Metropolia's guidelines concerning coronavirus

Read about the impact of coronavirus on Metropolia's operations.

The Privacy Notice is based on the information provision obligation to the data subject (Articles 12–14 of the EU General Data Protection Regulation “GDPR”), the data controller’s obligation to maintain a record of processing activities under its responsibility (GDPR, Article 30) and the obligations of the national Data Protection Act (1050/2018) complementing the GDPR.

In addition, this Privacy Notice has been drafted with an aim to comply with the EU’s so called Accessibility Directive and the completing national act on the provision of digital services (Directive of the European Parliament and of the European Council (2016/2102) on the Accessibility of the Websites and Mobile Applications of Public Sector Bodies; Act on the Provision of Digital Services (306/2019)). 

Submitted on 27.5.2021 - 13:08

Name of the register

Name of the registerTUTTU net – Product Developer’s Test and Support Network – online service’s personal data register 

Data controller

Name

Metropolia University of Applied Sciences Ltd

Contact information

Metropolia University of Applied Sciences Ltd (Business ID: 2094551-1)
Postal address: P.O. Box 4000, FI-00079 Metropolia
Visiting address: Myllypurontie 1, 00920 Helsinki, Finland
Telephone (switchboard): +358 9 7424 5000 

Person responsible for the register at the data controller

Name: Riitta Konkola
Position: President, CEO of Metropolia University of Applied Sciences

Responsible person for the content of the register:

Name: Annakaisa Oksava
Title: Head of School / School of Wellbeing
Address: Metropolia University of Applied Sciences Ltd., PB 4000, FI-00079  METROPOLIA
E-mail: annakaisa.oksava [at] metropolia.fi

Contact person of the register:

Name: Toini Harra
Title: Project Manager/Principal Lecturer/Elderly Care,
Rehabilitation and Occupational Therapy team
Address: Metropolia University of Applied Sciences Ltd., PB 4000, FI-00079 METROPOLIA
E-mail: toini.harra [at] metropolia.fi
Project website: https://tuttunet.fi

Data Protection Officer

Tuulia Aarnio, Metropolia’s Data Protection Officer
Tel: +358 40 844 0690
Email: tietosuojavastaava [at] metropolia.fi

Purpose and legal basis of the processing of personal data

The purposes of the processing for which the personal data are intended: 

 

TUTTU net online service supports developers of digital products and services in collaboration with innovation hubs and testlabs in the field of social and health services, construction, ICT and business across Finland.

TUTTU net – Product Developer’s Test and Support Network – online service’s personal data register processes personal data of clients, cooperation partners, Metropolia UAS students, reference groups, potential customers and their representatives. Personal data are used for collaboration, customer communication and information about the project.

This Privacy Notice is complemented by the Privacy Notice of the personal data register of the HIPPA – Well-being and Better Service Housing through Digitalisation – project. The Privacy Notices of Metropolia’s different personal data registers are published on the Privacy Notices section of Metropolia’s public website. 

Legal basis for the processing of personal data: 

Processing of personal data in the personal data register of TUTTU net – Product Developer’s Test and Support Network – online service

1) is necessary for the performance of a contract to which the data subject is party:

Collecting names and other contact details in TUTTU net is based on a customer relationship (personal data of companies, organisations and cooperation partners participating in TUTTU net, as well as of other clients and potential clients and their representatives, have been collected and stored in the TUTTU net data registers, based on a contractual relationship). The data have been collected at the time of concluding the contract or registration, or when using TUTTU net services.

2) is based on consent obtained from the data subject: 

- as regards cookies included in TUTTU net and the website visitor tracking enabled by them, the collection of cookie data of the website visitor is based on consent obtained from the data subject.

- as regards processing of personal data related to events organised in the TUTTU net framework (e.g. participation in workshops, competitions, training and other events), event registration and/or on the feedback collected after the event is based on consent obtained from the data subject. 

- processing of personal data in regard to TUTTU net information and marketing communication letters (newsletters) has been based on consent given by the data subject. Addresses have also been collected from public sources. The receiver of the newsletter has had the possibility to cancel the sending of the newsletter at any time without stating a reason.   

