PRIVACY NOTICE

This Privacy Notice is based on the EU’s General Data Protection Regulation (2016/679, “GDPR”), namely the obligation to inform the data subjects (GDPR Articles 12–14), the data controller’s obligation to maintain a record of processing activities under its responsibility (GDPR Article 30), as well as the obligations set out in the Finnish Data Protection Act (1050/2018) supplementing the GDPR.

Additionally, this Privacy Notice has been prepared with the aim of making it accessible in accordance with the requirements of the EU’s Web Accessibility Directive (Directive (EU) 2016/2102 of the European Parliament and of the Council on the accessibility of the websites and mobile applications of public sector bodies) and the Finnish Act on the Provision of Digital Services (306/2019) supplementing it.

1 Name of the register
Personal data register of Gamebadges
2 Data controller
Surveys, interviews and workshops related to the Gamebadges – Skill Mapping and Micro-Credentials for the Game Industry project (later ‘Gamebadges’) are carried out jointly with the following entities.

Joint controllers:  

Metropolia University of Applied Sciences Ltd
LUCA School of Arts vzw
Neogames Finland ry
Univerzita Karlova (Charles University)
Wallonia Games Association (WALGA)
Grafisch Lyceum Utrecht
Asociace Ceskych Hernich Vyvojaru Zs (Czech Game Developers Association)
Erhvervsakademi Dania (Dania Academy)
Viden Djurs

Contact information:

Metropolia University of Applied Sciences Ltd
Business ID: 2094551-1
Postal address: P.O. Box 4000, FI-00079 Metropolia, Finland
Visiting address: Myllypurontie 1, 00920 Helsinki, Finland
Telephone (switchboard): + 358 9 7424 5000  

LUCA School of Arts
Business ID: 0456758944
Postal address: Paleizenstraat 70, 1030 Brussels
Visiting address: Paleizenstraat 70, 1030 Brussels
Telephone (switchboard): +32 2 447 16 00  

Neogames Finland ry
Business ID: 2500134-1
Postal address: Eteläranta 10, 00130 Helsinki, Finland
Visiting address: Eteläranta 10, 00130 Helsinki, Finland
Telephone (switchboard): +358 40 842 8736  

Charles University
Business ID: 00216208
Postal address: Charles University, Faculty of Mathematics and Physics, Ke Karlovu 3, 121 16 Praha 2, Czechia
Visiting address: Department of Software and Computer Science Education Malostranské nám. 2/25, 118 00 Praha 1, Czechia
Telephone (switchboard): +420 224 491 111  

WALGA
Business ID: BE0627.917.226
Postal address: Av. Guibal et Devillez, 1 (7000 Mons), Belgium
Visiting address: Chaussée de Liège, 624 (5100 Jambes), Belgium
Telephone (switchboard): +324 7553 6401  

Stichting Grafisch Lyceum Utrecht
Business ID: KVK nr 30156443
Postal address: Postbus 5066, 3502 JB Utrecht, Netherlands
Visiting address: Vondellaan 178, 3521 GH Utrecht, Netherlands
Telephone (switchboard): +31 30 280 7081  

Asociace českých herních vývojářů, z. s. (Czech Game Developers Association)
Business ID: 07139411
Postal address: Pobřežní 249/46, Karlín, 186 00 Praha, Czechia
Visiting address: Pobřežní 249/46, Karlín, 186 00 Praha, Czechia
Telephone (switchboard): +420 773 591 047  

Dania Academy
Business ID: DK31565162
Postal address: Minervavej 63, 8960 Randers SØ, Denmark
Visiting address: N.P. Josiassens Vej 44A, 8500 Grenaa, Denmark
Telephone (switchboard): +45 72 29 10 00  

Viden Djurs
Business ID: 10520509
Postal address: N.P. Josiassens Vej 44E, DK-8500 Grenaa, Denmark
Visiting address: N.P. Josiassens Vej 44E, DK-8500 Grenaa, Denmark
Telephone (switchboard): +45 87 58 04 00

