This is the privacy notice for AboCRIS, the Åbo Akademi University Research Information System (later AboCRIS) and its portal https://research.abo.fi.

Data controller:

Åbo Akademi University
Tuomiokirkontori 3
20500 TURKU
FINLAND

Person responsible for the registry:

Mats Lindfelt, Director of Research Services

Contact Person:

Kimmo Borg, Project Leader, Research Services, abocris@abo.fi

Data Protection Function:

Förvaltningsämbetet, Åbo Akademi University
dataskydd@abo.fi, phone: 02 21531
Postal address: Dataskydd vid Åbo Akademi, Domkyrkotorget 3. 20500 Åbo
Visiting address: Domkyrkotorget 3. 20500 Åbo

1. The basis for processing personal data in Abo Akademi University (hereafter ÅAU)

   ÅAU processes personal data in order to fulfil our assignment as a public authority (university), i.e. to provide first-class research and education and collaborate with society. We also do it to review and develop our operations, and to comply with the law.
   All processing of personal data at ÅAU occurs in order to promote these purposes. Processing must also have a legal basis. Only the personal data needed for a particular purpose is processed.

2. Processing personal data in AboCRIS

   The following personal data is processed in AboCRIS.

   • Personal employment, user and contact details of ÅAU staff and other affiliated research personnel: ÅAU user id, external person ids such as ORCID or Scopus author id
   • Research projects and their funding information, research outputs like publications, patents, research activities and impacts.
   • Funding applications may include budgeted monthly salaries (not actual salaries for participants in an awarded project). Applications are confidential and the access is restricted to those users to whom it is necessary to access to the information.
   • Organizational affiliations such as affiliation with a ÅAU department or research group
   • Information on previous employments and education which users can freely add and edit themselves.
   • Log information on user activity

3. Data are integrated into AboCRIS from the following systems

   • The name, title, organizational affiliation, user id and contact details (ÅAU email address/phone number) for staff are daily synchronized from the ÅAU HR system
   • The name, organizational affiliation, user id and contact details (ÅAU email address) for doctoral students are daily synchronized from ÅAU student registry
   • The name, organizational affiliation, user id and email address for honorary staff and other non-staff persons like private grant researchers are occasionally synchronized from an intermediary store used to administer users and their affiliations
   • Publications and Datasets can be imported from several external data sources. This data typically includes author names, their organizational affiliations and international identifiers such as ORCID and Scopus author id.

4. AboCRIS portal

   The public portal gathers cookies on users visiting the portal. The portal user will accept the cooking policy when visiting the portal for the first time. See more details in the portal cookie policy.

5. Other processors

   AboCRIS is a cloud based service by Elsevier B.V, Amsterdam, The Netherlands (hereafter Elsevier or Supplier)
   Åbo Akademi University has entered into a contract with Elsevier for producing a CRIS system as a service where ÅAU is the controller and Elsevier processor. In the contract the supplier has committed to comply with all GDPR regulations and other European data protection legislation. This applies to all supplier staff, subcontractors and processes as well as technical implementation of the service.

6. How does ÅAU safeguard personal data in AboCRIS

   The supplier (see Other processors above) implements all organizational and technical measures required according to the contract between ÅAU and the supplier so that the service meets all GDPR and other legal requirements regarding processing of personal data. More detailed description in the Supplier Data Processing Addendum.
   All users are authenticated by ÅAU authentication service. By default, users have access only to public data and their personal data. Access to data for administrators and editors is controlled with user and organization specific roles and rights so that the users have access only to the data that is necessary for them to perform their tasks in the system.

7. Recipient of personal data

   Publication metadata including authors and their organizational affiliations are sent to the Ministry of Education and Culture through VIRTA publication channel. Also project participants and basic metadata of selected publications are synchronised to the Åbo Akademi institutional web site. This data includes author names and project roles.

8. Time of storage

   The personal data is stored as long as it is necessary to meet the requirements for which the data is collected and stored in the first place. The person’s public portal profile will be automatically hidden when their affiliation with the university ends. Their name, organizational affiliations and necessary identifiers are kept in the database for reporting and administrative purposes. The author information on ÅAU publications is stored permanently.

9. Period of stored data

   The data has been collected in AboCRIS as of 1.1.2014 and is continuously updated by ÅAU researchers and editors.

10. Public data

    Publication metadata, including author names and organizational affiliations are public. The part of project and funding data that is important for showcasing the university research activities is public. The researchers themselves can control the visibility of other research related data they add to their profile. These include activities, media visibility and impacts.

11. Secret data

    Highly sensitive or secret data is not stored in AboCRIS. The system user ids, log information and funding applications are confidential and only accessible to few global administrators and editors with organization specific roles and rights.

12. Transfer of data to third countries

    There is no regular transfer of data to third countries from AboCRIS. The service and AboCRIS servers are located within the EU.
    The researchers can themselves authorize export of their publication metadata into international ORCID registry. As a data processor ORCID applies Standard Contractual Clauses (SCCs) under the GDPR for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA. ORCID also obtains the consent of its users at the time of registration to the transfer of personal data from the EU to the US.

13. Rights under the General Data Protection Regulation

    You will find more information about the rights of the data subject in the general privacy notice of ÅAU.