Research Data Management

Instructions for supervisors

1. Data controllership:

  • When collecting and processing personal data independently for his/her thesis, the BSc/MSc/eMBA student is considered to be the data controller of the personal data and is primarily responsible for compliance with data protection laws throughout the data lifecycle. Since a thesis is made under supervision, however, it is the supervisor’s task to make the student aware of the obligations connected with his/her role as the data controller.
  • If the study by a BSc/MSc/eMBA student is conducted under an employment contract with Hanken, Hanken acts as the data controller.

2. Lawful basis for processing personal data:

  • The lawful basis for processing personal data in a thesis by a BSc/MSc/eMBA student is usually consent. When consent is used as the legal basis, the student needs to obtain the respondents' consent to the processing of their personal data. The supervisor needs to instruct the student to use Hanken's Consent to use and process personal data template to obtain consent from the respondents/informants/research participants/data subjects.
  • If the student is a member of a research project where more senior researchers (PhD level or above) are involved, scientific research carried out in the public interest is used as the legal basis. The student needs to obtain informed consent from the research participants, which is required by ethical standards, for example, TENK's guidelines. The supervisor instructs the student to use Hanken's Informed consent template to obtain informed consent from the research participants. This consent (to participate in the research, required by ethical standards) is different from consent (to personal data processing, as a legal basis under the GDPR).

3. All Hanken students need to fill in the e-form The Study's Privacy Notice which also functions as the Record of data processing activities fulfilling the record-keeping accountability (GDPR, Art. 30). When filling in the form, the student will get instructions regarding:

  • How to edit the downloaded file so that it is suitable for his/her respondents.
  • Providing all the mandated information in the Privacy notice to the respondents to fulfil the information provision obligation (GDPR, Art. 12-14).
  • How to store the data securely by using the IT systems provided by Hanken (e.g. OneDrive for Business, Office 365, Webropol, SPSS). If a student chooses IT systems not provided by Hanken and plans to store the data somewhere else, he/she is asked to submit the Data processing agreement (DPA) with the service provider after the matter has been discussed with the supervisor or with Hanken’s Data protection officer (DPO,
  • Erasing all the personal data after the thesis has been graded and approved. Data in Webropol will be erased by the IT services shortly after the student's user ID is inactivated due to examination.
  • If the student has chosen direct identifiers, data obtained in trust and confidence, special categories of personal data, or large amounts of data (e.g., more than 500 respondents), the supervisor needs to have a discussion with the student.

4. After the student submits the e-form, both the student and supervisor will get a summary email. The summary email is to be used as proof of data protection actions on which the AoL-grading of the thesis is based.

5. If the student's study is one of the six types described in Ethical Review, the student shall fill in the ethical review request e-form and submit it to Hanken’s Research Ethics Committee. The supervisor and the student should fill in the request form together and be aware that the processing of the request will take at least two or three weeks.

6. For course assignments, the assignment/course teacher/instructor fills in and submits one e-form for the assignments of all the students or student groups.

  • The teacher/instructor shall inform the students of this e-form, instruct them to provide the Privacy notice to the respondents, and instruct them to erase the personal data within 6 or 12 months after the completion of the course.
  • If the students collect special categories of personal data or large amounts of data (e.g., more than 500 respondents), or if any direct identifier is gathered by the students and stored in the same file as the rest of the research data, each student/student group should fill in a form on their own.