Privacy

1. Controller

CSC – IT Center for Science Ltd
P.O. Box 405 (Keilaranta 14)
02101 Espoo
+358 9 457 2821 (operator)
www.csc.fi
servicedesk@csc.fi

(later ”we” or ”CSC”)

2. Controller’s contact persons

CSC Service Desk
tel. 09 457 2821 (operator)
servicedesk@csc.fi

Data protection officer Marita Pajulahti, privacy@csc.fi

3. Name of the register

Chipster account users and evaluation account users

4. Lawful basis and reasons for processing your data

The lawful basis for processing your data is either the performance of a contract between you and CSC, or CSC’s legitimate intrests based on the relationship between you and CSC.

We process your personal data to:

• provide and improve our services,
• perform our contractual obligations,
• as a part of customer relationship.

5. What data do we process?

We process the following information:

• data subject’s basic data such as name*, user ID and/or other identifier, password
• data subject’s contact details such as e-mail address* and physical address
• business-related data such as business IDs and the names and contact details of contact persons
• information on previous and current contracts and orders, and other data from customer interactions (such as email correspondence).

The personal data marked with an asterisk is data that is required for establishing a contract relationship and/or a customer relationship. Without this necessary personal data, we are unable to provide products and/or services.

6. Where do we get the personal data?

Personal data is provided by the data subject.

7. Data transfers

We do not transfer data to third parties.

We do not transfer personal data outside of the EU/EEA.

8. How data is protected and retention period

The only persons authorised to use the systems containing personal data are those employees of our company who have the right to process customer data on the basis of the work they carry out. Each user has their own user ID and password for the systems. The data is collected into databases that are protected by firewalls, passwords and other technical measures. The databases and backups of these
databases are located in locked facilities and only designated individuals have access to this data.

We store the personal data for as long as it is needed for the purposes for which it was acquired. We will retain the personal data for ten years after the termination of the evaluation account. When a new application for an account comes in, we need the data to check if the person has previously opened an evaluation account. After ten years, the data and all its copies are deleted.

We regularly assess the need for storing data, taking into account the applicable legislation. In addition, we take reasonable measures to ensure that the personal data about registered persons stored in the register is not contradictory to the data processing purposes, out-of-date or inaccurate. Where such data is identified, it is either corrected or destroyed without delay.

9. Your rights as a data subject

As a data subject, you have the right to inspect the data about yourself that has been saved into the customer register and to demand the correction of inaccurate data or its removal, provided that there is a legal justification for its removal. You also have
the right to withdrawal your approval or change it.

As a data subject, you have the right under the General Data Protection Regulation to oppose the collection of your data or to request that it be restricted and to make a complaint about the processing of personal data to the supervisory authority.

As a data subject, you also have the right, at any time and without cost, to oppose data-processing, wherever it relates to direct marketing.

10. Who should I contact?

All enquiries and requests regarding this privacy notice should be made in writing or in person to the contact person specified in section two (2).

11. Updates to this notice

If we make changes to our privacy policy, we will make these accessible by updating this privacy notice document. If the changes are significant, we may inform people about these changes in some other way, such as by email or by publishing a notification on our webpage. We recommend that you visit our webpage regularly and pay attention to any changes to this privacy notice.

Valid from 1.7.2022

1. . Controller

CSC – Finnish IT Сentre for Science Ltd
P.O. Box 405 (Keilaranta 14)
FI-02101 Espoo
tel. 09 457 2821 (operator)
servicedesk@csc.fi
www.csc.fi

(here in after referred to as “we” or “CSC”)

2. Contact person for register-related matters

CSC Service Desk
tel. 09 457 2821 (operator)
servicedesk@csc.fi

Data asset owner: Financial Director, Finance and Contracts

Data Protection Officer: privacy@csc.fi

3. Name of register

CSC eSign

4. Purposes and lawful bases for processing personal data

We process personal data for electronic signature of documents (or records) through the use of our e-signature platform. A signature seals a document and might serve as evidence that the document was agreed or approved by a signatory, ensuring certainty of the document’s origin and integrity. We may also process data in order to comply with our legal and regulatory requirements as well as for the prevention, detection and investigation of fraud. Processing is done to protect our agreements and other business interests. It is based on our legitimate interests (GDPR 6(1)(f)).

If you decide not to supply personal data that we have requested, then you will be unable to execute the relevant document(-s) with an electronic signature through use of our e-signature platform.

5. What data do we process?

The types of personal data that we will process for facilitating electronic signature of documents (or other records) include:

• Personal details (name, job title)
• Contact information (email)
• Personal identity code, if a strong authentication is used
• Organization you represent
• Type of authorization
• Signatures on documents (including time of a signature, name, title, organization, identity authentication method and its provider)
• IP -addresses or other unique device identifiers

6. Where do we get your data from?

The information needed to send the document to be signed (name, title, contact information and organization) is collected from you, your home organization or from CSC’s customer or other registers. If you sign as a customer: This privacy notice supplements our customer register privacy notice is not intended to override it.

