Privacy notice - TUNICRIS

1. Data Controllers

Tampere University and The Wellbeing Services County of Pirkanmaa (Tampere University Hospital)

Tampere University
33014 Tampere University
Tel. 0294 5211
Business ID  2844561-8

The Wellbeing Services County of Pirkanmaa (Tampere University Hospital)
PO Box 272, 33101 Tampere
Tel. 03 311 611
Business ID 3221308-6

2. Contact person in matters concerning the register

Library
Riikka Heikkonen
E-mail: cris.tau [at] tuni.fi

Tampere University acts as the primary contact point for requests regarding the use of registered rights.

3. Data Protection Officer

Tampere University: dpo [at] tuni.fi
Tampere University Hospital: tietosuojavastaava [at] pirha.fi

4. Register name

Research Information System TUNICRIS

5. Purpose of personal data processing and legal basis for processing

The system is used to register, report and present research outputs and other research related information of the Tampere University and The Wellbeing Services County of Pirkanmaa (Tampere University Hospital).

The lawful basis for processing personal data

The data controller’s legal obligation

In accordance with Section 51 of the University Act (558/2009), all universities must submit to the Ministry of Education and Culture the information required for the evaluation, development, statistics and other monitoring and guidance of education and research. Also, according to § 61 of the Health Care Act (1326/2010), state funding is granted for University-level health research in accordance with the decision made by the Ministry of Social Affairs and Health for four years at a time.

The Ministry's decision is based on the realization of the focus areas and goals of research activities, as well as the quality, quantity and performance of research in the previous four-year period. Reporting of publication data to the Ministry of Education and Culture and the Ministry of Social Affairs and Health requires the processing of personal data of the research personnel.

Tasks carried out by the data controller in the public interest

Tampere University processes, collects statistics, analyzes, and publishes personal data related to the University's research activities and social interaction in order to perform the tasks according to Section 2 of the University Act (558/2009). The research information system TUNICRIS gathers information about the University's research activities and implements social interaction using the system's public portal at researchportal.tuni.fi.

6. Data content of the register

Personal and activity data of the Tampere University's teaching and research staff, postgraduate students or persons linked to the Tampere University in other ways, as well as the research staff of The Wellbeing Services County of Pirkanmaa (Tampere University Hospital).

Personal information includes the person's name and different versions of the name, e-mail address, telephone number, internal and external identifiers related to the person, picture, unit information related to the person, texts added by the person describing research activities and education, social media links and other links, visibility on the research portal, change history and to the person's publications and academic external persons related to the activities and the information of external units related to these persons.

Operational data, i.e., data linked to a person, include publications, research outputs, academic activities, media visibility, awards, projects, research infrastructures, research materials and impact.

Name, username, e-mail address of the main users of the system and authorized users determined separately by the units.

The public portal gathers cookies on users visiting the portal. The portal user will accept the cookie policy when visiting the portal for the first time. See more details in the portal cookie policy.

7. Regular sources of information

• Background systems of the Tampere University and The Wellbeing Services County of Pirkanmaa (Tampere University Hospital)
• Tampere University's integration platform
• International and national publication and reference databases and metadata repositories
• Information reported by individuals themselves
• Information recorded by another person (joint activity)
• Information saved by an authorized user (the user saves the information on behalf of the person)

8. Regular disclosure of data and recipient categories

Information regarding research outputs (such as publication information) is transferred daily to the VIRTA publication information service of the Ministry of Education and Culture as part of the reporting required by the ministry (University Act 558/2009 § 51).

Data is transferred daily to the University's data warehouse for internal reporting and statistics.

The full texts of the publications and related metadata are transferred daily to the University's publication archive Trepo.

Data is disclosed to the Research Information Hub which the Ministry of Education and Culture acts as controller (The Research Information Hub Act 1238/2021 3 & 4 §: metadata and abstracts of publications and other research output; metadata and descriptions of research data; information on research infrastructures and research actors; metadata and abstracts of research projects and funding; researcher information; information of other research activities and merits of researchers). The processing of personal data is based on the legal obligation to which the controller is subject (Article 6 (1) (c) of the EU General Data Protection Regulation). Read more on research Information Hub's privacy policy.

If a person wishes, she/he can prevent the release and visibility of information other than his publication information.

The processing of the register's personal data has been outsourced through an assignment agreement to system provider Elsevier B.V., Amsterdam, The Netherlands which is responsible for the technical maintenance of the system.

