Privacy notice of the event register

1. Name of the register

Event register

2. Data Controller

University of Turku

Postal address: Turun yliopisto, FI-20014 TURUN YLIOPISTO
Email: kirjaamo@utu.fi
Telephone: +358 29 450 5000 (operator)
www.utu.fi/en

3. Purpose of processing personal data

Personal data is collected from participants when registering for events, activities, and training organised by the controller.

The processing of personal data is necessary for the organisation of events, maintaining participant data, the collection of participant feedback, and the collection of billing data for paid events.

Information about participation in the event will be transferred to the stakeholder register of the University of Turku if the participant is already in the register, or they will be added to it during the event registration process. From the University's perspective, individuals listed in the register are considered to be in a customer or employee role in relation to the University's third mission, which is societal interaction. A person is included or will be included in the register due to their position, job role, or a significant stakeholder relationship from the University's perspective.

Personal data may also be processed to communicate the controller’s activities and for marketing services or events.

We only collect and process personal data that are necessary for managing and organising events.

Personal data will not be used for direct marketing purposes without the consent of the data subject.

Participation in events and activities organised by the controller is voluntary.

The main legislation applied on the processing of personal data:

• The General Data Protection Regulation of the EU (2016/679)
• Finnish Data Protection Act (2018/1050)
• Universities Act (2009/558).

4. Contact details of the person responsible for the register

Anne Paasi, Communications Director
Email: firstname.lastname@utu.fi

5. Contact information of the Data Protection Officer

DPO@utu.fi

More information about the University's Data Protection Officer

6. Outsourcing the processing of personal data by a commission agreement

The processing of the personal data of the persons in the event register is carried out using the tools of an external service provider or entirely by the service provider. In these cases, the processing of personal data in the register is outsourced by a commission agreement. The commissions may be related to the use of electronic information systems or to statistics, monitoring, communication, reporting and analysis relating to the controller's own activities.

External service providers process personal data on behalf of the controller to the extent required by the agreement. In addition, the commissions are related to maintaining the register's electronic information systems and servers as well as to expert support for applications.

The used external service providers:

• Microsoft Ireland Operations Limited (event management)
• Digia Finland Oy (Microsoft Dynamics consulting)
• Visma Aquila Oy (event registrations)
• Certia Oy (accounting of payments)
• Paytrail Oyj (payment service)

7. Lawful processing of personal data

The mission of the University is to promote independent academic research as well as academic and artistic education, and to provide research-based higher education. In carrying out their mission, the University shall promote lifelong learning, interact with the surrounding society and promote the social impact of university research findings and artistic activities (Universities Act, Section 2). In connection with these duties, the University organizes various events.

The processing of personal data is based on the performance of a task carried out in the public interest and in the exercise of public authority vested in the University. Processing may also be based on a contract formed between the registrant and the University through event registration, for the data necessary to fulfill that contract. In some cases, processing may be based on consent.

8.  Personal data contained in the register

Personal data is collected from persons who register to an event. The collected data may vary between different events. We collect and process the following categories of personal data:

• Participant’s personal data (first name, last name, language)
• Participant’s organisation (name, type, location, billing information)
• Prior information (expectations and other comments about the event) provided by the participant, based on their consent
• Other information related to the nature of the event (e.g. dietary restrictions), based on the participant’s consent
• Service usage data (permissions and consents, cookie data, log data, session IDs, IP addresses).

Participants may be requested to provide various background information, such as age, gender, contact details (address, phone number, email). In addition, participants may also enter direct or indirect personal data in the open prior information fields, even if they are not asked to do so. All information collected during registration will be treated confidentially.

If the data subject does not provide the required data regarding the registration to the event, the data controller cannot accept the registration of the data subject or commit to the agreement between the data controller and the data subject regarding the registration to the event.

If the controller produces statistics and reports of the events for other purposes than its own activities, they are produced at a general level that individual participants cannot be identified.

9. Photography and videography at events

Photos and/or video footage may be taken at events. These images/videos may be published on the University’s website, social media accounts, or other University-related publications. The publication of personal data in this context is based on the protection of freedom of expression and the freedom to disseminate information, and the processing of personal data solely for journalistic purposes or for academic, artistic, or literary expression. The images/videos will not be used for commercial purposes.