Before entering the platform, you are asked to verify your identity via a mobile ID or bank ID authentication or email. We collect the following information about you when you complete the signing process: your internet protocol (IP) address, an identity authentication method used and information about identity verification (if needed), a type of your authorization to approve or terminate a legally binding document, the date and time of each action you take to review or sign a document and other technical information about your access to and use of the platform. Information about you will be stored in the documents you sign. Such information includes or may include the date and time of signature, your name, title, organization, and information about the identity authentication method used and its provider are embedded in the documents to which you apply your electronic signature. All this information may be used as evidence of the validity of your signature.

7. Where do we transfer your data?

The following parties have or may have access to information about you:

• Our staff and partners in the course of their duties (such as contracts management) and others lawfully working with us in the ordinary course of our business (for example auditors).
• An electronic signature platform provider is processing data on behalf of us based on a data processing agreement.
• Parties who will sign the same document with you and have access or receive the data stored in the document.

We will disclose your personal information to another party if you have consented to the disclosure or if we are required or permitted to do so by law.

Personal data will not be transferred outside the EU/EEA.

8. How do we protect your data and how long we store your data?

We will store your personal data on the electronic signature platform for a maximum of 90 days from sending the document for signature or signing it, whichever occurs later.

Each signing party needs their own copy of the signed document. After the signatures, you can download and save your own or your organization’s copy of the signature platform. We will store our copy for the duration of the applicable statutory retention periods and, if necessary, for the duration of the applicable statute of limitations.

In individual cases, we may be obliged to kept data longer if legal or regulatory proceedings require; or where proceedings are underway such as require the data to be retained until those proceedings have finished.

9. What are your rights as a data subject?

With respect to the processing of your personal data, you have the following rights:

• to request confirmation as to whether we are processing personal data concerning you and to access to your personal data
• to demand the rectification or completion of inaccurate or incomplete data
• to request the erasure of data, if those are no longer required for the purposes for which they were collected or processed or the data processing is unlawful
• to request the restriction of processing, under certain conditions

You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you.

We will then no longer process the personal data, unless we can demonstrate compelling legitimate grounds for processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

We will always use best efforts to address and settle any requests or complaints you bring to our attention. Besides contacting us you always have the right to approach the competent data protection authority with your request or complaint:

• at your habitual residence in the EEA
• at the place of your work in the EEA or
• at the place of the alleged infringement in the EEA.

The data protection authority competent for CSC – IT Center for Science Ltd is:

Office of the Data Protection Ombudsman
Postal address: PL 800
00531 Helsinki, Finland
https://tietosuoja.fi/en/contact-information.

10. Who should you contact?

If you have any questions about this privacy notice please use the following contact point: servicedesk@csc.fi or contact the person specified in section two (2).

In order to exercise any of your data subject rights, you can send us a request, indicating the right you wish to exercise by e-mailing us at servicedesk@csc.fi .

11. Changes to this notice

This privacy notice is current as of the date which appears at the top of the document. If there are essential changes to this privacy notice, or in how we will process your personal data, we will use reasonable efforts to notify you.

Updated 21 December 2023

1. Registrar

CSC – IT Center for Science Ltd
P.O. Box 405 (Keilaranta 14)
02101 Espoo, Finland
Tel. +358 (0)9 457 2821 (operator)
servicedesk@csc.fi
Business ID: 0920632-0
www.csc.fi

(hereinafter referred to as “we” or “CSC”)

2. Contact person for register-related matters

Data asset owner: Head of HR

Data Protection Officer: privacy@csc.fi

3. What are the purposes and legal grounds for processing personal data?

The processing of personal data is based on the implementation of an employment contract or at the request of the data subject prior to entering into an employment contract.

Personal data is processed in matters and obligations relating to recruitment for CSC – IT center for science Ltd.

No automated decisions are made using the applicant register.

4. What data do we process?

We will request the following information from you:

• Applicant’s basic details and personal data such as name, home address, email and phone number
• Data reported by the applicant such as information about education, previous work experience, qualifications and other competences, language skills and references
• Data obtained from the applicant or obtained from a third party with the applicant’s consent (such as references from previous employers)
• Other recruitment-related data

5. Where do we get your data from?

Per se, CSC gathers all applicant related data from the applicant themselves. In some cases, CSC might also gather data from sources other than the applicant themselves within the limits of the legislation and with the applicant’s consent or when the legislation allows it.

6. To whom do we disclose your data?

Data is not disclosed to entities outside of CSC.

7. How do we protect your data and for how long do we keep it?

The data will only be retained for as long as it is necessary for the purposes defined in this Privacy Statement or for the retention period determined by legislation. For example, equality legislation requires us to retain your information for one year after the end of the recruitment process. When the retention period of personal data has expired and there is no longer any reason to process it within the limits allowed by data protection law, the personal data will be deleted.

