LeveLappi survey privacy policy

v. 1.1
EU General Data Protection Regulation
DATE: 8.11.2023

1. Data controller

University of Lapland, business ID: FI02928005
Yliopistonkatu 8

2. Controller’s representative and contact persons

Controller’s representative: Administrative director, Ari Konu, ari.konu@lapinamk.fi 
Controller’s contact person(s) Project manager, Heikki Tikkanen, heikki.tikkanen@ulapland.fi 

The contact persons can be contacted for any questions related to the processing of personal data. You may also address any request concerning the exercise of your rights to the contact person mentioned above.

3. Contact details of the Data Protection Officer

The Data Protection Officer of the Lapland University Consortium is lawyer Jari Rantala. You can contact him at tietosuoja@ulapland.fi.

4. Purpose of processing personal data

The purpose for the processing of the personal data of the registrant is to collect background information to be used in designing study modules in the Lapland University Consortium. The work is done as part of LeveLappi / Level Up Lapland project (https://www.levelappi.fi).

5. Legal basis for processing

Personal data are processed in compliance with the Article 6(1) of the General Data Protection Regulation (GDPR 2016/679):

  •  participant’s consent

6. Categories of personal data processed and their retention periods

Specific categories of personal or sensitive data are not processed relating to the activities that this privacy applies to. Age, name and email address of the registrant are collected. Data is stored for the duration of the project, ending on March 31st 2026.

7. Data sources

Data is gathered directly from the registrant with their permission through a web survey (Webropol).

8. Safeguards to protect personal data

We keep personal data confidential and use it only for the purposes specified in this privacy notice and otherwise as permitted and required by law. We protect data as efficiently as possible and strive to prevent outsiders from accessing our information systems. Personnel handling personal data are obliged to maintain confidentiality regarding the data they process in their work. Personal data is stored and processed by implementing and maintaining appropriate security measures and information security practices.

9. Information systems used for processing

9.1 Information systems

The Webropol online survey service is used to process personal data. Personal data is not processed outside of this service.


Cookies are used in browser-based information systems for the processing of personal data. A cookie is a small text file that is saved by the browser on the user’s device. Cookies are used to provide services, to facilitate logging in to services and to enable statistics on the use of services. The user can choose to refuse the use of cookies in their system, but this may hinder the correct functioning of the system.

10. Regular transfers and disclosures of data

Any personal information is not transferred to other parties.

11. Transfer or disclosure of personal data to countries outside the EU/European Economic Area

No personal data will be transferred or disclosure outside of the areas of the European Union or the European Economic Area.

12. Automated decisions

No automated decisions are made.

13. Your rights as a data subject, and exceptions to these rights

The contact person in matters concerning the rights of the data subject mentioned in section 1 of this privacy notice.

Rights of data subjects

Right to withdraw your consent (GDPR, art. 7)
You have the right to withdraw your consent if the processing of your personal data is based on consent. Withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of consent before its withdrawal.

Right of Access (GDPR, art. 15)
You have the right to know whether and what personal data about you is being processed. You may also request a copy of the personal data processed, if you wish.

Right to Rectification (GDPR, art. 16)
If there are inaccuracies or errors in the personal data processed, you have the right to request their correction or completion.

Right to Erasure (GDPR, art. 17)
You have the right to request the erasure of your personal data in the following cases:

a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b) you withdraw the consent on which the processing is based and where there is no other legal ground for the processing;

c) you object to the processing (see below for a description of this right) and there are no overriding legitimate grounds for the processing;

d) the personal data have been unlawfully processed; or

e) the personal data have to be erased for compliance with a legal obligation under Union or Member State law to which the controller is subject.

However, there is no right to erasure if, in certain individual cases, the erasure of data is not allowed on the reasons defined in the General Data Protection Regulation or Finnish data protection legislation.

Right to Restrict Processing (GDPR, art. 18)
You have the right to restrict the processing of your personal data in any of the following circumstances:

a) you contest the accuracy of the personal data, in which case the processing shall be limited for a period of time within which the University of Lapland can verify the accuracy of the personal data;

b) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;

c) the University of Lapland no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims

d) you have objected to the processing of personal data (see below for more details), pending verification of whether the controller’s legitimate grounds override those of the data subject.

Right to Data Portability (GDPR, art. 20)
You have the right to receive the personal data you have provided to the University of Lapland in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without the University of Lapland’s hindrance, where the legal basis for the processing is consent or a contract, and the processing is carried out automatically. If you use your right to transfer data portability, you have the right to have the personal data transferred directly from one controller to another, where technically possible.

Right to Object (GDPR, art. 21)
You have the right to object the processing of your personal data if the processing is based on a public interest or a legitimate interest. In this case, the University of Lapland may not process your personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or where it is necessary for the establishment, exercise or defense of legal claims. The University of Lapland may also continue to process your personal data where it is necessary for the performance of a task carried out in the public interest.

Exceptions to rights
The rights described in this paragraph may be derogated from in certain individual cases on the grounds defined in the General Data Protection Regulation and the Finnish Privacy Legislation. The need to derogate from the rights will always be assessed on a case-by-case basis.

Right to lodge a complaint
You have the right to submit lodge a complaint with the Data Protection Ombudsman’s Office if you think your rights have been breached.


Contact details:
Data Protection Ombudsman’s Office (Tietosuojavaltuutetun toimisto)
Link: Notification to the Data Protection Ombudsman
Visiting address: Lintulahdenkuja 4, 00530 Helsinki
Postal address: P.O. Box 800, 00531 Helsinki, Finland
E-mail: tietosuoja(at)om.fi

Switchboard: +358 (0)29 566 6700
Registry: +358 (0)29 566 6768