911±¬ÁÏÍø

This Privacy Notice will be updated as necessary. This version has been updated on 1 November 2024. Updates to the Privacy Notice are approved by Ella Bingham.

Processing of personal data of researchers and other experts

911±¬ÁÏÍø’s mission is to build a sustainable future. Our goal is to conduct high-quality research and achieve breakthroughs in science, art, technology, the economy, and their intersections. We develop strong centers of expertise in key areas of research. We bring together diverse expertise to solve the world’s major challenges. To support this work, the university processes personal data of researchers and other experts of the university community.

For the services and processing activities described in this Privacy Notice, we use, among others, the following services and applications:

• APL
• Aalto Current Research Information System ACRIS and its public research portal
• Other systems used in research services

Purpose for processing your personal data

911±¬ÁÏÍø needs to process your personal data for the following purposes, for example:

• We agree with you on working in the university community. This contract may be an employment contract, or a contract of a visiting researcher, adjunct professor or professor. Your contract connects you to one of the university departments. Through this contract, you will be given the university username and your personal data will be shared with the information systems that support the university’s operations.
• If you are applying for competitive research funding, we will ensure your eligibility, help you with your application and maintain information about your most important application targets. After the funding decision, we process and monitor the agreements related to your operations as well as your funding and its use in the financial management systems of research services and report the information required by the funding agencies on the use of research funding.
• We will send you newsletters about the university’s events, practices and funding opportunities and services.
• When you are looking for literature and materials to support your work, you can book materials in the Aalto Primo system or order materials using an e-form. You can publish in the university’s open access publication channels, in which case we maintain your personal data both as a user of the publication channel and as an author of the publication.
• We maintain a register of information on research and artistic and social activities. In most cases, this information is provided by you, but we can also search for publications from outside sources on your behalf. We report on the university’s research and artistic activities. Some of this reporting is voluntary and some is mandatory data collection as defined by the Ministry of Education and Culture.
• Authors affiliated with 911±¬ÁÏÍø and its predecessors are in addition to Aalto's information systems, described in the Asteri authority database of the National Library of Finland. Only public sources of information are used in the description. More information on (available only in Finnish).
• To support communication, information on research and artistic and social activities is openly available through the research portal and the university’s website.
• We record and report the users of the infrastructure.
• When we assess and develop the university’s operations, we can use your operational data in the evaluation material. Often these materials are only examined at the unit level.
• We carry out scientific research on data related to research or disclose data to scientific research.
• We provide advice and research support services such as funding search and funding use support, data management support and contract advice.
• We organize an ethical review of non-medical research on humans at the university.

With the help of data related to research, the university communicates its research activities in accordance with good scientific practice and provides the Ministry of Education and Culture with the research-related information it requires.

Legal basis to process personal data

The legal basis for processing personal data are

• article 6(1)(e) of EU General Data Protection Regulation: processing of data is necessary for carrying out tasks of general benefit and
• article 6(1)(c): processing is necessary for compliance with a legal obligation to which the controller is subject.
• article 6(1)(b): processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

In the name of general benefit, University processes, stores, analyses and publishes personal data concerning research activities and societal impact according to tasks described in Universities Act 2 §. Data may be disclosed on a discretionary basis for scientific research in the public interest. 

The organization of research ethics assessment is based on a statuory oblication (University Act, Medical Research Act, see 

Personal Data describes the activities of a person as a researcher in University, his/her research resources and output and societal impact. Data on research activities are public except for data separately agreed with funders. With the help of research information, University communicates about it’s research according to good scientific practice, and according to University Act Section 51 delivers the research information stipulated by Ministry of Education and Culture.

The Research Information Hub Act 1238/2021 3 & 4 § define which data are transferred to the .

What personal data does 911±¬ÁÏÍø collect?

In order to maintain the Aalto Project List (APL) data and to provide related support services, we process the following categories of personal data:

• work email addresses
• Information on funding applications and projects for external research funding and information on their respective responsible and contact persons
• Personal data contained in plan and contract documents for funding applications and projects
• Usernames, limited employment information
• Contact requests of persons and information on advice and service provided

The following data is stored of research active personnel to ACRIS:

• Personal, employment, user and contact details, picture, University identifier and international identifiers, research interest, social media links and other links, academic degrees and experience of thesis supervision of research staff. In addition, visibility in research portal (research.aalto.fi) and log information.
• Organizational information (university, schools, departments and research groups)
• Research projects
• Publications, activities, prizes, press/media, research data, research infrastructure, impact
• From 2020 onwards, individual identification information (name and username) is collected for master's level graduates, as well as the details of the author of the master's thesis and the duration of the study period.

Persons can manage their own data as long as the data are not integrated from other systems of the University.