The data subject may request in writing that their data be erased completely from the recruitment system. The data subject may also request in writing that their data be deleted completely. Requests should be addressed to the controller.

CSC may use external service providers to assist in its recruitment. In this case, the Service Providers will process personal data exclusively and in accordance with CSC’s instructions and on behalf of CSC. CSC has made sure that the processing of personal data has then been agreed to as required by data protection law.

Personal data isn’t transferred outside EU/ETA.

Manual sources:
Documents are kept in locked premises with access control. Access to documents is restricted to persons who, for their job, have the right to process the data of data subjects.

Data in information systems:

Files containing the data are accessed only by persons working on recruitment in accordance with their job description. Access to the applicant register is restricted and users are identified with a username and password. The programs and data are located on the servers of external service providers.

CSC has agreed with the outsourced service providers on the necessary data protection obligations in accordance with the Data Protection Regulation.

8. What are your rights as a data subject?

Data subjects have the right under the Data Protection Regulation, among others, to check the information in the register and request the correction of false information concerning themselves. The right of access or consultation shall be exercised without undue delay on the basis of resources, but in any case no later than the time limit set by the Data Protection Regulation. The identity of the data subject is verified before the information is provided. Upon request, the information shall be provided in writing.

The controller must correct or complete incorrect data, either independently or upon the request of the data subject. The controller must delete unnecessary or expired data, either independently or upon the request of the data subject, unless legislation or agreements justify or require the retention of the data by the controller.

The data subject has the right to request the restriction of the processing or to object to the processing within the limits and in accordance with the applicable data protection law.

Data subjects have the right to transfer data from one system to another, in other words, to receive their personal data in a structured and commonly-used format, and to transfer it to another controller within the limits and in accordance with the applicable data protection legislation.

You may send the aforementioned requests and questions regarding this Privacy Statement and the processing of CSC’s personal data to asiakaspalvelu@csc.fi.

You also have the right to appeal to the Data Protection Officer. Contact details of the Data Protection Officer can be found on the Data Protection Officer’s website at tietosuoja.fi.

9. Who should you contact?

All contacts and requests concerning this statement must be made in writing or in person to the contact person specified in section 2.

10. Changes to the privacy policy

Any changes made to this document will be presented with dates. If the changes are significant, we may inform you about them by email or by issuing a notification on our website.

Updated 11.1.2023

1. Registrar

CSC – Finnish IT Сentre for Science Ltd
P.O. Box 405 (Keilaranta 14)
FI-02101 Espoo
tel. 09 457 2821 (operator)
servicedesk@csc.fi
www.csc.fi

(hereinafter referred to as “we” or “CSC”)

2. Contact person for register-related matters

CSC Service Desk
tel. 09 457 2821 (operator)
servicedesk@csc.fi

Data Protection Officer
privacy@csc.fi

3. Name of register

CSC customer and stakeholder register

4. What are the purposes and lawful bases for processing personal data?

Personal data processing is based on our legitimate interests, or on the performance of a contract.

We process your personal data to:

• produce and develop our products and services
• fulfil our contractual commitments and obligations
• manage our customer relationships
• administrate the contact details of stakeholder networks
• organise events
• analyse the customer’s or other registered “user’s” use of services
• create statistics and reports to meet the needs of the owners, customers and funders
• carry out direct marketing, opinion polls, and market surveys
• target content in the online services of both our company and other organisations

5. What data do we process regarding you?

The register consists of following data:

• data subject’s basic details, such as name*, customer number, username and/or other unique identifier, password, gender and language of communication
• data subject’s contact details, such as email address*, telephone number* and physical address*
• professional and research-related information of users of Services for Research, such as home organisation*, department or institution, job title, scientific field*, nationality* and level of education*
• information regarding use of Services for Research, such as data subject’s project memberships, resource applications and use of resources
• any direct marketing blocks or approvals
• participant data for events and any event-related data, such as dietary restrictions
• contact person data related to customer relationships, organisations and contracts, such as business IDs and the names and contact details of contact persons, information on previous and current contracts and orders, and other data from customer interactions
• service use data generated by technical systems, such as logs, online identifiers and
• any other data collected with specific agreement from the data subject.

The personal data marked with an asterisk is required for establishing a contract or customer relationship with us. We collect only such necessary data that is needed for service provisioning, and for improving service quality and user experience.

6. Where do we get your data from?

Your data is acquired from:

• you
• your organization
• your service use

We may collect and update your personal data from publicly available sources only for the purposes described in this privacy policy.

7. Where do we transfer your data?

We may transfer service use -related data to the Ministry of Education and Culture, to the research organizations and to education institutions or to other home organizations, and to funders for:

• statistical and reporting purposes
• fulfilling our contractual commitments and obligations

We may transfer your personal data outside of the EU/EEA only based on your consent you provide when starting to use services provided by third-parties, for example to comply with software license agreements.

We ensure that our partners have committed to comply with privacy laws and regulations.

