The Privacy Notice is based on the information provision obligation to the data subject (Articles 12–14 of the EU General Data Protection Regulation “GDPR”), the data controller’s obligation to maintain a record of processing activities under its responsibility (GDPR, Article 30) and the obligations of the national Data Protection Act (1050/2018) complementing the GDPR.
In addition, this Privacy Notice has been drafted with an aim to comply with the EU’s so called Accessibility Directive and the completing national act on the provision of digital services (Directive of the European Parliament and of the European Council (2016/2102) on the Accessibility of the Websites and Mobile Applications of Public Sector Bodies; Act on the Provision of Digital Services (306/2019)).
Name of the register TUTTU net – Product Developer’s Test and Support Network – online service’s personal data register
Name
Metropolia University of Applied Sciences Ltd
Contact information
Metropolia University of Applied Sciences Ltd (Business ID: 2094551-1)
Postal address: P.O. Box 4000, FI-00079 Metropolia
Visiting address: Myllypurontie 1, 00920 Helsinki, Finland
Telephone (switchboard): +358 9 7424 5000
Person responsible for the register at the data controller
Name: Riitta Konkola
Position: President, CEO of Metropolia University of Applied Sciences
Responsible person for the content of the register:
Name: Annakaisa Oksava
Title: Head of School / School of Wellbeing
Address: Metropolia University of Applied Sciences Ltd., PB 4000, FI-00079 METROPOLIA
E-mail: annakaisa.oksava [at] metropolia.fi (annakaisa[dot]oksava[at]metropolia[dot]fi)
Contact person of the register:
Name: Toini Harra
Title: Project Manager/Principal Lecturer/Elderly Care,
Rehabilitation and Occupational Therapy team
Address: Metropolia University of Applied Sciences Ltd., PB 4000, FI-00079 METROPOLIA
E-mail: toini.harra [at] metropolia.fi (toini[dot]harra[at]metropolia[dot]fi)
Project website: https://tuttunet.fi
Sanna Saarnia, Metropolia’s Data Protection Officer
Email: tietosuojavastaava [at] metropolia.fi (tietosuojavastaava[at]metropolia[dot]fi)
The purposes of the processing for which the personal data are intended:
TUTTU net online service supports developers of digital products and services in collaboration with innovation hubs and testlabs in the field of social and health services, construction, ICT and business across Finland.
TUTTU net – Product Developer’s Test and Support Network – online service’s personal data register processes personal data of clients, cooperation partners, Metropolia UAS students, reference groups, potential customers and their representatives. Personal data are used for collaboration, customer communication and information about the project.
This Privacy Notice is complemented by the Privacy Notice of the personal data register of the HIPPA – Well-being and Better Service Housing through Digitalisation – project. The Privacy Notices of Metropolia’s different personal data registers are published on the Privacy Notices section of Metropolia’s public website.
Legal basis for the processing of personal data:
Processing of personal data in the personal data register of TUTTU net – Product Developer’s Test and Support Network – online service
1) is necessary for the performance of a contract to which the data subject is party:
Collecting names and other contact details in TUTTU net is based on a customer relationship (personal data of companies, organisations and cooperation partners participating in TUTTU net, as well as of other clients and potential clients and their representatives, have been collected and stored in the TUTTU net data registers, based on a contractual relationship). The data have been collected at the time of concluding the contract or registration, or when using TUTTU net services.
2) is based on consent obtained from the data subject:
- as regards cookies included in TUTTU net and the website visitor tracking enabled by them, the collection of cookie data of the website visitor is based on consent obtained from the data subject.
- as regards processing of personal data related to events organised in the TUTTU net framework (e.g. participation in workshops, competitions, training and other events), event registration and/or on the feedback collected after the event is based on consent obtained from the data subject.
- processing of personal data in regard to TUTTU net information and marketing communication letters (newsletters) has been based on consent given by the data subject. Addresses have also been collected from public sources. The receiver of the newsletter has had the possibility to cancel the sending of the newsletter at any time without stating a reason.
