JavaScriptin tulee olla päällä. This page requires JavaScript. Den sida kräver JavaScript.
This is a form used for collecting information about what data is processed in BSc, MSc and eMBA theses and course assignments at Hanken in accordance with the Regulation (EU) 2016/679 (General Data Protection Regulation).
Note that after completion, a summary email is sent both to the student's and to the supervisor's email addresses submitted.
BSc/MSc/eMBA students processing:
(a) data obtained in trust and confidence – from or about persons not representing a company/organisation commissioning the study,(b) direct identifiers as part of the dataset, (c) sensitive personal data,
and/or conducting a study that requires an ethical review
need to fill in Hanken's DMP template in DMPTuuli. Please discuss this with your supervisor.
Doctoral students and researchers write a data management plan (DMP) with the DMPTuuli tool. The DMP you create with DMPTuuli serves at the same time as a Record of Data Processing Activities, which you can share on request with participants/subjects/respondents of your research. Use Hanken's DMP template or other Public DMP templates (with Hanken's DMP guidance integrated) in DMPTuuli to help you create and update a DMP (See DMPTuuli with Hanken's DMP guidance and DMP template).
For course assignments where students collect and handle data with no direct identifiers (e.g. name, address, email address, username, photo), or data contain public roles in legal entities, publicly available data, contact information stored separately, or data erased within 6 months after the course, the assignment/course teacher/instructor fills in and submits one e-form of this Record of Data Processing Activities for Students for all the assignments of all the students or student groups.
The teacher/instructor should inform the students of this e-form, guide them not to gather or store any direct identifier information (at all, or in the same file as the research data), provide them with a note which they can use to inform respondents about data processing, and instruct them to erase the data within 6 months after the course.
In case that any direct identifier information is gathered by students and stored in the same file as the rest of the research data, each student/student group should fill in a form on their own.
Here are the definitions of the data types listed below:
- No personal data:
Not gathering any data from individuals or about individuals (e.g., consumers, company managers).
Personal data encompasses all data from which a natural person can be identified either directly or indirectly.
"Direct identifiers" are information that is sufficient on its own to identify a natural person. Examples are a person's name, personal identity code, address, email address, telephone numbers, username, user-id, facial image (e.g. profile picture,video footage showing the face), voice pattern, fingerprint, and manual signature.
"Indirect identifiers" include gender, age, education, professional status, nationality, location data, career history, system log data, marital status, and vehicle registration number.
- No direct identifier:
Data wherein no direct identifier information about individual persons are collected or stored at any point.
- Public roles in legal entities:
Names of persons representing legal entities such as companies, associations, foundations, and other organizations obtained from Finnish Business Information System or other similar agencies abroad.
Official and public information about names of executive management roles in companies.
- Publicly available personal data:
Data can be:
(a) aforementioned data about persons holding aforementioned "public roles" in legal entities (e.g., the names of CEOs or Board members of companies),
(b) data obtained from public sector organisations' documents and letters (under, e.g., laws of Openness of Government or Freedom of Information),
(c) data gathered from public websites or mass media (e.g., news stories with citations from individual citizens or company representatives),
(d) data gathered from semi-public websites or discussion forums (e.g., forums accessible through registration as a user), and
(e) data that can be accessed or acquired from commercially available databases.
Note that even if these data (a-e) are publicly available, you should not store aforementioned "direct identifiers" information (e.g., name, address) in the same file as your main research data. If you are storing them in the same file, you have to fill in Hanken's DMP template in DMPTuuli.
- Contact information stored separately:
Data wherein the only direct identifier information collected is the person’s contact information – and this information is stored separately from all other data, is not used for purposes non-related to this research, and will be erased at the latest 6 months after the research is completed.
- Data obtained in trust and confidence:
Data that you are getting access to
(a) after having signed a formal non-disclosure agreement (NDA), or
(b) after having informally promised to hold the data confidential or only to yourself. Such data might include, for instance, information about companies’/organizations’ business secrets or detailed information about business plans or strategies or their implementation. If only part of your data is confidential, always communicate and agree with the data provider, what parts of the data you can share or make public, in order to avoid situations that expectations of trust are not met.
(c) Furthermore, certain types of governmental data may be confidential. If you are processing government-provided data, check the law of Openness of Government to see whether your data is classified as confidential or non-public.