8. How long do we store your data?

Storage times of personal data vary, depending on the purpose of their collection.

We regularly assess the need for storing data, taking into account the applicable legislation. We also take reasonable measures to ensure that the personal data is not contradictory to the data processing purposes, out of date or inaccurate. Where such data is identified, it is either corrected or destroyed without delay.

9. What are your rights as a data subject?

You have a right to object the processing of your data, to review your data, and to demand rectification or erasure of inaccurate or false information.

You can prohibit the use of your data for direct marketing.

On request, we will present a document assessing our legitimate interests to process your personal data. You can also request us to stop processing your data while you review the document.

You have the right to complain to the Data Protection Ombudsman.

10. Who should you contact?

All enquiries and requests regarding this privacy policy should be made in writing or in person to the contact person specified in section two (2).

11. Changes to privacy policy

Material changes to this document will be displayed with dates. If the changes are significant, we may inform you of them by email or by publishing a notification on our website.

Updated 19 December 2019

1. Registrar

CSC – IT Center for Science Ltd
P.O. Box 405 (Keilaranta 14)
02101 Espoo, Finland
Tel. +358 (0)9 457 2821 (operator)
servicedesk@csc.fi
Business ID: 0920632-0
www.csc.fi

(hereinafter referred to as “we” or “CSC”)

2. Contact person for register-related matters

Event organizers: event-support@csc.fi

Data Protection Officer: privacy@csc.fi

3. What are the purposes and legal grounds for processing personal data?

With your consent, we process your personal data:

• to organize and develop events
• for compiling statistics and reporting
• for electronic direct marketing and conducting opinion polls and market surveys

4. What data do we process?

We will request the following information from you:

• first and last name
• email and phone number
• home organization
• consent to direct marketing
• participant information, such as dietary restrictions
• preliminary information on qualifications/skill levels that may be required by the trainer for training courses

5. Where do we get your data from?

We only use the information you provide.

6. To whom do we disclose your data?

Your data may be disclosed to partners involved in organizing the event, such as external trainers. We may disclose information regarding dietary restrictions to catering service providers.

We ensure that our partners are obligated to comply with privacy laws and regulations.

7. How do we protect your data and for how long do we keep it?

Only CSC employees who have the right to process personal data for their work are entitled to use systems containing personal data. Each user has their own user name and password for the systems. The data is collected in databases. Databases and their backups are protected by appropriate technical means.

We store personal data for as long as is necessary in relation to the purpose of the personal data.

We regularly assess the need for data storage, taking into account any applicable legislation. We take reasonable measures to ensure that the personal data is not contradictory to the data processing purposes, out of date or inaccurate. If we should discover such data, it will be either corrected or destroyed without delay.

Sensitive information, such as dietary restrictions, will be deleted from the system within one month of the end of the event.

8. What are your rights as a data subject?

You have the right to review your data, and demand rectification or erasure of inaccurate or false information.

You may prohibit the use of your data for direct marketing.

You may withdraw any consent that you have given.

You have the right to lodge an appeal with the Data Protection Ombudsman.

9. Who should you contact?

All contacts and requests concerning this statement must be made in writing or in person to the contact person specified in section 2.

10. Changes to the privacy policy

Any changes made to this document will be presented with dates. If the changes are significant, we may inform you about them by email or by issuing a notification on our website.

Valid from: 01 March 2022

This privacy notice describes the purpose for which your personal data is used and the rights you have as a
data subject on the CSC online learning platform eLena.

Data controller

CSC – IT Center for Science Ltd (0920632-0)
P.O. Box 405 (Keilaranta 14)
02101 Espoo
+358 9 457 2001 (switchboard)

Contact information for matters related to the register

CSC customer service
CSC – IT Center for Science Ltd
P.O. Box 405 (Keilaranta 14)
02101 Espoo
Tel. +358 9 457 2821 (switchboard)
asiakaspalvelu@csc.fi

Data protection officer contact details

CSC Data Protection Officer
CSC – IT Center for Science Ltd
P.O. Box 405 (Keilaranta 14)
02101 Espoo
tel. +358 9 457 2821 (switchboard)
privacy@csc.fi

What are the purposes for which your personal data is used and what is the legal basis for the processing?

The eLena online learning platform provides learning content organised and provided on request by CSC. Personal data is used to:

• Identify course participants, teachers and administrators
• Guide learning and assess performance
• Communicate about learning content
• Log into integrated services
• Solve problems
• Ensure the safety of services
• Investigate any misuse
• Invoice commissioned learning content
• Collect feedback for the development of learning content
• Compile statistics: number of participants and completed learning contents

CSC’s right to process your data as a controller is based on an agreement (data protection regulation 6.1 b) when you participate in the training as a member of CSC’s staff or when a customer relationship is established between you and CSC when you register for the training. The processing of your data is based on consent (GDPR 6.1 a) when you enter data into the training system for purposes other than completing the training. The legitimate interest of the controller (data protection regulation 6.1 f) is the basis for processing when CSC protects its online learning environment and the data processed in it or uses the said data. A legitimate interest also consists of a service or customer relationship between the controller and the data subject when we process personal data to manage a service or customer relationship, for invoicing
or for statistical purposes. We have assessed that we can use the legitimate interest as a basis for processing in the above-mentioned situations.

