This Data Protection Policy imposes obligations on Hanken’s personnel (including administrative staff, teachers, and researchers), students, and other stakeholders and members of Hanken’s community to ensure compliance with data protection legislation.
In addition to this Data Protection Policy, Hanken has adopted a Code of Conduct and a Data Security Policy and Instruction, which together with this Policy constitute a cohesive whole.
The Data Protection Policy stipulates the following aspects of personal data processing at Hanken:
6. Enforcement and implementation
7. Personal data processing in studies and research
Hanken is committed to protecting the rights and freedoms of individuals. As a centre of knowledge-dissemination, academic learning, and scientific research, Hanken continuously processes a large amount of data in connection with studies, teaching, research, and administrative operations. The majority of such data is personal data relating to an identified or identifiable natural person.
The purpose of this Data Protection Policy is to set forth the data protection principles and obligations, roles and responsibilities, implementation procedures and operating models that shall be followed by Hanken’s personnel (including administrative staff, teachers, and researchers), students, and other stakeholders and members of Hanken’s community. The aim is to ensure compliance with the data protection regulations and laws that govern the processing of personal data, including the General Data Protection Regulation of the European Union (GDPR, 2016/679) and the Data Protection Act (1050/2018), and to maintain privacy as an enduring value and to ensure accountability through transparent, ethical, and justifiable uses of personal data.
This Data Protection Policy shall be complied with whenever personal data are processed for work-related purposes at Hanken, regardless of where such data are stored and who owns the equipment used in the processing.
This Policy shall also be followed whenever personal data are processed using Hanken’s materials, IT resources or human resources, regardless of whether the personal data are processed on behalf of Hanken. Hanken may not be the data controller in all cases.
Personal data refers to any information relating to an identified or identifiable natural person (data subject) and encompasses all data from which a natural person can be directly or indirectly identified (GDPR, Art. 4).
Direct identifiers are information that is sufficient on its own to identify a natural person. Examples are a person’s full name, personal identity code, email address containing the personal name, and biometric identifiers (e.g., fingerprint, facial image, voice pattern or manual signature).
Indirect identifiers are information that on its own is not enough to identify someone, but can be used to deduce the identity of a person when linked with other available information. Examples are a person's age, gender, educational background, economic activity, occupational status, socio-economic status, household composition, income, marital status, mother tongue, nationality, ethnic background, place of work or study, and postal code.
Strong indirect identifiers are information which can be used to identify an individual fairly easily, such as a postal address, phone number, vehicle registration number, bibliographic citation of a publication by the individual, email address not in the form of the personal name, web address to a web page containing personal data, very rare disease, unusual job title, position held by only one person at a time (e.g., chairperson in an organisation), a student ID number, insurance or bank account number, and IP address of a computer.
Special categories of personal data (sensitive personal data) include personal data that reveal a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation (GDPR, Art. 9). Personal data relating to criminal convictions and offences or related security measures are also, by their nature, particularly sensitive and merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms of the data subject (GDPR, Art. 10).
Processing of personal data refers to, for example, collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, combination, disclosure by transmission or transfers, dissemination or making data otherwise available, erasure and destruction of data.
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means (i.e., why and how) of the processing of personal data. The data controller is primarily responsible for compliance with data protection laws throughout the data life cycle.
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. The data processor does not determine the purposes and means of the processing of personal data and processes the personal data only on documented instructions from the controller.
Privacy notice (also called privacy statement or privacy policy) is a statement or legal document that provides sufficient and mandated information to the data subjects about whether, what, by whom, why and how their personal data are being collected, used, stored, disseminated or otherwise processed, as well as information on what rights the data subjects have pertaining to their personal data and how they can exercise these rights. A privacy notice fulfils the transparency requirement and the information provision obligation under the GDPR (Art. 12-14).
Record of processing activities is internal documentation and a written description of an organisation's processing operations performed on personal data under its responsibility, fulfilling the record-keeping accountability under the GDPR (Recital 82 and Art. 30), as well as the transparency requirement. As an integral part of demonstrating the organisation's accountability and compliance with the GDPR, data controllers and processors maintain records of processing activities and make the records available, on request, to the supervisory authorities/data protection authorities (DPAs).
The following personal data processing principles (GDPR, Art. 5 and Art. 25) shall be observed in all personal data processing activities by Hanken's personnel, students, and other members of Hanken’s community:
Lawfulness, fairness and transparency: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subjects.
Purpose limitation: Personal data may only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for scientific research purposes shall not be considered to be incompatible with the initial purposes.
Data minimisation: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy: Personal data shall be accurate and, where necessary, kept up to date. Inaccurate and incomplete information shall be erased or rectified without delay.
Storage limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures.
Integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Data protection by design and by default requires that technical and organisational measures are implemented at the earliest stages of the design of the processing activity, and that by default, personal data are processed with the highest privacy protection measures, for example, only the minimum necessary amount of data is collected and processed, the storage period is kept short, and access to the personal data is restricted.
