Privacy Notice
This Privacy Notice is based on the EU’s General Data Protection Regulation (2016/679, “GDPR”), namely the obligation to inform the data subjects (GDPR Articles 12–14), the data controller’s obligation to maintain a record of processing activities under its responsibility (GDPR Article 30), as well as the obligations set out in the Finnish Data Protection Act (1050/2018) supplementing the GDPR.
Additionally, this Privacy Notice has been prepared with the aim of making it accessible in accordance with the requirements of the EU’s Web Accessibility Directive (Directive (EU) 2016/2102 of the European Parliament and of the Council on the accessibility of the websites and mobile applications of public sector bodies) and the Finnish Act on the Provision of Digital Services (306/2019) supplementing it.
1. Name of the register
Personal data register of Health Proof Helsinki ecosystem.
2. Keepers of the Register
Metropolia University of Applied Sciences, HUS Helsinki University Hospital, City of Helsinki
Contact information:
Metropolia University of Applied Sciences (Business ID: 2094551-1)
Postal Address: PO BOX 4000, FI-00079 Metropolia
Visiting Address: Myllypurontie 1, 00920 Helsinki
Phone (Switchboard): + 358 9 7424 5000
HUS Helsinki University Hospital (Business ID: 1567535-0)
Postal Address: PL 100, 00029 HUS
Visiting Address: Stenbäckinkatu 9, 00250 Helsinki
Phone (Switchboard): +358 9 4711
City of Helsinki / Helsinki City Board
(Business ID 0201256-6)
Postal Address: PL 10
Visiting Address: Pohjoisesplanadi 11-13
Phone (Switchboard): +358 9 310 1691
Responsible personnel:
Metropolia University of Applied Sciences
Name: Riitta Konkola
Role: President, CEO
HUS Helsinki University Hospital
Name: Matti Bergendahl
Role: CEO
City of Helsinki
Name: Marja-Leena Rinkineva
Role: Director of Economic Development
In accordance with the decision of the City Board 7.3.2022 § 182 on the Responsibilities and Duties of the City Chancellery, the person in charge of the register is the Director of Economic Development.
Personnel responsible for the content:
Metropolia University of Applied Sciences
Name: Kati Mailander
Role: Coordinator
Address: Metropolia University of Applied Sciences, PL 4000, 00079 METROPOLIA
Email: kati.mailander@metropolia.fi
HUS Helsinki University Hospital
Name: Anja Kajanne
Role: Product Manager
Address: PL 760, 00029 HUS
Email: anja.kajanne@hus.fi
City of Helsinki
Name: Sanna Hartman
Role: Business Development Advisor
Address:
Email: sanna.hartman@hel.fi
3. Data Protection Officers and contact information
Metropolia University of Applied Sciences
Name: Suvi Väänänen
Phone: +358 40 844 0690
Email: suvi.vaananen@metropolia.fi, tietosuojavastaava@metropolia.fi
HUS Helsinki University Hospital
Name: Petri Hämäläinen
Phone: 09 4711
Email: eutietosuoja@hus.fi
City of Helsinki
Name: Päivi Vilkki
Phone: 09 310 1691 (Switchboard)
Email: tietosuoja@hel.fi
4. Purpose and legal basis of the processing of personal data:
The purpose of the personal data register of the Health Proof Helsinki ecosystem (formed by Metropolia University of Applied Sciences, HUS University Hospital and City of Helsinki) and the personal data it contains is to implement high-quality testing and research services in the Health Proof Helsinki project. Metropolia University of Applied Sciences acts as the main coordinator of the ecosystem.
Health Proof Helsinki provides companies, research institutes and public sector actors with modern environments, flexible processes, expertise and specialist facilities for the various stages of their product development activities: early-stage preclinical testing environments, expertise, piloting, validations and verifications (Metropolia Proof Health), research and testing environments and expertise in primary health care and social work (City of Helsinki), and research environments and expertise in specialist care and diagnostics (HUS Helsinki University Hospital).
The studies and testing are carried out by volunteers, Health Proof Helsinki ecosystem organisations' personnel, Metropolia students or otherwise available persons.