- collection and processing of personal data in regard to the following TUTTU net forms is based on consent given by the data subject:

● Non-disclosure form: the signer commits to keep confidential the information related to the products and services of the company

● Transfer of rights form: the signer commits to transfer the rights to the content produced as an expert to the University of Applied Sciences

● Photography consent form: the signer commits that his or her or the organisation’s photographs may be taken and used as material for the purposes of the HIPPA project and/or TUTTU net online service

● Consent form: the signer gives consent to the collection of personal data for the co-creation and testing/user trials of the project, and for the support measures of commercialization and marketing

● List of participants: the signer gives his or her consent to the collection of personal data and photographing in the project events

- Collection and processing of personal data included in the TUTTU net online service’s forms is based on consent given by the data subject. Submitting contact details and filling in forms is entirely voluntary. This applies to the forms “Challenge”, “Test” and “Develop” of the TUTTU net online service.

Legitimate interests of the data controller or a third party

The legal basis for the processing of data in the personal data register of TUTTU net – Product Developer’s Test and Support Network – is not a “legitimate interest”. As a result, this point is not applicable.

Data recipients or recipient groups and regular disclosures

In TUTTU net – Product Developer’s Test and Support Network – personal data register, data subjects are TUTTU net’s clients, cooperation partners, Metropolia UAS students, reference groups, as well as potential customers and their representatives.

The following personal data by categories of personal data may be stored in the personal register:

Basic information: 

  • First name and last name 
  • E-mail address
  • Telephone number 
  • Organisation 
  • Title/area of responsibility 
  • Business ID 

Data related to the management and communication of customer relationships and collaboration:

  • Order and cancellation data of the project’s services
  • Feedback
  • Audiovisual recordings of the events

Data related to online behaviour:

● Data related to online behaviour on the TUTTU net website and in its online services and on social media platforms

● Technical data, cookies sent to the data subject’s browser and information thereof

● With the help of cookies, measurable data on TUTTU net visitors are obtained which can be used in, for example, planning the marketing of the project. In this manner, project communication can be effectively targeted.

● Data collected on the basis of Google Analytics standard

Data related to marketing and sales promotion:

● Marketing measures targeted to the data subject and their outcomes (e.g. participation in workshops, competitions, trainings and events)

● Giving/declining consent; whether the data subject gives his or her consent to send marketing communication related to the project

The project’s website (https://tuttunet.fi): 

● Newsletter subscription form: name, e-mail address 

● ”Challenge” form: first name*, last name*, e-mail address*, message data*,  wished field(s) of cooperation (fields marked with an asterisk are obligatory)

● ”Test” form: first name*, last name*, e-mail address*, company/organisation, message data*, wished field(s) of cooperation (fields marked with an asterisk are obligatory)

● “Develop” form: first name*, last name*, e-mail address*, name of the company/organisation/UAS*, degree programme, tutor teacher, in which event / activities the data subject wishes to participate in (fields marked with an asterisk are obligatory) 

● References page: name of the company, company description, name and title of the contact person, organisation, e-mail address, telephone number and company website 

Forms: 

● non-disclosure agreement: the signer commits to keep information related to the company’s product and service confidential

● transfer of rights: the signer transfers the rights to the content produced as an expert to the UAS

● photography permissions: the person or organisation to be photographed gives permission for photographing material to be used by the HIPPA project and/or the TUTTU net online service

● list of participants: the lists include information of the participants of the project; name, e-mail address, telephone number, consent to use contact details in the activities and communication of the project, and a consent for photographing during the activities

● registration forms: registration forms include the participant’s name, e-mail address, telephone number, organisation, consent to use contact details in the project’s activities and communication and a consent for photographing during the activities 

● consent form: with the consent form, the participant gives his or her consent to voluntary participation in and collecting of personal data (name and contact details) for the co-creation / product or service testing carried out by the UAS / municipality within the HIPPA Well-Being and Better Service Housing Through Digitalisation project. The consent giver confirms to be acquainted with the information note of the matter.

