AaltoSDG mobile application Privacy Notice
This Privacy Notice applies to the AaltoSDG (Service). Aalto University (Aalto) acts as the controller for personal data that users of the Service provide.
Protecting your privacy and your personal data is of the utmost importance to us. Aalto is committed to complying with the requirements that data protection regulation places upon Aalto in the processing of your personal data. The means and purposes of processing your personal data are described in further detail in this Privacy Notice.
This Privacy Notice might be subject to change. You will always find the up-to-date version of this Privacy Notice on this Service.
1. Why does Aalto process personal data?
Aalto collects and processes certain personal information about you in order to:
- enable you to use the Service
- maintain and develop the Service
- use data for research purposes
- for Aalto SDG reporting
In addition, Aalto will also process personal data for the purposes of data security and to prevent and resolve possible misconduct.
2. What personal data does Aalto process?
Aalto will only process personal data that is necessary for the processing purposes defined in this Privacy Notice. The personal information Aalto collects can be grouped into the following categories:
- Information related to user: such as Aalto username (if logged in), role, first name and last name.
- Device related information: such as Device ID(Android) or randomly generated id for Apple devices (if not logged in), FCM token and whether Android or iOS is used.
- Information about the administrators: contact details, such as name and email address.
- Usage information: such as whether person has accepted certain challenge or rejected certain challenge.
- Information related to information security: such as different types of logs.
- Other information: as there is an option for the user to give feedback freely other types of personal data may be processed.
3. Children’s personal data
This Service requires you to be at least 16-years old or to have consent of guardian for the use of Service.
4. Sources of information
Personal data is collected from the users during their use of Service or when they otherwise interact with Aalto. Aalto user information (such as Aalto username) is from the databases of Aalto University.
5. Lawful Basis for Processing
User enters into a contract by using the Service. Lawful basis for processing of personal data is performance of a contract when Aalto enables you to use the Service and when Aalto maintains the Service.
Lawful basis for processing of location data is consent, if we process this type of data. Giving of consent constitutes a lawful basis for the processing of location data. Your consent is given through the adjustment of your phone settings accordingly.
Lawful basis for research use is public interest. For research use lawful basis is processing of personal data required for the performance of a task carried out in the public interest, namely scientific research and academic expression.
Lawful basis for following uses is legitimate interest: Aalto has legitimate interest to develop the Service and to process personal data for communications. Legitimate interest is also lawful basis for the processing of your personal data for the purposes of data security and to prevent and resolve possible misconduct.
6. Sharing of personal data
Aalto shares personal data only to the extent necessary for the purposes personal data is processed:
I) Service providers
Aalto uses service providers, such as Geniem, to maintain and provide the Service that enables the application to work and for processing purposes as specified in this Privacy Notice.
This Service can be downloaded through Google Play and Apple Store
Privacy policy of Google or privacy policy of Apple apply in addition to this Privacy Notice. Users should familiarise themselves with the terms and privacy policies provided by device platforms.
II) Scientific research use
Aalto may share your personal data for the purposes of scientific research. Statistical information derived from personal data is going to be published in research results. In these cases, all personal data is processed in accordance with the General Data Protection Regulation and national data protection legislation on scientific research use.
III) Statutory reasons
Aalto may use your personal data to third parties if access to personal data or other processing of personal data is required to
i) fulfil statutory responsibilities or a court order;
ii) detecting, preventing or handling misuses, security risks or technical issues.
7. International transfers of personal data
We strive to carry out all services related to our Service using operators and services located within the EU or the EEA. However, in some cases, services related to the use of our Service may also be carried out by operators and on servers located in third countries. In such cases, your personal data may also be transferred outside the EU or EEA in accordance with applicable legislation. In regards to transfers of personal data to countries where local data protection legislation does not provide an adequate level of data protection, transfers are protected utilising appropriate safeguards, such as standard contractual clauses approved by the European Commission or a competent supervisory authority, or binding corporate rules. To learn more about the appropriate safeguards we use, please contact us by using the contact information provided below.
8. Retention period
Personal data will be retained for the period of validity of the legal basis for processing and for as long as necessary for the processing purposes mentioned in this Privacy Notice.
For example, the information of users is retained for as long as Aalto's legitimate interests can reasonably be deemed valid. We determine the validity of our legitimate interest by, for example, your use of Services well as the communication between us.
9. Your rights
The General Data Protection Regulation grants the data subject a number of rights with which the data subject can govern the processing of their personal data.
Anonymised and statistical data is no longer personal data.
The data subject may use the following rights in relation to Aalto insofar as Aalto acts as the controller for the data subject’s personal data:
Right of access and right to rectification
You have the right to receive confirmation on whether we process personal data relating to you and the right to access any such personal data. Aalto may ask you to specify your request where necessary, for example with regard to activities to which the request relates. In addition, you have the right to request the rectification of incorrect personal data relating to you, or to supplement incomplete personal data that Aalto is processing.
Right to data erasure
You have the right to request erasure of your personal data from our data systems. Aalto will comply with your request, provided we do not have a legitimate reason not to delete the data, such as a statutory obligation to continue processing the personal data. Personal data may not be deleted instantly from backup copies and other such data systems, but will be deleted through regular database retention practices.
Right to object
You also have the right to object to the processing of your personal data if your personal data is processed for other purposes than the fulfilment of legal responsibilities or the provision of services. Objecting to the processing of your personal data may lead to limitation of the usage of Aalto Service. You have the right to prohibit direct marketing by following the instructions contained in all of our marketing messages.
Right to restriction of processing
If you contest the correctness of the data which we have registered about you or lawfulness of processing, or if you have objected to the processing of the data in accordance with your right to object, you may request us to restrict the processing of these data to only storage. The processing will only be restricted to storage, until the correctness of the data can be established, or it can be checked whether our legitimate interests override your interests.
If you are not entitled to erasure of the data which we have registered about you, you may instead request that we restrict the processing of these data to only storage. If the processing of the data which we have registered about you is solely necessary to assert a legal claim, you may also demand that other processing of these data be restricted to storage. We may process your data for other purposes if this is necessary to assert a legal claim or if you have granted your consent to this.
Right to data portability
You have the right to receive your personal data from us in a structured, commonly used format so that you may transfer your personal data to another controller, provided that the processing of your personal data is based on consent or a contract between you and Aalto.
10. Who is the controller and who can I contact?
You can use your rights by contacting Aalto’s data protection officer at [email protected]. The extent of your rights is subject to the legal basis for processing and exercising your rights requires identification.
The controller: Aalto korkeakoulusäätiö sr, which functions as Aalto University
Mailing address: PL 11000, 00076 AALTO
Phone number: (09) 47001
Visiting address: Otakaari 24, 02150 Espoo
Data protection officer: Anni Tuomela
Contact information: [email protected]
Right to lodge a complaint
If the processing of your personal data is in breach of applicable legislation, you have the right to lodge a complaint with the national supervisory authority. You can lodge the complaint with a competent supervisory authority. In Finland, this is the Data Protection Ombudsman, and the complaint must be lodged in accordance with instructions provided by the Office of the Data Protection Ombudsman. Please see http://www.tietosuoja.fi for more information.
- Published:
- Updated: