PRIVACY NOTICE Secport
This Privacy Notice applies to the SecPort cybersecurity portal (Service). Aalto University (Aalto) acts as the controller for personal data that users of the Service provide.
Protecting your privacy and your personal data is of the utmost importance to us. Aalto is committed to complying with the requirements that data protection regulation places upon Aalto in the processing of your personal data. The means and purposes of processing your personal data are described in further detail in this Privacy Notice.
This Privacy Notice might be subject to change. You will always find the up-to-date version of this Privacy Notice on this Service.
1. Why does Aalto process personal data?
Aalto collects and processes certain personal information about you in order to:
- enable you to use the Service, e.g. saving your progress;
- maintain and develop the Service by, for example, for the purpose of diagnosing problems;
- communication;
- providing user specific content recommendations;
- use data for research purposes.
In addition, Aalto will also process personal data for the purposes of data security and to prevent and resolve possible misconduct.
2. What personal data does Aalto process?
Aalto will only process personal data that is necessary for the processing purposes defined in this Privacy Notice. The personal information Aalto collects can be grouped into the following categories:
- Identifiers and contact information: name and e-mail address
- Online identifiers (web data): IP address, cookies, operating system, web browser, page usage, details of the device used in browsing
- Location data
- Biographical Information (all supplied by the person): date of birth, gender, language, nationality, interests (in the context of available material in the portal), background (such as student, employed, retired), preferred learning style, cyber security knowledge level
3. Children’s personal data
This Service requires you to be at least 16-years old or to have consent of guardian for the use of Service.
4. Sources of information
Personal data is collected from the users during their use of Service.
5. Lawful Basis for Processing
User enters into a contract by using the Service. Lawful basis for processing of personal data is performance of a contract when Aalto enables you to use the Service and when Aalto maintains the Service.
Lawful basis for research use is public interest. For research use lawful basis is processing of personal data required for the performance of a task carried out in the public interest, namely scientific research and academic expression.
Lawful basis for following uses is legitimate interest: Aalto has legitimate interest to develop the Service and to process personal data for communications. Legitimate interest is also lawfull basis for the processing of your personal data for the purposes of data security and to prevent and resolve possible misconduct.
6. Sharing of personal data
Aalto shares personal data only to the extent necessary for the purposes personal data is processed:
- Service providers
- Aalto uses service providers, such as Netum Oy to maintain and provide the Service that enables the application to work and for processing purposes as specified in this Privacy Notice.
- Scientific research use
- Aalto may share your personal data for the purposes of scientific research. Statistical information derived from personal data might be published in research results. In these cases, all personal data is processed in accordance with the General Data Protection Regulation and national data protection legislation on scientific research use.
- Statutory reasons
- Aalto may provide your personal data to third parties if access to personal data or other processing of personal data is required to i) fulfill statutory responsibilities or a court order; ii) detecting, preventing or handling misuses, security risks or technical issues.
7. International transfers of personal data
We strive to carry out all services related to our Service using operators and services located within the EU or the EEA. However, in some cases, services related to the use of our Service may also be carried out by operators and on servers located in third countries. In such cases, your personal data may also be transferred outside the EU or EEA in accordance with applicable legislation. In regards to transfers of personal data to countries where local data protection legislation does not provide an adequate level of data protection, transfers are protected utilizing appropriate safeguards, such as standard contractual clauses approved by the European Commission or a competent supervisory authority, or binding corporate rules. To learn more about the appropriate safeguards we use, please contact us by using the contact information provided below.
8. Retention period
Personal data will be retained for the period of validity of the legal basis for processing and for as long as necessary for the processing purposes mentioned in this Privacy Notice.
For example, the information of users is retained for as long as Aalto´s legitimate interests can reasonably be deemed valid. We determine the validity of our legitimate interest by, for example, your use of Service as well as the communication between us.
9. Your rights
The General Data Protection Regulation grants the data subject a number of rights with which the data subject can govern the processing of their personal data. The data subject may use the following rights in relation to Aalto insofar as Aalto acts as the controller for the data subject’s personal data:
Right of access and right to rectification
You have the right to receive confirmation on whether we process personal data relating to you and the right to access any such personal data. Aalto may ask you to specify your request where necessary, for example with regard to activities to which the request relates.
In addition, you have the right to request the rectification of incorrect personal data relating to you, or to supplement incomplete personal data that Aalto is processing.
Right to data erasure
You have the right to request erasure of your personal data from our data systems. Aalto will comply with your request, provided we do not have a legitimate reason not to delete the data, such as a statutory obligation to continue processing the personal data. Personal data may not be deleted instantly from backup copies and other such data systems, but will be deleted through regular database retention practices.
Right to object
You also have the right to object to the processing of your personal data if your personal data is processed for other purposes than the fulfilment of legal responsibilities or the provision of services. Objecting to the processing of your personal data may lead to limitation of the usage of Aalto Service. You have the right to prohibit direct marketing by following the instructions contained in all of our marketing messages.
Right to restriction of processing
If you contest the correctness of the data which we have registered about you or lawfulness of processing, or if you have objected to the processing of the data in accordance with your right to object, you may request us to restrict the processing of these data to only storage. The processing will only be restricted to storage, until the correctness of the data can be established, or it can be checked whether our legitimate interests override your interests.
If you are not entitled to erasure of the data which we have registered about you, you may instead request that we restrict the processing of these data to only storage. If the processing of the data which we have registered about you is solely necessary to assert a legal claim, you may also demand that other processing of these data be restricted to storage. We may process your data for other purposes if this is necessary to assert a legal claim or if you have granted your consent to this.
Right to data portability
You have the right to receive your personal data from us in a structured, commonly used format so that you may transfer your personal data to another controller, provided that the processing of your personal data is based on consent or a contract between you and Aalto.
10. Who is the controller and who can I contact?
You can use your rights by contacting Aalto’s data protection officer at tietosuojavastaava@aalto.fi. The extent of your rights is subject to the legal basis for processing and exercising your rights requires identification.
The controller:
Aalto korkeakoulusäätiö sr, which functions as Aalto University
Mailing address: PL 11000, 00076 AALTO
Phone number: (09) 47001
Visiting address: Otakaari 24, 02150 Espoo
Data protection officer: Sirpa Syrjälä
Contact information: tietosuojavastaava@aalto.fi
Right to lodge a complaint
If the processing of your personal data is in breach of applicable legislation, you have the right to lodge a complaint with the national supervisory authority. You can lodge the complaint with a competent supervisory authority. In Finland, this is the Data Protection Ombudsman, and the complaint must be lodged in accordance with instructions provided by the Office of the Data Protection Ombudsman. Please see http://www.tietosuoja.fi for more information.