1. Data Controller
Name: Metropolia Ammattikorkeakoulu Oy
Business ID: 2094551-1
Postal Address: PL 4000, 00079 Metropolia
Visiting Address: Myllypurontie 1, 00920 Helsinki
Phone (switchboard): + 358 9 7424 5000
Data Protection Officer: Suvi Väänänen
Email: tietosuojavastaava@metropolia.fi
2. Purpose of Processing Personal Data
The purpose of processing personal data in the AI skaalaajat project is to enable the development and scaling of companies' AI capabilities through practical development projects and to support related reporting, coordination, communication, and dissemination of results (e.g. MetroCloud, publications, workshops, training).
3. Legal Basis of Processing Personal Data
The processing is based on Article 6(1)(e) of the General Data Protection Regulation (GDPR):
In cases of communication and publication (e.g., photos, quotes), processing may be based on Article 6(1)(a): the data subject’s consent.
4. Collected Personal Data and Categories of Personal Data
The data subjects of the personnel register include company representatives, project experts, students, and stakeholders participating in the project.
The data subjects of the personnel register include company representatives, project experts, students, and stakeholders participating in the project.
5. Data Sources
Personal data is primarily collected from the data subject themselves and the organizations involved.
6. Recipients of Data and Regular Disclosures
Personal data from the personal data register is disclosed to the following recipient groups:
Personal data from the personal data register is disclosed to the following recipient groups: Main project partner Haaga-Helia University of Applied Sciences EU funding authorities (e.g. EURA2021, Uusimaa Regional Council) ICT and development platform providers (e.g. MetroCloud, AIoT Garage) Event and publication partners (only with consent) Personal data in the register is processed in various information systems and software, and access to the personal data contained in the register is granted as necessary, e.g., via a technical interface during maintenance tasks or in the event of a fault. The external system providers and service providers behind these tools can be considered recipients of personal data and regular disclosures.
7. Transfer of Data Outside the EU or EEA or to International Organizations
As a rule, personal data contained in Metropolia University of Applied Sciences’ registers is not transferred outside the European Union (EU), the European Economic Area (EEA), or to international organizations.
However, transfers of personal data outside the EU or EEA may occur when necessary for the implementation of IT services essential for work or studies. Such transfers are assessed on a case-by-case basis. The most common destination country is the United States. In some cases, personal data may also be transferred to countries such as India, particularly in situations where global ICT service providers rely on offshore support functions such as Helpdesk or technical user support.
Any international data transfers from Metropolia’s personal data registers are protected by the safeguards set out in Chapter V of the General Data Protection Regulation (GDPR). These include:
SCCs are embedded in the relevant data processing or service contracts with third-party service providers. Only data that is strictly necessary for the performance of the relevant service is transferred. All transfers are carried out in compliance with applicable data protection legislation, and the security and confidentiality of the data are ensured through legally binding contractual arrangements.
Where data is transferred outside the EU or EEA, the transfer is approved by Metropolia as the data controller and preceded by a documented Transfer Impact Assessment (TIA). The SCCs are included in the contract with the service provider. Metropolia continuously monitors and assesses the data protection practices in recipient countries. Transfers may also be carried out using another legally valid mechanism explicitly approved in writing by Metropolia.
8. Retention Period
Personal data is retained for five years following the end of the project, i.e., until 31 May 2029. This retention period is based on requirements related to EU structural fund reporting, the Universities of Applied Sciences Act, and the Data Protection Act.
9. Data Subject’s Rights
A data subject may submit a data request by providing Metropolia with a carefully completed, printed, and personally signed data subject request form, available on Metropolia's public website and/or intranet. The form can be submitted either electronically to tietosuojavastaava@metropolia.fi or in person at Metropolia's Myllypuro campus. If printing is not possible, provide similar information as requested in the form to tietosuojavastaava@metropolia.fi. You may be asked to verify your identity so that we can respond to the data request safely.
Metropolia's Myllypuro Campus
Myllypurontie 1, 00920 Helsinki
The response to a data subject request will be provided by Metropolia's Data Protection Officer. For additional information about the processing progress or the content of the response, the Data Protection Officer may be contacted.
According to the GDPR, the data controller must respond to a data subject's request to exercise their rights within one month of receiving the request.
Data subjects can submit requests regarding the following topics:
Right to Access Personal Data
The data subject has the right to obtain confirmation from the data controller on whether their personal data is being processed. They are also entitled to inspect the personal data stored about them in the register and receive copies of the data.
Right to Rectification and Restriction of Processing
The data subject has the right to request the controller to restrict processing in any of the following situations:
Right to Erasure
The data subject has the right to have their personal data erased from Metropolia's register without undue delay, provided one of the following applies:
The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
The data subject withdraws consent on which the processing is based, and there is no other legal basis for processing.
The personal data has been unlawfully processed.
The personal data must be erased to comply with a legal obligation under EU law or national legislation.
Right to Data Portability
Not applicable.
Right Not to Be Subject to a Personal Data Security Breach
The data subject has the right not to be subjected to a personal data breach, as defined in GDPR Article 33, due to negligence by the data controller or the processor handling personal data on behalf of the controller. The data subject has the right to be informed without undue delay if a personal data breach is likely to result in a high risk to their rights and freedoms.
F. Right to lodge a complaint with a supervisory authority
The data subject has the right to lodge a complaint with the supervisory authority if the data subject considers that the processing of personal data concerning him or her violates applicable data protection regulations.
Office of the Data Protection Ombudsman
Visiting address: Lintulahdenkuja 4, 00530 Helsinki
Postal address: P.O. Box 800, 00531 Helsinki
Phone: +358 29 56 66700
Fax: +358 9 56 66735
Email: tietosuoja@om.fi