Which personal data concerning you is collected, and from where?

When you log into the service, the following information is retrieved from your home organisation and stored in the service:

• name
• username
• email address
• your home organization

We may obtain your personal information from you or your home organization when it enrols you onto training content or defines you as the training contact person. The online learning environment stores information about actions taken by users, such as messages you send. Discussions, surveys, assignments,
and performance assessments within the course are saved as part of the data to be saved. The user’s IP address and login time are stored in the service’s technical log. The log is used to diagnose technical problems and misconduct. The information may be used to establish, present or defend a legal claim.

In our e-learning platform, we use session cookies that are necessary to operate a site that requires login. Session cookies are removed from your device when you log out of the service or close your browser. Blocking them in your browser settings may interfere with your use of the service. We also use a functional cookie that facilitates use in some situations. Blocking it in your browser settings does not prevent you from using the service. The cookies we use are:

Who has access to your personal data?

By logging in to the service, you can view the information concerning you that saved in the online learning environment. The course teacher has access to the information of the course participants. The name of the course teacher appears in the course information and may appear to enrolled users. Participants in the same course will see each other’s name in the list of participants and information stored in the course
workspace, if necessary for the implementation of the training. The training contact persons designated by your home organisation will have access to your information. Our partner maintaining the system has access to all information, if necessary. Our contractual partner’s learning environment supplier Mediamaisteri Oy and Ficolo Oy, which produces a storage service for the system, process the data on behalf of and for CSC. Course completion information can be handed over to the organization that ordered the learning content. For CSC’s personnel training, the performance data is transferred to CSC’s HRM system, in which data can be accessed by the user’s supervisor and other persons authorised by the controller to access the data, in addition to the user themselves.

Is your personal data transferred outside the EU/EEA?

Personal data shall not be transferred outside the European Union or the European Economic Area.

How long will your personal data be stored and archived?

The participant’s access to the course will end within (1) month of the end of the course. Data for course participants will be deleted from the course data six (6) months after the opportunity to complete the course has expired. CSC will erase all information on the participants and performance of commissioned learning content within one (1) month of the submission of the information to those who ordered the course. Participants will not be notified of the deletion of data and the data cannot be restored after deletion. CSC does not archive the performance data of commissioned courses or the performance data of courses open to everyone.

CSC transfers the performance data of CSC’s personnel training courses to its HRM system for storage, in which they are stored for the period specified in the personnel’s privacy statement. Data is not archived.

If no end date is specified for the course, its data will be deleted from the e-learning platform two (2) years after the start date of the training (example: Training starting in September 2022 will be removed at the beginning of October 2024), unless otherwise agreed with the client or owner of the learning content. Courses for CSC staff will be removed one (1) year after the last use, i.e. from the last time a user who has
enrolled onto the course or a course teacher has logged into the course. Before deleting a course, its teacher or owner is notified by email of the plan to delete the course and given the opportunity to ‘optout’, i.e. to keep the course available or transfer the course material to a new course. If the course teacher or owner does not respond to the request within one (1) month, the course will be deleted.

Any users who do not use the system for 180 days are considered inactive and their account information is
erased. The user must log in at least once every 180 days (6 months) if they want their account and information to remain in the learning environment. The data deletion process is automated. The user will not be notified and the data cannot be recovered after the deletion.

Technical log data of the service is stored for 365 days.

Your personal data will be stored for longer than described above if it is necessary to prepare, present or defend a legal claim.

What kinds of rights do you have as a data subject?

You have the right to receive information on the processing of your personal data (Articles 12-14 of the
GDPR).

You have the right to know whether we process your personal data and have access to the data collected about you (Article 15 of the GDPR). If you are registered with the service, you will see the information about you on the service when you are logged in. At your request, a copy of your information may be provided to you.

You have the right to ask us to rectify any inaccurate information about you and to delete any unnecessary information about you (Article 16 of the GDPR).

You may have the right to have your personal data completely deleted (right to be forgotten, Article 17 of the GDPR). However, there is no such right if the learning content is for CSC personnel or if it is a training commissioned by CSC, and the data is needed to fulfil CSC’s obligations and rights.

You have the right to restrict the processing of your personal data (Article 18 of the GDPR) in the following situations:

• You have reported an error in your information and CSC is inspecting the matter
• In your opinion, your data is processed in an unlawful manner, but you do not want it to be deleted
• CSC no longer needs your information, but you need it to prepare, present or defend a legal claim
• You have opposed the processing of personal data on the basis of the legitimate interest described above and you expect the justification for the processing from CSC to be verified.