- collection and processing of personal data in regard to the following TUTTU net forms is based on consent given by the data subject:
● Non-disclosure form: the signer commits to keep confidential the information related to the products and services of the company
● Transfer of rights form: the signer commits to transfer the rights to the content produced as an expert to the University of Applied Sciences
● Photography consent form: the signer commits that his or her or the organisation’s photographs may be taken and used as material for the purposes of the HIPPA project and/or TUTTU net online service
● Consent form: the signer gives consent to the collection of personal data for the co-creation and testing/user trials of the project, and for the support measures of commercialization and marketing
● List of participants: the signer gives his or her consent to the collection of personal data and photographing in the project events
- Collection and processing of personal data included in the TUTTU net online service’s forms is based on consent given by the data subject. Submitting contact details and filling in forms is entirely voluntary. This applies to the forms “Challenge”, “Test” and “Develop” of the TUTTU net online service.
The legal basis for the processing of data in the personal data register of TUTTU net – Product Developer’s Test and Support Network – is not a “legitimate interest”. As a result, this point is not applicable.
In TUTTU net – Product Developer’s Test and Support Network – personal data register, data subjects are TUTTU net’s clients, cooperation partners, Metropolia UAS students, reference groups, as well as potential customers and their representatives.
The following personal data by categories of personal data may be stored in the personal register:
Basic information:
- First name and last name
- E-mail address
- Telephone number
- Organisation
- Title/area of responsibility
- Business ID
Data related to the management and communication of customer relationships and collaboration:
- Order and cancellation data of the project’s services
- Feedback
- Audiovisual recordings of the events
Data related to online behaviour:
● Data related to online behaviour on the TUTTU net website and in its online services and on social media platforms
● Technical data, cookies sent to the data subject’s browser and information thereof
● With the help of cookies, measurable data on TUTTU net visitors are obtained which can be used in, for example, planning the marketing of the project. In this manner, project communication can be effectively targeted.
● Data collected on the basis of Google Analytics standard
Data related to marketing and sales promotion:
● Marketing measures targeted to the data subject and their outcomes (e.g. participation in workshops, competitions, trainings and events)
● Giving/declining consent; whether the data subject gives his or her consent to send marketing communication related to the project
The project’s website (https://tuttunet.fi):
● Newsletter subscription form: name, e-mail address
● ”Challenge” form: first name*, last name*, e-mail address*, message data*, wished field(s) of cooperation (fields marked with an asterisk are obligatory)
● ”Test” form: first name*, last name*, e-mail address*, company/organisation, message data*, wished field(s) of cooperation (fields marked with an asterisk are obligatory)
● “Develop” form: first name*, last name*, e-mail address*, name of the company/organisation/UAS*, degree programme, tutor teacher, in which event / activities the data subject wishes to participate in (fields marked with an asterisk are obligatory)
● References page: name of the company, company description, name and title of the contact person, organisation, e-mail address, telephone number and company website
Forms:
● non-disclosure agreement: the signer commits to keep information related to the company’s product and service confidential
● transfer of rights: the signer transfers the rights to the content produced as an expert to the UAS
● photography permissions: the person or organisation to be photographed gives permission for photographing material to be used by the HIPPA project and/or the TUTTU net online service
● list of participants: the lists include information of the participants of the project; name, e-mail address, telephone number, consent to use contact details in the activities and communication of the project, and a consent for photographing during the activities
● registration forms: registration forms include the participant’s name, e-mail address, telephone number, organisation, consent to use contact details in the project’s activities and communication and a consent for photographing during the activities
● consent form: with the consent form, the participant gives his or her consent to voluntary participation in and collecting of personal data (name and contact details) for the co-creation / product or service testing carried out by the UAS / municipality within the HIPPA Well-Being and Better Service Housing Through Digitalisation project. The consent giver confirms to be acquainted with the information note of the matter.
Collecting names and other personal data is based on customer relationship or other connection in TUTTU net. Data are collected at the time of concluding an agreement, registration or when using TUTTU net services, i.e. the personal data have mainly been obtained from the data subjects themselves.
Personal data may also be obtained from the employer of the data subject or another party who registers the data subject to an event or training offered by TUTTU net.
TUTTU net also monitors cookies and visits on the TUTTU net website (IP address data). The collection of cookies data requiresk consent from the data subject.