Lawful basis for the processing of personal data:
The processing of personal data contained in the Health Proof Helsinki ecosystem personal data register of Metropolia University of Applied Sciences, HUS and the City of Helsinki is based on subsection 1a of Art. 6 of the EU General Data Protection Regulation, which refers to the consent given by the data subject. In some respects, the personal data contained in the personal data register of a joint research project is processed on the basis of general interest scientific research (Art. 6 para. 1 e GDPR). In the case of experts from ecosystem-related organisations, etc., the processing may be necessary for the performance of a task carried out in the public interest.
Personal data may be processed in accordance with Article 6(1)(e) of the GDPR if the processing is necessary for scientific or historical research or statistical purposes and is proportionate to the public interest objective pursued by it or the processing of research material, cultural heritage material and personal data related to this description data for archiving purposes is necessary and proportionate to the public interest objective pursued by it and the rights of the data subject. (GDPR art. 3 and 4)
The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic and biometric data for the purpose of unambiguous identification of a person, or the processing of data concerning health or the sexual behaviour and orientation of a natural person pursuant to Article 9(2)(j) of the GDPR is necessary for archiving purposes in the public interest or for scientific and historical research purposes or for statistical purposes pursuant to Article 89(1) of the GDPR in accordance with Union or Member State law, provided that it is proportionate to the objective pursued, respects the essence of the right to the protection of personal data and provides for appropriate and specific measures to protect the fundamental rights and interests of the data subject.
5. Legitimate interests of the data controller or a third party
The legal basis for the processing of data in the personal data register of Metropolia University of Applied Sciences, HUS and the City of Helsinki's Health Proof Helsinki ecosystem is not a ‘legitimate interest’. Therefore, this item is not applicable.
6. Description of the groups of data subjects and personal data groups
The personal data register of Metropolia University of Applied Sciences, HUS and the City of Helsinki Health Proof Helsinki ecosystem includes persons participating in surveys, persons participating in research and testing, persons enrolled in the joint development of experiments, persons invited to and participating in events, persons working in the ecosystem of the ecosystem actors, i.e. Metropolia University of Applied Sciences, HUS and the City of Helsinki.
The following personal data is stored in the Health Proof Helsinki ecosystem personal data register of Metropolia University of Applied Sciences, HUS and the City of Helsinki:
Basic and contact information:
- E.g., basic information: first name(s), last name, telephone number, e-mail address, age, gender, origin, which company/organization the person represents.
- Tests/studies may need research data on age, gender, or ancestry. Significant differences in research can be found in the results of Europeans as well as foreigners.
- Sensitive data is stored on the MetroArk web disk for the duration of the study. For the purposes of the results of the study, the data is anonymized, after which the sensitive data is destroyed and the anonymized data is stored in a permanent storage on the MetroArk web disk.
Information related to customer relationship and cooperation management and communication:
- Order and cancellation information for the services of the project
- Feedback
- Audiovisual recordings of events e.g., at Zoom
Information related to online behaviour:
- Online behavioural information on the project website and potential services
- Technical data, as well as cookies sent to the data subject's browser and related information
- Cookies are used to obtain measurable information about the ecosystem's website visitors, which is used, for example, when the ecosystem is planning its marketing. In this way, communication can be targeted as accurately as possible.
Ecosystem website:
- Newsletter subscription form: name, email
- Contact form: name, email, phone number, company
Consents and information about the measures:
- E.g., Information about measures aimed towards data subjects: e.g., information about services/meetings provided; information about advertising mail or invitations to events sent
- E.g., Information on consent issues related to measures aimed towards data subjects in the personal data register of Health Proof Helsinki activities: e.g., consent to receive advertising mail related to the activities.
7. Regular sources of personal data
The personal data has been obtained from the data subject himself/herself.
8. Information systems used in the processing of personal data
The data in the Health Proof Helsinki ecosystem personal data register of Metropolia University of Applied Sciences, HUS and the City of Helsinki is processed with the following different information systems, applications, software and electronic services.
Metropolia Office 365 Education: Employees of the ecosystem use Metropolia's email system. The email system is Microsoft's Office 365-based, but the email server is Metropolia's own. The sending of newsletters, communication with contact persons, the financier and possible other parties also take place via e-mail.
