Privacy notice of the newsletter subscriber register
1. Name of the register
Newsletter subscriber register
2. Data Controller
University of Turku
Postal address: Turun yliopisto, FI-20014 TURUN YLIOPISTO
Email: kirjaamo@utu.fi
Telephone: +358 29 450 5000 (operator)
www.utu.fi/en
3. Purpose of processing personal data
The University of Turku publishes electronic newsletters, which can be subscribed to on the University's website. Personal data is only used for sending newsletters.
The newsletter is used for sharing information about the University's research, education, societal interaction, and related events. Being in the register and receiving messages/invitations does not oblige the subscriber to participate but enables it.
We only collect and process personal data that are necessary for sending newsletters.
Personal data will not be used for direct marketing purposes without the consent of the data subject.
The main legislation applied on the processing of personal data:
- The General Data Protection Regulation of the EU (2016/679)
- Finnish Data Protection Act (2018/1050)
- Universities Act (2009/558).
4. Contact details of the person responsible for the register
Anne Paasi, Communications Director
Email: firstname.lastname@utu.fi
5. Contact information of the Data Protection Officer
More information about the University's Data Protection Officer
6. Outsourcing the processing of personal data by a commission agreement
The processing of the personal data of the persons in the newsletter subscriber register is carried out using the tools of an external service provider or entirely by the service provider. In these cases, the processing of personal data in the register is outsourced by a commission agreement. The commissions may be related to the use of electronic information systems or to statistics, monitoring, communication, reporting and analysis relating to the controller's own activities.
External service providers process personal data on behalf of the controller to the extent required by the agreement. In addition, the commissions are related to maintaining the register's electronic information systems and servers as well as to expert support for applications.
We use the following service providers to process personal data:
- Microsoft Ireland Operations Limited
- Emaileri Oy
- Digia Finland Oy (Microsoft Dynamics consulting)
7. Lawful processing of personal data
Subscription to the newsletter is based on the consent of the data subject. Each subscriber gives consent to the processing of data when subscribing to the newsletter
The data in the register will not be used for automated individual decision-making, including profiling.
8. Personal data contained in the register
Name and email address are stored of the newsletter subscribers as mandatory information. We may also process additional information provided by the data subject which is necessary for targeting the newsletter.
The service also collects data on, for example, the opening rate of the newsletter, which can be used to target automated messages to subscribers.
If the controller produces statistics and reports for other purposes than its own activities, they are produced at a general level so that individual subscribers cannot be identified.
9. Sources of data for the register
We collect and process personal data provided to us by the data subject when subscribing to the newsletter.
Data is not collected from other sources.
As the processing is based on consent, the subscriber can cancel the subscription with each newsletter, in which case the processing will be stopped and the personal data will be erased unless there is another legal basis for the processing. Withdrawal of consent does not affect the processing that took place before the withdrawal. To withdraw your consent, please contact communications@utu.fi
10. Principles for the protection of personal data
The storage, archiving, destruction and other processing of data are steered with retention schedules and the information security and data protection guidelines. The register is protected with user identification and passwords as well as structural and group-specific authorisation. Only authorised persons have access to the electronically stored data in the register. Each person accepts the terms of use and confidentiality of data and information systems when they are granted user rights.
We take appropriate measures (including physical, digital and administrative measures) to protect personal data against loss, destruction, misuse, and unauthorised access or disclosure.
11. Disclosure of personal data in the register
As a rule, the information in the newsletter subscriber register is not disclosed outside the University.
However, we may disclose personal data to third parties
- when our partners process personal data on our behalf by commission and in accordance with our instructions
- when we consider that disclosure is necessary for the exercise of our rights, the protection of our security, the investigation of misconduct or in response to a request from a public authority, in connection with legal proceedings or at the request of a public authority or otherwise as required or permitted by law.
The controller may disclose necessary data only to a partner with whom the controller has a valid and appropriate agreement for the processing of personal data.
Otherwise, data may be disclosed only with the consent of the data subject or to an authority that has the legal right to it.
Basis for disclosure: related legislation and regulations and the data subject's consent.
12. Transfer of data from the register to a third country
Personal data are stored in the EU and the European Economic Area. The electronic information system of the newsletter subscriber register uses applications provided by Microsoft, whose services are mainly provided within the EU. Limited access to the data is available from outside the EEA. The legality of such transfers of personal data is based on the European Commission's decision on the adequacy of data protection in the United States when data are transferred to a certified company in the United States, such as Microsoft. Microsoft is committed to complying with the transfer mechanisms and safeguards set out in the GDPR for any transfers of data to third countries.
13. Determining the retention period of personal data
Personal data will only be retained for as long as necessary to fulfil the purposes of use specified in this notice. Personal data will be stored for as long as necessary to send the newsletter (until the subscription is cancelled or the newsletter service ceases to exist).
The University only retains data that are necessary for its activities and purposes and for which there are legal grounds for processing. Data are anonymised or securely destroyed when they have become redundant, obsolete or when there is no longer justification for their processing, or when the data subject asks for the deletion of their personal data/withdraws consent.
The use of the service creates log entries which are used for ensuring the information security of the service, developing the technology of the service, and for detecting, preventing and solving technical faults or errors. The logs are retained for these purposes for the required time period and they will not be used for any other purposes.
The data are retained in a secure environment for the period of time required by the retention schedule and legislation (e.g. for accounting and reporting obligations, for legal proceedings or similar dispute resolution), in compliance with the retention period for documents.
14. Rights of the data subject
The General Data Protection Regulation of the EU gives various rights to data subjects whose personal data is processed. The rights apply differently depending on the basis on which the personal data are processed.
As a data subject, you have the right to know whether your personal data are being processed and what personal data are being processed, to request information about yourself, to request that inaccurate personal data are corrected and, in certain circumstances, to object to the processing of your personal data and to have your personal data erased. You also have the right to cancel the consent you have given if the processing of personal data is based on consent. More information on your rights.
15. Cookies
When you visit our website, the website stores cookies, i.e. small pieces of text, on your device.
You can give your consent for using the cookies on our website.
16. Amendments to the notice
The controller reserves the right to amend this notice. We will announce any amendments on our website www.utu.fi, where you can find the latest version of this notice.