1. Data Controller

Name: Metropolia University of Applied Sciences Ltd.

Business ID: 2094551-1

Postal Address: PL 4000, 00079 Metropolia

Visiting Address: Myllypurontie 1, 00920 Helsinki

Phone (switchboard): + 358 9 7424 5000

Data Protection Officer: Suvi Väänänen

Email: tietosuojavastaava@metropolia.fi

2. Purpose of Processing Personal Data

Metropolia Urban Mobile Robotics project and the purpose of processing the personal data con-tained therein is to promote SMEs’ marketability, to drive new sustainable innovations, and the re-porting, coordination, communications, and sharing of the results relating to the project’s objectives.

3. Legal Basis of Processing Personal Data

The processing is based on Article 6(1)(e) of the General Data Protection Regulation (GDPR): 

• Performance of a task carried out in the public interest (related to the university of applied sciences’ statutory RDI mission). 

In cases of communication and publication (e.g., photos, quotes), processing may be based on Article 6(1)(a): the data subject’s consent.

4. Collected Personal Data and Categories of Personal Data

The data subjects of the personnel register include the employees, students, specialists, and other additional contacts of the co-organizers and other participating organizations.

The following personal data are stored in the personal data register:

• Name
• Contact information (email, phone number)
• Organization and title
• Participation in events, workshops, and projects
• Photos, videos, or audio recordings (with consent)

5. Data Sources

Personal data is primarily collected from the data subject themselves and the organizations involved.

6. Recipients of Data and Regular Disclosures

Personal data from the personal data register is disclosed to the following recipient groups:

• Co-organizer of the project (Forum Virium Helsinki)
• Authorities monitoring EU's funding programmes
• Potential co-organizers and/or co-publishers of events and publications (based on consent)

Personal data in the register is processed in various information systems and software, and access to the personal data contained in the register is granted as necessary, e.g., via a technical interface during maintenance tasks or in the event of a fault. The external system providers and service providers behind these tools can be considered recipients of personal data and regular disclosures.

7. Transfer of Data Outside the EU or EEA or to International Organizations

As a rule, personal data contained in Metropolia University of Applied Sciences’ registers is not transferred outside the European Union (EU), the European Economic Area (EEA), or to international organizations.

However, transfers of personal data outside the EU or EEA may occur when necessary for the implementation of IT services essential for work or studies. Such transfers are assessed on a case-by-case basis. The most common destination country is the United States. In some cases, personal data may also be transferred to countries such as India, particularly in situations where global ICT service providers rely on offshore support functions such as Helpdesk or technical user support.

Any international data transfers from Metropolia’s personal data registers are protected by the safeguards set out in Chapter V of the General Data Protection Regulation (GDPR). These include:

• An adequacy decision by the European Commission (Article 45), or
• The use of Standard Contractual Clauses (SCCs) approved by the Commission (Article 46).

SCCs are embedded in the relevant data processing or service contracts with third-party service providers. Only data that is strictly necessary for the performance of the relevant service is transferred. All transfers are carried out in compliance with applicable data protection legislation, and the security and confidentiality of the data are ensured through legally binding contractual arrangements.

Where data is transferred outside the EU or EEA, the transfer is approved by Metropolia as the data controller and preceded by a documented Transfer Impact Assessment (TIA). The SCCs are included in the contract with the service provider. Metropolia continuously monitors and assesses the data protection practices in recipient countries. Transfers may also be carried out using another legally valid mechanism explicitly approved in writing by Metropolia.

8. Retention Period

Personal data is retained for five years after the completion of the project, i.e. until 31.5.2032. The retention period is based on the organizers’ reporting duties to EU’s funding programmes, on the Universities of Applied Sciences Act, and the Data Protection Act.

9. Data Subject’s Rights

A data subject may submit a data request by providing Metropolia with a carefully completed, printed, and personally signed data subject request form, available on Metropolia's public website and/or intranet. The form can be submitted either electronically to tietosuojavastaava@metropolia.fi or in person at Metropolia's Myllypuro campus. If printing is not possible, provide similar information as requested in the form to tietosuojavastaava@metropolia.fi. You may be asked to verify your identity so that we can respond to the data request safely.

Metropolia's Myllypuro Campus

Myllypurontie 1, 00920 Helsinki

The response to a data subject request will be provided by Metropolia's Data Protection Officer. For additional information about the processing progress or the content of the response, the Data Protection Officer may be contacted.

According to the GDPR, the data controller must respond to a data subject's request to exercise their rights within one month of receiving the request.

Data subjects can submit requests regarding the following topics:

Right to Access Personal Data

The data subject has the right to obtain confirmation from the data controller on whether their personal data is being processed. They are also entitled to inspect the personal data stored about them in the register and receive copies of the data.

Right to Rectification and Restriction of Processing

The data subject has the right to request the controller to restrict processing in any of the following situations:

• The data subject disputes the accuracy of their personal data (right to rectification), in which case processing is restricted for the period needed to verify the accuracy of the data.
• The processing is unlawful, and the data subject opposes the deletion of their personal data and instead requests the restriction of its use.
• The data controller no longer needs the personal data for processing purposes, but the data subject requires it for establishing, exercising, or defending legal claims.

Right to Erasure

The data subject has the right to have their personal data erased from Metropolia's register without undue delay, provided one of the following applies:

The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.

The data subject withdraws consent on which the processing is based, and there is no other legal basis for processing.

The personal data has been unlawfully processed.

The personal data must be erased to comply with a legal obligation under EU law or national legislation.

Right to Data Portability

Not applicable.

Right Not to Be Subject to a Personal Data Security Breach

The data subject has the right not to be subjected to a personal data breach, as defined in GDPR Article 33, due to negligence by the data controller or the processor handling personal data on behalf of the controller. The data subject has the right to be informed without undue delay if a personal data breach is likely to result in a high risk to their rights and freedoms.

F. Right to lodge a complaint with a supervisory authority

The data subject has the right to lodge a complaint with the supervisory authority if the data subject considers that the processing of personal data concerning him or her violates applicable data protection regulations.

Office of the Data Protection Ombudsman

Visiting address: Lintulahdenkuja 4, 00530 Helsinki

Postal address: P.O. Box 800, 00531 Helsinki

Phone: +358 29 56 66700

Fax: +358 9 56 66735

Email: tietosuoja@om.fi