Regular sources of personal data

Collecting names and other personal data is based on customer relationship or other connection in TUTTU net. Data are collected at the time of concluding an agreement, registration or when using TUTTU net services, i.e. the personal data have mainly been obtained from the data subjects themselves.

Personal data may also be obtained from the employer of the data subject or another party who registers the data subject to an event or training offered by TUTTU net.

TUTTU net also monitors cookies and visits on the TUTTU net website (IP address data). The collection of cookies data requiresk consent from the data subject.

Personal data may also be bought for nonrecurring marketing use from registers outside of TUTTU net. A prior consent from the data subject is required for receiving marketing communication (newsletters).  

Personal data may also be obtained from public sources.

Information systems used in the processing of personal data

Data included in the personal data register of TUTTU net – Product Developer’s Test and Support Network – are processed with the following information systems, applications and software:

G Suite for Education 

HIPPA project’s personal data register’s data are collected and managed by G Suite for Education, the Google application tool specifically targeted to educational establishments.

Personal data are collected to the Google Drive cloud storage service and managed by ancillary software such as Google  Docs, Sheets and Slides. Data are collected by Google Forms application which is one of the tools in the application package. For organising workshops, for instance, applications related to G Suite  for Education are used.

Google Analytics 

Google Analytics is one of the tools used for analysing website traffic data. More information on Google Analytics is available at  http://www.google.com/analytics/. You can opt out from data collection by Google Analytics by downloading an expansion to your browser at https://tools.google.com/dlpage/gaoptout

Koodiviidakko homepage platform

TUTTU net online service is enabled by Liana Technologies Ltd. homepage platform provider. The technical platform provider and server maintainer is Liana Technologies Ltd.

E-form software

The registration data needed for TUTTU net activities and events are collected by Metropolia e-forms software.

Cookies

If the data subject has an account and signs in to TUTTU net website, the set temporary cookie is used, provided that the data subject gives consent to it. This consent does not include any personal data and it is removed when the browser window is closed.

When the data subject signs in, cookies to save registration and screen setting data are used. The data subject’s consent is needed for the use of these cookies. The signing in cookies are removed within 48 hours and the screen setting cookies within one year. If the data subject selects “Remember me” when signing in, the signing in information will be stored for two weeks. If the data subject signs out, the cookies related to signing in will be removed at the same time.

If the data subject publishes an article or edits an existing article, it will be saved to the browser cookie which includes the ID of the article to be edited. This cookie will expire within 24 hours.

Embedded content from other websites

TUTTU net website’s articles may include embedded content (e.g. videos, images, articles etc.). Opening embedded content originating from other websites is comparable to the user visiting third party websites.

TUTTU net website may collect data from the data subject, use cookies, embed third party tracking cookies and monitor the user’s interaction with embedded content, including monitoring this interaction, if and when the data subject has signed in as a user to the website. Consent of the data subject must be obtained in order to use these cookies.

Metropolia e-mail system

Communication about the activities of TUTTU net by e-mail and, for example, invitations to events (provided that the data subject has given his or her explicit consent in writing) occurs through Metropolia’s  Microsoft Outlook Exchange e-mail system. Metropolia has acquired the e-mail system as part of the Microsoft O365 service package but it runs on the private server of the Metropolia UAS.

Description of the groups of data subjects and personal data groups

An access to personal data included in TUTTU net is given when necessary (with the so called admin codes, for example to the system provider/maintenance person of the measurement device in the occurrence of a technical problem) in the systems listed below. All authorized providers of systems/devices/applications (the companies thereof) may be interpreted as recipients of personal data and recipients of regular disclosures from the point of view of the register.

The contracts for processing personal data, as regards the systems used by TUTTU net, are, as defined in and according to Article 28 of the GDPR, concluded in the unit/school with the following cooperation partners:

Google LLC and G Suite for Education 

Data to TUTTU net personal data register are collected and managed by G Suite for Education, the Google application tool specifically targeted to educational establishments.