Microsoft Teams: Employees of the ecosystem use Microsoft Teams for internal communication. The Microsoft Teams communication tool has been acquired by Metropolia as part of the larger O365 Microsoft package. In addition, employees of the ecosystem use cloud service tools approved by Metropolia.
Dynasty Case and Contract Management System: Ecosystem contracts are managed in the Dynasty Case and Contract Management system.
Halli Project Management System: Stores information about ecosystem projects as well as those involved in the projects.
9. Data recipients or recipient groups and regular disclosures
If necessary, access to the data contained in the personal data register of the Metropolia Health Proof Helsinki ecosystem will be provided in the systems listed below (using the so-called admin credentials, e.g., in the event of a technical fault being repaired to the system supplier/measuring device service provider). Personal data processing agreements in accordance with Article 28 of the GDPR have been drawn up with the following system suppliers and service providers in Metropolia: Eduix Oy and the e-form software Google LLC used in Metropolia and Google-linked cloud tools approved in Metropolia (Google-linked cloud services can be found in the My-intranet tools menu) Microsoft Corporation and Microsoft-linked cloud tools approved in Metropolia (My-intranet tools menu cloud services can be found in Microsoft-linked cloud services) Halli project management system Innofactor plc and Dynasty case and contract management system.
10. Transfer of information outside the EU or EEA or to international organisations
As a rule, personal data contained in the personal data register of the Health Proof Helsinki ecosystem is not transferred outside the EU or the EEA or to international organisations. The transfer of personal data outside the EU and EEA takes place in accordance with the requirements of the General Data Protection Regulation when using Google and Microsoft-linked cloud computing tools. The current personal data processing agreement between Metropolia and Google LLC is based on the general agreement of Google's G Suite cloud services, because all Google-linked applications (such as the Google Drive storage platform application) have been deployed in Metropolia as part of the G Suite cloud package.
This set of agreements approves the transfer of international personal data outside the GDPR area, i.e., outside the EU and EEA. Google LLC informs its European partners that in the case of international transfers of personal data, it will apply standard contractual clauses approved by the EU Commission as specific safeguards.
The existing personal data processing agreement between Google LLC and Metropolia states that the storage platform located behind the following link always contains up-to-date information on the physical locations where the customer's personal data (a person working for Metropolia) is stored in Google's data centers/servers: “Data Center Information. Information about the locations of Google data centers is available at https://www.google.com/about/datacenters/inside/locations/hamina/”
The personal data processing agreement drawn up between Metropolia and Microsoft Corporation is based on the general agreement of Microsoft's cloud services, because Microsoft Office 365 Education has been introduced in Metropolia as part of Microsoft's cloud entity. These sets of agreements approve the transfer of international personal data only to the EU and EEA, i.e., the GDPR area.
Microsoft Corporation informs its European partners using Microsoft Office 365 Education that it will apply standard contractual clauses approved by the EU Commission in respect of international transfers of personal data as specific safeguards:
https://www.microsoft.com/en-us/trustcenter/Compliance/EU-Model-Clauses
The agreement related to the Microsoft cloud entity can be reviewed and checked here: https://www.microsoft.com/en-us/trustcenter
If such a transfer of data has been approved by the controller, a prior DTIA assessment has been performed and documented (Data Transfer Impact Assessment). If such transfer of data is approved by the controller, standard contractual clauses (SCCs) approved by the EU Commission must be included in the contract for the transfer of data. And they are complemented by EDPB recommendations. In addition, the controller must assess and monitor the level of data protection in the country to which the data is transferred. The transfer of data can also be carried out using another procedure approved in writing by the controller.
Only necessary data is transferred and the transfer is made in accordance with and within the limits set by the Data Protection Act. The security and data protection of the transfer are always agreed upon separately.
11. Personal data retention times
Personal data collected in the personal data register of the Health Proof Helsinki ecosystem and processed within the scope of the register are stored in the register for a period of 10 years, as a rule. The 10-year retention period is based on public interest archiving and the purpose of scientific or historical research.
