Personal data is any information relating to an identified or identifiable natural person. Examples of personal data can include, but are not limited to, name, address, email address, IP address, picture, and personal identity code.
The main principles of data protection laws state that personal data must be processed lawfully, fairly and in a transparent manner to protect the rights of the data subjects. Furthermore, personal data must be
A data subject is any person whose personal data is being collected, held or processed.
Rights of the data subjects include:
In addition to data subjects, there are two other fundamental roles in data protection: data controllers and data processors.
A data controller determines the purposes for which and the means by which personal data is processed. Hanken is, for example, a data controller when providing higher education for its students.
A data processor processes personal data only on behalf of the controller. The data processor is usually an external third party, for example a cloud service provider who provides online services for Hanken. According to data protection laws, a data controller is required to sign Data Processing Agreements with its data processors to ensure the protection of outsourced processing and storage of personal information.
The alternative lawful purposes for collecting and processing are:
More information about the main principles of data protection can be found in Data protection principles by the Office of the Data Protection Ombudsman.
In case of a personal data breach in Finland, the Office of the Finnish Data Protection Ombudsman must be notified within 72 hours by Hanken’s Data Protection Officer (email@example.com).
In most cases, the obligations of the Data Controller are shared between the individual researcher or the principal investigator and Hanken. This means that joint and shared measures are needed to inform the data subjects, define the legal basis for processing, protect the personal data, and keep records of processing activities.
The lawful purpose for processing personal data in research at Hanken is normally public tasks (scientific research) or consent of the data subjects. If the research cannot be defined as scientific research that aims at publication for the advancement of science or at training in scientific methods, consent must be obtained from the data subjects. Model templates for collecting consent are available on the privacy pages at www.hanken.fi/privacy (requires login).
To inform the data subjects about their rights, the researcher should use the wording of the templates mentioned above. The most important issues are that the data subjects
To register the legal basis and to keep records of processing activities, Hanken has developed e-forms and templates:
With the help of these forms and templates, Hanken and the researcher can show compliance with the data protection laws.