In addition to legislation regarding the protection of personal data, Hanken is bound by the Act on the Openness of Government Activities (621/1999). According to the principle of public access, all information held by the university is public unless otherwise decreed. The Act determines the publicity of personal data and applies to the divulgence of personal data from the university’s personal data registers. In accordance with the Act, Hanken may be required to divulge information that includes personal data to third parties.
The whole school is responsible for the implementation of data protection legislation, Hanken's Data Protection Policy and Data Security Policy and Instruction. All employees, students and users of Hanken's systems and services are obligated to maintain and ensure data protection and information security. The following defines the roles and responsibilities:
As a privacy champion and proponent, the Research ethics committee not only provides guidance and supervision on ethical assessment and review, oversees responsible conduct of research and responsible evaluation of research, but also supports the application and implementation of the GDPR and fosters activities to elevate data protection as a core organizational value and asset.
The responsible person designates the contact person(s) for a given processing activity or personal data file(s) and the associated responsibilities. The same employee may assume both the role of responsible person and that of contact person. Responsible and contact persons shall complete the necessary training on data protection and information security before processing personal data.
When planning a processing activity and before data collection and processing, the responsible and contact persons shall consider, at least, the following obligations:
When collecting and processing the personal data, the responsible and contact persons shall fulfil, at least, the following obligations:
Secure data storage concerns data contained both in paper or other physical form and in digital form. When personal data are stored in manual materials (e.g., paper documents including registration or consent forms, agreements, contracts, reports and printouts with names, contact information or signatures), they should be kept in a secure place to prevent unauthorised access. For data in digital form, appropriate safeguard measures need to be implemented to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems to protect the personal data being stored, transferred, and processed.
To ensure the quality and consistency of personal data, the dates of data collection, retrieval, transfers, and changes are recorded, making all data-related actions traceable and repeatable. Data protection measures such as minimisation, pseudonymisation and anonymisation shall not affect data quality. In all conversions, preservation of the original information content must be ensured.
Inform data subjects of changes and update the privacy notice and documentation. If there are changes in personal data processing, for example, new processing purposes compatible with the initial purposes, or new recipients of the personal data, the privacy notice and other documentation need to be updated and the data subjects informed of the changes prior to the new processing.
After the processing activity is completed, the responsible and contact persons shall ensure, at least:
Accuracy of personal data: The responsible person and contact person ensure that the personal data they hold about individuals are accurate and up to date. Each employee, student, and visitor is responsible for reporting the errors if their personal data are not accurate and updated. Such reports and requests shall be responded to by the contact person without undue delay.
Data subjects’ requests: Hanken shall adopt appropriate procedures that facilitate the exercise of data subjects’ rights including providing privacy notices and responding to data subjects' requests to access, review, verify, correct, or erase their personal data and other requests concerning their personal data without undue delay and within one month of receipt of the request. There shall be mechanisms available for receiving and fulfilling data subject requests, for example, an online form or a dedicated contact email, phone number or physical address.
If the requests are complex or numerous, the contact person can reply that more time is needed to process them. In such cases, that one-month period may be extended by two further months. The contact person shall inform the data subject of such extension within one month of receipt of the request, together with the reasons for the delay.
If the contact person has reasonable doubts concerning the identity of the person who made the request, s/he can request the provision of additional information necessary to confirm the person's identity. If the data subject's request is refused, the contact person shall notify the data subject of this refusal within one month of receiving the request. The refusal shall be justified to the data subject. In addition, the contact person shall also inform the data subject of the possibility of lodging a complaint with the supervisory authority and the availability of judicial remedies.
After a data subject's request is verified and accepted, the corrections shall be made across all systems and with the third parties concerned. If the personal data have been transferred to other recipients or parties, all reasonable measures need to be taken to inform these parties about the requests for rectification, erasure or restriction of processing.
Make sure that the rights and freedoms of other individuals cannot be adversely affected by a data subject's request. Requests and actions taken are documented and recorded.
Retention periods of personal data: Personal data may generally be processed for as long as they are necessary to achieve the original purposes for which they were collected. When no longer needed for the original purposes, personal data should be disposed of as soon as possible unless there are special reasons or legislation that require archiving. Storage periods of the personal data collected and processed are based on current legislation and Hanken’s Records Management Plan. The criteria for determining the retention period shall be included in each privacy notice concerning a specific personal data file or processing activity. After the specified retention period ends, personal data shall be destroyed or anonymised in accordance with the archiving plan.
Outsourcing the processing of personal data: Hanken may outsource some of its processing activities to external data processors. Processing activities may only be outsourced to an external data processor which possesses and employs sufficient technical and organisational safeguard measures and ensures that all the personal data are processed in compliance with data protection laws, Hanken's data protection and data security policies and instructions and other operational requirements.
