Research Data Management: About data protection

Data protection in research

Most research at Hanken includes processing and storing personal data. There are several mandatory legal and ethical requirements that every researcher must meet when handling personal data. The core requirements for data protection are described in Hanken's Privacy Policy.

Generic principles

Personal data is any information relating to an identified or identifiable natural person. Examples of personal data can include, but are not limited to, name, address, email address, IP address, picture, and personal identity code.

The main principles of data protection laws state that personal data must be processed lawfully, fairly and in a transparent manner to protect the rights of the data subjects. Furthermore, personal data must be

  • collected and processed for a specific and lawful purpose;
  • collected only to the extent necessary with regard to the purpose of the processing;
  • updated when required ‒ inaccurate personal data must be erased or rectified without delay;
  • kept in a form which only permits the identification of data subjects for as long as is necessary for the purposes of processing the personal data; and
  • processed confidentially and securely.

The most important data protection laws for researchers at Hanken are the European Data Protection Regulation 2016/679 and the Finnish Data Protection Law.

A data subject is any person whose personal data is being collected, held or processed.

Rights of the data subjects include:

  • to obtain information on the processing of their personal data
  • to access their data
  • to rectify their data
  • to erase their data and to be forgotten
  • to restrict the processing of their data
  • data portability
  • to object to the processing of their data
  • not to be subject to a decision based solely on automated processing.

In addition to data subjects, there are two other fundamental roles in data protection: data controllers and data processors.

A data controller determines the purposes for which and the means by which personal data is processed. Hanken is, for example, a data controller when providing higher education for its students.

A data processor processes personal data only on behalf of the controller. The data processor is usually an external third party, for example a cloud service provider who provides online services for Hanken. According to data protection laws, a data controller is required to sign Data Protection Agreements with its data processors to ensure the protection of outsourced processing and storing of personal information.

The alternative lawful purposes for collecting and processing personal data are:

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public tasks
  • Legitimate interests

More information about the main principles of data protection can be found in Data protection principles by the Office of the Data Protection Ombudsman.

In case of a personal data breach in Finland, the Office of the Finnish Data Protection Ombudsman must be notified within 72 hours by Hanken's Data Protection Officer (dpo@hanken.fi).

Applying data protection

In most cases, the obligations of the Data Controller are shared between the individual researcher or the principal investigator and Hanken. This implies a need for joint and shared measures to inform the data subjects, define the legal basis for processing, protect the personal data, and keep records of processing activities.

The lawful purpose for processing personal data in research at Hanken is normally public tasks (scientific research) or consent of the data subjects. If the research cannot be defined as scientific research that aims at publications for the advancement of science or at training in scientific methods, consent must be obtained from the data subjects. Model templates for collecting consent are available on the privacy pages at www.hanken.fi/privacy (requires login).

To inform the data subjects about their rights, the researcher should use the wording of the templates mentioned above. The most important issues are that the data subjects

  • are aware that their personal data is processed and stored by the researcher.
  • can contact the researcher to use their rights (see above), for example to have their data erased.
  • are informed that their personal data is protected according to the Privacy Policy of Hanken.
  • can contact the Data Protection Officer of Hanken if they have complaints or further questions.

To register the legal basis and to keep records of processing activities, Hanken has developed e-forms and templates:

With the help of these forms and templates, Hanken and the researcher can show compliance with the data protection laws.

Additional resources

Help and support

You can contact the Data Protection Officer of Hanken (dpo@hanken.fi) for advice regarding data protection.