GDPR4CHLDRN (’project’) is a two-year joint project by the Office of the Data Protection Ombudsman and TIEKE Finnish Information Society Development Centre (’TIEKE’) focusing on data protection for children and young people. The project is funded by the European Union’s Citizens, Equality, Rights and Values programme. More information on the project is available at https://tieke.fi/en/hankkeet/gdpr4chldrn/.
During the project, the Office of the Data Protection Ombudsman and TIEKE will organise online webinars and workshops for the Boards of clubs and associations, parents, and companies, as well as online training sessions for the organisers of hobby and leisure activities. This data protection statement describes the processing of personal data in connection with the project’s online webinars, workshops, and online training sessions.
1. Purpose and legal basis of the processing of personal data
The purpose of processing personal data in connection with the project’s online webinars, workshops and training is to communicate about events to participants and report on them to the EU programme funding the project. The project promotes gender equality and compliance with the prohibition of discrimination, so its gender and equality impacts are reported to the programme funding the project.
The basis for the Office of the Data Protection Ombudsman’s processing of personal data in connection with the project’s online webinars, workshops and training is the performance of a task carried out in the public interest (point (e) of Article 6(1) of the GDPR and section 4, paragraph 2 of the Data Protection Act). The tasks and powers of the Data Protection Ombudsman are provided for in Articles 55–59 of the GDPR and sections 8, 14 and 16–17 of the Data Protection Act. According to Article 57 of the GDPR, the tasks of the Office of the Data Protection Ombudsman include promoting the awareness of controllers and processors of their obligations under the GDPR. In addition, the Office of the Data Protection Ombudsman must pay specific attention to activities addressed specifically to children when promoting public awareness and understanding of the risks, rules, safeguards, and rights in relation to the processing of personal data.
The basis for TIEKE’s processing of personal data in connection with the project’s online webinars, workshops and training is legitimate interest (point (f) of Article 6(1) of the GPDR).
2. The personal data being processed
Participants register in advance for the webinars, workshops and training, and the participant’s contact details (name and email address) are collected in connection with registration, along with the participant’s gender (female, male or other) and target group(s) under the project as background information. The participant’s organisation is also recorded in connection with registration.
Registration for the events is implemented through the Webropol service. Webropol uses cookies necessary for the functioning of the service, which are related to the service’s functionalities and quality assurance, and collects data such as IP addresses with them.
The webinars, workshops and training sessions are implemented in the Microsoft Teams service. In connection with the webinars, workshops and training, the service can process data such as: name used to join the meeting, email address, IP address, any profile picture, video feed, audio and messages typed into the chat field. Data such as the name of the participant can be visible to other participants in the webinar, workshop or training. In some cases, participants can change their names in the service.
Surveys for collecting feedback on the event and charting the participants’ needs, wishes and ideas for the planning and implementation of the project can also be conducted in connection with webinars, workshops and training. Personal data is not collected in connection with answering such surveys, unless the person provides their personal data or other identifiable data in their answers. No special categories of personal data are collected in connection with the surveys. People completing the survey should not include data falling under special categories of personal data in the survey’s open text fields.
The surveys will be created with Webropol’s survey tool. When the user is completing the survey, Webropol collects data from a session cookie, which is a technical cookie necessary for taking the survey.
The personal data are obtained from the individuals themselves.
3. Disclosures and processors of personal data
A list of participants in the webinars, workshops and training is provided to the party funding the project (the European Union’s Citizens, Equality, Rights and Values programme) for reporting purposes. The privacy statement of the EU Funding & Tenders portal maintained by the European Commission is available at https://ec.europa.eu/research/participants/data/support/legal_notice/h2020-ssps-grants-sedia_en.pdf.
Webropol, Microsoft and the Government ICT Centre (Valtori) serve as processors with regard to the personal data processed in connection with online webinars, workshops and training.
4. Transfers of personal data outside the EU/EEA
The Office of the Data Protection Ombudsman, TIEKE, Valtori or Webropol do not transfer the personal data processed by them in connection with the project outside the EU/EEA.
Personal data processed by Microsoft can also be processed outside the EU or EEA, for example in the United States. Such transfers of personal data are based on the standard clauses adopted by the Commission under point (c) of Article 46(2) of the GDPR.
5. Storage of personal data
The programme funding the project requires data collected during the project to be stored for five years from the project’s conclusion.
Webropol stores data collected with cookies in connection with event registration for 14 days. Data collected from the session cookie in connection with using Webropol’s survey tool is not stored, as it is erased from the user’s device at the latest when they close their browser. It is thus recommended that users close their browsers after taking the survey.
Microsoft stores personal data processed in the Teams service in connection with webinars, workshops and training for 180 days after which it is erased.
6. Your rights with regard to the processing of personal data
Right to obtain information on the processing of personal data
- You have the right to know for which purposes and by which means we process your personal data.
- You can ask further questions about the processing of personal data from us at any time by using the contact details provided at the end of this statement.
Right of access to data
- You have the right to know whether we are processing personal data that concern you. If we are, you have the right to obtain a copy of such data unless we have lawful grounds for refusing to fulfil this right.
Right to the rectification of data
- If we are processing inaccurate personal data concerning you, you can ask us to rectify the data.
- If we rectify data based on your request, we are obliged to communicate the rectification to all parties to whom the data have been disclosed in the past if viable.
Right to the erasure of data
- In certain situations, you have the right to have your personal data erased.
Right to object to the data processing
- You have the right to object to the processing of your personal data by us should you wish. You can object to the processing of your data at any time on grounds relating to your particular situation.
- If you do, we are no longer allowed to process your personal data, unless there are compelling legitimate grounds for the processing which override your interests, rights and freedoms or if the processing is necessary for the establishment, exercise or defence of legal claims.
Right to the restriction of processing
- If you consider your personal data being processed by us to be inaccurate or the processing to be unlawful, or if you have objected to the processing of your personal data, you can request us to restrict the processing of your personal data.
- If you do, we will only be allowed to process your data with your consent;
- if we need the data for the establishment, exercise or defence of legal claims;
- in the public interest; or
- in order to safeguard the rights of another person.
- If we restrict the processing of your personal data based on your request, we must communicate the restriction to all parties to whom the data have been disclosed in the past if viable.
No decisions based on automated processing are made or data subjects profiled based on their personal data in connection with the GDPR4CHLDRN project’s online webinars, workshops or training.
You can submit requests concerning the exercise of your rights by contacting the Office of the Data Protection Ombudsman or TIEKE using the contact details provided below.
If you consider that your personal data have been processed unlawfully, you have the right to file a complaint to the Data Protection Ombudsman. The lawfulness of the Office of the Data Protection Ombudsman’s activities is supervised by the supreme overseers of legality, i.e. the Parliamentary Ombudsman and the Chancellor of Justice.
7. Controllers
The Office of the Data Protection Ombudsman and TIEKE Finnish Information Society Development Centre serve as joint controllers for the personal data collected by the project.
Office of the Data Protection Ombudsman
PL 800, 00531 Helsinki, Finland
tietosuoja(at)om.fi
+358 29 566 6700
TIEKE Finnish Information Society Development Centre
Työpajankatu 13, 2nd floor
00580 Helsinki, Finland
tieke(at)tieke.fi
+358 9 4763 0400
The contents of this publication only represents the views of its authors, who take sole responsibility for them. The European Union or CERV programme are not responsible for the contents of this publication.