Additionally, the public portal () gathers cookies on users visiting the portal. The portal user will accept the cooking policy when visiting the portal for the first time. See more details in .

In the implementation of research ethics assessment, we handle: 

• Name, title, organizational information and contact information
• Research plan and any other information provided by the application regarding the research project

Sources of personal data

Aalto Project List APL 

• Personal data will be entered to the system by the users themselves or by Aalto personnel
• From other 911±¬ÁÏÍø systems, such as Workday 

Data are integrated to ACRIS from the following information systems

• Organizational, personal, project information is imported daily from other 911±¬ÁÏÍø’s information systems.
• PhD students and thesis supervision information (supervising professor and advisors) is imported daily from student registry automatically for 1) those students who are enrolled and have started their studies after 2019, and 2) for those students who have enrolled and started their studies before 2010 and given their unambiguous permission for the transfer of their information to ACRIS. Automatic integration can be interrupted upon request.
• Once a person gives written authorization for processing personal data, profile can be created manually to the system.
• Person can deposit data on his/her own, another person can deposit data on his/her behalf (common activities) or trusted user can deposit data (user deposits data on his/her behalf).
• Publication information can be imported via online databases like Web of Science, Scopus and ORCID.
• From 1.1.2020 onwards, bibliographic information for master's theses (excluding the School of Business) will be imported from the Aaltodoc publication repository, with the supervisor and advisor information integrated into the thesis from both Aaltodoc and the student information system (SISU). In addition, the student's study period will be included from the student information system into the view of the supervisor and advisor (SISU).

The information required to carry out the ex ante ethical evaluation is provided by those requesting the research ethics assessment themselves.

Protection of personal data, disclosures and transfers

Aalto Project List APL

• Data transfer to other 911±¬ÁÏÍø systems through integrations and/or manually
• Emails related to internal processes of 911±¬ÁÏÍø, generated by the system for a limited number of people
• Information service requests required by 911±¬ÁÏÍø management
• To carry out the audit required by the funding terms and conditions for the auditors with whom 911±¬ÁÏÍø has contracts for the work to be carried out

ACRIS

Information is imported to 911±¬ÁÏÍø’s Data Warehouse on a daily basis. The data are used for reporting and assessment, and in anonymised form for  statistical purposes. It is possible to get publication listing to be used, e.g. in webpages from Data Warehouse through API.

Publication records are sent to the Ministry of Education and Culture through VIRTA-publication channel daily. Other reporting data (e.g. travel data) is reported once a year.

In addition, data is tranferred separately or are used in the following services:

• National higher education statistics
• Research Council of Finland’s project reporting whereby researcher picks his/her own publications from VIRTA service
• Publication records are availabe through VIRTA also to University of Turku for scientific and social impact analysis of Finnish research.
• VIRTA publication information and the computing resources application system of CSC are combined so that publication information is usable for application and reporting processes of CSC’s computing resources.
• VIRTA publication information is transferred to OpenAIRE portal and APC payment information for Open APC.
• ORCID service (publication information) when the researcher activates the ORCID integration
• Personal data is disclosed to the Research Information Hub which the Ministry of Education and Culture acts as controller (The Research Information Hub Act 1238/2021 3 & 4 §: metadata and abstracts of publications and other research output; metadata and descriptions of research data; information on research infrastructures and research actors; metadata and abstracts of research projects and funding; researcher information; information of other research activities and merits of researchers). Research Information Hub's privacy policy:

Logging in to the Researcher’s Profile Tool service of the Research Information Hub is optional for the researcher. In addition to personal data (name, affiliation, title, education data, research description), the researcher can transfer activity data to the Research Information Hub.

In addition, the reported data are backed up for control and check-up purposes.  Data are published in research portal, research.aalto.fi. Person can sometimes prevent the publication of his/her own profile or some of the data linked to his or her profile (e.g. activities).

911±¬ÁÏÍø may disclose research register data and the personal data contained therein for the purpose of scientific research.

Other personal data processors of ACRIS

ACRIS is a cloud-based service provided by Elsevier B.V., Amsterdam, Netherlands (hereinafter referred to as Elsevier or the provider). 911±¬ÁÏÍø has entered into a contract with Elsevier for producing a CRIS system as a service. Elsevier's privacy notice can be found at .

How long are personal data stored?

Personal data is stored for as long as is necessary in relation to the purposes for which it was collected and processed, or for as long as is required by law or regulation. The retention periods for 911±¬ÁÏÍø's documents are specified in the information management plan (TOS).

The author information of publications is stored permanently if the publication contains an affiliation with 911±¬ÁÏÍø.

