Privacy Policy

This privacy policy describes how we process your personal data as part of the publication process and explains how you can exercise your rights under the European General Data Protection Regulation (GDPR).

1. Data Controller

University of Lapland
Business ID: 0292800-5

P.O. Box 122
FI-96101 Rovaniemi

Tel. +358 16 341 341

2. Contact Person

Dr. Mikko T. Huttunen
Vice Dean of Education
Faculty of Law

3. Data Protection Officer

The Data Controller has appointed an organisation-wide Data Protection Officer (DPO). The contact details of the DPO are given below.

Mr. Hannu Mikkola
Administration, Research Services
Tel. +358 40 735 6200

4. Name of the Register

Nordic Journal of Legal Studies

5. Purpose of the Data Processing

Personal data is processed as part of the academic publishing activity.

5. Purpose of the Data Processing

The following data is collected directly from the users on the platform:

  • Name
  • Email
  • Phone number
  • Affiliation (University, Institution, Employer or similar)
  • Consent information
  • Technical data (browser details, cookies etc.)
  • Statistical data
  • Submitted articles
  • Other similar details that relate to the publishing process

In addition to the data received directly from the user, there may be data that the authors of the articles have obtained from public sources.

6. Regular Data Sources

Data is regularly obtained from the following data sources:

  • Other university systems, such as email
  • Directly from the user through the platform
  • Other public sources

7. Data Processors and Subprocessors

Name                        Data Location   Purpose
OVH Cloud                   EU/EEA          Hosting
Nordic Digital Publishing   EU/EEA          Distribution
Cookiebot                   EU/EEA          Cookie Consent
PostHog                     EU/EEA          Statistics
Crossref                    US              DOI Identifiers
DOI Foundation              US              DOI Identifiers

8. Regular Data Disclosure

Published articles are made accessible, i.e. disclosed, to the public internet as part of the publication process. Articles that have been refused publication, and other data that does not relate to published articles, will as a matter of principle not be disclosed to the public internet.

The Editorial Board and Advisory Board may disclose details about submissions to the university Disciplinary Board in case of suspected plagiarism. The process and processing of personal data in such a circumstance follow the university guidelines on plagiarism.

9. Data transfers outside of the EU/EEA

As published articles are disclosed to the public internet, they are accessible from outside of the EU and EEA. The servers and systems of the Data Controller are located within the EU and EEA, and are thus in line with the requirements of the GDPR. Personal data may also be disclosed as part of the plagiarism detection process, as plagiarism detection software typically uses the submitted articles as future reference material, and these could in some cases be accessed outside of the EU/EEA.

10. Data Security

The Data Controller has taken appropriate measures to mitigate the risk related to the processing of personal data. The platform data is stored in a secure data centre located in the EU/EEA that complies with the ISO 27001 standard regarding security management systems and control activities.

11. Exercise of Rights

The Data Subject may exercise rights stemming from the GDPR, including inter alia the right to access and the right to be forgotten. Please note that the exercise of some rights may be limited because the data processing relates to academic activity, in particular academic publishing.

Forms and details for exercising rights can be found here. The Editorial Board suggests contacting the Editorial Board first, as the majority of requests can be handled directly by the Editorial Board. You may still always lodge a formal request to exercise your rights with the university DPO.

12. Complaint

If the Data Subject considers that the Data Controller processes personal data unlawfully, the Data Subject may lodge a complaint with the national Data Protection Authority (DPA).

The competent DPA depends on the location of the Data Subject, so unfortunately the Data Controller is unable to state explicitly which DPA to contact. In the case of Finland, the Data Subject shall contact the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
P.O. Box 800
FI-00531 Helsinki

Switchboard: +358 29 566 6700

A listing of national DPAs can be found on the European Data Protection Board website.