutions and to get involved into new collaboration. The staff members can log into Viima application (Project Booster) by using Microsoft Office 365 email or Google Gmail. The use of Viima application (Project Booster) is voluntary. The personal data is collected and stored in Viima Solution Oy’s Service. Viima Solution Oy’s server is located inside the European Union.

Microsoft Corporation and Metropolia’s email system (Microsoft Office 365 Education)

The staff members of Metropolia UAS are using Metropolia’s email system in order to manage and organize work tasks and for example, send invitations to U!REKA’s annual conference related activities (if the data subject has given their express consent for this processing activity). Although Metropolia has procured the email system as part of the Microsoft Office 365 Education service package, the system is operated on Metropolia’s own server.

Microsoft Corporation and Microsoft Teams (Microsoft Office 365 Education)

The staff members of U!REKA’s partner institutions may use Microsoft Teams for internal communication related to U!REKA activities. Microsoft Teams has been procured to Metropolia as part of Microsoft Office 365 educational application package. Also other Microsoft -based tools are being used to process information within the tasks and work assignments of U!REKA’s annual conference.

Microsoft Excel (Microsoft Office 365 Education)

Microsoft Excel software is used to manage attendee information of U!REKA’s annual conference.

Funet Miitti / NORDUnet, service provider CSC Oy and Zoom web conferencing tool

Zoom is a web conferencing tool (Funet Miitti / NORDUnet, service provider CSC Oy). Zoom web conferencing tool is used to organize U!REKA’s annual conference: to conduct performances, task forces, group discussions or other assignments related to U!REKA’s annual conference. The Center for Science Information Technology - IT Center for Science - CSC's Funet Miitti (Zoom) service is used at Metropolia University of Applied Sciences. The service has been implemented jointly in co-operation with NORDUnet and is therefore not part of the publicly available Zoom service. In addition, the Zoom service provided by NORDUnet operates entirely in the EU, in server environments reserved for NORDUnet's own use. These servers are located in Denmark and Sweden. The services have also been agreed with NORDUnet and Zoom, taking into account the requirements of European data protection.

Google LLC and G Suite for Education

The personal data processed within U!REKA’s annual conference in Metropolia UAS is being managed by Google's so-called G Suite for Education toolkit included in the educational application package. Personal and contact information, tables and feedback information from the data subjects are being processed by Google Drive cloud storage tool. Also other Google-based tools are being used to process possible images, videos and research survey answer received from data subjects.

As a general rule, personal data contained in the personal data register of the xx activities / project of Metropolia will not be transferred outside the EU or EEA or to international organisations.

However, personal data contained in the personal data register may be transferred outside the EU or the EEA in order to provide IT services necessary for work or study, on a case-by-case basis. The destination country to which the personal data is transferred then, is mainly the United States. It is also possible that India is the destination country as global ICT service providers use often India as a host country for the international helpdesk service / ICT technical user support. International transfers of personal data from the Metropolia University of Applied Sciences' personal register to the United States and / or elsewhere outside the EU / EEA are primarily secured then by the safeguard provided for in Article 46 of Chapter V of the EU General Data Protection Regulation (GDPR), standard contractual clauses. The SCC (Standard Contractual Clauses) clauses will be included as part of the personal data processing agreement to be drawn up with the ICT service provider. Only the necessary data will be transferred and the transfer will be made in accordance with and within the limits set by data protection law. The security and data protection of the transfer are always agreed separately.

(-> If you use IT systems, softwares etc. provided by IT service provider registered in United States /outside the EU/EAA, it might be possible that the IT service provider uses servers for the data storage located in United States /outside the EU/EEA -> This might mean that personal data will be transferred to United States/ outside the EU/EEA as the storing of personal data is considered as processing of personal data according to the GDPR, and as storing personal data into the data storage servers located outside the EU/EEA, is considered as transferring personal data outside the EU/EEA according to the GDPR).

If that is the case, you need to specify to which third countries outside the EU or EEA you are transferring personal data (list of countries/mapping of countries).

When mapping transfers, do not forget to also take into account onward transfers, for instance whether your processors outside the EEA transfer the personal data you entrusted to them to a sub-processor in another third country or in the same third country. In other words, you must know where the personal data you exported may be located or processed by the importers (map of destinations).

Keep in mind that remote access from a third country (for example in support situations) and/or storage in a cloud situated outside the EEA, is also considered to be a transfer. More specifically, if you are using an international cloud infrastructure you must assess if your data will be transferred to third countries and where, unless the cloud provider clearly states in its contract that the data will not be processed at all in third countries.

As a next step, you must identify the transfer tools (safeguards) you are relying on amongst those described in the Chapter V of the GDPR (Articles 45 - 49).

Article 46 of the Chapter V of the GDPR lists standard contractual clauses (SCCs) as a transfer tool containing “appropriate safeguards” for the data transfer.

Whatever GDPR transfer tool you choose, you must ensure that, overall, the transferred personal data will have the benefit of an essentially equivalent level of protection. “An essentially equivalent level of protection” means that the transferred personal data is afforded a level of protection in the third country that is essentially equivalent to that are guaranteed in the EEA where strict data protection legislation prevails.

It might be useful to contact Data Protection Officer of Metropolia UAS (dpo [at] metropolia.fi (dpo[at]metropolia[dot]fi); tietosuojavastaava [at] metropolia.fi (tietosuojavastaava[at]metropolia[dot]fi)) in a case considering international personal data transfers outside the EU or EEA.

Personal data is erased when the data is no longer needed for the U!REKA’s annual conference or other activities regarding to it. Contact information can be used to send notifications of similar upcoming events if the data subject has given their express consent for this processing activity. Any data collected after the end of an event is stored anonymously for statistical purposes, if required.

The controller regularly evaluates the need for storing data in accordance with its internal practices. The personal data in the Personal data register of U!REKA’s annual conference is only stored for as long as and to the extent that each category of data is needed, proportionate to the purpose of processing of the personal data.

If the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw their consent for processing at any time without the withdrawal of consent affecting the lawfulness of processing based on consent before its withdrawal.

The withdrawal of consent for the processing of personal data collected by Metropolia (withdrawal request) can be submitted to one of the three above-mentioned offices of Metropolia’s Student and Admission Services (or in the case of a member of staff, to the Human Resources Management unit), where the data subject must prove their identity when submitting the request.

Information on whether the provision of personal data for processing activities of the Personal data register of U!REKA’s annual conference, is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data. An explanation has been given for each register regarding how the personal information was obtained.

Personal data of the data subjects registered in the Personal data register of U!REKA’s annual conference, is based on voluntary registration and it is used to manage the activities and services of U!REKA’s annual conference.

It is not compulsory to be registered in the Personal data register of U!REKA’s annual conference.

The personal data stored in the Personal data register of U!REKA’s annual conference has been collected from the data subjects themselves.

The personal data register of U!REKA’s annual conference and the data contained in it will not be used in automated decision-making or profiling.

Person responsible for the content of the register:

Name: Niina Huovinen
Position: Head of International Relations
Address: Metropolia Ammattikorkeakoulu Oy, PO Box 4000, FI-00079 METROPOLIA
E-mail: niina.huovinen [at] metropolia.fi (niina[dot]huovinen[at]metropolia[dot]fi)

Contact details of the contact person for the register:

Name: Virpi Luoma
Position: Coordinator, RDI
Address: Metropolia University of Applied Sciences, PO Box 4000, FI-00079 METROPOLIA
E-mail: virpi.luoma [at] metropolia.fi (virpi[dot]luoma[at]metropolia[dot]fi)