Privacy Notice for SENsationalSTEM Project
In compliance with the requirements of the EU General Data Protection Regulation (GDPR, Articles 13 and 14)
Published on the project website (English version only)
1. Controllers of data file
The joint controllers of the data file are
- The Estonian Chamber of Disabled People (EPIKoda), business identification code 80014660, address Toompuiestee 10, 10137 Tallinn, Estonia, www.epikoda.ee, data privacy officer Tauno Asuja, email@example.com
- Latvian Umbrella Body for Disability Organisations SUSTENTO, registration number 40008068529, address Antonijas street 24-20, 1010 Riga, Latvia, www.sustento.lv, data privacy officer Valda Lutina, firstname.lastname@example.org
- HAAGA-HELIA University of Applied Sciences, business identification code 2029188-8, address Ratapihantie 13, 00520 Helsinki, Finland, www.haaga-helia.fi, data privacy officer Teija Aarnio, email@example.com
- The Estonian Agrenska Foundation, business identification code 90007514, address Lunini 6, 50406 Tartu, Estonia, www.agrenska.ee, data privacy officer Tiina Stelmach firstname.lastname@example.org
2. Controllers’ contact persons
- The Estonian Chamber of Disabled People (EPIKoda). Project manager: Meelis Joost, email@example.com
- Latvian Umbrella Body for Disability Organisations SUSTENTO. Daiga Veinberga, firstname.lastname@example.org
- HAAGA-HELIA. Project manager of the partner: Pirjo Saaranen, email@example.com
- The Estonian Agrenska Foundation. Project manager of the partner: Raido Rozental, firstname.lastname@example.org
Requests concerning the exercising of the data subject’s rights should be addressed to any of the controllers’ contact persons.
3. Name of data file
Data file for SENsationalSTEM Project.
4. Purpose and lawfulness of processing of personal data
Personal data are processed for the execution of project activities, data management of data subjects participating in the project and for communication between the participants (GDPR art. 6 (1) b, performance of a contract).
Additionally, personal data can be processed for research purposes and in order to improve the project activities (GDPR art. 6 (1) f, legitimate interest).
In the case of special categories of personal data, the data subject has given explicit consent to the processing of those personal data for one or more specified purposes (GDPR Art. 9 (2)a).
5. Scope of data file and personal data categories processed
5.1 Data subjects
a) Teachers from Finland, Estonia and Latvia
b) Students from Finland, Estonia and Latvia
c) Mentors from Finland, Estonia and Latvia
5.2. Personal data categories
The following personal data shall be processed in the connection with the project (the list is not exhaustive)
- Name, date of birth, telephone number, email address, the educational institution where the teacher is teaching, nationality, field of education, special need for adjustment for travelling and accommodation, special diet, documented materials produced within the scope of the project
- Name, date of birth, telephone number, email address, the educational institution where the student is studying, nationality, special need for adjustment for studying, travelling and accommodation, needs for special education, special diet, documented materials produced within the scope of the project
- Name, date of birth, email address, telephone number, nationality, company name, link to company website, degree, special need for adjustment for travelling and accommodation, special diet, documented materials produced within the scope of the project
6. Regular data sources and personal data generated as part of controller’s operations
Personal data are primarily collected from the data subjects themselves (e.g. by filling in a Webropol form) or from the teachers participating in the project.
Additionally, the controllers collect personal data related to the documented materials produced within the scope of the project.
7. Period of storage of personal data
The personal data in the data file are only stored for as long as and to the extent that each category of data is needed, proportionate to the purpose of processing of the personal data.
All personal data will be deleted or anonymized when the project is ended, unless there are statutory requirements for longer storage periods.
8. Regular disclosures of personal data
Personal data may be disclosed to the financier upon request and in absolute necessity.
9. Transfers and disclosures of data to outside of the EU or ETA
Data from the data file are not habitually transferred to outside the EU or ETA, nor processed outside the EU or ETA, unless this is necessary for the technical implementation of the processing (for example if the technical maintenance of systems is located outside the EU or ETA), or in order to manage international functions related to the purpose of use of the data file.
In transferring personal data, the controller complies with the standard contractual clauses approved by the European Commission in relation to the transfer of personal data to third-party countries, or alternatively implements other appropriate safeguards, or alternatively ensures that the third-party country can guarantee a sufficient level of data protection.
10. Data security principle
Access to databases and systems and use of the data file are only available to such employees of the controllers or of subcontractors working on the controllers’ behalf, whose work duties entitle them to handle the data contained in the data file. Every user of the data file has an individual username and password for the systems.
The database containing personal data are stored on a server which is placed in a locked facility that may only be accessed by specifically appointed persons whose work duties entitle them to do so. The server is protected by an appropriate firewall and technical security systems.
11. Rights of the data subject
The data subject has the following rights in accordance with the EU General Data Protection Regulation:
1) The right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
i) the purposes of the processing;
ii) the categories of personal data concerned;
iii) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
iv) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
v) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
vi) the right to lodge a complaint with a supervisory authority;
vii) where the personal data are not collected from the data subject, any available information as to their source;
viii) and the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. (GDPR Art. 15)
Additionally, the data subject has the following rights:
1. The right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. (GDPR Art. 7)
2. The right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her, as well as the right to have incomplete personal data completed, including by means of providing a supplementary statement. (GDPR Art. 16)
3. The right to obtain from the controller the erasure of personal data concerning him or her without undue delay, where one of the following grounds applies:
i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
ii) the data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing;
iii) the data subject objects to the processing on grounds relating to his or her particular situation, and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for direct marketing purposes;
iv) the personal data have been unlawfully processed;
v) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject. (GDPR Art. 17)
4. The right to obtain from the controller restriction of processing, where one of the following applies:
i) the accuracy of the personal data are contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
iii) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
iv) or the data subject has objected to processing on grounds relating to his or her particular situation, pending the verification whether the legitimate grounds of the controller override those of the data subject. (GDPR Art 18)
5. The right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, as long as the processing is based on consent pursuant to the GDPR, and the processing is carried out by automated means. (GDPR Art. 20)
6. The right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes the GDPR. (GDPR Art. 77)
Requests concerning the exercising of the data subject’s rights should be addressed to the controllers’ contact persons.