Personal data may also be bought for nonrecurring marketing use from registers outside of TUTTU net. A prior consent from the data subject is required for receiving marketing communication (newsletters).
Personal data may also be obtained from public sources.
An access to personal data included in TUTTU net is given when necessary (with the so called admin codes, for example to the system provider/maintenance person of the measurement device in the occurrence of a technical problem) in the systems listed below. All authorized providers of systems/devices/applications (the companies thereof) may be interpreted as recipients of personal data and recipients of regular disclosures from the point of view of the register.
The contracts for processing personal data, as regards the systems used by TUTTU net, are, as defined in and according to Article 28 of the GDPR, concluded in the unit/school with the following cooperation partners:
Google LLC and G Suite for Education
Data to TUTTU net personal data register are collected and managed by G Suite for Education, the Google application tool specifically targeted to educational establishments.
Personal data are collected to the Google Drive cloud storage service and managed by ancillary software such as Google Docs, Sheets and Slides. Data are collected by Google Forms application which is one of the tools in the application package. For organising workshops, for instance, applications related to G Suite for Education are used.
Google LLC and Google Analytics
Google Analytics is one of the tools used for analysing website traffic data. More information on Google Analytics is available at https://www.google.com/analytics/. You can opt out from data collection by Google Analytics by downloading an expansion to your browser at https://tools.google.com/dlpage/gaoptout.
Liana Technologies Ltd. and Koodiviidakko homepage platform
TUTTU net online service is enabled by Liana Technologies Ltd. homepage platform provider. The technical platform provider and server maintainer is Liana Technologies Ltd.
Eduix Ltd. and e-form software
Registration data are collected by e-form software provided by Eduix Ltd. but the e-form software runs on the private server of the Metropolia UAS.
Cloud services in which personal data may be transferred to countries outside the EU/EEA, may be used in the processing of personal data in TUTTU net – Product Developer’s Test and Support Network – personal data register.
Transferring personal data to countries outside the EU/EEA shall comply with the General Data Protection Regulation when using Google and Microsoft related cloud service tools.
The personal data processing contract between Metropolia and Google LLC is based on the general contract of Google G Suite cloud services as all Google related applications (such as Google Drive storage platform application) have been taken into use in Metropolia as part of G Suite cloud service package.
In this contract package, the transfer of international personal data to countries outside the scope of the GDPR, i.e. countries outside the EU/EEA, is allowed. Google LLC declares to its European partners that it applies, as regards transfer of international personal data, the model contract clauses approved by the European Commission, as specific safeguard measures.
In the valid contract for processing personal data between Google LLC and Metropolia, it is stated that the storage platform accessible via the following link shall always contain up-to-date information as to which physical locations the client’s personal data (a Metropolian person) is stored, in Google data centres/servers:
● “Data Center Information. Information about the locations of Google data centers is available at https://www.google.com/about/datacenters/inside/locations/hamina/”
The personal data processing contract between Metropolia and Microsoft Corporation is based on the general contract of Microsoft cloud services as Microsoft Office 365 Education has been taken into use in Metropolia as part of Microsoft cloud service package. In these contracts, the transfer of international personal data is only allowed to EU/EEA area, i.e. the scope of the GDPR.
Microsoft Corporation declares to its European partners using the Microsoft Office 365 Education system that it applies, as regards transfer of international personal data, the model contract clauses approved by the European Commission, as specific safeguard measures:
https://www.microsoft.com/en-us/trustcenter/Compliance/EU-Model-Clauses
The contract related to Microsoft cloud services is accessible at https://www.microsoft.com/en-us/trustcenter
In the personal data register of TUTTU net – Product Developer’s Test and Support Network – personal data are stored in a database which is protected by firewalls, passwords and other technical means, and which is accessible only to persons authorized by TUTTU net.
Data collected for the project’s measures and activities (co-creation, testing and commercialization) are anonymized. After the termination of the project, personal data shall be stored according to the archive constitution plan of the funding body and Metropolia.
The storage periods of cookie data are explained in point 8 of this Privacy Notice.
Outdated and unnecessary data are removed in an appropriate manner. Personal data are stored for solely the period necessary for the purposes of processing personal data as determined in this Privacy Notice. Due to obligations of the Accounting Act or other applicable law, data may have to be stored for a period longer than the above mentioned period.