Person responsible for the register at the data controller:

Name: Riitta Konkola
Position: President, CEO of Metropolia University of Applied Sciences  

Name: Simon Van Damme
Position: President & Dean, LUCA School of Arts  

Name: KooPee Hiltunen
Position: Director of Neogames Finland ry  

Name: Sandra Beentjes
Position: Chairman executive board of Grafisch Lyceum Utrecht  

Name: Bruno Urbain
Position: Chairman of board, WALGA  

Name: Pavel Barák
Position: Chairman, Czech Game Developers Association  

Name: doc. RNDr. Mirko Rokyta, CSc.
Position: Dean of the faculty, Charles University  

Name: Marianne Holck
Position: Head of Administration, Viden Djurs  

Name: Anders Graae Rasmussen
Position: Rector, Dania Academy    

—————————————————–

Person responsible for the content of the register:  

Name: Saija Heinonen
Position: Project Manager, Metropolia University of Applied Sciences
Address: Metropolia University of Applied Sciences, PO Box 4000, FI-00079 METROPOLIA
E-mail: saija.heinonen@metropolia.fi  

Name: Steven Malliet
Position: Lecturer
Address: C-mine 5, B-3600 Genk
E-mail: steven.malliet@luca-arts.be  

Name: Elina Tyynelä
Position: Coordinator, Neogames Finland ry
Address: Eteläranta 10, 00130 Helsinki, Finland
E-mail: elina@neogames.fi  

Name: Laura Endert
Position: Lead international projects for gaming department, Teacher Game art at Grafisch Lyceum Utrecht
Address: Grafisch Lyceum Utrecht, Postbus 5066, 3502 JB Utrecht
E-mail: lendert@glu.nl  

Name: Jean Gréban
Position: Coordinator, WALGA
Address: Av. Guibal et Devillez, 1 (7000 Mons), Belgium
E-mail: jgreban@gmail.com  

Name: Pavel Barák
Position: Chairman, Czech Game Developers Association
Address: Pobřežní 249/46, Karlín, 186 00 Praha, Czechia
Email: pavel.barak@gda.cz  

Name: PhDr. Ivana Herglová, Ph.D.
Position: Department of Grants and Projects, Vice-Head, Charles University
Address: Ke Karlovu 2027/3, 121 16 Praha 2
Email: ivana.herglova@matfyz.cuni.cz  

Name: Alex Townley Porsborg
Position: Head of 3D College, Viden Djurs
Address: N.P. Josiassens Vej 44E, DK-8500 Grenaa, Denmark
E-mail: atp@videndjurs.dk 

Name: Jonatan Korsbek Yde
Position: Executive Director of Campus, Dania Academy
Address: N.P. Josiassens Vej 44A, 8500 Grenaa, Denmark
E-mail: jyd@eadania.dk    

—————————————————–

Contact details of the contact person for the register:  

Name: Saija Heinonen
Position: Project Manager, Metropolia University of Applied Sciences
Address: Metropolia University of Applied Sciences, PO Box 4000, FI-00079 METROPOLIA
E-mail: saija.heinonen@metropolia.fi  

Name: Steven Malliet
Position: Lecturer
Address: C-mine 5, B-3600 Genk
E-mail: steven.malliet@luca-arts.be  

Name: Elina Tyynelä
Position: Coordinator, Neogames Finland ry
Address: Eteläranta 10, 00130 Helsinki, Finland
E-mail: elina@neogames.fi  

Name: Laura Endert
Position: Lead international projects for gaming department, Teacher Game art at Grafisch Lyceum Utrecht
Address: Grafisch Lyceum Utrecht, Postbus 5066, 3502 JB Utrecht
E-mail: lendert@glu.nl  

Name: Jean Gréban
Position: Coordinator, WALGA
Address: Av. Guibal et Devillez, 1 (7000 Mons), Belgium
E-mail: jgreban@gmail.com  

