Privacy notice for VTT research activities

This notice is provided in accordance with the EU General Data Protection Regulation (2016/679, “GDPR”) and applicable national legislation (including the Finnish Data Protection Act 1050/2018). Version 1.0. The privacy notice may be updated from time to time, and data subjects are requested to review the current information in this document.

1. Name and purpose of processing

VTT research activities and research project management.

This privacy notice is used to communicate VTT general research data protection practices. Any project-specific privacy information will precede and prevail over this privacy notice.

The purpose of processing and details of the research are specified in the other documentation referring to this privacy notice (e.g., information sheet, invitation letter, research website, consent form).

2. Controller(s), data protection officer and contact person

VTT Technical Research Centre of Finland Ltd (“VTT”), business ID: 2647375-4, Tekniikantie 21, 02150 Espoo

Contact details of VTT’s data protection officer:

Address: VTT Technical Research Centre of Finland Ltd., Register Office, P.O. Box 1000, FI-02044 VTT, Finland
E-mail: [email protected] (data protection officer and information security manager and their substitutes)

In addition to VTT, joint controllers and/or other independent controllers may participate in determining the purpose of the processing. In particular, joint controllers may be the consortium parties of a joint action, research project or ecosystem and, in some cases, the financiers. Any joint controllers and their contact details are specified in other documentation referring to this privacy notice. Unless otherwise communicated, VTT is the primary contact point towards data subjects and coordinates the activities of other joint controllers.

3. Data subject and personal data categories

Category of data subjects: Research participant (e.g. interviewee, other person participating in the study, subject of a database study)
Categories of personal data:

  1. Name (first name, last name), organisation, position and role in the organisation, demographic data and contact details (e.g. e-mail address, telephone number)
  2. The data accumulated in the research (e.g., opinions of the interviewed specialist, survey results, measurement data accumulated from the performance of the research task, photograph, interview video or other recording)

Category of data subjects: Member of an advisory group or other body (e.g., member of steering group, member of specialist panel)
Categories of personal data:

  1. Name (first name, last name), organisation, position and role in the organisation and contact details (e.g. e-mail address, telephone number)
  2. The data accumulated in the research (e.g., information on a person’s participation, subject of interest and expertise, topic)

Category of data subjects: Other representatives of research stakeholders (e.g., representatives of utilising organisations)
Categories of personal data:

  1. Name (first name, last name), organisation, position and role in the organisation and contact details (e.g. e-mail address, telephone number)
  2. Material accumulated in the research (e.g., information on a person’s participation, subject of interest and expertise, topic)

4. Purpose of processing and legal basis

Category of data subjects: Research participant (e.g. interviewee, other person participating in the study, data subject of a register research, representative of a utilising organisation)

Purpose of processing and legal basis:

Research:

a) public interest, scientific research, article 6(e) of the GDPR and section 4 of the Data Protection Act (joint or self-funded research, see information sheet);
b) the consent of the data subject, article 6(a) of the GDPR (on request); or
c) the legitimate interest of the controller, article 6(f) of the GDPR (see study bulletin).

Publishing the name and information of the interviewed person:

a) the consent of the data subject, article 6(a) of the GDPR; or
b) safeguarding freedom of expression and information, for the purposes of academic expression (section 27 of the Data Protection Act).

Category of data subjects: Member of an advisory group or other body (e.g., member of steering group, member of specialist panel)

Purpose of processing and legal basis:

Project management:

a) the performance of a contract to which the data subject is party or in order to take steps prior to entering into a contract (data subject’s commitment to the task), article 6(b) of the GDPR;
b) the consent of the data subject, article 6(a) of the GDPR (on request); or
c) the legitimate interest of the controller, article 6(f) of the GDPR, the right to ensure the necessary expertise and competence in research activities, drawing on external expertise and networks.

Category of data subjects: Other representatives of research stakeholders (e.g., representatives of utilising organisations)

Purpose of processing and legal basis:

Information, communication, marketing:

a) the legitimate interest of the controller, article 6(f) of the GDPR, the right to communicate the results of research activities and about the research activities themselves.

5. Personal data sources

Personal data can be collected from the data subjects themselves (e.g., interviews, surveys, participation) or from sources whose processing purpose is originally other than the study.