The data subjects have the right to receive confirmation from the data controller of whether their personal data are being processed. Furthermore, the data subjects have the right of access to their personal data and the right to inspect their personal data stored in the register and to receive copies of them. Under the GDPR, the data controller must respond to requests by the data subjects to exercise their rights within one month of receiving such a request.
A. Right of access to personal data
The data subjects have the right to check whether their personal data are stored in the personal data register. A data subject may submit a request for information by delivering the data subjects’ information request form, which can be found on Metropolia’s public website and/or Metropolia’s intranet, to one of the three offices of Metropolia’s Student and Admission Services. The form must be filled in carefully, printed and signed personally by the data subject. If the data subject is a member of staff, they can deliver the request form to Metropolia’s Human Resources Management unit. When submitting the request, the data subject must prove their identity in a reliable manner (for example by presenting an official personal identity document or driving licence to the Metropolia employee receiving the request).
The visiting addresses of the offices of Metropolia’s Student and Admission Services are:
Metropolia’s Myllypuro campus
Myllypurontie 1, 00920 Helsinki, Finland
Metropolia’s Arabia campus
Hämeentie 135 D, 00560 Helsinki, Finland
Metropolia’s Myyrmäki campus
Leiritie 1, 01600 Vantaa, Finland
Metropolia’s Karamalmi campus
Karaportti 2, 02610 Espoo, Finland
The visiting address of Metropolia’s Human Resources Management unit is:
Metropolia’s Myllypuro campus (Buildings C and D, 5th floor)
Myllypurontie 1, 00920 Helsinki, Finland
All information requests will be forwarded from the offices of Metropolia’s Student and Admission Services and/or the Human Resources Management unit to Metropolia’s Data Protection Officer (email: tietosuojavastaava [at] metropolia.fi (tietosuojavastaava[at]metropolia[dot]fi)).
Metropolia’s Data Protection Officer will respond to information request submitted by the data subjects. If necessary, the Data Protection Officer can be requested to provide additional information on progress in the processing of the request or on the content of the response.
B. Right to rectify personal data and to restrict processing
The data subjects have the right to request the data controller to restrict the processing of their personal data in the following cases:
- the data subject disputes the correctness of their personal data (right to rectify personal data), in which case processing will be restricted until the data controller can ascertain that the data is correct;
- processing violates the law and the data subject objects to the erasure of their personal data, instead requesting that the processing of the data be restricted;
- the data controller no longer needs the personal data for the purposes of the processing, but the data subject needs them in order to establish, exercise or defend a legal claim.
Such a request for rectifying personal data in a Metropolia personal data register or restricting processing can be submitted in person to one of the above-mentioned offices of Metropolia’s Student and Admission Services or Metropolia’s Human Resources Management unit (staff only), where the data subject must prove their identity in a reliable manner when submitting the request.
C. Right to erase personal data
The data subject has the right to obtain from the controller the erasure of their personal data from a Metropolia register without undue delay if any of the following conditions are met:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which processing is based and there is no other lawful basis for processing;
- the personal data have been unlawfully processed; or
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
Such a request for the erasure of personal data in a Metropolia personal data register can be submitted in person to one of the three above-mentioned offices of Metropolia’s Student and Admission Services or Metropolia’s Human Resources Management unit (staff only), where the data subject must prove their identity in a reliable manner when submitting the request.
D. Right to data portability (transfer of data from one system to another)
Partly applicable. Article 20 of the General Data Protection Regulation (GDPR) introduces a new right of data portability of a data subject. This right allows for data subjects to receive the personal data that they have provided to a data controller, in a structured, commonly used and machine-readable format, and to transmit those data to another data controller without hindrance. The new right to data portability aims to empower data subjects regarding their own personal data, as it facilitates their ability to move, copy or transmit personal data easily from one IT environment to another (whether to their own systems, the systems of trusted third parties or those of new data controllers).
In accordance with Article 20(1)(a) of the GDPR, in order to fall under the scope of data portability, processing operations must be based:
- either on the data subject’s consent (pursuant to Article 6(1)(a), or pursuant to Article 9(2)(a) when it comes to special categories of personal data);
- or, on a contract to which the data subject is a party pursuant to Article 6(1)(b).