Personal data are collected to the Google Drive cloud storage service and managed by ancillary software such as Google  Docs, Sheets and Slides. Data are collected by Google Forms application which is one of the tools in the application package. For organising workshops, for instance, applications related to G Suite  for Education are used.

Google LLC and Google Analytics

Google Analytics is one of the tools used for analysing website traffic data. More information on Google Analytics is available at  http://www.google.com/analytics/. You can opt out from data collection by Google Analytics by downloading an expansion to your browser at https://tools.google.com/dlpage/gaoptout.

Liana Technologies Ltd. and Koodiviidakko homepage platform

TUTTU net online service is enabled by Liana Technologies Ltd. homepage platform provider. The technical platform provider and server maintainer is Liana Technologies Ltd.

Eduix Ltd. and e-form software

Registration data are collected by e-form software provided by Eduix Ltd. but the e-form software runs on the private server of the Metropolia UAS.

Transfer of information outside the EU or EEA or to international organisations

Cloud services in which personal data may be transferred to countries outside the EU/EEA, may be used in the processing of personal data in TUTTU net – Product Developer’s Test and Support Network – personal data register.

Transferring personal data to countries outside the EU/EEA shall comply with the General Data Protection Regulation when using Google and Microsoft related cloud service tools.

The personal data processing contract between Metropolia and Google LLC is based on the general contract of Google G Suite cloud services as all Google related applications (such as Google Drive storage platform application) have been taken into use in Metropolia as part of G Suite cloud service package.

In this contract package, the transfer of international personal data to countries outside the scope of the GDPR, i.e. countries outside the EU/EEA, is allowed. Google LLC declares to its European partners that it applies, as regards transfer of international personal data, the model contract clauses approved by the European Commission, as specific safeguard measures.

In the valid contract for processing personal data between Google LLC and Metropolia, it is stated that the storage platform accessible via the following link shall always contain up-to-date information as to which physical locations the client’s personal data (a Metropolian person) is stored, in Google data centres/servers:

● “Data Center Information. Information about the locations of Google data centers is available at https://www.google.com/about/datacenters/inside/locations/hamina/

The personal data processing contract between Metropolia and Microsoft Corporation is based on the general contract of Microsoft cloud services as Microsoft Office 365 Education has been taken into use in Metropolia as part of Microsoft cloud service package. In these contracts, the transfer of international personal data is only allowed to EU/EEA area, i.e. the scope of the GDPR.

Microsoft Corporation declares to its European partners using the Microsoft Office 365 Education system that it applies, as regards transfer of international personal data, the model contract clauses approved by the European Commission, as specific safeguard measures:

https://www.microsoft.com/en-us/trustcenter/Compliance/EU-Model-Clauses

The contract related to Microsoft cloud services is accessible at https://www.microsoft.com/en-us/trustcenter

Personal data retention times

In the personal data register of TUTTU net – Product Developer’s Test and Support Network – personal data are stored in a database which is protected by firewalls, passwords and other technical means, and which is accessible only to persons authorized by TUTTU net.

Data collected for the project’s measures and activities (co-creation, testing and commercialization) are anonymized. After the termination of the project, personal data shall be stored according to the archive constitution plan of the funding body and Metropolia.

The storage periods of cookie data are explained in point 8 of this Privacy Notice.

Outdated and unnecessary data are removed in an appropriate manner. Personal data are stored for solely the period necessary for the purposes of processing personal data as determined in this Privacy Notice. Due to obligations of the Accounting Act or other applicable law, data may have to be stored for a period longer than the above mentioned period.

Rights of the Data Subject

The data subjects have the right to receive confirmation from the data controller of whether their personal data are being processed. Furthermore, the data subjects have the right of access to their personal data and the right to inspect their personal data stored in the register and to receive copies of them. Under the GDPR, the data controller must respond to requests by the data subjects to exercise their rights within one month of receiving such a request.

