Privacy Notice of Konsta, the Contact and Event Management System

The EU General Data Protection Regulation, articles 13 and 14

Identity and Contact Information of the Data Controller 
University of Turku 
Address: University of Turku, FI-20014 TURUN YLIOPISTO
Telephone: +358 29 450 5000 (operator) 

Contact information of the Data Protection Officer
Further information:

Contact information for matters regarding the use of the register 
University of Turku 
Development Services/Engagement and Impact

Purpose and legal basis for the processing of personal data 

Konsta, the Contact and Event Management System, consists of the contact register (CRM) and the event management of the University of Turku.
The contact register stores data of the various stakeholder groups of the University of Turku (e.g. alumni, partners, customers) in order to ensure the quality and improvement of societal interaction and impact, diverse co-operation, and the chargeable services of the University of Turku.
Event management is used in collecting registration data related to events organised by the University of Turku as well as managing the registrations, and for communication and marketing purposes related to these events.
In addition, data related to personnel training organised by the University of Turku is stored in Konsta. 

The legal basis for processing personal data varies between registers. The legal basis is disclosed in the privacy notices of each register.

Links to the privacy notices of the registers maintained in Konsta
The contact register and event management maintained in Konsta are constructed of several registers containing personal data. Each register has its own privacy notice. The notices include a more specific description of the information that is required in accordance with the informing obligation stated in articles 13 and 14 of the EU General Data Protection Regulation. 

Rights of the data subject 
The data subject has the right to access their personal data retained by the Data Controller, the right to rectification or erasure of data, and the right to restrict or object the processing of data, and the right to transfer the data from one controller to another. 

In so far as the processing of personal data is based on the consent of the data subject, the data subject has the right to cancel the consent at any time without any effect on the legality of the processing that has occurred before the cancellation. 

The data subject has the right to make a complaint with the supervisory authority. 

The rights of the data subject may vary between registers. The rights of the data subject have been disclosed in closer detail in the privacy notices of each register (links above). 

The scope of the rights of the data subject is connected to the legal basis for processing personal data. If, for example, the legal basis for processing personal data is the legitimate obligation of the data controller, the data subject cannot ask for the erasure of data.

The contact person in matters regarding the rights and obligations of the data subject is the Data Protection Officer, whose contact information is listed at the beginning of this privacy notice. 

Log entries
The use of the service creates log entries which are used for ensuring the information security of the service, developing the technology of the service, and for detecting, preventing or investigating technical faults or errors (Sections 138,141,144, and 272 of the Information Society Code (917/2014)). The logs are retained for these purposes for the required time period and they will not be used for any other purposes. 

Principles for the protection of personal data
The registered data is stored according to the best practices, good information security and legislative regulations so that it is protected from external parties. The register is protected with user identification and passwords as well as structural and group-specific authorisation. The personal data registers can be accessed only by members of personnel who require the use of personal data for performing their work tasks. The system can be accessed only through a protected network connection. 
An agreement on the terms regarding the processing of personal data, which is in accordance with the EU Data Protection Regulations, has been made with the system supplier (eTaika Oy).