Other data is stored according to the own storage guidelines of the organisations participating in the ecosystem. Personal data that does not need to be stored for 10 years at the request of the funder will be deleted at the latest after the end of the project.
However, personal data may need to be stored longer if required by applicable law or there are other legal grounds for the processing of personal data.
12. Rights of the data subject
The data subject has the right to obtain confirmation from the controller as to whether or not personal data concerning him or her are being processed. In addition, the data subject has the right to access the personal data concerning him/herself, as well as the right to inspect and obtain copies of the data concerning himself/herself stored in the register. In accordance with the General Data Protection Regulation and data subjects’ rights, the controller must respond to the data subject within one month of receiving the request.
A. Right of access to personal data
The data subject has the right to inspect what data concerning him or her is stored in the personal data register. The data subject may submit a request for information by submitting a carefully completed, printed and personally signed registered request form found on Metropolia's public website and/or Metropolia's intranet to one of Metropolia’s three Student and Admissions service offices. If the data subject is a staff representative, he or she may submit a request form to Metropolia's Human Resources unit. When submitting a request, the data subject must prove his or her identity in some reliable way (e.g., by presenting an official identity card or driver's license to the Metropolia employee receiving the request).
Visiting addresses to Metropolia's Student and Admissions service office:
Metropolia Myllypuro campus
Myllypurontie 1, 00920 Helsinki
Metropolia Arabia campus
Hämeentie 135 D, 00560 Helsinki
Metropolia Myyrmäki campus
Leiritie 1, 01600 Vantaa
Visiting address to Metropolia Human Resources Unit:
Metropolia Myllypuro campus (C and D building, 5th floor), Myllypurontie 1, 00920 Helsinki
The request from Metropolia's Office of Student and Admissions Services and/or the Human Resources Unit is directed centrally to Metropolia's Data Protection Officer (email: tietosuojavastaava@metropolia.fi). The answer to the data subject's request for information is given by Metropolia's Data Protection Officer. If necessary, the Data Protection Officer can be contacted for further information on the progress of processing the request or the content of the response.
B. Right to rectify personal data and to restrict processing
The data subjects have the right to request the data controller to restrict the processing of their personal data in the following cases:
- The data subject disputes the correctness of their personal data (right to rectify personal data), in which case processing will be restricted until the data controller can ascertain that the data is correct;
- Processing violates the law and the data subject objects to the erasure of their personal data, instead requesting that the processing of the data be restricted;
- The data controller no longer needs the personal data for the purposes of the processing, but the data subject needs them in order to establish, exercise or defend a legal claim.
Such a request for rectifying personal data in a Metropolia personal data register or restricting processing can be submitted in person to one of the above-mentioned offices of Metropolia’s Student and Admission Services or Metropolia’s Human Resources Management unit (staff only), where the data subject must prove their identity in a reliable manner when submitting the request.
C. Right to erase personal data
The data subject has the right to obtain from the controller the erasure of their personal data from a Metropolia register without undue delay if any of the following conditions are met:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- The data subject withdraws consent on which processing is based and there is no other lawful basis for processing;
- The personal data have been unlawfully processed; or
- The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
Such a request for the erasure of personal data in a Metropolia personal data register can be submitted in person to one of the three above-mentioned offices of Metropolia’s Student and Admission Services or Metropolia’s Human Resources Management unit (staff only), where the data subject must prove their identity in a reliable manner when submitting the request.
D. Right to data portability (transfer of data from one system to another)
Partly applicable. Article 20 of the General Data Protection Regulation (GDPR) introduces a new right of data portability of a data subject. This right allows for data subjects to receive the personal data that they have provided to a data controller, in a structured, commonly used and machine-readable format, and to transmit those data to another data controller without hindrance. The new right to data portability aims to empower data subjects regarding their own personal data, as it facilitates their ability to move, copy or transmit personal data easily from one IT environment to another (whether to their own systems, the systems of trusted third parties or those of new data controllers). In this respect, the right to data portability complements the right to access one's own data.
