Data protection practices in VTT research

In its research activities, VTT always processes personal data in accordance with the EU’s General Data Protection Regulation (679/2016, “GDPR”), the Data Protection Act (1050/2018) and other special legislation applicable on a case-by-case basis to the processing of personal data. Reliable operations in accordance with data protection principles and legislation are an integral part of our scientific research activities.

In research, personal data may be part of the research data, but personal data may also be otherwise necessary for carrying out research. The personal data of persons participating in a study in different ways (e.g., study participants, interviewees and specialists) may need to be processed in the study, even if the personal data are not actually the subject of the study. The content and categories of personal data vary greatly depending on the research topic. 

Personal data are collected directly from data subjects and other sources (e.g., contact information for interview invitations). Personal data can only be collected for research purposes, but in research purposes it is possible to also process personal data whose primary purpose was originally not the research. Processing for the purposes of scientific research may be compatible with the original processing in accordance with the so-called “appropriate safeguards”, which allows such secondary processing. In the secondary use of social and health data, the Act on the Secondary Use of Social and Health Data (552/2019) is complied with.

VTT has varying roles in the processing of research personal data. The role is clarified for each processing purpose and may even vary in different tasks and research sections of the research project.

In its research, VTT may be a controller or joint controller. This applies especially to research funded by VTT itself and to publicly funded research. This typically includes Business Finland joint actions and projects that produce public research results, research projects funded by the European Commission (H2020, HEU) and other similar research projects in which VTT is the recipient of funding. Joint controllers with VTT may include research partners and consortium parties of the same research, with which VTT has jointly planned the study and committed to carrying it out, and thus also determined the purpose of the processing of personal data. The research and its parties are presented on the project website and in information sheet of the research.

At times in a research project, VTT is a processor of personal data that processes personal data on behalf of the controller and in accordance with its instructions. This situation is particularly typical in a VTT customer research projects, where the customer is often the controller. As a general rule, the controller is primarily in contact with the data subjects and responds to requests for the implementation of their rights. In such a situation, information on the processing of personal data and the implementation of data subjects’ rights can be found, for example, on the customer’s website or in the information otherwise made available to data subjects by the customer. The privacy notice found on VTT’s website does not apply to processing purposes other than those included in VTT’s role as a controller.

If personal data are collected from the data subject, the processing is already communicated in connection with the collection. If the information originates from a party other than the data subject, the information will be provided at the latest when the processing is initiated. However, an exception to the obligation to provide information may be made if it is not possible to provide information or if it would require unreasonable effort due to, for example, the lack of contact information and identification data. In this case, the processing of personal data is communicated by publishing a research-specific privacy notice on the website or by following the general privacy notice for VTT research activities.

The general privacy notice for research activities is not used when processing special categories of personal data (GDPR article 9) or information on criminal convictions or infringements (GDPR article 10). When VTT processes these in its research, a separate privacy notice is applied.

As a controller, VTT typically processes personal data on the following legal grounds: task carried out in the public interest, scientific research (GDPR article 6(e)) and article 4 of the Data Protection Act), consent of the data subject (GDPR article 6(a)) and legitimate interest of the controller (GDPR article 6(f)). In connection with contractual services provided by VTT to data subjects and other processing tasks in connection with a contract, the legal basis may be a contract (GDPR article 6(b)).

It should be noted that VTT may have requested consent from the subject for reasons other than the processing of personal data, and even in this case, the processing of personal data may be based on legal grounds other than consent. Consent to participate may be requested for reasons such as research ethics.

If a party other than VTT is the controller (e.g., VTT’s customer), the legal basis specified and reported by the controller is applied.

The rights of the data subject depend on the legal basis of the processing. In research, it is possible to restrict the rights of data subjects for a justified reason, but this is exceptional. If it is not possible to identify the data subject (e.g., pseudonymised data), certain rights of the data subjects will not apply (GDPR article 11) unless the data subject provides additional information for identification. The application of restrictions and rights is always checked on a case-by-case basis.

You can check the applicable rights here: https://tietosuoja.fi/en/what-rights-do-data-subjects-have-in-different-situations

As a general rule, the contact person for the project at VTT is the right person to answer questions concerning data protection and the implementation of the data subjects’ rights. However, you can always contact VTT’s data protection specialists (data protection officer and information security manager and their substitutes): [email protected]