You have the right to receive personal data regarding yourself in a structured, commonly used and machine-readable format and, if you wish, to transfer it to another controller in another system (Article 20 of the GDPR).

If you are a registered user of the service, you can submit a request concerning your rights through the functions provided. As a registered user, you can view your personal information and make copies of it yourself. You can also submit a request for your rights to CSC by email or by post. You can find the contact information at the beginning of the privacy notice.

You have the right to lodge a complaint with the data protection supervisory authority of your permanent residence or place of work or the location where the suspected data breach took place, if you consider that the processing of personal data concerning you is in breach of the EU General Data Protection Regulation (EU) 2016/679. In Finland, the Data protection Ombudsman acts as the supervisory authority.

Updated 5 January 2024

1. Registrar

CSC – IT Center for Science Ltd
P.O. Box 405 (Keilaranta 14)
02101 Espoo, Finland
Tel. +358 (0)9 457 2821 (operator)
servicedesk@csc.fi
Business ID: 0920632-0
www.csc.fi

(hereinafter referred to as “we” or “CSC”)

2. Contact person for register-related matters

globalcollab@postit.csc.fi

Data Protection Officer: ​​​​​​​privacy@csc.fi

3. Name of register

Expressions of interest for research collaboration register

4. What are the purposes and lawful bases for processing personal data?

Data processing is based on our legitimate interests, or on the performance of a contract.

We process your data to:

• fulfil our contractual commitments and obligations
• manage our customer relationships
• process expressions of interest for research collaborations
• process and evaluate application for research collaborations
• manage and report on international and global research collaboration activities
• administrate the contact details of stakeholder networks
• organise events
• produce and develop our products and services
• analyse the customer’s or other data subject’s use of services
• create statistics and reports to meet the needs of the owners, customers and funders
• carry out direct marketing, opinion polls, and market surveys
• target content at stakeholders on the company’s electronic channels.

5. What data do we process?

The register consists of following data:

• data subject’s basic details such as name*, unique identifier
• data subject’s contact details such as email address*, telephone number* and physical address*
• professional and research-related information about collaborators, applicants and users of CSC’s services such as home organisation*, department or institution, job title, scientific field*, nationality* and the data subject’s role as a member of his/her organisation*, collaborators and scientific networks
• information about the data subject as a CSC customer, collaborator, applicant or other stakeholder such as the represented stakeholder, collaborator, applicant, stakeholder history, research projects and information related to billing and collection
• any direct marketing blocks or approvals
• participant data for events and customer trainings and any event-related data such as dietary restrictions
• contact person data related to customer relationships, organisations and contracts, such as business IDs and the names and contact details of contact persons; information on previous and current contracts and orders; and other data on customer interactions
• service use data generated by technical systems such as log data, online identifier data, source address of network traffic, website use, session duration, IP address and customer information derived from these data, detailed analyses of the data.

The personal data marked with an asterisk is required for establishing a contract or customer relationship with us. We may collect only some of the data, depending on what is necessary for service provision, and for improving service quality and user experience.

6. Where do we get your data from?

Your data is acquired primarily from:

• you
• your organisation
• service use
• forms compiled by the data subject or designated representative e.g. project coordinator, PI

We may collect and update your personal data from publicly available sources only for the purposes described in this privacy policy.

7. Where do we transfer your data?​​​​​​​

We may transfer your data outside of the EU/EEA only in connection with services provided by third-parties, for example to comply with software license agreements.

We ensure that our partners have committed to comply with privacy laws and regulations.

Explicit consent will be requested for any other type of transfer.

8. How do we protect the data and for how long do we hold it for?

Systems containing personal data can be accessed only by designated employees with their own access credentials. The data is collected into databases that are protected by firewalls, passwords and other technical measures. The databases and backups of these databases are located in locked facilities

Storage times of personal data vary, depending on the purpose of their collection.Data associated to submitted expressions of interest will be stored for the duration of the evaluation, contractualisation where applicable, and other legal or funding obligations including reporting, a standard +1 year after the end of project is considered as a baseline.

We regularly assess the need for storing data, taking into account the applicable legislation. We also take reasonable measures to ensure that the personal data is not contradictory to the data processing purposes, out of date or inaccurate. Where such data is identified, it is either corrected or destroyed without delay.

9. What are your rights as a data subject?

You have the right to review your data, and demand rectification or erasure of inaccurate or false information.

You can withdraw any consent you’ve given, and prohibit the use of your data for direct marketing.

We will present a document assessing our legitimate interests to process your data on request. You can also request us to stop processing your data while you review the document.

You have the right to complain to the Data Protection Ombudsman.

10. Who should you contact?

All enquiries and requests regarding this privacy policy should be made in writing or in person to the contact person specified in section two (2).

11. Changes to the privacy policy

Material changes to this document will be displayed with dates. If the changes are significant, we may inform you about them by email or by publishing a notification on our website.

