Privacy notice regarding University of Oulu room booking application

This is a privacy notice complainant with EU General Data Protection Regulation (GDPR).

1. Data controller

University of Oulu, IT Services
P.O. Box 8000
90014 University of Oulu
 

2. Contact details of the unit in charge

Kari Keinänen, kari.keinanen@oulu.fi, +358 29 448 3067
Data protection officer, University of Oulu, dpo@oulu.fi
 

3. Name of the data registry

University of Oulu mobile room reservation application.
 

4. The purposes and legal basis for the processing of personal data

Personal data is processed based on the user’s consent.   

The units in charge of the registry has the right to make changes to this privacy policy, and shall keep a version history of the changes. Changes in the privacy policy will be informed to users whose data is kept in the registry.

The register will only include personal information of users that have signed in to the room reservation application.

The use of personal data in this registry is related to the use of the room reservation application, and to the creation of new room and service reservations done with the application. In addition, the data may be used to improve the application and related services with statistical analysis. Anonymized data may also be given to research purposes.

The personal data of users will not be used for automated decision making or profiling.
 

5. Personal data to be processed

We handle the following personal data:

  • name of the user
  • e-mail address of the user
  • username of the user
  • user’s calendar and service reservations and their details
  • user login information

In addition to this personal data, the application may gather calendar reservations from the registrar’s existing systems, but this information is not stored within this registry.
 

6. Retention time of personal data

Personal data of the user is retained until it is requested to be removed, there is no use for them for the application, or when there are no legal grounds to keep them.
 

7. The origin of personal data

The personal data is collected from the user based on their login information from the registrar’s existing personnel and room booking systems, and through the use of the application.
 

8. Transfers of personal data to third countries or international organizations

The personal data held in the registry will be shared by the application provider when needed for application use. There is an existing Data Processing Agreement (DPA) with the application provider to describe the handling of this data. The personal data will not be shared regularly with any other party.

The personal data will not be transferred outside the EU and EEA.
 

9. Principles of protecting the registry

Handling of the registry will be done with diligence and care, and data processed with information systems will be protected appropriately. When any registry data will be stored on internet servers, the hardware’s physical and digital security will be handled appropriately. The registrar will see that any stored data, server access rights and other data critical to personal security will be handled confidentially and only by those employees whose job description includes it.
 

10. Your rights as a data subject, and exceptions to these rights

Should you want to exercise any of the rights mentioned in this section, please contact kirjaamo@oulu.fi.
 

Withdrawing consent (GDPR Article 7)

You have the right to withdraw your consent, provided that the processing of the personal data is based on consent. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
 

Right of access (GDPR Article 15)

You have the right to obtain information on whether or not personal data concerning you are being processed in the project, as well as the data being processed. You can also request a copy of the personal data undergoing processing.
 

Right to rectification (GDPR Article 16)

If there are inaccuracies or errors in your personal data undergoing processing, you have the right to request their rectification or supplementation.
 

Right to erasure (GDPR Article 17)

You have the right to request the erasure of your personal data on the following grounds:

a)  The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.

b)  You withdraw the consent on which the processing was based, and there are no other legal grounds for the processing.

c)  You object to the processing (the right to object is described below), and there are no justified grounds for the processing.

d)  The personal data have been unlawfully processed, or

e)  The personal data must be erased to comply with a legal obligation in Union or Member State law to which the controller is subject.

The right to erasure does not apply if the erasure of data renders impossible or seriously impairs the achievement of the objectives of the processing in scientific research.
 

Right to restriction of processing (GDPR Article 18)

You have the right to restrict the processing of your personal data on the following grounds:

a)  You contest the accuracy of the personal data, whereupon the processing will be restricted for a period enabling the University to verify their accuracy.

b)  The processing is unlawful and you oppose the erasure of the personal data, requesting the restriction of their use instead.

c)  The University no longer needs the personal data for the purposes of the processing, but you need them for the establishment, exercise or defence of legal claims.

d)  You have objected to processing (see details below) pending verification of whether the legitimate grounds of the controller override those of the data subject.
 

Right to data portability (GDPR Article 20)

You have the right to request to receive the personal data you have submitted to the University in a structured, commonly used and machine-readable format and have the right to transmit these data to another controller without hindrance from the University, provided that the processing is based on consent or a contract, and the processing is carried out by automated means.

When exercising your right to data portability, you have the right to have your personal data transmitted from one controller to another, where technically feasible.
 

Right to object (GDPR Article 21)

You have the right to object to processing your personal data, provided that the processing is based on the public interest or legitimate interests. The University will no longer have the right to process your personal data unless it can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject, or unless it is necessary for the establishment, exercise or defence of legal claims. The University can continue processing your personal data also when necessary for the performance of a task carried out for reasons of the public interest.
 

Derogating from rights

In certain individual cases, derogations from the rights described above in this section 10. “Your rights as a data subject, and exceptions to these rights” may be made on the basis of the GDPR and the Finnish Data Protection Act. The need for derogations will always be assessed on a case-by-case basis.
 

Right to lodge a complaint

You have the right to lodge a complaint with the Data Protection Ombudsman’s Office if you think your personal data has been processed in violation of applicable data protection laws. The contact details and opening hours can be found on the website of the Office of the Data Protection Ombudsman.

Last updated: 16.5.2019