10. Manual (paper) records in the register

Participant records are retained in accordance with legislative or other external obligation (for example, terms stated by the funder of training), in compliance with the retention schedule and the retention period for documents.

Paper documents are stored in a carefully locked room.

11. Sources of data for the register

We collect and process personal data provided to us by the data subject when registering for an event.

Contact details may be checked from public sources.

As the processing is based on consent, the data subject has the right to withdraw their consent at any time, in which case the processing will be stopped and the personal data will be erased unless there is another legal basis for the processing. Withdrawal of consent does not affect the processing that took place before the withdrawal. To withdraw your consent, please contact crm@utu.fi.

12. Principles for the protection of personal data

The storage, archiving, destruction and other processing of data are steered with retention schedules and the information security and data protection guidelines. The register is protected with user identification and passwords as well as structural and group-specific authorisation. Only authorised persons have access to the electronically stored data in the register. Each person accepts the terms of use and confidentiality of data and information systems when they are granted user rights.

We take appropriate measures (including physical, digital and administrative measures) to protect personal data against loss, destruction, misuse, and unauthorised access or disclosure.

13. Disclosure of personal data in the register

As a rule, the information in the event register is not disclosed outside the University.

However, we may disclose personal data to third parties

• when our partners process personal data on our behalf by commission and in accordance with our instructions
• when we consider that disclosure is necessary for the exercise of our rights, the protection of our security, the investigation of misconduct or in response to a request from a public authority, in connection with legal proceedings or at the request of a public authority or otherwise as required or permitted by law.

The controller may disclose necessary data only to a partner with whom the controller has a valid and appropriate agreement for the processing of personal data.

Otherwise, data may be disclosed only with the consent of the data subject, or

1. to an authority that has the legal right to it
2. to an authority funding the activity for reporting.

Basis for disclosure: related legislation and regulations and the data subject's consent.

14. Transfer of data from the register to a third country

Personal data are stored in the EU and the European Economic Area. The electronic information system of the event register uses applications provided by Microsoft, whose services are mainly provided within the EU. Limited access to the data is available from outside the EEA. The legality of such transfers of personal data is based on the European Commission's decision on the adequacy of data protection in the United States when data are transferred to a certified company in the United States, such as Microsoft. Microsoft is committed to complying with the transfer mechanisms and safeguards set out in the GDPR for any transfers of data to third countries.

15. Determining the retention period of personal data

Personal data will only be retained for as long as necessary to fulfil the purposes of use specified in this notice.

Personal data and other registration data related to the event is stored in the register for 2 years after the end of the event or training, after which it is deleted or anonymised.

Personal data can be stored longer than 2 years if there is a legislative or other obligation originating from outside the University (for example, terms stated by the funder of training) which requires a longer retention period for personal data.

The University only retains data that are necessary for its activities and purposes and for which there are legal grounds for processing. Data are anonymised or securely destroyed when they have become redundant, obsolete or when there is no longer justification for their processing, or when the data subject asks for the deletion of their personal data/withdraws consent.

The use of the service creates log entries which are used for ensuring the information security of the service, developing the technology of the service, and for detecting, preventing and solving technical faults or errors. The logs are retained for these purposes for the required time period and they will not be used for any other purposes.

The data are retained in a secure environment for the period of time required by the retention schedule and legislation (e.g. for accounting and reporting obligations, for legal proceedings or similar dispute resolution), in compliance with the retention period for documents.

16. Rights of the data subject

The General Data Protection Regulation of the EU gives various rights to data subjects whose personal data is processed. The rights apply differently depending on the basis on which the personal data are processed.

As a data subject, you have the right to know whether your personal data are being processed and what personal data are being processed, to request information about yourself, to request that inaccurate personal data are corrected and, in certain circumstances, to object to the processing of your personal data and to have your personal data erased. You also have the right to cancel the consent you have given if the processing of personal data is based on consent. More information on your rights.

17. Cookies

When you visit our website, the website stores cookies, i.e. small pieces of text, on your device.

You can give your consent for using the cookies on our website.

18. Amendments to the notice

The controller reserves the right to amend this notice. We will announce any amendments on our website www.utu.fi, where you can find the latest version of this notice.