Privacy notice – Customer and stakeholder register
1. Data Controller
Address: Tampere University, Kalevantie 4, FI-33014 Tampere University, Finland
Tel. +358 294 5211
Business ID 2844561-8
2. Contact person
tel. +358 40 8490 200
email: soile.harjala [at] tuni.fi
3. Data Protection Officer
dpo [at] tuni.fi ()
4. Name of the register
Customer and stakeholder register
5. Purpose and lawful basis for processing personal data
Purpose of processing:
Personal data is processed for the purpose of managing Tampere University’s customer, stakeholder, donor and alumni relationships and thereby maintain and improve the University’s impact and interaction with the broader society and the quality of its paid services. The data stored in the customer and stakeholder register is used to manage the University’s interaction with customers, develop the University’s activities and stay connected with customers (for example, to send event invitations and for the purposes of marketing and maintaining alumni relations).
The data may be processed, among other things, in connection with practical event arrangements (for example, to manage event attendance, send invitations to training programmes, record credits for completing paid training programmes, manage invoices and collect feedback).
Lawful basis for processing:
We always ask for your consent to receive marketing messages. We may ask you whether you are interested in receiving information about our training opportunities, events and projects, for example, when you register for our training programme or event. In this context, the lawful basis for processing is consent. You may withhold this consent at any time without giving a reason. All our marketing messages include instructions for withholding your consent.
When you have, for example, registered for an event hosted by the University or commissioned research services or professional development services from the University, the lawful basis for processing your data is contract.
Based on your earlier customership, we may send you marketing messages and information about the University’s activities and events. We may also send you news about the University’s activities and other information that may interest you. In this context, the lawful basis for processing is the University’s legitimate interests. You can unsubscribe to our newsletters at any time by following the instructions provided in each newsletter.
The University may use the data stored in the register to manage and foster customer relationships and provide you with information about the University’s activities and training opportunities that match your interests and preferences.
The register contains the following types of data:
- contact information of customers, stakeholders, partners and representatives
- contact information of private donors
- event participation records
- willingness to participate in and receive information about upcoming training events
7. Sources of information
The data stored in the register is collected from data subjects and reliable publicly accessible sources.
The data may be supplemented with information retrieved from the University’s internal systems to ensure the accuracy of data.
8. Regular disclosure of data and recipients
Disclosure of data:
As a rule, the data stored in the register is not disclosed for external use.
Data may be disclosed, for example, to the employment and tax authorities for the purpose of fulfilling the University’s legal obligations.
The Data Controller has signed a contract to outsource processing activities:
☒ Yes, more information about outsourced processing activities:
The data is hosted on an external service provider’s server. The server on which the data is stored is located in the EU.
In addition, the Data Controller may procure application development services relating to the CRM system as well as event communication services from an external service provider. To protect the privacy of data subjects, the University and external service providers will always enter into a data processing agreement that complies with the provisions set out in data protection laws.
9. Transfer of data outside the EU or the EEA
Will data stored in the register be transferred to a country or an international organisation located outside the EU or the EEA:
10. Data protection principles
A manual data
- The register does not contain manually processed data.
B electronic data
- The CRM system is accessed through a browser via a secure connection. The server environment is secured in accordance with the privacy and security policies of the Data Controller and the server hosting provider.
11. Data retention period or criteria for determining the retention period
The data will be stored indefinitely (until a data subject withdraws his or her consent or objects to the processing of his or her data).
12. Existence of automated decision-making or profiling, the logic involved and the significance of the envisaged consequences for data subjects
The data stored in the register will be used to carry out automated decision-making, including profiling:
13. Rights of data subjects
Data subjects have the following rights under the EU’s General Data Protection Regulation (GDPR):
- Right of access
o Data subjects are entitled to find out what information the University holds about them or to receive confirmation that their personal data is not processed by the University.
- Right to rectification
o Data subjects have the right to have any incorrect, inaccurate or incomplete personal details held by the University revised or supplemented without undue delay. In addition, data subjects are entitled to have any unnecessary personal data deleted from the system.
- Right to erasure
o In exceptional circumstances, data subjects have the right to have their personal data erased from the Data Controller’s records (‘right to be forgotten’).
- Right to restrict processing
o In certain circumstances, data subjects have the right to request the University to restrict processing their personal data until the accuracy of their data, or the basis for processing their data, has been appropriately reviewed and potentially revised or supplemented.
- Right to object
o In certain circumstances, data subjects may at any time object to the processing of their personal data for compelling personal reasons.
- Right to data portability
o Data subjects have the right to obtain a copy of the personal data that they have submitted to the University in a commonly used, machine-readable format and transfer the data to another Data Controller.
- Right to lodge a complaint
o Data subjects have the right to lodge a complaint with a supervisory authority in their permanent place of residence or place of work, if they consider the processing of their personal data to violate the provisions of the EU’s General Data Protection Regulation, (GDPR, EU 2016/679). In addition, data subjects may follow other administrative procedures to appeal against a decision made by a supervisory authority or seek a judicial remedy.
The Data Controller follows a GDPR-compliant procedure for responding to subject access requests.