Data Protection Records in Physical Activity Tests
NB: This document is a translation from the original document. This translation is not binding; its purpose is only to explain the contents of the original document in English. In case there are any obscurities in the translation, please check the original document for correct and binding expressions. The original document can be found on the Finnish website of SYKETTÄ.
EU’s General Data Protection Regulation, Articles 12, 13 and 14
Updated: 27.9.2023
1. Controller of the register
The Student Union of the University of Eastern Finland (Itä-Suomen yliopiston ylioppilaskunta, [ISYY])
Yliopistokatu 7, 80100 JOENSUU, tel. +358 44 576 8449
PL 1627 (Yliopistonranta 3), 70211 KUOPIO, tel. +358 44 576 8419
2. Representative of the controller
Sports Coordinator Heli Aalto, tel. +358 44 576 8445, email: liikuntasuunnittelija@isyy.fi
3. Contact persons of the controller
Service Planner Niklas Leinonen, tel. +358 44 576 8418, email: vapaa-aika@isyy.fi
4. Contact information of the Data Protection Officer
Data Protection Officer Helena Eronen, tel. +358 50 554 0000, email: tietosuojavastaava@isyy.fi
5. Purpose of processing personal data
Personal data are processed in SYKETTÄ physical activity test for the following purposes:
- Evaluation of applicability to physical activity test
- Tracking performance at the physical activity test
- Keeping statictics and possible use of data in research without personal data
6. Legal basis of processing personal data
Processing of personal data is based on Article 6 or 9 of the General Data Protection Regulation:
☒ consent of the data subject
These can be found from EU’s General Data Protection Regulation, Article 6, paragraph 1, points a-f.
7. Categories of personal data and the data retention period
Personal data on the SYKETTÄ physical activity test
When registering to SYKETTÄ physical activity test, the following personal data is asked from the user:
- Name and contact information
During the physical activity test at “active exerciser tests”, the following personal data is asked from the user:
- Name and contact information
- Age
- Sex
- Test results
During the physical activity test at “low intensity tests”, the following personal data is asked from the user:
- Name
- Age
- Sex
- Height
In addition body composition, condition and hand compression force are measured. From these measures app compiles body condition grading.
Personal data shall be deleted after two (2) years. Test statistics are used afterwards in anonymous form.
8. Information systems that are used in processing
Webropol or Google Forms
Kehonkuntoindeksi-app
InBody-device
9. Where is the personal data required in processing received from
Personal data is acquired from the data subject themselves.
10. Use of cookies
Cookies are used in the browser-based information systems of data processing. A cookie is a small text file, which is stored on the user’s device by the browser. Cookies are used for carrying out services, making it easier to log into services and making it possible to compile statistics of the service usage. A user may restrain the use of cookies in the browser system, but this may prevent the system from operating properly.
Cookies are used in the following browser-based data processing systems: Webropol, Google Forms
11. Regular transfers and disclosures
Itä-Suomen liikuntaopisto (ISLO) and Pohjois-Karjalan Liikunta ry (POKALI) which are processors of personal data during the physical activity tests. Itä-Suomen liikuntaopisto and Pohjois-Karjalan Liikunta ry has signed Data Processing Agreement with the controller.
12. Data transfer or disclosure to outside EU or EEA and the legitimate grounds for such actions
Personal data located in Google Drive maybe transferred to outside EU. Google obeys the standard contractual clauses of the European Commission in guaranteeing the required level of data protection, when personal data are transferred to outside EU. ISYY has agreed to EU’s standard contractual clause in the legal clauses of its contract’s data protection with Google.
13. Principles of protecting personal data
Access to personal data has been restricted to only selected staff members of the controller and processors. Personal data is deleted withing 2 years after the physical activity test. During the personal data processing ISYY data protection records and regulations are followed. Technical data bases and their user interfaces are defended for example by firewall. System data is backupped regularly.
Access to personal data have been given for the staff members in accordance with their tasks and responsibilities.
14. Automated decision-making
Automated decisions shall not be made.
15. Rights of a data subject
As a data subject you have the right to:
- Inspect your data
- Claim for rectification of your data
- Claim for erasure of your data
- Claim for restriction of processing
- Object processing
- Request for transferring your personal data from the controller to another controller
- Withdraw your consent, if the processing of the personal data is based on the consent given by you
As a data subject you may use the above-mentioned rights by contacting the Data Protection Officer of the Student Union.
A data subject has the right to make a complaint to the Office of the Data Protection Ombudsman, in case the data subject deems that the valid data protection legislation has been violated in processing the personal data concerning the data subject.
Advice and instructions in matters related to the rights of data subject are given by the Data Protection Officer, contact information in section 4.