This Privacy Notice is based on the EU's General Data Protection Regulation (2016/679, “GDPR”), namely the obligation to inform the data subjects (GDPR Articles 12–14), the data controller's obligation to maintain a record of processing activities under its responsibility (GDPR Article 30), as well as the obligations set out in the Finnish Data Protection Act (1050/2018) supplementing the GDPR.
Additionally, this Privacy Notice has been prepared with the aim of making it accessible in accordance with the requirements of the EU's Web Accessibility Directive (Directive (EU) 2016/2102 of the European Parliament and of the Council on the accessibility of the websites and mobile applications of public sector bodies) and the Finnish Act on the Provision of Digital Services (306/2019) supplementing it.
Personal data register of Metropolia’s Gamebadges - Skill Mapping and Micro-Credentials for the Game Industry project
Name
Metropolia University of Applied Sciences Ltd
Contact information
Metropolia University of Applied Sciences Ltd (Business ID: 2094551-1)
Postal address: P.O. Box 4000, FI-00079 Metropolia
Visiting address: Myllypurontie 1, 00920 Helsinki, Finland
Telephone (switchboard): +358 9 7424 5000
Person responsible for the register at the data controller
Name: Riitta Konkola
Position: President, CEO of Metropolia University of Applied Sciences
Person responsible for the content of the register:
Name:
Position: Head of department/Head of degree programme/Supervisor
Address: Metropolia Ammattikorkeakoulu Oy, PO Box 4000, FI-00079 METROPOLIA
E-mail:
Contact details of the contact person for the register:
Name:
Position:
Address: Metropolia University of Applied Sciences, PO Box 4000, FI-00079 METROPOLIA
E-mail:
Contact details in questions concerning the purpose of the register:
e.g. kyla [at] metropolia.fi (kyla[at]metropolia[dot]fi)
Suvi Väänänen, Metropolia’s Data Protection Officer
Email: tietosuojavastaava [at] metropolia.fi (tietosuojavastaava[at]metropolia[dot]fi) phone: .+358 40 844 0690
Purpose of the processing of personal data:
The purpose of this personal data register of Metropolia University of Applied Sciences and the personal data it contains is to process the data collected in surveys. workshops and interviews conducted during the Gamebadges - Skill Mapping and Micro-Credentials for the Game Industry project (later Gamebadges). Collected data will be used to design, study, pilot, and implement European-wide competence-based open badge ecosystem targeted at the European game industry and game education.
Legal basis for the processing of personal data:
The processing of the personal data contained in the register is based on consent obtained from the data subject (attendee). The consent is given voluntarily.
The legal basis for the processing of personal data contained in the personal data register of Metropolia University of Applied Sciences is not “legitimate interests”. Therefore this section does not apply.
The data subjects in the personal data register of Metropolia University of Applied Sciences are:
Gamebadges Associated Partners and other volunteers taking part in the Gamebadges project surveys, workshops and interviews.
The following personal data are stored in the personal data register of Metropolia University of Applied Sciences:
BASIC INFORMATION AND CONTACT DETAILS
• First name, surname, job title, email address, company, job experience (including years in industry, field of expertise)
CONSENT FOR AND INFORMATION ON CERTAIN ACTIONS
• Information on consent given for actions targeted at the data subjects in the personal data register of the Gamebadges project of Metropolia.
The personal data are obtained from the data subjects themselves while filling out the survey or participating in workshops and interviews.
Access to the personal data contained in the personal data register of the Gamebadges project of Metropolia will be given, where necessary, in the systems listed below. (For the purpose of repairing a technical fault, for example, access will be given with administrator rights to the system provider or to the maintenance personnel of a measurement device.) All system/equipment/software providers used (the companies behind them) can be deemed to be recipients of personal data and recipients of regular disclosures from the register.
With respect to the systems used by the Gamebadges project of Metropolia, personal data processing agreements in accordance with
Article 28 of the GDPR have been concluded with the following cooperation partners:
E-lomake
Zoom
Personal data contained in the Personal data register of Metropolia’s Gamebadges - Skill Mapping and Micro-Credentials for the Game Industry project of Metropolia will not be transferred outside the EU or EEA or to international organisations.
The personal data collected for and processed within the personal data register of Metropolia are, as a general rule, stored in the register for a period 5 year(s).
The following regulations have been observed when determining the retention times
- EU General Data Protection Regulation (“GDPR”, 2016/679)
- Data Protection Act (1050/2018)
- Universities of Applied Sciences Act (932/2014)
- Decision of the National Archives of Finland on retention times – order given to universities of applied sciences concerning the permanent storage of data in electronic format (AL/20757/07.01.01.03.02/2016)
Data subject may submit a request for information by delivering the data subjects’ information request form, which can be found on Metropolia’s public website and/or Metropolia’s intranet to tietosuojavastaava [at] metropolia.fi (tietosuojavastaava[at]metropolia[dot]fi) or by delivering it to Metropolia’s Myllypuro campus.