Valid from 1.4.2023

1. Controller

CSC – Finnish IT Сentre for Science Ltd
P.O. Box 405 (Keilaranta 14)
FI-02101 Espoo
tel. 09 457 2821 (operator)
servicedesk@csc.fi
www.csc.fi

(hereinafter referred to as “we” or “CSC”)

2. Contact person for register-related matters

CSC Service Desk
tel. 09 457 2821 (operator)
servicedesk@csc.fi

The processing is carried out by: Director, Sustainablity and Risk management

Data Protection Officer: privacy@csc.fi

3. Purposes and lawful bases for processing personal data

The Whistleblower system allows you and all CSC employees to report suspected abuses to CSC. The reports may concern a possible violation of the legislative areas referred to in the Whistleblower Act. Such legislative areas include the protection of personal data and competition laws.

In addition, the reports may concern activities that violate CSC’s Code of Conduct.

You can submit the report anonymously without any personal data. Anonymous reporting may interfere with our ability to investigate the reported matter thoroughly or to respond to your requests.

After receiving the report, we process personal data for the purpose of investigating the reported matter, responding to the person submitting the report and deciding on the follow-up measures that we consider justified on the basis of the report. Only information submitted and reported for Whistleblower purposes and relevant to the reported matter will be retained after the reception inspection of the report. We will send the person who submitted report an acknowledgement of receipt within seven days and a description of the follow-up measures taken within three months of receipt of the report. All reports are processed in strict confidentiality.

The purpose of the data processing is to promote the legal compliance of CSC’s operations by providing it with the opportunity to intervene in any detected shortcomings. We can use this information to investigate the matter, identify and correct deviations and develop processes that ensure compliance. In addition, we can use this information to establish, present or defend a legal claim or to protect our personnel from false accusations.

The processing of personal data is based on CSC’s statutory obligation (GDPR 6(1)(c)) to the extent that the reports concern violations of the laws referred to in the Whistleblower Act.

The processing is based on our legitimate interest (GDPR 6 (1)(f)) when the report concerns only breaches of our Code of Conduct. Such report may specifically concern violations of laws other than those referred to in the Whistleblower Act. Our legitimate interest is to be informed of such violations so that we can ensure that our operations comply with the law, industry standards and our own guidelines. The investigation of the issues specified in the report and the measures taken following the investigations will help us to combat financial losses and reputational risks. Our legitimate interests override the interests of the data subject, given that violations of the Code of Conduct are typically the most serious issues, such as discrimination, and that we have ensured the confidentiality of the processing.

It may also be necessary to process data belonging to special categories of personal data on a case-by-case basis in reports if this is necessary to investigate the matter. In this case, the legal basis for processing is Article 9 (2)(g) of the GDPR together with the Whistleblower Act.

4. What data do we process?

The Whistleblower process can involve the processing of the personal data of several different data subjects:

• the person submitting the report
• the object of the report
• a person or other third party mentioned in the report who has further information on the matter
• persons processing CSC’s and its subcontractor’s reports.

If you use the Whistleblower system, you will be asked to provide the following information when submitting the report. However, only entries marked with (*) are mandatory:

• Do you wish to report anonymously*
• Language*
• Your name and contact information
• Free-form description of suspected misconduct (submitting attachments is also possible)
• Password you must set to log in to your report again

During the investigation, we may collect additional written or oral information from the person who submitted the report, the object of the report and other persons suspected of having information on the matter. The processing of the report ends with an evaluation and a decision on further measures. Drawing up further measures and the introduction of such measures may also require the processing of personal data.

In addition, logs of CSC’s and its subcontractor’s personnel processing reports are collected for access control in order to ensure the confidentiality and integrity of the information.

About the use of cookies and other technologies:

The Whistleblower system will remember your language selection using a session cookie. The cookie will be deleted as soon as you close the browser.

The cookie is necessary for the provision of the service – we will not separately ask you to consent to using the cookie.

• Cookie name: Cookie for language setting
• Provider: EQS
• Validity: Session
• Purpose: Preserving language selection

5. Where do we get your data?

During the Whistleblower processing process, we may receive your data from you, the person submitting the report, and the persons involved in the investigation of the report. In addition, data may be generated in connection with the use of the whistleblowing channel (such as the processing times indicated in the log data). Other CSC’s internal or public sources of information may be used to investigate the matter within the limits permitted by law.

6. Recipients and recipient groups of personal data

Your personal data is processed by:

• Persons appointed to process reports at CSC and its subcontractor.
• Supplier of the electronic system used for processing reports. However, the supplier’s personnel do not have the right to view or edit personal data.
• Data may be disclosed to competent authorities, prosecutors or pre-trial investigation authorities in special situations referred to in the Whistleblower Act. The subject of the processing will be notified of such identity disclosure, unless this information endangers the investigation of the matter in an internal investigation, official investigation, pre-trial investigation or trial.

Personal data are not transferred outside the EU/EEA.

