8. If you disclose or transfer personal data to be processed outside of Aalto note the following:
If the other party processes personal data only for purposes, which are defined by Aalto, e.g. when you transfer personal data for a subcontractor or to cloud storage service, you must make a data protection agreement (DPA) with that party.
If you transfer personal data to another university or to a research institution, which together with Aalto defines the purposes for which personal data will be processed or Aalto and the other university have a joint personal data filing system, which can be used independently by both Aalto and the other university, both universities are considered to be controllers.
If you disclose personal data to another university or research institution, which can independently define the purposes for which personal data will be processed, you must agree in detail on e.g. the purpose for processing personal data and information of research participants before you disclose any personal data.
Personal data can be transferred outside of the EEA only under certain conditions. For more information, please see: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_en.
Aalto templates (login required):
The same person, who signs the main agreement, shall sign these agreements. Privacy agreements must be sent to: [email protected].
9. Inform data subjects about changes and update documentation
Personal data may only be processed for the purposes, which have been informed to the research participant prior to the beginning of the processing (by Privacy notice templates). If you need to process personal data for other purposes, you must inform the research participants on these new purposes and update all documents prior to the processing.
10. Anonymize data prior to archiving or publishing
The Finnish Social Science Data Archive FSD is a certified research data repository serving researchers who wish to archive data. FSD offers advice on data management and management of personal data see : http://www.fsd.uta.fi/aineistonhallinta/en/. Other recommended data repositories are listed here:
Data publishing repositories
Anonymised data is no longer personal data. Anonymisation results from processing personal data in order to irreversibly prevent identification. In doing so, several elements should be taken into account by data controllers, having regard to all the means "likely reasonably” to be used for identification. See Working Party 29 Opinion 05/2014 on anonymisation techniques.
Before the anonymization, personal data has to be handled according to the above mentioned legislation, principles and guidelines.
If you wish to collect and reuse personal data that is not wholly anonymized, for example, interviews from professional experts on a certain field, contact the FSD repository staff to see if archiving could be achieved before you start collecting information, so that research participants can be informed in a manner required by the repository. The staff of the repository can help researchers with data curation and steps leading to a successful collection and preservation of research data. Use of pseudonymised data is still personal data and allowing only restricted access can be used as a measure to archive the data.