SPARK Education Platform

1. Data Controller

Tampere University Foundation sr

FI-33014 Tampere University

Kalevantie 4, FI-33100 Tampere, Finland

Business ID 2844561-8

2. Contact person

Please send all inquiries to:

Helena Lähdekorpi

+358 50 3094393

helena.lahdekorpi@sparkfinland.fi

3. Data Protection Officer

dpo@tuni.fi

4. Name of the register

SPARK Education Platform’s user register

5. Purpose of processing personal data

and the lawful basis for processing

Purpose of processing:

The provisioning of learning management services.

Lawful basis for processing:

☒ Consent

☐ Contract

☐ Legal obligation

☐ Vital interests of data subjects

☐ Public interest or the exercise of official authority

☐ Legitimate interests of the Data Controller

If the basis for processing is Consent, describe how users can withdraw their consent: User can inform the contact person to withdraw their consent.

6. Contents

Registry consists of the following compulsory user information: first name, last name, username, password, email, home organisation, SPARK organisation and country. In addition, user can voluntarily add such information as: photo, town, interests, instant messenger, contact info, phone number, home address, website address and language selection.

7. Sources of information

Personal data is collected:

- when user becomes a customer, signs up as a user, uses the services or has an appropriate contact with the data controller

- from third parties within the limits of law for purposes stated in this privacy policy

8. Regular disclosure of data and recipients

Regular disclosure of data to third parties:

Name of the user is accessible by other users. Furthermore, user may allow their email address andother attributes to be accessible by other users.

The Data Controller has signed a contract to outsource processing activities:

☐ No

☒ Yes, please specify:

Mediamaisteri Oy

PL 82 (Erkkilänkatu 11, 33100 Tampere)

33101 Tampere

010281 8000

info@mediamaisteri.com

9. Transfer of data outside the EU/EEA

If data is transferred outside the EEA, please describe the related data protection procedures

Will data stored in the register be transferred to a country or an international organisation located outside the EU/EEA:

☒ No

☐ Yes, please specify:

Description of the measures taken to protect data:

10. Data protection principles

A manual data

☐ In a locked room

☐ In a locked cupboard

☐ Other, please specify:

B electronic data (e.g. information systems and equipment):

☒ usernames

☒ password

☐ multi-factor authentication (MFA)

☐ access management (IP address)

☐ collection of log data

☐ physical access control

☐ other, please specify

11. Data retention period or criteria for determining the retention period

Personal data will be removed when the data is not needed to the provisioning of the services unless the applicable law states otherwise.

12. Existence of automated decision-making or profiling, the logic involved as well as the significance and the envisaged consequences for data subjects

The data stored in the register will be used to carry out automated decision-making, including profiling:

☒ No

☐ Yes, please specify:

13. Rights of data subjects

Data subjects have the following rights under the EU’s General Data Protection Regulation (GDPR):

- Right of access

o Data subjects are entitled to find out what information the University holds about them or to receive confirmation that their personal data is not processed by the University.

- Right to rectification

o Data subjects have the right to have any incorrect, inaccurate or incomplete personal details held by the University revised or supplemented without undue delay. In addition, data subjects are entitled to have any unnecessary personal data deleted.

- Right to erasure

o In exceptional circumstances, data subjects have the right to have their personal data erased from the Data Controller’s records (‘right to be forgotten’).

- Right to restrict processing

o In certain circumstances, data subjects have the right to request the University to restrict processing their personal data until the accuracy of their data (or the basis for processing their data) has been appropriately reviewed and potentially revised or supplemented.

- Right to object

o In certain circumstances, data subjects may at any time object to the processing of their personal data for compelling personal reasons.

- Right to data portability

o Data subjects have the right to obtain a copy of the personal data that they have submitted to the University in a commonly used, machine-readable format and transfer the data to another Data Controller.

- Right to lodge a complaint with a supervisory authority

o Data subjects have the right to lodge a complaint with a supervisory authority in their permanent place of residence or place of work, if they consider the processing of their personal data to violate the provisions of the GDPR (EU 2016/679). In addition, data subjects may follow other administrative procedures to appeal against a decision made by a supervisory authority or seek a judicial remedy.

The Data Controller follows a GDPR-compliant procedure for responding to subject access requests.

Enquiries regarding the subject's rights should be addressed to the data controller.