This e-form Privacy notice/Record of processing activities describes what personal data are collected from the data subjects, and why and how the personal data are processed at Hanken. It also provides the information on what rights the data subjects have pertaining to their personal data and how they can exercise these rights at Hanken.
[Instructions on how to use this e-form:
[Instruction: Consider and choose who is the data controller. The data controller determines the purposes and means (i.e., why and how) of the processing of personal data and is primarily responsible for compliance with the data protection laws throughout the data life cycle.]
Hanken School of Economics
Arkadiankatu 22, 00100 Helsinki, Finland
Postal Address: P.O.Box 479, 00101 Helsinki
Phone: +358 (0)29 431 331
Business ID: FI02459077
Hanken's Data protection officer (DPO): dpo@hanken.fi
Hanken as the data controller only processes the personal data that are necessary and proportionate to the accomplishment of the work tasks and execution of the work.
[Instruction: Specify below why the personal data are processed and how the work is carried out, so the data subjects understand for which purpose(s) you process their personal data and why it is necessary for you to do so.
If you have any other purposes of processing the personal data than carrying out this work, also specify these other purposes below. These other purposes need to be compatible with the original purpose(s) for which the personal data are initially collected.
In case of joint controllership, the organisations serving as joint controllers shall jointly determine the purposes and means of processing personal data. Also specify, in the box below, the joint controllers’ division of responsibilities and the types of personal data that they process.]
[Instruction: Personal data shall be processed lawfully with at least one of the six legal bases: consent, contract, legal obligation, protection of vital interests, public interest or official authority, and legitimate interests (GDPR, Art. 6).
Processing of special categories of personal data (sensitive personal data) shall be prohibited. The responsible person needs to rely on at least one of the ten exceptions or derogations to the prohibition in order to collect and process special categories of personal data, data of a highly personal nature, and other specially protected personal data. These exceptions or derogations are specified in the GDPR (Art. 9) and supplemented in the Data Protection Act (1050/2018, Sections 6, 7 and 29).]
[Instruction: When a planned processing is likely to result in a high risk to the rights and freedoms of natural persons, a data protection impact assessment (DPIA) shall be carried out prior to the processing.
Check the list in the GDPR (Art. 35) and the list, compiled by the Office of the Data Protection Ombudsman, of processing operations which require a data protection impact assessment (DPIA).
A DPIA shall be conducted by consulting Hanken's DPO (dpo@hanken.fi) who shall also monitor its performance (GDPR, Art. 35 and 39). Hanken's DPIA template is available here.]
Personal data are primarily processed by Hanken’s staff members at the Office of Studies and Admissions, Office of University Services, Office of Research, International Affairs and Corporate Connections, and the teaching and research staff. Hanken ensures that the recipients of the personal data are entitled to process the data in connection with their professional duties to achieve the purposes of the processing activities.
[Instruction: Hanken may outsource some of its processing activities to external data processors. Data processors process personal data on behalf of the data controller and do not determine the purposes and means (i.e., why and how) of the processing of personal data.
The person responsible for the relevant personal data and processing activities assesses the suitability of a proposed external processor. A Data processing agreement (DPA) shall be signed in order to stipulate the terms and conditions for the intended outsourced processing activities. Hanken’s DPA templates are available here (Data Processing Agreement template and Data Processing Appendix template (as part of an Agreement)).]
Hanken as the data controller is responsible for taking appropriate technical and organisational measures to protect the personal data against unauthorized access or illegal use and against damage to or loss of the personal data.
[Instruction: If you plan to transfer personal data outside the EU/EEA and the target country is not on the list of the European Commission's Adequacy decision, contact Hanken’s DPO (dpo@hanken.fi).]
Personal data that are no longer needed for the original purposes shall be disposed of as soon as possible unless there are special reasons or legislation that require archiving. Storage periods of the personal data collected and processed are based on current legislation and Hanken’s Records Management Plan (the PDF file GDPR Informationsstyrningsplan v1.6).
[Instruction: If you use AI tools, address the ethics of AI, such as how you will maintain the principles of transparency and explainability, fairness and non-discrimination, responsibility and accountability, human oversight and determination, safety and security, and right to privacy and data protection (UNESCO’s Recommendation on the Ethics of Artificial Intelligence, 2021).
Article 22 of the GDPR especially requires that data subjects “shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
A Data protection impact assessment (DPIA) shall be required in the case of a systematic and extensive analysis of personal data in the context of automated processing, including profiling, where this has a significant effect on the data subject (GDPR, Art. 35 (3)(a)).
If you use AI tools with automated decisions, contact dpo@hanken.fi and explain in the box below for what and how the AI tools will be used in making decisions concerning your data subjects or in analysing or predicting their personal preferences, behaviours or attitudes, and what the consequences of such automated decisions are. The data subject should be informed of the existence of automated decisions, including profiling, and the consequences of such decisions.]
According to the General Data Protection Regulation of the European Union (GDPR, 2016/679), the data subjects have the right to:
When personal data are processed for archiving, scientific or historical research or statistical purposes, the rights may be restricted under the GDPR and the Finnish Data Protection Act (1050/2018). Restrictions of rights always require special protective measures.
Personal data will always be processed lawfully, fairly and in a transparent manner to protect the fundamental rights and freedoms of the data subjects. The data controller follows a GDPR-compliant procedure to respond to subject access requests.
If the data subjects have questions or requests related to data protection or the processing of personal data, they can contact the contact person(s) or Data protection officer (DPO) mentioned above.
The data subjects have the right to lodge a complaint with the supervisory authority if they feel that the processing of their personal data is an infringement of data protection laws.
Contact information of the supervisory authority/Data protection authority (DPA) in Finland:
Office of the Data Protection Ombudsman
Visiting address: Lintulahdenkuja 4, 00530 Helsinki
Postal address: PO Box 800, 00531 Helsinki
Switchboard: tel. +358 29 566 6700
Registry: +358 29 566 6768
Email: tietosuoja@om.fi
https://tietosuoja.fi