1. Data controller of the research
University of Turku, FI-20014 Turku, Finland
2. Parties involved in research conducted as a collaboration project and division of responsibilities
The research is carried out as part of the Biodiversa (BioDivProtect) project “Scenarios for protecting European Avian redistributions” SPEAR, which is funded by the European Union and the Finnish Ministry of the Environment. The research is a collaboration between the University of Turku (creation of the questionnaire and analysis), Tour du Valat (creation of the questionnaire and analysis) and Eurosite (distribution).
3. Research project leader or responsible group
Project leader: Jon Brommer
4. Contact information of the Data Protection Officer
Contact information of the Data Protection Officer at the University of Turku: firstname.lastname@example.org
5. Persons conducting research
Giorgio Zavattoni, Elie Gaget, Jon Brommer
6. Contact person in matters related to the research registry
Name: Giorgio Zavattoni
7. Name of the research registry
Questionnaire on management in Natura 2000 sites
8. Purpose of processing personal data
The survey does not collect the person’s name, contact information or similar personal information. However, we are asking respondents to specify which Natura2000 protected area they manage as well as details of the management they have been responsible for in that particular protected area. With the ID of the protected area, the identity of the respondent can be either fully or at least partially inferred. Therefore, the ID of the protected area can be considered an identifier and can, at least partly, be used to infer the respondent’s management actions. This survey data is collected to investigate the use and effectiveness of local conservation management actions, especially in connection to climate change. In addition, as the gathering of the data is funded by E.U. public money, the collected survey data is a product in itself and will be made publicly available. To facilitate future use the data will be made publicly available including the ID of the protected site.
9. Legal basis for processing personal data
The legal basis for processing personal data is the Article 6 or Article 9 of the EU General Data Protection Regulation.
The EU General Data Protection Regulation, Article 6 Section 1 (select one basis for processing data for each usage):
X consent of the data subject
☐ compliance with the data controller’s legal obligation
☐ task carried out in the public interest or in the exercise of official authority vested in the controller
X scientific of historic research or statistical purposes
☐ archiving research or cultural heritage materials
☐ legitimate interests pursued by the controller or by a third party
which legitimate interest:
Article 9 of the EU General Data Protection Regulation (special categories of personal data):
☐ consent of the data subject
x archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
10. What categories of personal data the research data includes
The survey does not collect the person’s name or contact information. We are collecting data connected to protected area, which means the identity of the respondent can be at least partially inferred by knowing who works in the management of such areas.
11. Which sources the personal data is collected from
The questionnaire is created and distributed using Shiny, an open source R package.
12. Transfers or disclosures of data outside the research group
The data will be used to create a database that will be made public upon publication of the research.
13. Transfers or disclosures of data outside the EU or the European Economic Area
The data will be used to create a public database on the basis of Article 49: derogations and safeguards, condition d): the transfer is necessary for important reasons of public interest.
14. Automated decision-making
The processing does not include automatic decision-making or profiling.
15. Principles of safeguarding personal data
Safeguarding manual data:
The data processed in the information systems is safeguarded with the following measures:
account credentials and password
Processing direct identifiers:
The data has no direct personal identifiers, but includes the identifier “protected area ID” which can be interpreted as an indirect identifier of the person responsible for that particular protected area. Data is analysed keeping the “protected area ID” because it is essential to connect the responses to the correct protected area.
16. Processing of data after the research has ended
The data will be archived in a password-protected cloud server and on external hard drives with access restricted to members of the research team. The data will be made public with the identifier (protected area ID) upon publication of the research results.
17. Rights of the data subjects and possible limitations to them
The data subject has a right to cancel the consent they have given if the processing of personal data is based on consent.
The data subject has the right to lodge a complaint with the supervisory authority if the data subject considers that the processing of personal data related to him/her has violated the information security legislation currently valid.
The rights of the data subject under the GDPR can be deviated from in scientific research with the following safety measures:
- The processing of personal data is based on the research plan.
- The research has an appointed person or a group responsible for it.
- The personal data is used and disclosed only for historic or scientific research purposes or other comparable purposes, and other actions are also implemented in a manner ensuring that data identifying an certain person is not disclosed to outsiders.
- If the research includes processing of the personal data referred to in Article 9 Section 1 of the GDPR (special categories of personal data) and Article 10 (personal data relating to criminal convictions and offences), in addition to complying with sections 1—3 mentioned above, the persons conducting the research must also compile a data protection impact assessment as defined in Article 35 of the GDPR and deliver it to the Office of the Data Protection Ombudsman 30 days before the research is started.
The following rights of the data subject under the EU General Data Protection Regulation will be deviated from in this research for the following parts:
The data subject does not have the right to erasure of their data (Article 17). The right to erasure of data is not applied in scientific or historical research purposes in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing.
The data subject does not have a right to restrict the processing of data (Article 18). The right to restrict is likely to render impossible or seriously impair the achievement of the objectives of that processing.
The data subject does not have a right to object the processing of data (Article 21). The right to restrict is likely to render impossible or seriously impair the achievement of the objectives of that processing.