7. How do we protect your data?

Your data may only be processed by CSC’s and its subcontractors’ designated personnel. The Whistleblower channel is maintained by a separate operator and meets the requirements to protect personal data and the identity of the whistleblower in accordance with Directive (EU) 2019/1937.

8. How long do we retain your data?

As a rule, all data related to the report are kept for five (5) years from the date of receipt of the report. Data may be stored in individual cases for a longer period if the data is needed for an existing or future judicial procedure or for an official investigation. In addition, necessary data on further measures, such as disciplinary measures, may be retained longer for human resources management purposes.

However, any data unnecessary from the perspective of the report will be deleted without delay after it has become clear that the data are not needed for the purposes of the processing.

9. What are your rights as a data subject?

You have the following rights in relation to the processing of your personal data:

Access to your data: You have the right to be informed of whether we process personal data concerning you and have access to your personal data if this is not considered to endanger the investigation of the matter or the disclosure of the whistleblower’s identity. If we are unable to fulfil your request, we will justify the reasons for this decision, and you have the right to request the disclosure of your data to the Data Protection Ombudsman (see the contact details of the Data Protection Officer below).

Right to rectification: You have the right to demand that incorrect or incomplete information be rectified or supplemented. However, for investigative reasons, a request for rectification cannot usually be carried out in such a way that the previous data are deleted. Instead, you typically have the opportunity to provide additional data during the investigation. If you are the whistleblower, you can provide additional data in your report with your case number and password while the relevant processing is in progress.

Other rights:

To the extent that the report concerns only activities that violate our internal guidelines, you have the right to object to the processing of your data for reasons arising from your special situation. After you object to the processing, we will delete your personal data unless we are able to provide compelling legitimate grounds for processing that override your interests, rights and freedoms. You also have the right to ask us to restrict the processing of your data while we evaluate your objection request. However, we want to emphasise that these rights do not exist to the extent that the processing is based on the obligations laid down in the Whistleblower Act.

As the processing is not based on consent, you do not have the right to transfer your data to another controller.

We will always do our best to process and resolve any requests or complaints you make regarding the processing of your data. In addition, you always have the right to contact the competent data protection authority regarding your request or to lodge a complaint:

• in your permanent place of residence in the EU/EEA
• at your place of work in the EU/EEA, or
• at the location of the suspected data breach in the EU/EEA.

The competent data protection authority for CSC − IT Center for Science Ltd. is:

Office of the Data Protection Ombudsman
Postal address: P.O. Box 800
FI-00531 Helsinki
https://tietosuoja.fi/en/contact-information

10. Who should you contact?

All enquiries and requests regarding this privacy policy should be made in writing or in person to the contact person specified in section two (2).

You can send us your request concerning your data subject’s rights by e-mail to servicedesk@csc.fi.

11. Changes to this notice

This privacy policy is valid from the date shown at the top. We may update this privacy policy. If there are significant changes to the privacy policy or the processing of your data, we will try to notify you.

You have the right to check what personal data concerning you CSC processes as a controller. To get access to your data, send us an email to servicedesk@csc.fi.
If CSC handles your personal data in the role of a processor, you should contact the data controller, which may be your higher education institution, research institute, or some other organization that uses CSC’s services.

In your request, we kindly ask you to tell us:

• which data you wish to check (for example, you can describe the role in which you have been in contact with CSC and in which we have processed your personal data)
• if you wish to check all of your data, or data concerning a certain period of time
• the format in which you would like to have access to the data
• your name
• your contact details (for example, your email address or phone number)

We will respond to your request within one month. If you send us several requests or your requests are complex, we may let you know that we need more time to process them. In this case, the deadline is three months after receiving your original request. If we do not respond within this deadline, you may contact the Data Protection Ombudsman and report a violation of your data protection rights.

If we refuse to give you access to your data, we must inform you of the reasons for doing so. Any refusal must always have a reason laid down in the legislation. If you find that our grounds for refusing your request are not valid, you may contact the Data Protection Ombudsman at tietosuoja(at)om.fi.

In addition to checking your personal data, you also have other rights concerning them. For more information about these rights, read our privacy statements.

If you detect a personal data breach concerning CSC or its services, report it by email to servicedesk(at)csc.fi. In your report, please describe as accurately as possible the type of breach that has occurred, when it started and when you noticed it. We recommend that you use secure email.

• The EU General Data Protection Regulation (GDPR) regulates the processing of personal data within the EU and the disclosure of data outside the EU.
• The national Data Protection Act (in Finnish) adds detail to the EU General Data Protection Regulation and clarifies its national implementation in Finland.
• The Act on the Protection of Privacy in Working Life (in Finnish) safeguards employees regarding the processing of personal data related to working life.
• The Act on Electronic Communication Services (in Finnish) ensures the accessibility, development and reliability of communications networks and services.
• The Act on the Provision of Digital Services (in Finnish) contains provisions on the availability, quality, information security and accessibility of digital services.