Name: Pavel Barák
Position: Chairman, Czech Game Developers Association
Address: Pobřežní 249/46, Karlín, 186 00 Praha, Czechia
Email: pavel.barak@gda.cz  

Name: PhDr. Ivana Herglová, Ph.D.
Position: Department of Grants and Projects, Vice-Head
Address: Ke Karlovu 2027/3, 121 16 Praha 2
E-mail: ivana.herglova@matfyz.cuni.cz  

Name: Alex Townley Porsborg
Position: Head of 3D College
Address: N.P. Josiassens Vej 44E, DK-8500 Grenaa, Denmark
E-mail: atp@videndjurs.dk  

Name: Jonatan Korsbek Yde
Position: Executive Director of Campus, Dania Academy
Address: N.P. Josiassens Vej 44A, 8500 Grenaa, Denmark
E-mail: jyd@eadania.dk  
3 Data Protection Officer
Contact details of the Joint Controllers’ Data Protection Officers:

Metropolia University of Applied Sciences Ltd
Name: Sanna Saarnia
Position: Metropolia University of Applied Sciences Ltd, Head of Legal
Email: tietosuojavastaava@metropolia.fi  

LUCA School of Arts
Name: Vincent Himpe
Position: Data Protection Officer
Email: verantwoordelijkegdpr@luca-arts.be  

Neogames Finland ry
Name: KooPee Hiltunen
Position: Director
Email: koopee@neogames.fi  

Charles University
Name: Petra Kubáčová
Position: Data Protection Officer
Email: gdpr@cuni.cz  

WALGA
Name: Jean Gréban
Position: Coordinator of WALGA
Email: jgreban@gmail.com  

Stichting Grafisch Lyceum Utrecht
Name: Paul ‘t Lam
Position: Beleidsondersteuning (policy support employee)
Email: plam@glu.nl  

Asociace českých herních vývojářů, z. s. (Czech Game Developers Association)
Name: Pavel Barák
Position: Chairman
Email: pavel.barak@gda.cz  

Dania Academy
Name: Anne Lene Pugholm
Position: Data Protection Officer
Email: dpo@eadania.dk

IT Center Nord, Viden Djurs  
Name: Anne Lene Pugholm
Position: DPO
Email: dpo@itcn.dk    
4 Purpose and legal basis of the processing of personal data
Purpose of the processing of personal data:
The purpose of the personal data register of Gamebadges and the personal data it contains is to process the data collected in Gamebadges-related surveys, interviews and workshops that help to achieve the Gamebadges project goals.

Legal basis for the processing of personal data:
The processing of the personal data contained in the register is based on consent obtained from the data subject (attendee). The consent is given voluntarily.  
5 Legitimate interests of the data controller or a third party
The legal basis for the processing of personal data contained in the personal data register of Gamebadges is not “legitimate interests”. Therefore, this section does not apply.
6 Description of the groups of data subjects and personal data groups
The data subjects in the personal data register of Gamebadges are people connected to the game industry: students, teachers and professionals working in the game industry.

The following personal data may be stored in the personal data register of Gamebadges    

BASIC INFORMATION AND CONTACT DETAILS
first name, surname, job title, email address, phone number, company, study background, job experience (including years in industry, field of expertise), job title, city and country of residence.  

CONSENT FOR AND INFORMATION ON CERTAIN ACTIONS
Information on consent given for actions targeted at the data subjects in the personal data register of the Gamebadges
7 Regular sources of personal data
The personal data are obtained from the data subjects themselves while filling out the survey.
8 Data recipients or recipient groups and regular disclosures
Access to the personal data contained in the personal data register of the Gamebadges will be given, where necessary, in the systems listed below. (For the purpose of repairing a technical fault, for example, access will be given with administrator rights to the system provider or to the maintenance personnel of a measurement device.) All system/equipment/software providers used (the companies behind them) can be deemed to be recipients of personal data and recipients of regular disclosures from the register.