A. Right of access to personal data

The data subjects have the right to check whether their personal data are stored in the personal data register. A data subject may submit a request for information by delivering the data subjects’ information request form, which can be found on Metropolia’s public website and/or Metropolia’s intranet, to one of the three offices of Metropolia’s Student and Admission Services. The form must be filled in carefully, printed and signed personally by the data subject. If the data subject is a member of staff, they can deliver the request form to Metropolia’s Human Resources Management unit. When submitting the request, the data subject must prove their identity in a reliable manner (for example by presenting an official personal identity document or driving licence to the Metropolia employee receiving the request).

The visiting addresses of the offices of Metropolia’s Student and Admission Services are:

Metropolia’s Myllypuro campus

Myllypurontie 1, 00920 Helsinki, Finland

Metropolia’s Arabia campus

Hämeentie 135 D, 00560 Helsinki, Finland

Metropolia’s Myyrmäki campus

Leiritie 1, 01600 Vantaa, Finland

Metropolia’s Karamalmi campus

Karaportti 2, 02610 Espoo, Finland

The visiting address of Metropolia’s Human Resources Management unit is:

Metropolia’s Myllypuro campus (Buildings C and D, 5th floor)

Myllypurontie 1, 00920 Helsinki, Finland

All information requests will be forwarded from the offices of Metropolia’s Student and Admission Services and/or the Human Resources Management unit to Metropolia’s Data Protection Officer (email: tuulia.aarnio [at] metropolia.fi, tietosuojavastaava [at] metropolia.fi).

Metropolia’s Data Protection Officer will respond to information request submitted by the data subjects. If necessary, the Data Protection Officer can be requested to provide additional information on progress in the processing of the request or on the content of the response.

B. Right to rectify personal data and to restrict processing

The data subjects have the right to request the data controller to restrict the processing of their personal data in the following cases:

  • the data subject disputes the correctness of their personal data (right to rectify personal data), in which case processing will be restricted until the data controller can ascertain that the data is correct;
  • processing violates the law and the data subject objects to the erasure of their personal data, instead requesting that the processing of the data be restricted;
  • the data controller no longer needs the personal data for the purposes of the processing, but the data subject needs them in order to establish, exercise or defend a legal claim.

Such a request for rectifying personal data in a Metropolia personal data register or restricting processing can be submitted in person to one of the above-mentioned offices of Metropolia’s Student and Admission Services or Metropolia’s Human Resources Management unit (staff only), where the data subject must prove their identity in a reliable manner when submitting the request.

C. Right to erase personal data

The data subject has the right to obtain from the controller the erasure of their personal data from a Metropolia register without undue delay if any of the following conditions are met:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the data subject withdraws consent on which processing is based and there is no other lawful basis for processing;
  • the personal data have been unlawfully processed; or
  • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.

Such a request for the erasure of personal data in a Metropolia personal data register can be submitted in person to one of the three above-mentioned offices of Metropolia’s Student and Admission Services or Metropolia’s Human Resources Management unit (staff only), where the data subject must prove their identity in a reliable manner when submitting the request.

D. Right to data portability (transfer of data from one system to another)

Partly applicable. Article 20 of the General Data Protection Regulation (GDPR) introduces a new right of data portability of a data subject. This right allows for data subjects to receive the personal data that they have provided to a data controller, in a structured, commonly used and machine-readable format, and to transmit those data to another data controller without hindrance. The new right to data portability aims to empower data subjects regarding their own personal data, as it facilitates their ability to move, copy or transmit personal data easily from one IT environment to another (whether to their own systems, the systems of trusted third parties or those of new data controllers).

In accordance with Article 20(1)(a) of the GDPR, in order to fall under the scope of data portability, processing operations must be based:

  • either on the data subject’s consent (pursuant to Article 6(1)(a), or pursuant to Article 9(2)(a) when it comes to special categories of personal data);
  • or, on a contract to which the data subject is a party pursuant to Article 6(1)(b).

 The GDPR does not establish a general right to data portability for cases where the processing of personal data is not based on consent or contract.

Such a request pursuant to Article 20 of the GDPR can be submitted in person to one of the three above-mentioned offices of Metropolia’s Student and Admission Services or Metropolia’s Human Resources Management unit (staff only), where the data subject must prove their identity in a reliable manner when submitting the request.

