This Privacy Notice is based on the EU's General Data Protection Regulation (2016/679, “GDPR”), namely the obligation to inform the data subjects (GDPR Articles 12–14), the data controller's obligation to maintain a record of processing activities under its responsibility (GDPR Article 30), as well as the obligations set out in the Finnish Data Protection Act (1050/2018) supplementing the GDPR.
Additionally, this Privacy Notice has been prepared with the aim of making it accessible in accordance with the requirements of the EU's Web Accessibility Directive (Directive (EU) 2016/2102 of the European Parliament and of the Council on the accessibility of the websites and mobile applications of public sector bodies) and the Finnish Act on the Provision of Digital Services (306/2019) supplementing it.
The purpose of processing personal data in Metropolia University of Applied Sciences’ research, development, and innovation (RDI) activities personal data register is to manage and respond to data requests and research permit applications related to Metropolia’s registers; to handle communication, reporting, and financial matters related to projects and RDI activities; to collect information required by project funding from the Ministry of Economic Affairs and Employment; to collect, process, and store information on individuals submitting invention disclosures; to ensure the ethical acceptability and reliability of research as well as the reliability of results; and to investigate and resolve allegations of breaches of good scientific practice. Communication and information may also have a marketing purpose.
The processing of personal data may be necessary when reporting on the progress of the project, research or development to the financier as required by the financier.
Processing based on public interest, exercise of public authority, or legal obligation
The processing of personal data in the register is primarily based on public interest, the exercise of public authority, or the controller’s legal obligation.
The legal obligation is based on the following laws and regulations:
Universities of Applied Sciences Act (932/2014)
Act Amending the Universities of Applied Sciences Act (941/2017)
European Social Fund Regulation (EU 1304/2013)
Common Provisions Regulation (EU 1303/2013)
Government Decree on the Eligibility of Costs Financed by Structural Funds (358/2014)
General Data Protection Regulation (GDPR)
The processing of personal data in Metropolia’s invention disclosure register is based on public interest (GDPR Article 6.1(e)).
Processing based on consent
- The invention disclosure register
- Direct marketing when the basis for processing is not a legitimate interest
- Newsletters
The data subjects in Metropolia’s RDI activities register include employees participating in projects and other individuals working on the projects, individuals reporting allegations of breaches of good scientific practice (GSP), and individuals at Metropolia or other entities involved in or related to the allegations.
Types of personal data that may be collected:
Research permit applications
Name
Contact details
Organizational and employment details
Professional qualifications
Projects and initiatives
Name
Contact details
Organizational and employment details
European Social Fund (ESF) projects
Name
Contact details
Social security number
Gender
Employment status
Education
Other background factors (e.g., foreign background, minority status, disability, or disadvantage in the labor market)
Invention disclosures
Name
Contact details
Educational program
Breaches of Good Scientific Practice (GSP)
Name
Contact details
Organizational and employment details
Other necessary information for investigating the allegation
Stakeholders and funders, project promoters, other partners
Name
E-mail address
Telephone number
Job title, organizational information
Administrative and technical information:
IP addresses and other technical information about digital systems
Log information about the user's activities in the project's information systems
Personal data groups:
Project participants:
Students
Teachers and other experts
Representatives of companies and organisations
Persons participating in workshops, seminars and trainings
Participants in research and development are:
People involved in surveys, interviews and other research activities
Persons involved in pilot projects and testing groups
The personal data to be collected, as well as the more specific purposes, ways and grounds for processing, depend on the project or research and, if necessary, are informed to the participants on a project and research-specific basis.
Personal data is primarily obtained directly from the data subject. In cases of GSP allegations, information on the accused and other involved parties is initially obtained from the notifier and subsequently from the data subjects themselves.
Personal data from Metropolia’s personnel register is disclosed to the following groups:
- External research institutions
- Statistics Finland or equivalent entities for conducting survey studies
- For invention disclosures, partners (e.g., when assessing an invention with a partner), only with the consent of the notifier (inventor). The university must keep invention-related information confidential until the invention is sufficiently protected and there are no other specific reasons for confidentiality (University Inventions Act, Section 11.2).
- Authorities, based on law, regulation, or a decision by an authority
- In cases of GSP allegations, the Finnish Advisory Board on Research Integrity (TENK
Funder of a project, research or development
Personal data in the register may also be accessed through technical interfaces for maintenance or error correction purposes. External system providers and service providers operating these tools are considered recipients of personal data and regular recipients of disclosures.
Personal data contained in Metropolia's RDI activities register is not, as a rule, transferred outside the EU or EEA or to international organizations.
However, personal data may be transferred outside the EU or EEA when necessary for implementing IT services essential for work or studies, based on a case-by-case assessment. The primary destination country for such transfers is the United States. It is also possible that countries like India, which is often used as the operational base for global ICT service providers' helpdesk or IT support functions, may serve as the destination for data transfers.
International transfers of personal data from this register to the United States and/or other non-EU/EEA countries are safeguarded under Chapter V of the EU General Data Protection Regulation (GDPR) using the protection measures specified in Article 46. This may include reliance on adequacy decisions or, in the absence of such decisions, the use of Standard Contractual Clauses (SCCs). SCCs are included in the data processing agreements or other contracts made with ICT service providers.
Only essential data is transferred, and all transfers are conducted in compliance with data protection laws and their limitations. The security and privacy of the transfer are always agreed upon separately.
The retention periods for personal data are based on law and vary depending on the nature and purpose of the data. Retention periods are determined by the Act on National Study and Degree Registers (884/2017), the Universities of Applied Sciences Act (932/2014), and the National Archives’ decision on retention periods for universities of applied sciences
(AL/20757/07.01.01.03.02/2016). Some data is deleted when it is no longer needed, and there is no legal obligation to retain it. Retention periods are calculated from the date the personal data was collected or from when the individual stopped using the service.
Examples of retention periods:
- Personal data in Metropolia’s research permit application register: 5 years
- Personal data collected and processed for project and initiative management: Permanently
- Personal data collected for the ESR system: At least 10 years from the end of the project. Data in the electronic register is destroyed after the ESR program period ends.
- Invention disclosures: As agreed in the contract
- GSP allegations: Permanently
The contact details of the partners and project partners are stored during the project and possibly after the project as long as necessary to maintain and build the cooperation relationship, however no more than 2 years after the end of the project, unless the cooperation relationship has continued active.
Regulations Considered for Retention Periods
GDPR (2016/679)
Data Protection Act (1050/2018)
Universities of Applied Sciences Act (932/2014)
National Archives’ decision on retention periods for universities of applied sciences (AL/20757/07.01.01.03.02/2016)