The GDPR does not establish a general right to data portability for cases where the processing of personal data is not based on consent or contract.
Such a request pursuant to Article 20 of the GDPR can be submitted in person to one of the three above-mentioned offices of Metropolia’s Student and Admission Services or Metropolia’s Human Resources Management unit (staff only), where the data subject must prove their identity in a reliable manner when submitting the request.
E. Right to not be subjected to a personal data breach
The data subject has the right to not be subjected to a personal data breach, as referred to in Article 33 of the EU’s General Data Protection Regulation, due to the data controller’s negligence in data protection and/or data security matters or due to negligence on the part of a data processor used by the controller in data protection and/or data security matters. The data subject has the right to be informed without undue delay if a personal data breach is likely to pose a high risk to the rights and freedoms of natural persons.
According to Article 21 of the EU’s General Data Protection Regulation, the data subjects have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on point (e) of Article 6(1) (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller), such as profiling based on these provisions. The data controller may no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
The request to stop processing of collected personal data can be submitted to one of the three above-mentioned offices of Metropolia’s Student and Admission Services or Metropolia’s Human Resources Management unit (staff only), where the data subject must prove their identity when submitting the request.
Where processing of personal data is based the consent of the data subject, the data subject shall have the right to withdraw consent at any time, without it affecting the lawfulness of processing based on consent before its withdrawal.
The request to withdraw consent to processing of personal data (withdrawal request) may be submitted to any of the three above mentioned Metropolia Student and Admission Services offices (or, in the case of personnel, to the Human Resources Management unit). At the time of submitting the request, the data subject shall prove his or her identity.
Every data subject has the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of their personal data infringes the applicable data protection regulations.
The national supervisory authority in Finland is the Office of the Data Protection Ombudsman. Contact details:
Office of the Data Protection Ombudsman
Street address: Lintulahdenkuja 4, 00530 Helsinki, Finland
Postal address: PO Box 800
FI-00531 Helsinki
Telephone (switchboard): + 358 29 56 66700
Fax: + 358 9 56 66735
Email: tietosuoja [at] om.fi (tietosuoja[at]om[dot]fi)
General description of the technical and organisational security measures aiming at protecting the personal data of the data subjects and the personal data registers:
- The protection of the register has been agreed upon with the system providers. If necessary, the responsibilities have been described in adequate detail in the appropriate agreements.
- The employees and other personnel have undertaken to comply with the obligation of secrecy and to keep confidential the information they receive in connection with the personal data processing.
- The system providers (personal data processors) undertake to maintain the register and the personal data relating to it in accordance with good data processing practices and comply with the obligation to absolute secrecy and confidentiality.
- The data security of the personal data register of the data controllers and the confidentiality of the data contained therein are ensured with appropriate technical and administrative means in accordance with good data processing practices.
- The data controllers have restricted user rights and authorisations to data systems, tools and other storage platforms in such a way that they can only be accessed and processed by the persons who are necessary for such processing due to their job duties or position.
- The system containing personal data may only be used by employees who are entitled to process personal data due to their job duties and/or position. Such employees will be given the appropriate training for their duties.
- Every user of a tool/system must identify themselves with their personal codes, which are issued when the right to access the tool/system is granted. The right of access will expire once the employee resigns or is transferred from the duties for which they were granted the right at Metropolia.
- The data are collected in databases that are protected logically and physically.
The databases and their back-up copies are located in locked premises, and the data can only be accessed by certain pre-appointed persons.
Information on whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data (information regarding how the personal data was obtained).
Information on whether the provision of personal data for processing in the personal data register of TUTTU net – Product Developer’s Test and Support Network – is a statutory or contractual requirement, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data. An account has been given for each register regarding how the personal data was obtained.
No person is obligated to join the voluntary personal data register of TUTTU net – Product Developer’s Test and Support Network – with which TUTTU net activities and services are managed. The personal data saved in the register have mainly been obtained from the data subjects themselves.
Data included in the personal data register of TUTTU net – Product Developer’s Test and Support Network – shall not be used for automated decision-making or profiling.