Data protection and processing personal data in Tampere Universities

We at Tampere Universities value your privacy and respect your right to the protection of your personal data. You have the right to know what data is stored about you and how your data is processed. Personal data may only be processed for a specific and lawful purpose. Privacy notices that describe how we process personal data are collected on these pages. Your rights as a data subject are listed further down this page. Data protection refers to a set of practices and safeguards that are in place to ensure compliance with data protection regulations across Tampere Universities. The purpose of our data protection activities is to ensure the appropriate processing of personal data, encourage good data protection practices, and protect individuals’ privacy in compliance with the EU’s General Data Protection Regulation (GDPR, EU 2016/679) and other applicable regulations.

Data protection and research

The Finnish Constitution safeguards the freedom of science. The GDPR regards research as a special case of processing personal data.

Researchers must adhere to data protection requirements when processing personal data in the course of their research. Under the GDPR, personal data may only be collected for specified, explicit and legitimate purposes and may not be further processed in a manner that is incompatible with those purposes. However, the processing of personal data for the purpose of scientific research is not considered to be incompatible with the original purposes. The Finnish Data Protection Act (1050/2018) sets out further provisions on the processing of personal data in the course of research.

Personal data is information that relates to an identified or identifiable individual. If it is possible to identify an individual directly or indirectly from the information you are processing, then that information may be personal data. The purposes and means of processing personal data are determined by the data controller. In a research study, the data controller can be an individual researcher, a research group, a university, a university department or a separate research institution. As simply collecting personal data constitutes processing, the data controller must be identified before a research project begins.

The data controller has an obligation to demonstrate compliance with the GDPR. A separate privacy notice must be prepared for each research project, as all projects are unique. The purposes and means of processing must be identified in your research plan on a case-by-case basis. You must carry out a Data Protection Impact Assessment (DPIA) when you begin a new research project which will require the processing of personal data that is likely to result in a high risk to data subjects. You need to complete a DPIA if you will be processing, for example, special category data (sensitive personal data) during your research project. To read more about data protection impact assessment, please go to the website of the Office of the Data Protection Ombudsman.

Data protection and research in Tampere Universities

Your rights as a data subject

Data subject refers to the person whose personal data are being processed. Please see your rights below. In case you would like to use those rights, send a request to dpo(at)tuni.fi