Data protection concepts
Article sections
The following table summarizes the concepts related to data protection.
| Concept (FI) | Concept (Eng) | Description | Example | Additional instructions |
| Erityiset henkilötiedot | Special categories of personal data | personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. (GDPR Article 9) | Employee union membership. Information related to the health status of the employee or student. | What is personal data and specific (sensitive) personal data? |
| Henkilötietojen käsittelijä | Processor | A processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. (GDPR Article 4) | Subcontractors and cloud service providers (like Microsoft and Google) and external research data analysts. | |
Agreements on the processing of personal data (or annexes to agreements)
|
Data processing agreement (DPA) | An agreement between the controller and the processor in which the processing of personal data is agreed (GDPR article 28). | Annex to the agreement with, for example, HAMK and subcontractors / cloud service providers. | Data protection agreements (DPA) |
| Henkilötieto | Personal data | means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. (GDPR Article 4) | For example, a name, personal identification number, location information, domain identification information (such as an IP address), one or more characteristics of a physical, physiological, genetic, mental, economic, cultural, or social factor that make it identifiable. | What is personal data and specific (sensitive) personal data? |
| Pseudonymisointi | Pseudonymisation | means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. (GDPR Article 4) | For example, replacing identifiable information in the material with codes. | Finnish social sciences data archive instructions. |
| Rekisterinpitäjä | Controller | Controller determines the purposes and means of the processing of personal data (GDPR Article 4) | HAMK is the controller of personal data of HAMK’s students and staff. The student is typically the controller of the thesis. | |
| Tietosuojailmoitus | Privacy notice | The concept used in HAMK for informing the data subject. | https://www.hamk.fi/tietosuoja/ and https://www.hamk.fi/privacy-policy/?lang=en . | Data protection – informing the data subject |
| Data protection impact assessment (DPIA | Data protection impact assessment (DPIA) | An assessment to be made of the processing of personal data where the processing is likely to pose a high risk to the rights and freedoms of the individual. (GDPR Article 35) | It is necessary to do, for example, camera surveillance, in certain situations in the introduction of new technology, etc. | Data protection impact assessment |
