Privacy Notice (CAAI)

“Civic Agency in AI (CAAI)” Privacy Notice

This privacy notice describes how your personal data will be used in the research study as a participating individual. You have also been provided with document called “Participant Information Sheet”, which explains in more detail how the study is carried out. 


Latest changes highlighted.

1.   What is being studied in this research study and the purpose of processing personal data


This research study assesses perspectives and practices among experts, providers and citizens for an inclusive and democratic ecosystem of future AI governance. We conduct interviews and case studies of public AI services to highlight practices and challenges for AI-based technologies in the public sector. Our goal is to explore and evaluate citizen perspectives, agency, and imaginaries on digital citizenship and algorithmic literacy for the democratization of public services to design frameworks for stakeholder participation in AI governance in Finnish society and the EU.


This research is funded by the Kone Foundation (01.01.2022-31.12.2025) and Research Council of Finland (01.09.2023 – 31.08.2027)


2.   What personal data is processed in the research study


For this study, we collect:

·       Names 

·       Emails

·       Work affiliations and roles 

·       Age range 

·       Gender

·       Audiovisual data (e.g., photos, audio/video recordings).

·       Findings or notes made by the researcher about the research participant

·       Interview responses

·       Consent forms (include name)

Name and contact information is collected and used to enable communication with the participants and may also be used to invite the participants to participate in later parts of the research. Other collected personal data is relevant in order to conduct the research.


Data belonging to special categories of personal data or other specially protected personal data will not be processed in the research study. Personal data is collected from the following sources: From the participant during the interview process and ethnographic observations. The methods of collecting personal data and the research methods are described to you in the “Participant Information Sheet” -document.


3.   Processing of necessary personal data and removal of the direct identifiers from the data


The research study only processes personal data that is necessary for the purpose of the study. We will use codes to pseudonymise our collected data, meaning direct identifiers such as names are replaced with random identifiers. We keep professional affiliations and roles of participants for the purpose of contextualizing our study findings. Before collecting personal data such as gender or age range we will assess the contingent need for it. The audio recordings will be transcribed and audio files are deleted upon verification. Any notes and transcriptions will be pseudonymised when stored. During ethnographic observations we may capture some of the participants observations and interactions via field-notes and audio recordings, upon consent of all parties present. The name and work affiliations and roles of the participants may be disclosed upon ad-hoc consent, as explained in the information sheet and depending on the given consent. For vulnerable groups, a code for identification will be offered instead of gathering name and contact details.


4.   Legal basis for the processing of personal data

The legal basis is scientific research, a task in the public interest

5.   Sharing personal data

Research data containing your personal data is shared with the following parties:


Independent controllers: The data may be shared with researchers from Tampere University, a research collaborator of this research project. The research project data may be shared with independent researcher collaborators and partners of the project, who may join the project in a later stage.


Processors: We may use a transcription service provider for transcribing interviews, as needed. In such cases, we will base the sharing of data according to the agreement from the service provider. Any research data provided to research collaborators or partners in the future will be in a form in which the data subject’s direct identifiers, such as name, have been removed or replaced with a random identifier. Transcription service provider can include either a company providing transcription done by personnel, or automatic transcription service such as Word, which does not process the data for purposes other than transcription.


Any research data provided to research collaborators or partners will be in a form in which the data subject’s direct identifiers, such as name, have been removed or replaced with a random identifier.


6.   International data transfers

Research data containing personal data will not be transferred outside the European Union/ European Economic Area or to international organizations.


7.   Storage and protection of personal data

Protection of manual material: Manual paper materials (e.g., consent forms, handwritten field notes, etc.) are stored in a locked cabinet in the Principal Investigator’s room at Aalto University facilities.


Protection of digital material: Aalto University’s internal secure data storage with strictly controlled access and monitored storage space.


Information processed in information systems:

[X] username

[X] password

[X] registration of use (logging or other monitoring)

[X] the data is stored on a university network drive, restricted access, user IDs and firewall


Processing of direct identifiers:

[X] Direct identifiers are deleted during the analysis phase


Information processed in IT systems: Your personal data is processed and preserved in secure IT systems, which are approved by Aalto University and suitable for personal data. Access to all computers and IT systems are protected by username and strong personal password. Access to IT systems containing personal data is technically restricted in a manner, that only researchers participating in the study and persons necessary for the implementation of the study have access to your personal data.


8.   Retention and deletion of personal data


Deletion of identifying information

The research participant’s direct identifiers, such as the name are removed and replaced with a random identifier. During analysis and processing: 

·       The identification data of the interviewees is pseudonymized when the interview record data is transcribed in written form.

·       In case of vulnerable groups, any personal data is removed at this stage. For expert interviews the data is pseudonymized and codes to connect the person to the data are stored separately.


Deletion during and after the study

Consent forms with name and contact information will be deleted at the end of the study,

December 2025.

·       Code key data, i.e., information that can be used to link data to an identified person, will be deleted after the conclusion of the study.

·       Other research data containing personal data is retained for 5 years after the last publication stemming from this data set in order to enable later verification of the research results. 

Research data containing personal data may be retained in order for research data to be used for further scientific research in the same scientific discipline or in other disciplines that support this research study.


When research data has been processed such that identifying details have been removed, such processed research data may also be transferred to other universities, research organisations or public sector partners for further research projects. Same retaining period applies. Currently this can mean transferral of data collected in collaboration with Kela, to Kela for future research purposes by Kela’s internal researchers or outside researchers with a research permit approved by Kela.


9.    Rights of the research participant

According to the General Data Protection Regulation (GDPR), a data subject has the right to:


·       receive information on the processing of their personal data

·       right to access the personal data collected and processed

·       right to rectification of inaccurate personal data

·       request that the processing of personal data be restricted

·       object the processing of personal data

·       right to erasure of personal data if the conditions of Article 17(1) of the Data Protection Regulation are met and processing is no longer necessary for archiving purposes in the public interest or for scientific research or statistical purposes in accordance with Article 89(1)


If the research purpose does not require, or no longer requires the identification of the data subject, the controller shall not be obliged to obtain further information so that the data or the data subject may be identified only for purposes to able the data subject to exercise his/her rights. If the controller is unable to link the data to a particular data subject, the data subject does not have the right to access or correct the personal data, object the processing, or delete the personal data. However, if the data subject provides additional information that allows their identification from the research data, the rights will not be restricted. 

10.                 Contact details of the controller

The controller of this research study is Aalto University Foundation sr., operating as Aalto University.


Person in charge of the research study

Questions regarding the conduct of the research study may be addressed to the person in charge of the study: Nitin Sawhney, Ph.D. Professor of Practice, +358 45 270 8868,


Data Protection Officer

If the research participant has questions or requests related to data protection or the processing of personal data, the research participant should contact the Data Protection Officer of Aalto University: tel. +358 9 47001 (exchange),


In this Aalto data request service, you can request the exercise of your rights under GDPR from Aalto University as the controller.


If a participant of the research study feels that his or her personal data has been processed in violation of data protection legislation, the participant has the right to lodge a complaint with the supervisory authority, the Data Protection Ombudsman’s office  (read more: