Data Protection Description
This description is in accordance with EU General Data Protection Regulation (2016/679, “GDPR”) and other applicable legislation. Data Protection Description version 1.0, date 23.8.2018.
This Data Protection Description may be subject to changes from time to time due to i.a. changes in Service, legislation, guidance and/or legal interpretations.
1. Description of processing
Registered users of “Mobiilimittari.fi” service (“Service”)
Note: Besides processing of registration information as described in this Data Protection Description, the Service also requires processing of user’s location data availablefrom a communications network or terminal device. VTT transfers this data to Finnish Communications Regulatory Authority (Finnish Communications Regulatory Authority, P.O. Box 313, FI-00181 Helsinki, Finland) who is the data controller with respect to said data. Further information: www.viestintavirasto.fi
2. Controller, data protection officer and contact person
Name: VTT Technical Research Centre of Finland Ltd. (”VTT”), Business ID: 2647375-4
Address: Vuorimiehentie 3, 02150 Espoo, Finland
Data protection officer (DPO):
Name: Seppo Viinikainen
Address: VTT Technical Research Centre of Finland Ltd., Koivurannantie 1, 40400 Jyväskylä, Finland
E-mail:dataprotection [-at-] vtt.fi(DPO, data security manager and legal counsel) or seppo.viinikainen [-at-] vtt.fi(DPO)
Contact person concerning the Service:
Name: Petri Jurmu
Address: Teknologian tutkimuskeskus VTT Oy, Kaitoväylä 1, 90570 Oulu, Finland
E-mail: petri.jurmu [-at-] vtt.fi
3. Categories of the personal data
The data subject categories: Service user. The categories of the personal data: username, email and password. Also changes to the aforementioned data and logging information may be processed.
4. Purposes of the processing
The personal data is processed for purposes of Service’s contract management, monitoring the use and operation of the Service and production of the Service.
5. The legal basis for the processing
The processing is based on the performance of a contract concerning the Service and in order to take steps at the request of the data subject prior to entering into a contract. The processing is based also on the basis of legitimate interest of the Controller. The applicable legitimate interest is the right to monitor and supervise the use of Service for the purpose of development and maintenance of Service and the data controller’s business.
If the data subject does not provide personal data, the data controller cannot commit to producing all parts of the Service to the data subject. However, the Service may be used at least partially without registration and processing of the above mentioned personal data.
6. Regular sources of information
The personal data is collected from the data subject in connection with the registration and use of the Service.
7. Recipients or categories of recipients of the personal data
The personal data collected in registration is not regularly disclosed to third parties. VTT may provide access to the personal data to third parties only if this is justified i.a. for securing technical operation and development of the Service and/or required by legislation, i.a. to authorities. This is done under appropriate arrangements in accordance with requirements of GDPR and applicable legislation.
8. Transfer of data outside the European Union or the European Economic Area
The personal data is not transferred outside European Union or EEA.
9. The existence of automated decision-making, including profiling
The personal data is not used for decision-making based solely on automated processing (including profiling), which produces legal effects concerning the data subject or similarly significantly affects him or her.
10.The period for which the personal data is stored or the criteria used to determine that period
The personal data is mainly stored as long as the data subject’s user account and/or contract concerning Service is valid. After this the personal data is either erased or anonymised unless other legal basis for processing of such personal data remains.
11.Principles of protection of the register
The personal data is protected by technical and organizational measures from unauthorized processing and access by third parties. The personal data is located at VTT’s server and protected from unauthorized access by facility arrangements, access control and technical measures (such as, limited user rights, passwords and firewalls). Only persons who need access to the personal data for the purpose carrying out tasks related to Service have access to the personal data, under confidentiality obligations.
12.Rights of the data subject
The data subjects have the following rights, which may be exempted from in accordance with GDPR and applicable legislation.
The data subject can exercise these rights by contacting the Controller’s contact person with contact information set forth in section 2, in writing, preferably by an email. The data subject is advised to use an email address that is known to the Controller, if possible.
Right of access
The data subjects have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her is being processed and access to his or her personal data and information concerning the processing of his or her personal data.
Right to rectification
The data subjects have the right to obtain from the Controller rectification of inaccurate personal data concerning him or her, and the right to have incomplete personal data completed.
Right to erasure
The data subjects have the right to obtain from the Controller the erasure of personal data concerning him or her in accordance with GDPR. This may be the case in the following situations: (i) the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) the personal data have been unlawfully processed; (iii) the personal data have to be erased for compliance with a legal obligation in Union or Finnish law; or (iv) the data subject objects to the processing.
Right to restriction of processing
The data subjects have the right to obtain from the Controller restriction of processing in cases set forth in GDPR.
Right to data portability
Where the processing is (i) carried out by automated means, and (ii) is based on the data subject’s consent or contractual relationship, and the data subjects have the right to receive the personal data concerning him or her, which he or she has provided to the Controller and have the right to transmit those data to another controller.
Right to object
The data subject’s may object to the processing of personal data carried out on the basis of legitimate interest of the controller.
Right to lodge a complaint with a supervisory authority
The data subjects have a right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data breaches the data subject’s rights pursuant to GDPR.