Note that this type of data has two alternatives:
(1) If the only data obtained in trust and confidence relates to the company/organisation commissioning the study, or from the managers/representatives of that company/organisation, and in cases where the employer is the Data Controller, fill in this e-form Record of Data Processing Activities for Students.
(2) If data is obtained in trust and confidence from or about parties/persons outside that company/organisation (e.g., its customers), you need to fill in Hanken's DMP template in DMPTuuli.
- Collected direct identifiers:
Data wherein direct identifier information (e.g., name, address, photo, video) about persons is collected – and this information is stored in the same research data file as other data about those persons.
If you are storing direct identifier information in the same file, you need to fill in Hanken's DMP template in DMPTuuli.
- Sensitive personal data:
Sensitive personal data are special categories of personal data. The following categories are classified as sensitive personal data by the GDPR: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, data concerning a natural person’s sex life or sexual orientation, or data relating to criminal convictions and offences, or related security measures.
If you process sensitive personal data, you need to fill in Hanken's DMP template in DMPTuuli.
If you do not gather any data from individuals or about individuals (e.g., consumers, company managers), or if you only use secondary data from databases with company information, you do not need to answer the following questions in this e-form. Remember to click "Save" at the end of this e-form to submit it.
Since your data includes "data obtained in trust and confidence – from or about persons not representing a company/oganisation commissioning the study" or "sensitive personal data," you cannot continue filling in this form, but have to fill in Hankens DMP-mall i DMPTuuli instead. Ask your supervisor for help.
Note that this is not recommended! You should always try to separate the direct identifiers. Ask your supervisor for advice.
If it is not possible to separate the data, you cannot continue filling in this form, but have to fill in Hankens DMP-mall i DMPTuuli instead. Ask your supervisor for help.
Note that if you collect personal data, you always have to inform your research participants about the nature of your data collection and processing.
When collecting different types of data, you can inform your research participants, for instance, with the following different notes:
- No direct identifiers:
“This research does not collect or store any direct identifier information about you (e.g. name, address, username, photo), and any other piece of information/data that would allow identifying you. The entire dataset will be erased no later than 12 months after the thesis is graded and approved.” (OPTIONAL, depending on the source of data: for instance, "Even if you responded to this survey via email or social media platform, your email address or username will not be collected or stored anywhere.”)
If the dataset only includes data from public sources, the research participants/subjects do not have to be informed.
If you includes/combines your own data or other non-public data with the data from public sources, you have to inform the participants with the note: “This research combines your responses with public data about your organisation/yourself. However, immediately after combining the data, I will erase all the direct identifier information about you (e.g. name, address) from the dataset, so that you cannot be identified – and your responses cannot be identified as your responses – in any data analyses or results. The entire dataset will be erased no later than 12 months after the thesis is graded and approved.”
If you are gathering aforementioned types of publicly available personal data c), d), e), you have to inform the persons included in your database about their inclusion in the data as soon as the data has been gathered.
For example, if you are gathering data type (d) above, you have to – even if you do not store direct identifier information (at all or in the same file) – post a note to the forum: "I have been gathering data from the forum, but haven't gathered and stored any direct identifier information about you (e.g. name, address, username, photo), and any other piece of information/data that would allow identifying you. The entire dataset will be erased no later than 12 months after the thesis is graded and approved."
"Direct identifier information about you (e.g. name, address, username, photo) will not be stored in the research dataset at any point. Such information is saved in a separate file from the research dataset, and will only be used for possibly contacting you about matters related to this research. Both the contact data and the research data will be erased no later than 12 months after the thesis is graded and approved.”
Note that if you plan to save, store, reuse or share your data for research purposes other than completing this thesis/assignment (e.g., for a scientific publication), you need to specify this as well in your note to your research respondents.
If the respondent has questions or requests regarding the handling of their personal data, the student/researcher (name, email address) should primarily be contacted. In case of complaints, the respondent can contact Hanken's Data Protection Officer dpo@hanken.fi.
Unless you have entered into a Data Processing Agreement (DPA) with another system/service provider, do not use other than Hanken-provided systems, for example, Dropbox, Google Docs, publicly-available Onedrive (for consumers), and other survey platforms than Webropol.
EMBA students can store the data in IT systems provided by the employers.
Please note that erasing all versions of the personal data within 12 months after the thesis is graded and approved is part of responsible data management and security.
If you plan to save and store the personal data for later and shared use in research other than completing this thesis or assignment (e.g., for a scientific publication), discuss this with your supervisor or teacher.