9. Transfer of data outside the EU and EEA

Will the register data be transferred to a third country or international organization outside the EU or EEA area:
Yes, where:

The public TUNICRIS portal can be read openly outside the EU or EEA. The public portal produces publication and person lists as an RSS feed, which can be shared on any website.

It is possible for a person to apply for an international ORCID researcher identifier through the system and to give permission for the automatic transfer of their own publication data from the system to the ORCID service. In this case, the person's name, e-mail address, affiliation, other researcher identifiers (such as Scopus author ID, ResearcherID), a link to the profile page of the system's public portal, and publication information validated by the library and publicly visible are transferred to the ORCID service.

The researchers can themselves authorize export of their publication metadata into international ORCID registry. As a data processor ORCID applies Standard Contractual Clauses (SCCs) under the GDPR for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA. ORCID also obtains the consent of its users at the time of registration to the transfer of personal data from the EU to the US.

10. Principles of registry protection

A manual material

There is no manual material associated with the system.

B electronically processed data

The system is maintained by the supplier Elsevier B.V., Amsterdam, The Netherlands, and the servers are located in the EU or EEA region. The supplier takes care of the protection of the system in accordance with the contract.

Tampere University Library is responsible for the maintenance and development of the system's data.

The rights to process personal data belong to the system administrators and to the authorized users assigned separately by the units. In data transfers, personal data is processed by the IT experts of the University and the system supplier.

Tampere University has appropriate and up-to-date technical, organizational, and administrative procedures in place to protect the personal data stored in the system.

11. Personal data retention period or retention period determination criteria

Personal data is stored as long as it is necessary in relation to the purposes for which it was collected and processed, or as long as it is required by law or regulation.

The person’s public portal profile will be automatically hidden when their affiliation with the university ends. The person’s name, organizational affiliation and necessary identifiers are kept in the database for reporting and administrative purposes. The author information of Tampere University and The Wellbeing Services County of Pirkanmaa (Tampere University Hospital) publications is stored permanently.

12. Information about the existence of automatic decision-making or profiling, as well as information about the logic and significance of the processing for the data subject

The information in the register is not used for automated individual decision-making, including profiling.

13. Rights of the data subject concerning personal data

Data subjects have the following rights under the EU’s General Data Protection Regulation (GDPR):

• Right of access
  • Data subjects are entitled to find out what information the University holds about them or to receive confirmation that their personal data is not processed by the University.
• Right to rectification
  • Data subjects have the right to have any incorrect, inaccurate or incomplete personal details held by the University revised or supplemented without undue delay. In addition, data subjects are entitled to have any unnecessary personal data deleted from the University’s systems.
• Right to erasure
  • In exceptional circumstances, data subjects have the right to have their personal data erased from the Data Controller’s records (‘right to be forgotten’).
• Right to restrict processing:
  • In certain circumstances, data subjects have the right to request the University to restrict processing their personal data until the accuracy of their data, or the basis for processing their data, has been appropriately reviewed and potentially revised or supplemented.
• Right to object
  • In certain circumstances, data subjects may at any time object to the processing of their personal data for compelling personal reasons.
• Right to data portability
  • Data subjects have the right to obtain a copy of the personal data that they have submitted to the University in a commonly used, machine-readable format and transfer the data to another Data Controller.
• Right to lodge a complaint with a supervisory authority
  • Data subjects have the right to lodge a complaint with a supervisory authority in their permanent place of residence or place of work if they consider the processing of their personal data to violate the provisions of the GDPR (EU 2016/679). In addition, data subjects may follow other administrative procedures to appeal against a decision made by a supervisory authority or seek a judicial remedy.

Contact information

Office of the Data Protection Ombudsman
Postal address: PO Box 800, FI-00531 Helsinki, Finland
Switchboard: tel. +358 29 56 66700
Fax: +358 29 56 66735
Email address: tietosuoja [at] om.fi

The Data Controller follows a GDPR-compliant procedure for responding to subject access requests.

14. Updates to the privacy notice

Tampere University is constantly developing its operations and reserves the right to update this privacy notice. Changes may also be based on changes in legislation. We recommend that you check this notice from time to time.

In the event of significant changes to this privacy notice, we may also provide you with other information prior to these changes taking effect.

This privacy notice was last updated on July 27, 2023.

Changes on July 27, 2023: Updates regarding The Wellbeing Services County of Pirkanmaa, cookie policy, ORCID

Changes on May 3, 2022: General updates, joint controllership, research information hub