1. For determining data controllership: The supervisor helps a BSc/MSc/EMBA student in determining data controllership of personal data processing for the student's study or thesis-writing. Since a thesis is made under supervision, it is the supervisor’s task to make the student aware of the obligations connected with the role as the data controller.
- When collecting and processing personal data independently for his/her thesis, the BSc/MSc/EMBA student is considered to be the data controller and is primarily responsible for compliance with data protection laws throughout the data life cycle.
- If the study by a BSc/MSc/EMBA student is conducted under an employment contract with Hanken or as part of a Hanken research project, Hanken is the data controller.
- If the study is commissioned by a company/organization, usually the company/organization is the data controller.
- There are also cases where joint controllership needs to be defined for the personal data processed for a student's study or thesis-writing.
2. For choosing the legal basis for processing personal data: The supervisor helps a BSc/MSc/EMBA student in choosing the legal basis for processing personal data for the student's study or thesis-writing and instructs him/her to use different templates.
- The lawful ground for processing personal data for a thesis by a BSc/MSc/EMBA student is usually consent. When consent is used as the legal basis, the student needs to obtain the respondents' consent to the processing of their personal data. The supervisor instructs the student to use Hanken's Consent to the processing of personal data template (in English, in Finnish or in Swedish) to obtain consent from the respondents/informants/research participants/data subjects.
- If the student is a member of a research project where one or more researchers (at the PhD level or above) are involved, scientific research carried out in the public interest is used as the legal basis. The student needs to obtain informed consent from the research participants, which is required by ethics, for example, TENK's guidelines. The supervisor instructs the student to use Hanken's Informed consent template (in English, in Finnish or in Swedish) to obtain informed consent. This consent (to participate in the research, required by ethical standards) is different from consent (to personal data processing, as a legal basis under the GDPR).
3. For the e-form privacy notice: All Hanken students need to fill in the e-form The Study's Privacy Notice (in English, in Finnish or in Swedish). After the student submits the e-form, both the student and supervisor will get a summary email. The summary email is to be used as proof of data protection actions on which the AoL-grading of the thesis is based. When filling in the form, the students will get instructions regarding:
- How to edit the downloaded file so it can be suitable for the respondents.
- Providing the Privacy notice to the respondents to fulfil the information provision obligation.
- How to store the data securely. Students use the IT systems provided by Hanken (e.g. OneDrive for Business, Office 365, Webropol, SPSS). If a student plans to store the data somewhere else, s/he is asked to submit the Data processing agreement (DPA) with the service provider after the matter has been discussed with the supervisor or with Hanken’s Data protection officer (DPO, dpo@hanken.fi).
- Erasing all the personal data after the thesis has been graded and approved. Data in Webropol will be erased by the IT services shortly after the student's user ID is inactivated after graduation.
4. For ethical review: If the student's study is one of the six types described in Ethical Review, s/he shall request an ethical review statement from Hanken’s Research Ethics Committee. The supervisor and the student fill in the request form together. Be aware that the processing of the request will take at least two or three weeks.
5. For conducting a Data protection impact assessment (DPIA): If the student has chosen data obtained in trust and confidence, special categories of personal data, or large amounts of data (e.g., more than 500 respondents), or has children or other vulnerable data subjects involved, the supervisor needs to have a discussion with the student.
6. For course assignments: the assignment/course teacher/instructor fills in and submits one e-form for the assignments of all the students or student groups.
- The teacher/instructor shall inform the students of this e-form, instruct them to provide the Privacy notice to the respondents, and instruct them to erase the personal data within 6 or 12 months after the completion of the course.
- If the students collect special categories of personal data or large amounts of data (e.g., more than 500 respondents), or have children or other vulnerable data subjects involved, each student/student group should fill in a form on their own.