UTUsign electronic signature service

Purpose of processing data

The electronic signature service UTUsign of the University of Turku is used to electronically sign documents related to the University's activities. The information necessary for the signing process of the users with the UTU username is imported into the service. As part of the signature process, the service stores information about the signatories and document handlers, as well as the documents to be signed. 

 

Processed personal data and retention periods

UTUsign processes only the personal data that is mandatory to create an authentic electronic signature on a document. In addition to user management data, the service processes any personal data contained in the documents that are to be signed.

The service processes personal data, which may include, but is not limited to:

  • person's first name and last name
  • telephone number
  • username (UTU username)
  • language selection
  • email address
  • name of organisation
  • job title
  • information on the user’s signature transactions
  • the user’s IP address from which the login was made (including single sign-on)

The information related to your UTU username will be kept in the service until the username is deleted. Data related to identification are permanently stored in the system.

Signed documents are stored in the signature service for 90 days after the last signature, i.e. the completion of the document. Information on the various document storage systems is maintained in the University's information management plan TOS. It describes, as required by law, all the University's official documents, their storage systems, retention periods, publicity information, grounds for collecting personal data, and other metadata. The information management plan is available upon request from the Registry of the University of Turku (see contact information below). The log data related to the signature verification is permanently stored in the service provider's system.

 

Basis for processing data

The University's right to process personal data as a controller is based primarily on the performance of a task carried out in the public interest, the execution of public authority, and compliance with the controller's legal obligations.

 

Contact information

UNIVERSITY OF TURKU

Records Services

Yliopistonmäki

20014 University of Turku

kirjaamo@utu.fi

tel. +358 29 450 5126

 

Source of data

Following data is imported of the users with the UTU username from the user administration:

  • UTU username
  • person’s first name and last name
  • organisation
  • job title
  • email address

Other information is entered into the system by the sender of the signature request for the purpose of signing the document or it is obtained from the persons themselves during the use of the service.

 

Disclosure of data

Data is not regularly disclosed outside the University.

The electronic signature service is integrated with the Asta case management system, so that the signature request can also be initiated directly from the case management system. In this case, the information required for the signature request about the signatories and the document to be signed are transferred via the integration to UTUsign, and are returned signed to Asta after the signature request is completed. In Asta, the documents and their metadata are stored in accordance with the University's information management plan (see section Processed personal data and retention periods).

In addition, the electronic signature service is integrated into the ELSA monitoring and evaluation system for specialist training in medicine and dentistry. The UTUsign signature request can be initiated in the ELSA system. The information of the document to be signed and its signatory is transferred via integration to UTUsign for signing.

When applicable, information about transfer of data to a third country or an international organisation

Personal data is not transferred to countries outside the European Union or the European Economic Area. 

Rights of the data subject

You can make requests concerning the rights of the data subject to kirjaamo@utu.fi.

 

Access to your own data

  • You have the right to know what personal data is being processed about you and what data has been stored about you.
  • You may submit an information request to the University. In such cases, the following procedure will take place:
    The University will submit the requested information as soon as possible without undue delay. The requester must provide a separate proof of their identity if they are asked to do so. The deadline for disclosing the information or additional information related to the request is one month from receiving the request. If the information request is complex and wide-ranging, the deadline may be extended by two months.
    The information is generally provided free of charge. If you request several copies, a fee based on administrative costs will be collected. If the information request is clearly without basis or unreasonable or you submit information requests repeatedly, the University may collect the administrative costs caused by the delivery of the information or entirely refuse to deliver the information. In such cases, the University must justify the decision it has made. If the University does not deliver the information, a written statement on the matter will be provided to you. In connection with this, you will be informed of your right to legal remedies, for example, of your right to submit a complaint to the supervisory authority.
     

Right to rectification

  • You have the right to demand that any erroneous, inaccurate or deficient personal data that applies to you is corrected or supplemented without undue delay. In addition, you have the right to demand the removal of any unnecessary personal data that applies to you.

  • If the University does not approve the correction request, a written statement is provided on the matter specifying the reasons due to which the demand was not approved. In connection with this, you will be informed of your right to legal remedies, for example, of your right to submit a complaint to the supervisory authority.

     

Right to erasure

  • Based on the legal basis for the processing of the data, you may have the right to demand the erasure of your personal data from the register. This right does not apply to such cases where the processing of personal data is necessary due to a legal obligation or the exercise of the official authority vested in the University of Turku. The storage and erasure of data is conducted in accordance with the University’s information management plan and statutory data storage periods.

Right to object to processing

  • Based on a personal and special situation, you have the right to object the processing of your personal data at any time when the legal basis for the processing is the completion of a task concerning the public interest, the execution of public authority or the University’s legitimate interest. In such cases, the data may only be processed further if an especially and justified reason can be presented for the processing of the data.
  • You have the right to object to the processing of your personal data for direct marketing purposes for no special reason and at any time.

Right to lodge a complaint with the supervisory authority

  • You may submit a complaint to the supervisory authority if you feel that the processing of your personal data violates the EU’s General Data Protection Regulation (EU) 2016/679. In addition, you also have the right to exercise other administrative appeal methods and legal remedies. For more information, see www.tietosuoja.fi. Contact information of the Data Protection Officer at the University of Turku: dpo@utu.fi.

  • You also have the right to bring an action against the controller or organisation processing the personal data if you feel that your rights have been violated due to the fact that the processing of the personal data has not been done in accordance with the General Data Protection Regulation.

     

Further information

  • The use of the service creates log entries which are used for ensuring the information security of the service, developing the technology of the service, and for detecting, preventing or investigating technical faults or errors (917/ 2014, Sections 138, 141, 142, 144, 146, and 272). The logs are retained for these purposes for the required time period and they will not be used for any other purposes.
  • The principles of personal data security are described on a separate page: https://www.utu.fi/en/privacy/data-security-description