Privacy notice of the stakeholder register
1. Name of the register
Stakeholder register
2. Data Controller
University of Turku
Postal address: Turun yliopisto, FI-20014 TURUN YLIOPISTO
Email: kirjaamo@utu.fi
Telephone: +358 29 450 5000 (operator)
www.utu.fi/en
3. Purpose of processing personal data
Personal data is collected in order to manage relations with the controller's customers and potential customers, and to develop the controller's own activities.
The purpose of processing personal data is to increase interaction and collaboration with internal and external customers and partners, and to promote the University’s societal interaction.
We only collect and process personal data that are necessary for maintaining customer relationships.
Personal data may be processed for the management, administration, development, communication and analysis of the customer relationship or other relevant relationship through various channels, including targeted measures in communication, marketing, surveys, and statistics.
Personal data may also be processed to communicate the controller’s activities and for marketing services, such as sending invitations to events organised by the University.
Personal data will not be used for direct marketing purposes without the consent of the data subject.
The main legislation applied to the processing of personal data:
- The General Data Protection Regulation of the EU (2016/679)
- Finnish Data Protection Act (2018/1050)
- Universities Act (2009/558).
4. Contact details of the person responsible for the register
Anne Paasi, Communications Director
Email: firstname.lastname@utu.fi
5. Contact information of the Data Protection Officer
More information about the University's Data Protection Officer
6. Outsourcing the processing of personal data by a commission agreement
The processing of the personal data in the stakeholder register may be carried out using the tools of an external service provider or entirely by the service provider. In these cases, the processing of personal data in the register is outsourced by a commission agreement. The commissions may be related to the use of electronic information systems or to statistics, monitoring, communication, reporting and analysis relating to the controller's own activities.
External service providers process personal data on behalf of the controller to the extent required by the agreement. In addition, the commissions are related to maintaining the register's electronic information systems and servers as well as to expert support for applications.
We use the following service providers to process personal data:
- Microsoft Ireland Operations Limited
- Digia Finland Oy (Microsoft Dynamics consulting)
7. Lawful processing of personal data
The processing of personal data is based on the performance of a task carried out in the public interest and in the exercise of public authority vested in the University.
From the University’s perspective, the persons in the register are in the position of a customer or an employee concerning the University’s third mission, societal interaction. The person has been included in the register due to their position, work task, or a stakeholder connection significant for the University.
The data in the register will not be used for automated individual decision-making, including profiling.
8. Personal data contained in the register
We collect and process the following categories of personal data:
- Personal data of the data subject (first name, last name, title, telephone number, email, home address)
- Person’s organisation (name, location, billing information)
- Additional information related to managing the customer relationship, such as
  - Stakeholder category (e.g. university rectors, members of parliament)
  - Information on actions (e.g. information on past contacts)
  - Other additional information related to managing the customer relationship, which is provided with consent
- Service usage data (permissions and consents, cookie data, log data, session IDs, IP addresses).
If the controller produces statistics and reports for other purposes than its own activities, they are produced at a general level so that individuals cannot be identified.
Some of the information comes from the data subject. The University of Turku also searches for information from public sources, such as online search engines and the Digital and Population Data Services Agency. We also retrieve information from the University's study and alumni registers and the University's event management system.
9. Manual (paper) records in the register
The register does not contain manual records.
10. Sources of data for the register
We collect and process personal data provided to us by the data subject when contacted.
Information is also obtained from people involved in advocacy, the Business Information System as well as from public sources and websites.
Contact details may be checked from public sources.
11. Principles for the protection of personal data
The storage, archiving, destruction and other processing of data are steered with retention schedules and the information security and data protection guidelines. The register is protected with user identification and passwords as well as structural and group-specific authorisation. Only authorised persons have access to the electronically stored data in the register. Each person accepts the terms of use and confidentiality of data and information systems when they are granted user rights.
We take appropriate measures (including physical, digital and administrative measures) to protect personal data against loss, destruction, misuse, and unauthorised access or disclosure.
12. Disclosure of personal data in the register
As a rule, the information in the stakeholder register is not disclosed outside the University.
However, we may disclose personal data to third parties:
- when our partners process personal data on our behalf by commission and in accordance with our instructions
- when we consider that disclosure is necessary for the exercise of our rights, the protection of our security, the investigation of misconduct or in response to a request from a public authority, in connection with legal proceedings or at the request of a public authority or otherwise as required or permitted by law.
The controller may disclose necessary data only to a partner with whom the controller has a valid and appropriate agreement for the processing of personal data.
Otherwise, data may be disclosed only with the consent of the data subject or to an authority that has the legal right to it.
Basis for disclosure: related legislation and regulations and the data subject's consent.
13. Transfer of data from the register to a third country
Personal data are stored in the EU and the European Economic Area. The electronic information system of the stakeholder register uses applications provided by Microsoft, whose services are mainly provided within the EU. Limited access to the data is available from outside the EEA. The legality of such transfers of personal data is based on the European Commission's decision on the adequacy of data protection in the United States when data are transferred to a certified company in the United States, such as Microsoft. Microsoft is committed to complying with the transfer mechanisms and safeguards set out in the GDPR for any transfers of data to third countries.
14. Determining the retention period of personal data
Personal data is stored in the register for two years or for as long as necessary to fulfil the purposes specified in this notice, or when the relationship with the data subject ends.
The University only retains data that are necessary for its activities and purposes and for which there are legal grounds for processing. Data are anonymised or securely destroyed when they have become redundant, obsolete or when there is no longer justification for their processing, or when the data subject asks for the deletion of their personal data/withdraws consent.
The use of the service creates log entries which are used for ensuring the information security of the service, developing the technology of the service, and for detecting, preventing and solving technical faults or errors. The logs are retained for these purposes for the required time period and they will not be used for any other purposes.
The data are retained in a secure environment for the period of time required by the retention schedule and legislation (e.g. for accounting and reporting obligations, for legal proceedings or similar dispute resolution), in compliance with the retention period for documents.
15. Rights of the data subject
The General Data Protection Regulation of the EU gives various rights to data subjects whose personal data is processed. The rights apply differently depending on the basis on which the personal data are processed.
As a data subject, you have the right to know whether your personal data are being processed and what personal data are being processed, to request information about yourself, to request that inaccurate personal data are corrected and, in certain circumstances, to object to the processing of your personal data and to have your personal data erased. You also have the right to cancel the consent you have given if the processing of personal data is based on consent. More information on your rights.
16. Cookies
When you visit our website, the website stores cookies, i.e. small pieces of text, on your device.
You can give your consent for using the cookies on our website.
17. Amendments to the notice
The controller reserves the right to amend this notice. We will announce any amendments on our website www.utu.fi, where you can find the latest version of this notice.