Finnish Meteorological Institute’s METIS / B2SHARE premium -service’s Privacy Notice
1. Name of the register
Finnish Meteorological Institute’s METIS / B2SHARE PREMIUM -service’s user and metadata register
2. Data Controller
Finnish Meteorological Institute
P.O.Box 503, 00101 Helsinki
Finland
Data Protection Officer: Jaana Palmunoksa
Data Protection Officer’s email address: jaana.palmunoksa (at) fmi.fi
Data Protection Officer’s telephone number: +358 29 539 2310
3. Data Processor
CSC - Finnish IT Center for Science Ltd.
P.O.Box 405, 02101 Espoo
Finland
Email address: servicedesk (at) csc.fi
Telephone switch: +358 (0)9 457 2001
4. Jurisdiction and authority
Finland
A complaint can be filed with:
Office of the Data Protection Ombudsman
P.O.Box 800, 00531 Helsinki, Suomi
Email address: tietosuoja (at) om.fi
Telephone switch: +358 (0)29 566 6700
Registry: +358 (0)29 566 6768
5. Data content of the register
5.1. Groups of personal data
- Service end users (including users external to the Data Controller, random users who are not logged into the online service), such as:
  - IT management data, and
  - security data.
- Data Controller’s employees (including temporary or occasional employees, assignees, trainees, aptitude test takers and others acting on behalf of the Data Controller), such as:
  - user data,
  - descriptive data,
  - IT management data, and
  - security data.
- The employees of the partners participating in joint projects managed by the Data Controller (including temporary or occasional employees, assignees, trainees, aptitude test takers and others acting on behalf of the Data Controller), such as:
  - user data,
  - descriptive data,
  - IT management data, and
  - security data.
- The employees of the partners of the Data Controller (including temporary or occasional employees, assignees, trainees, aptitude test takers and others acting on behalf of the Data Controller), such as:
  - descriptive data,
  - IT management data, and
  - security data.
- Subjects of research, such as:
  - the information contained in datasets about the research subjects and the personal data collected from them, which are described in detail in the data management plan of each research project or in a similar document, and which are the responsibility of the researcher(s) to whom the service has been made available, and
  - security data.
5.2. Types of personal data
- User data, such as:
  - name,
  - user identity,
  - email address,
  - affiliation, and
  - ownership of datasets stored in the service.
- Descriptive data of persons participating in research, such as:
  - name,
  - email address,
  - author information and other provenance information of the research dataset, and
  - personal data defined by the research project, which is described in the project’s own documentation, such as a data management plan or similar.
- Data contained within the research dataset, such as:
  - personal data defined by the research project, which is described in the project’s own documentation, such as a data management plan or similar.
- IT management data, such as:
  - equipment information related to the services offered,
  - technical identifiers,
  - communication data, and
  - metadata and technical transactions, which are related to offered services, including system and application log data needed to provide the service.
- Security data, such as:
  - security log data,
  - information system control data, and
  - information security incident data.
6. Nature and purpose of processing
- User data, such as:
  - identification (login) to the FMI METIS / EUDAT B2DROP PREMIUM -service provided by CSC,
  - access right allocation to service end users,
  - service resource allocation to service end users,
  - statistics collection and reporting for customer and service development needs, and
  - logging into the system for experts appointed by the Registrar to enable the use of the service’s application programming interface (API) and the client’s related software development.
- Descriptive data, such as:
  - allocation of access rights to users of the service,
  - statistics collection and reporting for customer needs and service development, and
  - creating persistent identifiers (PID) for datasets.
- The information contained in the datasets, such as:
  - storage of materials in the IT service environment according to service contract.
- IT management information, such as:
  - usage analysis, monitoring and maintenance of service, and
  - statistics and reporting for service development.
- Security information, such as:
  - usage analysis and monitoring of service to ensure information security and to manage possible incidents.
7. Personal data protection techniques and organizational measures
- General measures, such as:
  - designation of Data Protection Officers by customer and CSC,
  - publishing and maintaining service documentation and providing customer support to ensure confidentiality,
  - training of CSC personnel in GDPR procedures and responsibilities, and
  - training of CSC personnel in proper service administration procedures.
- User data related measures, such as:
  - password protection with a cryptographic hash,
  - limiting access to personal data for service administration, i.e. CSC personnel,
  - limiting access to systems containing personal data to CSC’s internal network, as well as IP access limitations for experts appointed by the Data Controller for the allocation of service resources to users, and for experts appointed by the Data Controller for use of the application programming interface and the duration of the related client’s software development, and
  - encryption of data transfer connections (HTTPS).
- Descriptive data related measures, such as:
  - limiting the right to edit data based on user identification.
- Measures related to the information contained in the datasets, such as:
  - limiting the right to edit data based on user identification.
- IT management information related measures, such as:
  - limiting access to personal data for service administration, i.e. named CSC personnel,
  - limiting access to systems containing personal data to CSC’s internal network, and
  - anonymizing data during the collection of usage statistics.
- Security information related measures, such as:
  - limiting access to personal data for service administration, i.e. named CSC personnel, and
  - limiting access to systems containing personal data to CSC’s internal network.
As a principle, the service does not process data listed in Articles 9 and 10 of the General Data Protection Regulation (GDPR) that belong to Special Categories of Personal Data or otherwise very personal data. When implementing the Service, the service provider does not check whether they are included in the processing.
8. Regular transfers and transfers of data
Personal data is not processed outside the EU or EEA area.
The controller and the processor of personal data may use subcontractors as subprocessors for the processing of personal data in compliance with the obligations under laws, data protection and data security in accordance with their contracts and this privacy statement.
9. Duration of personal data processing
Personal data is processed during the validity of the agreement between the Controller and the Personal Data Processor and for the periods specified in it, unless the parties agree otherwise. After the end of the agreement, the Personal Data Processor delivers the Personal Data of the Service to the Controller and destroys the Personal Data in its possession processed for the implementation of the service, unless otherwise agreed with the Controller or unless the Personal Data Processor has a legal obligation to store Personal Data.
10. Rights of the data subject
The registered person has rights according to data protection legislation.
The registered person has the right to check the personal data stored in the register concerning him and to receive a copy of the personal data being processed.
The registered person also has the right to demand correction or deletion of his personal data if the data is incorrect, unnecessary, incomplete or out of date.
The data subject has the right to demand that the data controller limit the processing of his personal data, for example in the situation where the data subject is waiting for a response to a request to correct or delete his data.
The registered person has the right to object to the processing of personal data citing a special personal reason.
Requests related to the aforementioned rights of the data subject are, as a rule, free of charge. Users can address their requests directly to the controller using the contact information indicated in point 2 of the description.
The registered person has the right to file a complaint with the competent supervisory authority if the data controller has not complied with applicable data protection regulations in its operations.
11. Changes to the Privacy Notice
The Finnish Meteorological Institute, or CSC authorized by the Finnish Meteorological Institute, can make changes to this register statement if the methods or purposes of processing personal data change. For example, registrants can be informed of material changes on a case-by-case basis, if the applicable legislation requires this.