The right to data portability in accordance with Article 20 GDPR also means the right of the data subject to have access to the personal data processed by the controller concerning him or her in a structured, commonly used and machine-readable format so that the data subject can easily transfer that data from one system to another controller. At the request of the data subject, the data may be transferred directly from one controller to another, if this is technically possible (Article 20(2)). Controllers are encouraged to develop interoperable formats that allow data to be transferred from one system to another, without creating an obligation for controllers to adopt or maintain data processing systems that are technically compatible.
13. Right to object
According to Article 21 of the EU’s General Data Protection Regulation, the data subjects have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on point (e) of Article 6(1) (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller), such as profiling based on these provisions. The data controller may no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
The request to stop processing of collected personal data can be submitted to one of the three above-mentioned offices of Metropolia’s Student and Admission Services or Metropolia’s Human Resources Management unit (staff only), where the data subject must prove their identity when submitting the request.
14. Right to withdraw consent
If the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw their consent for processing at any time without the withdrawal of consent affecting the lawfulness of processing based on consent before its withdrawal.
The withdrawal of consent for the processing of personal data collected by Metropolia (withdrawal request) can be submitted to one of the three above-mentioned offices of Metropolia’s Student and Admission Services (or in the case of a member of staff, to the Human Resources Management unit), where the data subject must prove their identity when submitting the request.
15. Right to lodge a complaint with a supervisory authority
Every data subject has the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of their personal data infringes the applicable data protection regulations.
The national supervisory authority in Finland is the Office of the Data Protection Ombudsman. Contact details:
Office of the Data Protection Ombudsman
Street address: Lintulahdenkuja 4, 00530 Helsinki, Finland
Postal address: PO Box 800, FI-00531 Helsinki
Telephone (switchboard): + 358 29 56 66700
Email: tietosuoja@om.fi
16. Registry Security Principles
General description of the technical and organisational security measures aiming at protecting the personal data of the data subjects and the personal data registers:
- The data controllers (Metropolia, HUS and the City of Helsinki) and system providers have agreed on the protection of the register. If necessary, the responsibilities have been described in adequate detail in the appropriate agreements.
- The employees of the controllers (Metropolia, HUS and the City of Helsinki) and other persons are committed to complying with the confidentiality obligation and to keeping the information they receive in connection with the processing of personal data confidential.
- The system providers (processors of personal data acting on behalf of the Metropolia data controller) handle the storage of the register and related data in accordance with good data processing practice and comply with strict confidentiality obligations.
- The data security of the personal data register of the data controllers and the confidentiality of the data contained therein are ensured with appropriate technical and administrative means in accordance with good data processing practices.
- The data controllers have restricted user rights and authorisations to data systems, tools and other storage platforms in such a way that they can only be accessed and processed by the persons who are necessary for such processing due to their job duties or position.
- The system containing personal data may only be used by employees who are entitled to process personal data due to their job duties and/or position. Such employees will be given the appropriate training for their duties.
- Every user of a tool/system must identify themselves with their personal codes, which are issued when the right to access the tool/system is granted. The right of access will expire once the employee resigns or is transferred from the duties for which they were granted the right at Metropolia.
- The data are collected in databases that are logically and physically protected.
- The databases and their back-up copies are located in locked premises, and the data can only be accessed by certain pre-appointed persons.
17. Information on whether the provision of personal data is a statutory or contractual requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the consequences of failure to provide such data.
The processing of the personal data register of the Health Proof Helsinki ecosystem and the data it contains in relation to whether the provision of the data is a statutory, contractual or contractual requirement and whether the data subject is obliged to provide the personal data and the consequences of not providing the data. It has also been determined on a register-by-register basis where the personal data was obtained.
The personal data register of the Health Proof Helsinki ecosystem is a personal data register based on voluntary joining, which is used to manage the operations and/or services of the Health Proof Helsinki ecosystem, communications, and to market the functions and services produced by the ecosystem. No one is obliged to join the Health Proof Helsinki ecosystem's personal data register. As a rule, the personal data stored in the register has been obtained from the data subject himself/herself.
18. Automated individual decision-making, including profiling
The personal data contained in the personal data register of the Health Proof Helsinki ecosystem are not used for automatic decision making or profiling.