Metropolia’s Myllypuro campus
Myllypurontie 1, 00920 Helsinki, Finland
Under the GDPR, the data controller must respond to requests by the data subjects to exercise their rights within one month of receiving such a request.
A. Right of access to personal data
The data subjects have the right to check whether their personal data are stored in the personal data register. The data subjects have the right to review and receive copies if the personal data that has been stored of them.
B. Right to rectify personal data and to restrict processing
The data subjects have the right to request the data controller to restrict the processing of their personal data in the following cases:
• the data subject disputes the correctness of their personal data (right to rectify personal data), in which case processing will be restricted until the data controller can ascertain that the data is correct;
• processing violates the law and the data subject objects to the erasure of their personal data, instead requesting that the processing of the data be restricted;
• the data controller no longer needs the personal data for the purposes of the processing, but the data subject needs them in order to establish, exercise or defend a legal claim.
C. Right to erase personal data
The data subject has the right to obtain from the controller the erasure of their personal data from a Metropolia register without undue delay if any of the following conditions are met:
• the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• the data subject withdraws consent on which processing is based and there is no other lawful basis for processing;
• the personal data have been unlawfully processed; or
• the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
D. Right to data portability (transfer of data from one system to another)
Data subject has the right to receive the personal data that they have provided to a data controller, in a structured, commonly used and machine-readable format, and to transmit those data to another data controller without hindrance.
E. Right to not be subjected to a personal data breach
The data subject has the right to not be subjected to a personal data breach, as referred to in Article 33 of the EU’s General Data Protection Regulation, due to the data controller’s negligence in data protection and/or data security matters or due to negligence on the part of a data processor used by the controller in data protection and/or data security matters. The data subject has the right to be informed without undue delay if a personal data breach is likely to pose a high risk to the rights and freedoms of natural persons.
According to Article 21 of the EU’s General Data Protection Regulation, the data subjects have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on point (e) of Article 6(1) (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller), such as profiling based on these provisions. The data controller may no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
The request to stop processing of collected personal data can be submitted to tietosuojavastaava [at] metropolia.fi (tietosuojavastaava[at]metropolia[dot]fi)
If the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw their consent for processing at any time without the withdrawal of consent affecting the lawfulness of processing based on consent before its withdrawal.
The withdrawal of consent for the processing of personal data collected by Metropolia (withdrawal request) can be submitted to tietosuojavastaava [at] metropolia.fi (tietosuojavastaava[at]metropolia[dot]fi)
Every data subject has the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of their personal data infringes the applicable data protection regulations.
The national supervisory authority in Finland is the Office of the Data Protection Ombudsman. Contact details:
Office of the Data Protection Ombudsman
Street address: Lintulahdenkuja 4, 00530 Helsinki, Finland
Postal address: PO Box 800
FI-00531 Helsinki
Telephone (switchboard): + 358 29 56 66700
Fax: + 358 9 56 66735
Email: tietosuoja [at] om.fi (tietosuoja[at]om[dot]fi)
Every data subject has the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of their personal data infringes the applicable data protection regulations.
The national supervisory authority in Finland is the Office of the Data Protection Ombudsman. Contact details:
Office of the Data Protection Ombudsman
Street address: Ratapihantie 9, 6th floor
00520 Helsinki, Finland
Postal address: PO Box 800
FI-00521 Helsinki
Telephone (switchboard): + 358 29 56 66700
Fax: + 358 9 56 66735
Email: tietosuoja [at] om.fi (tietosuoja[at]om[dot]fi)
General description of the technical and organisational security measures aiming at protecting the personal data of the data subjects and the personal data registers:
- The protection of the register has been agreed upon with the system providers. If necessary, the responsibilities have been described in adequate detail in the appropriate agreements.
- The employees and other personnel have undertaken to comply with the obligation of secrecy and to keep confidential the information they receive in connection with the personal data processing.
- The system providers (personal data processors) undertake to maintain the register and the personal data relating to it in accordance with good data processing practices and comply with the obligation to absolute secrecy and confidentiality.
- The data security of the personal data register of the data controllers and the confidentiality of the data contained therein are ensured with appropriate technical and administrative means in accordance with good data processing practices.
- The data controllers have restricted user rights and authorisations to data systems, tools and other storage platforms in such a way that they can only be accessed and processed by the persons who are necessary for such processing due to their job duties or position.
- The system containing personal data may only be used by employees who are entitled to process personal data due to their job duties and/or position. Such employees will be given the appropriate training for their duties.
- Every user of a tool/system must identify themselves with their personal codes, which are issued when the right to access the tool/system is granted. The right of access will expire once the employee resigns or is transferred from the duties for which they were granted the right at Metropolia.
- The data are collected in databases that are protected logically and physically.
The databases and their back-up copies are located in locked premises, and the data can only be accessed by certain pre-appointed persons.
Personal data register of Metropolia’s Gamebadges - Skill Mapping and Micro-Credentials for the Game Industry project of Metropolia University of Applied Sciences and the data contained in it will not be used in automated decision-making or profiling.