The person responsible for the relevant personal data and processing activities assesses the suitability of a proposed external processor. A Data processing agreement (DPA) shall be signed in order to stipulate the instructions for the intended outsourced processing activities. Hanken’s DPA templates are available here (Data Processing Agreement template and Data Processing Appendix template (as part of an Agreement)).
Transfers of personal data outside the EU and EEA: Special care shall be taken whenever personal data are transferred outside the European Union and the European Economic Area. Personal data may not be transferred outside the EU and EEA unless appropriate measures are in place to ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined. All the personnel and students processing personal data shall also ensure that the level of data security provided by, for instance, a cloud storage service they use is in accordance with the level required by the GDPR. Hanken follows the European Commission's Rules on international data transfers and the GDPR (Chapter V, Art. 44-50).
Personal data shall be processed lawfully, fairly and in a transparent manner to protect the fundamental rights and freedoms of research participants. Personal data collected and processed by students and researchers shall be protected with adequate organisational and technical measures to minimise the risk to the data subjects' rights and to prevent unauthorised access and use. Students and researchers who process data need to complete the necessary training on data protection and information security before processing personal data.
When personal data are collected and processed for studies, thesis-writing, and research projects, Hanken students and researchers shall follow the Guidelines and procedures of personal data processing in studies and research at Hanken in the LibGuide on Research data management (RDM) to maintain high ethical standards and comply with data protection laws. Students and researchers are responsible for fulfilling the requirements written down in the Guidelines, for example:
During the research planning phase, plan the entire life cycle of the research data and implement the data protection by design and by default principles.
It is highly recommended to write a Data management plan (DMP) which helps with the planning work as an essential tool for following good, responsible research practices. The DMP as a living document is updated continuously as the research project evolves.
Prior to personal data processing and data collection, evaluate risks to the research participants and carry out a Data protection impact assessment (DPIA) when needed. A DPIA shall be conducted by consulting Hanken's Data protection officer (DPO) who shall also monitor its performance (GDPR, Art. 35 and 39). Use Hanken's DPIA template (for studies and research).
For personal data processing in studies and research, data controllership shall be determined on a case-by-case basis, which is specified in the Guidelines.
Rely on at least one legal basis for collecting and processing personal data in studies and research, as specified in the Guidelines.
The flowcharts or stages outlined in Data management processes at Hanken in the RDM LibGuide provide practical guidance for students and researchers to complete various RDM tasks throughout the data life cycle. Note that there are two different data management processes with different instructions and templates for BSc/MSc/eMBA students and for researchers and PhD students, respectively.
Data security is one way of implementing data protection. Among other things, data security refers to organisational and technical measures to ensure the ongoing confidentiality, integrity, availability and resilience of data processing systems and to protect the rights and freedoms of the data subjects. It is essential to consider and ensure data security when personal data, special categories of personal data, or confidential data are processed. Hanken’s personnel, students, and other members of Hanken’s community shall comply with Hanken's Data Security Policy and Instruction.
Each of Hanken’s personnel, students, and other members of Hanken’s community is obligated to report actual or suspected personal data breaches in accordance with data protection regulations and laws, Hanken's Data Protection Policy and Data Security Policy and Instruction. Persons who notice that the processing of their personal data violates the legislation or Hanken's policies and instructions are advised to immediately contact Hanken's Data protection officer (DPO, dpo@hanken.fi, for privacy incidents and breaches) or Information security officer (datasakerhetschef@hanken.fi, for security incidents and breaches), so that actions can be taken to remedy the situation. They may also appeal to the Office of the Data Protection Ombudsman to review the lawfulness of the data processing activities.
If a data breach is likely to result in a risk to the rights and freedoms of data subjects, Hanken's Data protection officer (DPO) shall notify the breach to the Office of the Data Protection Ombudsman without undue delay and not later than 72 hours after becoming aware of it (GDPR, Art. 33). If a data breach is likely to result in a high risk to the rights and freedoms of data subjects, the affected data subjects shall be notified of the breach without undue delay in order to allow them to take the necessary precautions (GDPR, Recital 86 and Art. 34).
Hanken’s personnel, students, and other members of Hanken’s community are expected to be familiar with and comply with this Data Protection Policy and Hanken's Data Security Policy and Instruction. Staff and students who process data are required to complete the necessary training when their job duties, positions or studies at Hanken necessitate such training.
Training materials, code of conduct, policies and instructions, and other personal data protection documents will be made public on Hanken's website.
Failure to comply with data protection legislation and this Policy may lead to disciplinary or legal action.
After being reviewed by the Data protection management team, this Policy has been approved by the Rector for it to be binding for Hanken's personnel, students, and other members of Hanken's community from 25.5.2018 onwards.
Hanken's Data protection officer (DPO) is in charge of assessing possible amendment requirements and ensures that the Policy stays up to date.
For more information, contact Hanken's Data protection officer (DPO, dpo@hanken.fi).