With respect to the systems used by the Gamebadges, personal data processing agreements in accordance with Article 28 of the GDPR have been concluded with the following cooperation partners:  

e-Lomake
Google Forms
Google Drive
Microsoft Forms
Microsoft Teams
Gruppo CRM
Mailchimp
Open Badge Factory
Zoom  
9 Transfer of information outside the EU or EEA or to international organisations
As a general rule, personal data contained in the personal data register of Gamebadges will not be transferred outside the EU or EEA or to international organisations.

However, personal data contained in the personal data register may be transferred outside the EU or the EEA in order to provide IT services necessary for work or study, on a case-by-case basis. The destination country to which the personal data is then transferred is mainly the United States. It is also possible that India is the destination country, as global ICT service providers often use India as a host country for the international helpdesk service / ICT technical user support.

The ICT service providers of Gamebadges may not transfer or grant access to personal data or process personal data of Gamebadges outside the EU or the EEA without prior consultation and prior written consent received from Gamebadges data controllers.  

Where written consent has been received from the data controllers (Gamebadges) for the transfer of personal data outside the EU or the EEA, a documented (Data) Transfer Impact Assessment (TIA) must be conducted and approved by the data controller. Before personal data can be transferred outside the EU or the EEA, the data exporter (Gamebadges) of personal data must ensure that an adequate level of data protection is guaranteed for the personal data to be transferred. If the basis for the transfer does not guarantee adequate protection in itself, it can be supplemented in certain cases with different kinds of technical, organisational or agreement-based additional safeguards.

The controllers and processors of personal data that are transferring the data must check on a case-by-case basis if the legislation of the third country guarantees a level of protection for the personal data to be transferred that is essentially equivalent to that of the EU and of the EEA. The assessment must take account of the case-by-case conditions of the transfer, the legislation of the third country in question and the applicable basis for the transfer. The data exporter (Gamebadges) is responsible for drawing up a concrete assessment. The assessment must also be documented carefully.  

Where written consent has been received from the data controller/data exporter (Gamebadges) for the transfer of personal data outside the EU or the EEA, the contract governing the data transfer must include Standard Contractual Clauses (SCC) adopted by the EU Commission. In addition, the data controller/data exporter (Gamebadges) must assess and follow up on the level of data protection in the destination country on a regular basis. The data controller/data exporter (Gamebadges) may negotiate with the ICT service provider whether some additional safeguards, such as technical, organisational or agreement-based additional safeguards, might be used when transferring data from the EU or the EEA outside the EU or the EEA. The data transfer may also be conducted by using another data controller’s written, approved mechanism.

The Standard Contractual Clauses (SCC) will be included as part of the personal data processing agreement to be drawn up with the ICT service provider. Only the necessary data will be transferred and the transfer will be made in accordance with and within the limits set by data protection law. The security and data protection of the transfer are always agreed separately.
10 Personal data retention times
The personal data collected for and processed within the personal data register of Gamebadges are, as a general rule, stored in the register for a maximum of 5 years after the project ends.

The following regulations have been observed when determining the retention times  
– EU General Data Protection Regulation (“GDPR”, 2016/679)
– Data Protection Act (1050/2018)
– Universities of Applied Sciences Act (932/2014)
– Decision of the National Archives of Finland on retention times – order given to universities of applied sciences concerning the permanent storage of data in electronic format (AL/20757/07.01.01.03.02/2016)  
12 Rights of the data subject
Data subjects may submit a request for information by delivering the data subjects’ information request form to info@gamebadges.eu or directly to any of the Joint Controllers’ Data Protection Officers, mentioned in chapter 3.

Under the GDPR, the data controller must respond to requests by the data subjects to exercise their rights within one month of receiving such a request.  

A. Right of access to personal data  

The data subjects have the right to check whether their personal data are stored in the personal data register. The data subjects have the right to review and receive copies of the personal data that have been stored about them.

B. Right to rectify personal data and to restrict processing  
The data subjects have the right to request the data controller to restrict the processing of their personal data in the following cases:  
– the data subject disputes the correctness of their personal data (right to rectify personal data), in which case processing will be restricted until the data controller can ascertain that the data is correct;
– processing violates the law and the data subject objects to the erasure of their personal data, instead requesting that the processing of the data be restricted;
– the data controller no longer needs the personal data for the purposes of the processing, but the data subject needs them in order to establish, exercise or defend a legal claim.  