E. Right to not be subjected to a personal data breach

The data subject has the right to not be subjected to a personal data breach, as referred to in Article 33 of the EU’s General Data Protection Regulation, due to the data controller’s negligence in data protection and/or data security matters or due to negligence on the part of a data processor used by the controller in data protection and/or data security matters. The data subject has the right to be informed without undue delay if a personal data breach is likely to pose a high risk to the rights and freedoms of natural persons.

Right to Object

According to Article 21 of the EU’s General Data Protection Regulation, the data subjects have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on point (e) of Article 6(1) (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller), such as profiling based on these provisions. The data controller may no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

The request to stop processing of collected personal data can be submitted to one of the three above-mentioned offices of Metropolia’s Student and Admission Services or Metropolia’s Human Resources Management unit (staff only), where the data subject must prove their identity when submitting the request.

Right to withdraw consent

Where processing of personal data is based the consent of the data subject, the data subject shall have the right to withdraw consent at any time, without it affecting the lawfulness of processing based on consent before its withdrawal.

The request to withdraw consent to processing of personal data (withdrawal request) may be submitted to any of the three above mentioned Metropolia Student and Admission Services offices (or, in the case of personnel, to the Human Resources Management unit). At the time of submitting the request, the data subject shall prove his or her identity.

Right to lodge a complaint with a supervisory authority

Every data subject has the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of their personal data infringes the applicable data protection regulations.

The national supervisory authority in Finland is the Office of the Data Protection Ombudsman. Contact details:

Office of the Data Protection Ombudsman
Street address: Lintulahdenkuja 4, 00530 Helsinki, Finland
Postal address: PO Box 800
FI-00531 Helsinki

Telephone (switchboard): + 358 29 56 66700
Fax: + 358 9 56 66735
Email: tietosuoja [at] om.fi

Registry Security Principles

General description of the technical and organisational security measures aiming at protecting the personal data of the data subjects and the personal data registers at Metropolia:

  • The data controller (Metropolia) and the system providers have agreed on the protection of the register. If necessary, the responsibilities have been described in adequate detail in the appropriate agreements.
  • The employees and other personnel of the data controller (Metropolia) have undertaken to comply with the obligation of secrecy and to keep confidential the information they receive in connection with the personal data processing.
  • The system providers (personal data processors that act on behalf of the data controller, Metropolia) undertake to maintain the register and the personal data relating to it in accordance with good data processing practices and comply with the obligation to absolute secrecy and confidentiality.
  • The data security of the personal data register of the data controller (Metropolia) and the confidentiality of the data contained therein are ensured with appropriate technical and administrative means in accordance with good data processing practices.
  • The data controller (Metropolia) has restricted user rights and authorisations to data systems, tools and other storage platforms in such a way that they can only be accessed and processed by the persons who are necessary for such processing due to their job duties or position.
  • The system containing personal data may only be used by employees who are entitled to process personal data due to their job duties and/or position. Such employees will be given the appropriate training for their duties.
  • Every user of a tool/system must identify themselves with their personal codes, which are issued when the right to access the tool/system is granted. The right of access will expire once the employee resigns or is transferred from the duties for which they were granted the right at Metropolia.
  • The data are collected in databases that are protected logically and physically.
     
  • The databases and their back-up copies are located in locked premises, and the data can only be accessed by certain pre-appointed persons.

Information on whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to e

Information on whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data (information regarding how the personal data was obtained).

Information on whether the provision of personal data for processing in the personal data register of TUTTU net – Product Developer’s Test and Support Network – is a statutory or contractual requirement, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data. An account has been given for each register regarding how the personal data was obtained.

No person is obligated to join the voluntary personal data register of TUTTU net – Product Developer’s Test and Support Network – with which TUTTU net activities and services are managed. The personal data saved in the register have mainly been obtained from the data subjects themselves.

Automated individual decision-making, including profiling

Data included in the personal data register of TUTTU net – Product Developer’s Test and Support Network – shall not be used for automated decision-making or profiling.