Privacy Statement for the Digital Preservation Services, Fairdata Services and the Digital Preservation Solution
Privacy Statement
Translated 7th June 2024.
Translation from the original Finnish version (last updated 7th June 2024). Should this translation conflict with the Finnish version, the Finnish version will have a higher priority.
1. Name of the Register
User Information and Metadata Register of the Digital Preservation Services ("DPS"), Fairdata Services and the Digital Preservation Solution
2. Data Controller
Ministry of Education and Culture ("Minedu")
P.O. Box 29, FI-00023 Government, Finland
Tel. +358 (0)295 16001 (switchboard)
registry.okm@gov.fi
3. Contact Information for Register-Related Matters
The DPS's, Fairdata Services and the Digital Preservation Solution are produced by CSC – IT Center for Science Ltd. ("CSC") on the behalf of the Ministry of Education and Culture of Finland. CSC acts as the contact person regarding privacy- and register-related matters.
CSC – IT Center for Science Ltd.
P.O. Box 405, FI-02101 Espoo, Finland
Tel. +358 (0)9 457 2001
servicedesk@csc.fi
Street address:
Life Science Center Keilaniemi,
Keilaranta 14, Espoo, Finland
Minedu and CSC have formed a contract regarding producing the services covered in this statement. The DPS and the partner organization sign a service contract that stipulates the use of the service and the digital preservation solution. The DPS's are available to organizations appointed by Minedu. The other services in the Fairdata service catalogue can be used without a DPS service contract.
4. Content in the Register
The DPS's, Fairdata Services and the Digital Preservation Solution support publication, preservation and long-term open access of scientific data, and digital preservation of digital cultural heritage for reasons of public interest and scientific and historical research purposes, as defined in article 89 of the General Data Protection Regulation.
Personal data collected in the services are:
- A. "User Information", of the users of the services
- B. "Metadata", as part of the content sent to the services
A. User Information
The user information consists of data about the partner organizations and their representatives (the users of the services) that is required in order to produce the services, manage incidents, and ensure information security. The data controller has a legitimate interest to process user information to achieve these goals.
The following data is gathered as user information:
- The user's name and possible other data related to identifying a user
- Contact information
- Information about the organization that the user represents
- Login data
- Data related to the usage of the services
B. Metadata of Datasets in Fairdata Services
Processing personal data that exists in the metadata is required in the Fairdata services in order to produce the services for Minedu for reasons of public interest.
The following personal data is stored as metadata to datasets in the Fairdata services:
- Personal names
- Personal data about the creators of the dataset
- Information about the researchers that have been a part of the research that produced the data set
- Information about the home organization of the researcher (at the time of the research)
The datasets, including their metadata, are ingested to the DPS by the partner organization. The datasets are preserved within the Fairdata services according to the service descriptions. These descriptions include service description and the responsibilities of both CSC and the partner organization utilizing the service.
5. Regular Sources of Information
Personal data is collected from partner organizations and their representatives as part of actions defined in the service description.
5.1. Regular Information Sharing
Metadata ingested to the services are made available to the organization that owns the data, and its representatives.
CSC can report usage information of the services in behalf of the data controller to partner organizations in the scope defined by the data controller.
5.2. Transfer of Information Outside the EU or EEA
Information is not transferred outside of EU or EEA, neither by the data controller or the data processor.
5.3. Personal Data Related to Metadata of Datasets
Metadata in the Fairdata services are findable and accessible via a public interface or via open APIs.
5.4. Personal Data Retention
Personal data is retained as long as the service contract is in effect. After the service contract has been terminated, the data is deleted from active use after two years. Personal data can still be stored in some backup locations after this time period. These are regularly overwritten, though.
6. Principles of Data Protection
The information security measures in the DPS's are appropriately scaled to protect the content that is being preserved in the services. In accordance with the service descriptions the partner organizations are responsible for defining requirements for data protection of their contents and informing these requirements to the data controller and CSC. The DPS's implement data protection measures based on these requirements if they fall within the scope of the service.
Access rights to the registry information are granted to persons working with upholding the registry or producing the services. Access is restricted with both network technologies and personal user accounts and passwords. The services are regularly audited with information security in mind.
7. Rights of the Data Subject
The data subject has rights according to the data protection legislation.
The data subject has access to their personal data and rights to obtain information on the processing of their personal data.
The data subject also has rights to rectify and erase their personal data if the data is inaccurate, unwarranted, inadequate or outdated.
The data subject has rights to restrict the processing of their personal data, for example in situations where the data subjects has requested for their data to be rectified or erased.
The data subject has rights to object to the processing of their personal data grounds relating to their particular situation.
Requests by the data subject pertaining to the rights mentioned above are by default free of charge. Users can direct requests directly to the data controller using the contact information in section 2 of this statement. Researchers are encouraged to in the first instance contact the research institution that processes the data if they have requests to rectify metadata. The researcher can direct their requests to the data controller in other matters.
Any rights can be withheld if it is justified by legislation.
The data subject can appeal to the control authority if the data controller has not complied to data protection regulation when operating the services.
8. Changes to the Privacy Statement
Minedu or CSC (if authorized by Minedu) can make changes to this privacy statement if the processing of personal data or the purposes for the processing has changed. Essential changes are communicated on a case by case basis, for example directly to the data subject, if pertinent legislation requires so. An up-to-date version of the privacy statement is always available as part of the public documentation of the DPS's.