Skip to Main Content

Research Data Management

Instructions for supervisors

1. Data controllership:

  • When collecting and processing personal data independently for his/her thesis, the BSc/MSc/EMBA student is considered to be the data controller and is primarily responsible for compliance with data protection laws throughout the data life cycle. Since a thesis is made under supervision, however, it is the supervisor’s task to make the student aware of the obligations connected with his/her role as the data controller.
  • If the study by a student is conducted under an employment contract with Hanken or as part of a Hanken’s research project, Hanken is the data controller.
  • If the study is commissioned by a company/organization, usually the company/organization is the data controller.
  • There are also cases where joint controllership needs to be defined for the personal data processed for a student's study or thesis-writing.

2. Legal basis for processing personal data:

  • The lawful ground for processing personal data for a thesis by a BSc/MSc/EMBA student is usually consent. When consent is used as the legal basis, the student needs to obtain the respondents' consent to the processing of their personal data. The supervisor instructs the student to use Hanken's Consent to the processing of personal data template (in Englishin Finnish, in Swedish) to obtain consent from the respondents/informants/research participants/data subjects.
  • If the student is a member of a research project where one or more researchers (at the PhD level or above) are involved, scientific research carried out in the public interest is used as the legal basis. The student needs to obtain informed consent from the research participants, which is required by ethics, for example, TENK's guidelines. The supervisor instructs the student to use Hanken's Informed consent template (in Englishin Finnishin Swedish) to obtain informed consent. This consent (to participate in the research, required by ethical standards) is different from consent (to personal data processing, as a legal basis under the GDPR). 

3. All Hanken students need to fill in the e-form The Study's Privacy Notice (in Englishin Finnish, in Swedish). The e-form also functions as the Record of processing activities which fulfils the record-keeping accountability (GDPR, Art. 30). When filling in the form, the students will get instructions regarding:

  • How to edit the downloaded file so it can be suitable for the respondents.
  • Providing all the mandated information in the Privacy notice to the respondents to fulfil the information provision obligation (GDPR, Art. 12-14
  • How to store the data securely. Students use the IT systems provided by Hanken (e.g. OneDrive for Business, Office 365, Webropol, SPSS). If a student plans to store the data somewhere else, s/he is asked to submit the Data processing agreement (DPA) with the service provider after the matter has been discussed with the supervisor or with Hanken’s Data protection officer (DPO,
    • When it comes to direct identifiers including contact information, the student needs to know that these data should not be stored in the same file as other empirical data at any point. 
  • Erasing all the personal data after the thesis has been graded and approved. Data in Webropol will be erased by the IT services shortly after the student's user ID is inactivated after graduation.

4. After the student submits the e-form The Study's Privacy Notice, both the student and supervisor will get a summary email. The summary email is to be used as a proof of data protection actions on which the AoL-grading of the thesis is based.

5. If the student's study is one of the six types described in Ethical Review, s/he shall request an ethical review statement by Hanken’s Research Ethics Committee. The supervisor and the student fill in the request form together. Be aware that the processing on the request will take at least two or three weeks.

6. Carrying out a Data protection impact assessment (DPIA) when needed. If the student has chosen data obtained in trust and confidence, special categories of personal data, or large amounts of data (e.g., more than 500 respondents), the supervisor needs to have a discussion with the student.

7. For course assignments, the assignment/course teacher/instructor fills in and submits one e-form for the assignments of all the students or student groups.

  • The teacher/instructor shall inform the students of this e-form, instruct them to provide the Privacy notice to the respondents, and instruct them to erase the personal data within 6 or 12 months after the completion of the course.
  • If the students collect special categories of personal data or large amounts of data (e.g., more than 500 respondents), or if any direct identifier is gathered and stored by the students in the same file as the rest of the research data, each student/student group should fill in a form on their own.