Skip to main content

This privacy policy has been written in accordance with the Finnish Personal Data Act (10 and 24 §) and the General Data Protection Regulation (GDPR) of the European Union (EU). Created May 4th, 2018. Last modified May 23rd, 2018.

1. Controller

University of Turku, 20014 University of Turku

+358 29 450 5000

 

2. Representative

With any issues about data protection or privacy in ViLLE, please contact villeteam@utu.fi.

The data protection officer of University of Turku is Camilla Engman (dpo@utu.fi).

 

3. Name of Registry

User registry of ViLLE web service.

 

4. Lawfulness and purpose of processing personal data

According to the General Data Protection Regulation, personal data can be lawfully processed

- with consent of the data subject (documented, voluntary, personalized, unambiguous)

or

 - if it is necessary for the performance of a task carried out in the public interest (collecting study records in educational institutions when required for administrative reasons)

The purpose of processing personal data is to connect a person with their study record or examining students’ study performance.

The data is not used for automated decision-making or profiling without a separate and explicit permission from the user.

 

5. Content of Registry

Information recorded into the registry contains the following: name of person or other identifier, email and student number (if assigned by the person’s organization). Additionally, information regarding user performance in exercises (points awarded, time-on-task, given answer) is collected. In order to effectively resolve possible errors reported by the user, log files e.g. of starting, deleting or completing an exercise are also gathered. All gathered information is anonymized for research purposes with randomized keys. The anonymized answers cannot be re-connected with user information in any way.

The information is stored until their removal is requested by the user. Data gathered for research purposes is not removed as this information cannot be re-connected to the user.

 

6. Data acquisition

Data is gathered automatically during the use of the ViLLE web service. By default, no other data is gathered of the user. A separate permission is obtained beforehand from the user if further data is collected for research purposes. A user always has the right to decline the request for such a permission.

 

7. Transfer of data to third parties or outside the EU or the European Economic Area (ETA)

Data is not  transferred to other parties. Information can be published if a permission has been obtained from the user. Scientific studies based on anonymized information can be published in e.g. scientific journals or conferences without separate permission. Information published in this manner cannot be re-connected with the user.

 

8. Principles of registry protection

The registry is treated with great care and all information gathered through the system is protected appropriately. The information is stored on a protected server which can only be accessed by dedicated administrators. The controller is in charge of overseeing that collected data, server privileges and other information that are critical for the safekeeping of personal data are handled confidentially and only by employees tasked with processing them.

 

9. Right of access and rectification

Each person included in the registry has the right to examine all data collected from them as well as having erroneous data corrected and incomplete data complemented. If the user wishes to examine, correct or complement their data a written request must be sent to the controller. The controller may require the user to provide proof of identity. A response is provided within the time specified in the General Data Projection Regulation (ordinarily within a month after receiving the request).

 

10. Other rights concerning data processing

Each person included in the registry has the right to request all their personal data to be erased from the registry (per the “right to be forgotten” principle). In addition, persons included in the registry are granted all other rights detailed in the General Data Projection Regulation of the European Union, such as limited processing of personal data in certain circumstances. All requests must be sent to the controller in written form. The controller may require the user to provide proof of identity. A response is provided within the time specified in the General Data Projection Regulation (ordinarily within a month after receiving the request).