Transfer of personal data to third countries

The data protection policy of the 911±¬ÁÏÍø is to exercise special care when transferring personal data outside the EU and the European Economic Area (EEA) to countries that do not provide data protection in accordance with the EU General Data Protection Regulation. The transfer of personal data outside the EU and EEA is carried out in accordance with the requirements of the General Data Protection Regulation using, for example, adequacy decision, using standard contractual clauses or other safeguards in accordance with the General Data Protection Regulation.

How does 911±¬ÁÏÍø safeguard personal data?

It is important to 911±¬ÁÏÍø to take care of data security. University has at its disposal current technical, organisational and administrative security protocols that safeguard all personal data against disappearance, misconduct, unlawful conduct, transfer, changes and erasure.

Aalto Project List APL and ACRIS

• The data is located on secure servers in the EU/EEA.
• The rights to process personal data are limited. Personal data can be accessed by 911±¬ÁÏÍø personnel, who have grounds for processing the data on behalf of their work.
• 911±¬ÁÏÍø has agreements with system suppliers and others working with the system.
• When transferring data, data are processed by IT specialists of the university and service providers (e.g. Elsevier see the provider's data processing addendum:  ). 

The services we use have been security-checked and the agreements required by the GDPR have been made with the service providers. 

Contact information for questions related to data processing

You can contact the 911±¬ÁÏÍø unit that served you about data processing related to the services.

1.4.2023. 911±¬ÁÏÍø updates this notice as needed. Updated versions of this notice will show the date of the new version at the beginning of the document. If we make changes to content of this notice, we will take appropriate measures to keep you informed in a manner consistent with the significance of the change. We encourage you to check this notice often to be aware of how 911±¬ÁÏÍø protects your data. 

Processing the personal data of academic visitors

911±¬ÁÏÍø processes academic visitors' personal data in order to organise academic visits and to support the mobility of the visitors. Please note, that when participating our research activities, also privacy information for researchers and academic professionals further on this page is relevant.

Purpose of processing personal data

The visitor's personal data is processed:

• to review the purpose and prerequisites of the visit
• to enable the use of the services, premises and equipment offered to the visitor
• to draw up a visitor agreement
• to get access to information needed to manage the costs that may be related to the visit
• to collect the follow up and reporting data on academic visits

Legal basis to process personal data

The legal basis for processing personal data are

• article 6(1)(e) of EU General Data Protection Regulation: processing of data is necessary for carrying out tasks of general benefit and
• article 6(1)(c): processing is necessary for compliance with a legal obligation to which the controller is subject.
• article 6(1) (b): processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

911±¬ÁÏÍø processes visitors' personal data to prepare and execute visitor contracts, expert appointment agreements and employment contracts.

The university is bound by statutory obligations to ensure compliance with export control and dual-use regulations and rules and regulations regarding sanctions when organizing visits, cooperation, and support for research activities.

What personal data does 911±¬ÁÏÍø collect?

Regarding visitors, we process the following groups of personal data:

• name and contact information at the place of departure and during the visit, as well as other identification information
• information of the visitor’s home organisation as well as other affiliations
• the visitor's home country and citizenship
• information about the visitor's financiers and sponsors
• information about the visitor's research field and career (e.g. academic resume)
• information about the duration and purpose of the visit and other cooperation
• information about the visitor's host
• information about the possible grants, fees and salary that may be paid to the visitor, as well as the costs of the visit
• information about possible sanctions concerning the person, the university of origin or other affiliations, as well as information about the connection of the visitor's activity or visit to controlled products or sanctions
• information about the equipment, services and technologies needed by the visitor

Sources of personal data

The visitor provides the necessary information to organize the visit themselves. We may verify the information reported by a visitor from public information sources, the visitor's previous organizations, and other reported sources.

Handling of personal data

Visitors' personal data is processed by 911±¬ÁÏÍø employees participating in the organization of the visit. The information about the visits is stored in the ACRIS information system within the host's information, where it is publicly available.

How long are personal data stored?

Personal data is stored for as long as is necessary in relation to the purposes for which it was collected and processed, or for as long as is required by law or regulation. The retention periods for 911±¬ÁÏÍø's documents are specified in the information management plan (TOS).

Transfer of personal data to third countries

A data protection policy of the university is that particular care is to be taken when transferring personal data outside the EU and the EEA to countries that do not offer the data protection required by the European General Data Protection Regulation (GDPR). Transfers of personal data outside the EU and EEA are done in accordance with the requirements of the GDPR, using as a basis e.g. its reference to decisions made on the adequacy of the level of protection provided (Article 45), utilising standard agreement clauses and following other data protection measures in accordance with the GDPR.

Rights of the data subject concerning personal data 

Under the GDPR, you have the right to review your information and rectify any inaccurate or erroneous personal data. In addition, with certain exceptions, you have the right to erase your data. If he processing of personal data is based on your consent, you also have the right to withdraw your consent. You find more information on your rights here.