C. Right to erase personal data  

The data subject has the right to obtain from the controller the erasure of their personal data from a Metropolia register without undue delay if any of the following conditions are met:  
– the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
– the data subject withdraws consent on which processing is based and there is no other lawful basis for processing;
– the personal data have been unlawfully processed; or
– the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.

D. Right to data portability (transfer of data from one system to another)  

The data subject has the right to receive the personal data that they have provided to a data controller, in a structured, commonly used and machine-readable format, and to transmit those data to another data controller without hindrance.

E. Right to not be subjected to a personal data breach  

The data subject has the right to not be subjected to a personal data breach, as referred to in Article 33 of the EU’s General Data Protection Regulation, due to the data controller’s negligence in data protection and/or data security matters or due to negligence on the part of a data processor used by the controller in data protection and/or data security matters. The data subject has the right to be informed without undue delay if a personal data breach is likely to pose a high risk to the rights and freedoms of natural persons.  
13 Right to object
According to Article 21 of the EU’s General Data Protection Regulation, the data subjects have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on point (e) of Article 6(1) (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller), such as profiling based on these provisions. The data controller may no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

The request to stop processing of collected personal data can be submitted to info@gamebadges.eu or directly to any of the Joint Controllers’ Data Protection Officers, mentioned in chapter 3.    
14 Right to withdraw consent
If the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw their consent for processing at any time without the withdrawal of consent affecting the lawfulness of processing based on consent before its withdrawal.

The withdrawal of consent for the processing of personal data collected by Metropolia (withdrawal request) can be submitted to info@gamebadges.eu or directly to any of the Joint Controllers’ Data Protection Officers, mentioned in chapter 3.  
15 Right to lodge a complaint with a supervisory authority
Every data subject has the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of their personal data infringes the applicable data protection regulations.

The national supervisory authority in Finland is the Office of the Data Protection Ombudsman. Contact details:  

Office of the Data Protection Ombudsman
Street address: Lintulahdenkuja 4, 00530 Helsinki, Finland
Postal address: PO Box 800, FI-00531 Helsinki  

Telephone (switchboard): + 358 29 56 66700
Registry: +358 29 566 6768
Email: tietosuoja@om.fi  
16 Principles of data protection in the register
General description of the technical and organisational security measures aiming at protecting the personal data of the data subjects and the personal data registers at Gamebadges:

– The data controller (Gamebadges) and the system providers have agreed on the protection of the register. If necessary, the responsibilities have been described in adequate detail in the appropriate agreements.  
– The employees and other personnel of the data controller (Gamebadges) have undertaken to comply with the obligation of secrecy and to keep confidential the information they receive in connection with the personal data processing.  
– The system providers (personal data processors that act on behalf of the data controller, Gamebadges) undertake to maintain the register and the personal data relating to it in accordance with good data processing practices and to comply with the obligation of absolute secrecy and confidentiality.
– The data security of the personal data register of the data controller (Gamebadges) and the confidentiality of the data contained therein are ensured with appropriate technical and administrative means in accordance with good data processing practices.  

– The data controller (Gamebadges) has restricted user rights and authorisations to data systems, tools and other storage platforms in such a way that they can only be accessed and processed by the persons who are necessary for such processing due to their job duties or position.  

– The system containing personal data may only be used by employees who are entitled to process personal data due to their job duties and/or position. Such employees will be given the appropriate training for their duties.  

– Every user of a tool/system must identify themselves with their personal codes, which are issued when the right to access the tool/system is granted. The right of access will expire once the employee resigns or is transferred from the duties for which they were granted the right at Gamebadges.  

– The data are collected in databases that are protected logically and physically.  

– The databases and their back-up copies are located in locked premises, and the data can only be accessed by certain pre-appointed persons.