Privacy notice of the donor register
1. Name of the register
Donor register
2. Data Controller
University of Turku
Postal address: Turun yliopisto, FI-20014 TURUN YLIOPISTO
Email: kirjaamo@utu.fi
Telephone: +358 29 450 5000 (operator)
www.utu.fi/en
3. Purpose of processing personal data
The University of Turku maintains a register of the persons and organisations who have provided their personal data when making a donation.
The purpose of processing personal data is to maintain and develop the University’s relationship with its supporters. The processing of the necessary personal data is an essential condition for managing the donor relationship.
The basis for the processing of personal data is the donor relationship which is created when the donation is made.
The personal data are used for contacting the donors in matters such as sending newsletters for donors and sending invitations to stakeholder events. In addition, the data related to donations are used in governmental matched funding campaigns to monitor that the conditions of the matched funding campaign are complied with. Information on donations can also be used for historical research.
Donations can be made by companies, communities and individuals. You can make a donation with a deed of donation or with an online donation form. Donations made online are paid using an online payment service (e.g. Paytrail), either through online banking or with the most common credit cards. An electronic receipt of the donation is issued after the transaction is complete.
We only collect and process personal data that are necessary for processing donations and managing the donor relationship.
Personal data will not be used for direct marketing purposes without the consent of the data subject.
The main legislation applied to the processing of personal data:
- The General Data Protection Regulation of the EU (2016/679)
- Finnish Data Protection Act (2018/1050)
- Universities Act (2009/558).
4. Contact person(s) of the register:
Laura Kopu, Development Specialist
Email: firstname.lastname@utu.fi
5. Contact information of the Data Protection Officer
More information about the University's Data Protection Officer
6. Outsourcing the processing of personal data by a commission agreement
The processing of the donors’ personal data in the donor register may be carried out using the tools of an external service provider or entirely by the service provider. In these cases, the processing of personal data in the register is outsourced by a commission agreement. The commissions may be related to the use of electronic information systems or to statistics, monitoring, communication, reporting and analysis relating to the controller's own activities.
External service providers process personal data on behalf of the controller to the extent required by the agreement. In addition, the commissions are related to maintaining the register's electronic information systems and servers as well as to expert support for applications.
We use the following service providers to process personal data:
- Microsoft Ireland Operations Limited (donor register and University of Turku data warehouse)
- Certia Oy (accounting and invoicing of payments)
- Paytrail Oyj (payment service)
- iRaiser (online donations)
- Digia Finland Oy (Microsoft Dynamics consulting)
- Visma Aquila Oy (event registrations)
7. Lawful processing of personal data
The processing of personal data is based on the performance of a task carried out in the public interest and in the exercise of public authority vested in the University, and, regarding receipts, on the legal obligation of the controller.
The retention of both the deeds and the donor’s name and place of domicile is based on the performance of a task carried out in the public interest, historical research, and archiving carried out in the public interest.
The University of Turku and the data subject have a relationship based on the donation made by the data subject to the University of Turku.
Information about the donor may be disclosed and displayed permanently (e.g. displaying the donor’s name on the University’s website) if the data subject has given their consent when making the donation.
The data in the register will not be used for automated individual decision-making, including profiling.
8. Personal data contained in the register
We collect and process the following categories of personal data:
- The contact details of a private donor (first name, last name, email address, telephone number, postal address, postcode, town), and social security number if the value of the donation exceeds €850.
- Information on a corporate donor (company, business ID)
- Contact details of the contact person of the corporate donor (first name, last name, job title, telephone number, email address, postal address, postcode, town)
- Information about the donation (amount of the donation and possible target)
- Service usage data (permissions and consents, cookie data, log data, session IDs, IP addresses, payment transactions, and payment intermediary data).
If the controller produces statistics and reports for other purposes than its own activities, they are produced at a general level so that individual donors cannot be identified.
9. Sources of data for the register
We collect and process personal data provided to us when a donation is made with a deed of donation or electronic donation form.
Contact details may be checked from public sources.
10. Principles for the protection of personal data
The storage, archiving, destruction and other processing of data are steered with retention schedules and the information security and data protection guidelines. The register is protected with user identification and passwords as well as structural and group-specific authorisation. Only authorised persons have access to the electronically stored data in the register. Each person accepts the terms of use and confidentiality of data and information systems when they are granted user rights.
We take appropriate measures (including physical, digital and administrative measures) to protect personal data against loss, destruction, misuse, and unauthorised access or disclosure.
11. Disclosure of personal data in the register
As a rule, the information in the donor register is not disclosed outside the University.
However, we may disclose personal data to third parties
- to the extent permitted or required by law, such as providing the tax administration information about donations exceeding €850, complying with a request for information from a competent authority, or disclosing information for the purposes of legal proceedings
- when our partners process personal data on our behalf by commission and in accordance with our instructions
- when we consider that disclosure is necessary for the exercise of our rights, the protection of our security, the investigation of misconduct or in response to a request from a public authority, in connection with legal proceedings or at the request of a public authority or otherwise as required or permitted by law
- The Ministry of Education and Culture will be provided with the identification data of the donations for any governmental matched funding campaigns, in order to monitor compliance with the terms of the matched funding campaign.
The controller may disclose necessary data only to a partner with whom the controller has a valid and appropriate agreement for the processing of personal data.
Otherwise, data may be disclosed only with the consent of the data subject or to an authority that has the legal right to it.
Basis for disclosure: related legislation and regulations and the data subject's consent.
12. Transfer of data from the register to a third country
Personal data are stored in the EU and the European Economic Area. The electronic information system of the donor register uses applications provided by Microsoft, whose services are mainly provided within the EU. Limited access to the data is available from outside the EEA. The legality of such transfers of personal data is based on the European Commission's decision on the adequacy of data protection in the United States when data are transferred to a certified company in the United States, such as Microsoft. Microsoft is committed to complying with the transfer mechanisms and safeguards set out in the GDPR for any transfers of data to third countries.
13. Determining the retention period of personal data
Personal data will only be retained for as long as necessary to fulfil the purposes of use specified in this notice.
The donor’s name and place of domicile will be archived permanently. Personal data are stored for 10 years after the last donation, after which they are deleted or anonymised.
The University only retains data that are necessary for its activities and purposes and for which there are legal grounds for processing. Data that have become redundant or obsolete, or for which there is no longer justification for processing, are anonymised or securely destroyed.
The use of the service creates log entries which are used for ensuring the information security of the service, developing the technology of the service, and for detecting, preventing and solving technical faults or errors. The logs are retained for these purposes for the required time period and they will not be used for any other purposes.
The data are retained in a secure environment for the period of time required by the retention schedule and legislation (e.g. for accounting and reporting obligations, for legal proceedings or similar dispute resolution), in compliance with the retention period for documents.
14. Rights of the data subject
The General Data Protection Regulation of the EU gives various rights to data subjects whose personal data are processed. The rights apply differently depending on the basis on which the personal data are processed.
As a data subject, you have the right to know whether your personal data are being processed and what personal data are being processed, to request information about yourself, to request that inaccurate personal data are corrected and, in certain circumstances, to object to the processing of your personal data and to have your personal data erased. You also have the right to cancel the consent you have given if the processing of personal data is based on consent. More information on your rights.
15. Cookies
When you visit our website, the website stores cookies, i.e. small pieces of text, on your device.
You can give your consent for using the cookies on our website.
16. Amendments to the notice
The controller reserves the right to amend this notice. We will announce any amendments on our website www.utu.fi, where you can find the latest version of this notice.