VTT may receive personal data from other consortium parties participating in the study. In this case, the original controller will also communicate the disclosure of the data. VTT may secondarily utilise personal data in research, where the primary purpose of the data is something other than research, if the processing is considered compatible with the original purpose of processing.
https://tietosuoja.fi/en/defining-the-research-scheme-and-purpose-for-processing-personal-data

Personal data processed when inviting a research participant, a specialist group or a member of another body and a stakeholder representative may originate from public sources, other research activities of VTT, personal data collected in connection with VTT events or marketing or meetings.

6. Recipients or categories of recipients

In addition to VTT, personal data can be processed by joint controllers. VTT may give personal data to compatible scientific research activities after checking the lawfulness of the recipient’s processing purpose and disclosure.

VTT uses external service providers in the processing of personal data. As a contracting entity (Act on Public Procurement and Concession Contracts 1397/2016), VTT subjects its service providers to competitive bidding, and therefore the service providers change from time to time. Service providers involved in the processing of personal data include cloud service providers, interview and survey platform providers (e.g. Microsoft Inc./Microsoft Teams), and transcription and translation service providers. Personal data are also processed by VTT’s marketing, communication and event management service providers when these are used, for example, in the implementation of research arrangements (e.g., interview invitations, collection of background information on interviews).

7. Transfer of personal data outside the EU or the EEA

Personal data may be transferred outside the EU and EEA if this is possible in view of GDPR Chapter V and a possible risk assessment of the data transfer (transfer impact assessment), in which case the data transfer complies with the requirements laid down in the GDPR. If a Commission decision on the adequacy of data protection covering the target country is not available, VTT may, among other things, use the standard contractual clauses for international data transfers currently approved by the competent authorities (6/2021). The data controller can be asked about the applied procedure separately, or the information is available in other forms of research documentation.

In connection with the Microsoft Teams environment used by VTT, the transfer of personal data outside the EEA is possible: https://docs.microsoft.com/en-us/compliance/regulatory/gdpr

8. Retention period of personal data

The personal data will be retained for the duration of the research and thereafter for the additional time (archiving for public interest, Data Protection Act 4 §) required for scientific publications and peer review (typically a maximum of 5 years after the end of the research).

In the case of follow-up or longitudinal research, personal data are retained taking this into account in determining the duration of the research.

Information on the expected duration of the research is presented in project-specific information.

9. Principles of personal data protection

Personal data are processed in a secure manner, ensuring their confidentiality and security. VTT employees are committed to confidentiality and have completed data protection training at VTT. At VTT, personal data are processed only by persons who need to process personal data in order to carry out the research in question and to organise it appropriately.

10. Rights of the data subject

The data subject has the following rights, which may, however, be derogated from and/or restricted in accordance with applicable legislation in scientific research. Restrictions and derogations are verified on a case-by-case basis.

  • right to withdraw consent (and right to erase data) (consent only)
  • right to access
  • right to rectification
  • right to erasure (so-called “right to be forgotten”)
  • right to restrict the processing of data
  • right to data portability (only consent or contract)
  • right to object to the processing of data (only public interest, controller’s legitimate interest)
  • right to lodge a complaint with a supervisory authority

Further information on the data subject’s rights:

Right to withdraw consent

If the processing is based on consent, the data subject has the right to withdraw their consent at any time regarding the processing of their personal data.

The data subject’s right to access data

The data subject has the right to obtain confirmation from the controller as to whether personal data concerning them are processed. In addition, the data subject has the right to access personal data concerning themselves and information on the processing of personal data.

Right to rectification

The data subject has the right to have inaccurate and incorrect personal data concerning the data subject rectified and incomplete personal data completed without undue delay.

Right to erasure, so-called “right to be forgotten”

The data subject has the right to have the controller erase personal data concerning the data subject.

Right to restriction of processing

In certain situations, the data subject has the right to demand that the controller restrict the processing.

Right to object to the processing

In certain situations, the data subject has the right to object to the processing of personal data.

Right to data portability

The data subject has the right to receive personal data concerning them that they have provided to the controller and the right to transfer such data to another controller in so far as the processing is based on consent or agreement and the processing is carried out automatically.

Right to lodge a complaint with a supervisory authority

The data subject has the right to lodge a complaint with supervisory authorities if the data subject considers that the processing is contrary to data protection legislation. Contact details of the Finnish Data Protection Ombudsman: https://tietosuoja.fi/en/contact-information