University of Turku, 20014 University of Turku
+358 29 450 5000
With any issues about data protection or privacy in ViLLE, please contact firstname.lastname@example.org.
The data protection officer of University of Turku is Camilla Engman (email@example.com).
3. Name of Registry
User registry of ViLLE web service.
4. Lawfulness and purpose of processing personal data
According to the General Data Protection Regulation, personal data can be lawfully processed
- with consent of the data subject (documented, voluntary, personalized, unambiguous)
- if it is necessary for the performance of a task carried out in the public interest (collecting study records in educational institutions when required for administrative reasons)
The purpose of processing personal data is to connect a person with their study record or examining students’ study performance.
The data is not used for automated decision-making or profiling without a separate and explicit permission from the user.
5. Content of Registry
Information recorded into the registry contains the following: name of person or other identifier, email and student number (if assigned by the person’s organization). Additionally, information regarding user performance in exercises (points awarded, time-on-task, given answer) is collected. In order to effectively resolve possible errors reported by the user, log files e.g. of starting, deleting or completing an exercise are also gathered. All gathered information is anonymized for research purposes with randomized keys. The anonymized answers cannot be re-connected with user information in any way.
The information is stored until their removal is requested by the user. Data gathered for research purposes is not removed as this information cannot be re-connected to the user.
6. Data acquisition
Data is gathered automatically during the use of the ViLLE web service. By default, no other data is gathered of the user. A separate permission is obtained beforehand from the user if further data is collected for research purposes. A user always has the right to decline the request for such a permission.
7. Transfer of data to third parties or outside the EU or the European Economic Area (ETA)
Data is not transferred to other parties. Information can be published if a permission has been obtained from the user. Scientific studies based on anonymized information can be published in e.g. scientific journals or conferences without separate permission. Information published in this manner cannot be re-connected with the user.
8. Principles of registry protection
The registry is treated with great care and all information gathered through the system is protected appropriately. The information is stored on a protected server which can only be accessed by dedicated administrators. The controller is in charge of overseeing that collected data, server privileges and other information that are critical for the safekeeping of personal data are handled confidentially and only by employees tasked with processing them.
9. Right of access and rectification
Each person included in the registry has the right to examine all data collected from them as well as having erroneous data corrected and incomplete data complemented. If the user wishes to examine, correct or complement their data a written request must be sent to the controller. The controller may require the user to provide proof of identity. A response is provided within the time specified in the General Data Projection Regulation (ordinarily within a month after receiving the request).
10. Other rights concerning data processing
Each person included in the registry has the right to request all their personal data to be erased from the registry (per the “right to be forgotten” principle). In addition, persons included in the registry are granted all other rights detailed in the General Data Projection Regulation of the European Union, such as limited processing of personal data in certain circumstances. All requests must be sent to the controller in written form. The controller may require the user to provide proof of identity. A response is provided within the time specified in the General Data Projection Regulation (ordinarily within a month after receiving the request).