Skip to Main Content

Data managent in Thesis: Thesis with a commissioning party

Thesis with a commissioning party

When a student completes a thesis as an assignment for an external party (a company, public corporation, association, university of applied sciences or other educational institution) or, for example, an RDI project, the common rules are agreed upon through a written commissioning agreement.

There are specific templates for creating the agreement:

  • Commissioning agreement for bachelor’s thesis
  • Commissioning agreement for master’s thesis

Regarding the data, the agreement specifies:

  • If the thesis involves the processing of personal data, the commissioning party is considered the data controller. As the data controller, the commissioning party agrees to process personal data in compliance with data protection legislation, such as the EU General Data Protection Regulation and Finland’s national data protection law, as well as the commissioning party's data protection practices.
  • Background data: the commissioning party commits to providing the student with all agreed-upon information and materials necessary for completing the thesis. The owner of the background data may grant access rights to their data to other parties involved in the agreement. Background data could include, for example, business data previously generated by the company, which the student receives from the company for the purpose of the thesis.
  • Ownership and usage rights of research data and results generated in the thesis project: copyright for the results of the thesis belongs to the student. If the student is employed by the commissioning party, the terms of the existing employment contract will determine the copyright. The commissioning party receives usage rights to the foreseeable and typical results of the thesis. If the results of the thesis exceed these anticipated outcomes, the commissioning party must negotiate separately with the thesis author regarding their commercial exploitation. The thesis author is obligated to report the results of the thesis to the commissioning party.
  • Confidentiality: if the commissioning party provides information that is defined as a trade secret or otherwise confidential, they are required to clearly label such documents and specify which information cannot be included in the thesis report due to its confidentiality.
  • The student, the thesis advisor, and other advisors commit to keeping confidential all information and documents defined as trade secrets or otherwise confidential by the commissioning party during the thesis process and in any negotiations prior to or following it, and not to use this information without separate permission.

Student collects personal data

A personal data register is created if you collect personal data in a commissioned thesis. A personal data register refers to structured information about research participants or other personal data collected for the study. In a commissioned thesis, the commissioning party is the data controller. The data controller defines the purposes and means of processing personal data and is fundamentally responsible for the legality of the processing and the realization of the rights of the data subjects.

The data controller must maintain a description of the processing activities for which they are responsible, as stipulated in Article 30 of the General Data Protection Regulation. The description must include the following information regarding all processing of personal data:

  • The name and contact details of the data controller, any joint data controllers, and the representative of the data controller
  • The name and contact details of the Data Protection Officer
  • The purposes of the processing
  • A description of the groups of data subjects
  • A description of the categories of personal data
  • The groups of recipients to whom personal data have been disclosed or will be disclosed
  • Information on any transfers of personal data to third countries and the basis for such transfers
  • The planned retention periods for different categories of data, where possible
  • A general description of the technical and organizational security measures, where possible.

Consult with the data protection officer of the commissioning party to understand how personal data registers are managed within the commissioning organization's practices.

For more information, refer to the Data Protection Ombudsman’s office.

Saavutettavuusseloste / Accessibility Statement