Privacy Notice – FinnGen Sandbox

EU General Data Protection Regulation 

Art. 12 to 14 

Date: 29.1.2026

 

1. Controller for the processing of personal data 

The organization responsible for the processing of personal data is the University of Helsinki.

Contact information:

University of Helsinki

P.O.Box 3

00014 Helsingin yliopisto

Contact persons for the processing described in this notice is: 

The Data Protection Officer of the FinnGen study can be contacted at dpo-finngen@helsinki.fi

The Data Protection Officer of the University of Helsinki can be contacted at tietosuoja@helsinki.fi

 

2. Why do we process your personal data and what is the lawful basis for processing? 

The purpose for the processing of your personal data is to provide you, a FinnGen researcher, access to the secure research environment FinnGen Sandbox. Personal data is also processed for the purpose of ensuring information security in the FinnGen Sandbox. University may also use personal data collected for the purposes of scientific research.

The purposes of processing include:

-Provision of the requested service, including user identification, administration of user accounts, management of user rights

-Ensuring information security and the lawfulness of personal data processing inside the FinnGen Sandbox

-Resolving technical issues

-Handling and resolution of customer service requests

-Investigation of faults and misuse

-Scientific research

The processing of personal data is necessary for compliance with our legal obligations (such as the obligation to provide a sufficient level of information security on the basis of data protection legislation and Act on the Secondary Use of Social and Health Data). The processing is also necessary for the purposes of scientific research.

 

3. What personal data do we process?

We process the following data:

-Name and contact details (phone number, email address, ORCID ID)

-Name of employer 

-User account details

-User logs, such as user login data and FinnGen data usage logs 

-Details related to the completion of the annual FinnGen Sandbox Data Security Test and any mandatory data security trainings

-Usage of research tools in FinnGen 

We do not process any categories of sensitive personal data.

 

4. What are the sources for personal data? 

Some required personal details come from you, such as name and contact details. Some personal data are connected to the identifiers the University has assigned you either directly or indirectly, such as FinnGen user account details. Some information is collected while accessing FinnGen Sandbox and during research activities within the FinnGen Sandbox.

 

5. To whom are your data disclosed?

Data is processed only by those employees of the University or those individuals mandated by the University or working on behalf of the University who need the data in their duties. Access to the data systems is restricted by user accounts. 

We use service providers as subcontractors in connection with the technical processing environments, technical solutions, as well as data security testing and investigations. Such processors include the cloud environment service provider Google Ireland Ltd. 

 

6. For how long do we process and retain your personal data?

University of Helsinki retains personal data for as long as necessary to fulfill the purposes defined in this privacy notice, unless legislation requires the personal data to be retained for a longer period.

 

7. Transfers of personal data to countries outside the EU/European Economic Area

In principle, personal data processed for the above purposes will not be transferred outside the EU. If, exceptionally, personal data is transferred, it will only be transferred to countries that have been recognised by the European Commission as providing an adequate level of data protection. Alternatively, the transfer of data may be carried out using standard contractual clauses approved by the Commission.

8. What rights do you have? 

The contact details in matters concerning the rights of the data subject is the contact point mentioned in section 1 of this notice.

Right to access

You have the right to know whether we process your personal data and what data we process about you. You have also the right to request for the access to that data.

 

Right to rectification

You have the right to request for the rectification of inaccurate personal data concerning you. You also have the right to have incomplete personal data completed. 

 

           Right to erasure and right to be forgotten

You have the right to request for the erasure of your data from our systems. The data will be erased in the following cases:

  1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed

  2. You withdraw your consent on which the processing was based and there is no other legal ground for the processing

  3. You object for the processing and there are no overriding legitimate grounds for the processing

  4. The personal data have been unlawfully processed

  5. The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject

You do not have the right to erasure, if the processing is necessary:

  1. For compliance with a legal obligation which requires processing by law 

  2. For the performance of a task carried out in the public interest or in the exercise of official authority

  3. For archiving purposes in the public interest, scientific of historical research purposes or statistical purposes if the erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing

  4. For the establishment, exercise or defense of legal claims

 

Right to restriction of processing

You have the right to request for the restriction of processing. This means that we store the data but do not process it in any other way. 

You have this right when: 

  1. The accuracy of the personal data is contested by you. Then the processing will be restricted until the accuracy of the data is verified. 

  2. The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead 

  3. We no longer need the data for the purposes of the processing, but you need the data for the establishment, exercise or defense of legal claims

  4. You have objected to processing that is based on legitimate interest. Then the processing will be restricted for the time it is verified whether the legitimate ground for the controller override those of the data subject. 

 

Right to object

You have the right to object for the processing of your personal data. Then we shall no longer process the data unless we demonstrate compelling legitimate grounds for the processing which overrides the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims. University can also continue to process your personal data if it is necessary for the performance of a task carried out in the public interest.

 

Right to lodge a complaint with a supervisory authority

You can always contact us if you have any questions or concerns about the processing of your personal data. However, you have also the right to lodge a complaint with the Data Protection Ombudsman’s Office if you think your personal data has been processed in violation of applicable data protection laws. 

Contact details:

Office of the Data Protection Ombudsman

Visiting address: Lintulahdenkuja 4, 00531 Helsinki

Postal address: PL 800, 00531 Helsinki

Switchboard: 029 56 66700

E-mail: tietosuoja@om.fi