List of active policies

Name Type User consent
Privacy notice Site policy All users


CSC online learning platform eLENA (Moodle, Mediamaisteri) privacy notice

Valid from: 01 March 2022

This privacy notice describes the purpose for which your personal data is used and the rights you have as a data subject on the CSC online learning platform eLena.

Full policy

Data controller

CSC - IT Center for Science Ltd (0920632-0)
P.O. Box 405 (Keilaranta 14)
02101 Espoo
+ 358 9 457 2001 (switchboard)

Contact information for matters related to the register

CSC customer service
CSC - IT Center for Science Ltd
P.O. Box 405 (Keilaranta 14)
02101 Espoo
Tel. +358 9 457 2821 (switchboard)

Data protection officer contact details

CSC Data Protection Officer
CSC - IT Center for Science Ltd
P.O. Box 405 (Keilaranta 14)
02101 Espoo
tel. +358 9 457 2821 (switchboard)

What are the purposes for which your personal data is used and what is the legal basis for the processing?

The eLena online learning platform provides learning content organised and provided on request by CSC. Personal data is used to:

  • Identify course participants, teachers and administrators

  • Guide learning and assess performance

  • Communicate about learning content

  • Log into integrated services

  • Solve problems

  • Ensure the safety of services

  • Investigate any misuse

  • Invoice commissioned learning content

  • Collect feedback for the development of learning content

  • Compile statistics: number of participants and completed learning contents

CSC's right to process your data as a controller is based on an agreement (data protection regulation 6.1 b) when you participate in the training as a member of CSC's staff or when a customer relationship is established between you and CSC when you register for the training. The processing of your data is based on consent (GDPR 6.1 a) when you enter data into the training system for purposes other than completing the training. The legitimate interest of the controller (data protection regulation 6.1 f) is the basis for processing when CSC protects its online learning environment and the data processed in it or uses the said data. A legitimate interest also consists of a service or customer relationship between the controller and the data subject when we process personal data to manage a service or customer relationship, for invoicing or for statistical purposes. We have assessed that we can use the legitimate interest as a basis for processing in the above-mentioned situations.

Which personal data concerning you is collected, and from where?

When you log into the service, the following information is retrieved from your home organisation and stored in the service:

  • name

  • username

  • email address

  • your home organization

We may obtain your personal information from you or your home organization when it enrols you onto training content or defines you as the training contact person. The online learning environment stores information about actions taken by users, such as messages you send. Discussions, surveys, assignments, and performance assessments within the course are saved as part of the data to be saved. The user's IP address and login time are stored in the service's technical log. The log is used to diagnose technical problems and misconduct. The information may be used to establish, present or defend a legal claim.

In our e-learning platform, we use session cookies that are necessary to operate a site that requires login. Session cookies are removed from your device when you log out of the service or close your browser. Blocking them in your browser settings may interfere with your use of the service. We also use a functional cookie that facilitates use in some situations. Blocking it in your browser settings does not prevent you from using the service. The cookies we use are:

Cookie name





Moodle Session ID, required to maintain login for authenticated users


1st party (CSC) cookie


A functional cookie maintains a user ID in your browser between sessions, so you don't have to type it when you log on again.

The 'session' is destroyed when the user logs out or at the latest 2h after the user last visited eLena.

1st party (CSC) cookie


Maintains the session for authenticated users


1st party (CSC) cookie


SAML Authentication ID maintains logon for authenticated users


1st party (CSC) cookie;


Saves the SAML session ID to maintain authenticated user login.


1st party (CSC) cookie

Who has access to your personal data?

By logging in to the service, you can view the information concerning you that saved in the online learning environment. The course teacher has access to the information of the course participants. The name of the course teacher appears in the course information and may appear to enrolled users. Participants in the same course will see each other's name in the list of participants and information stored in the course workspace, if necessary for the implementation of the training. The training contact persons designated by your home organisation will have access to your information. Our partner maintaining the system has access to all information, if necessary. Our contractual partner's learning environment supplier Mediamaisteri Oy and Ficolo Oy, which produces a storage service for the system, process the data on behalf of and for CSC. Course completion information can be handed over to the organization that ordered the learning content. For CSC's personnel training, the performance data is transferred to CSC's HRM system, in which data can be accessed by the user's supervisor and other persons authorised by the controller to access the data, in addition to the user themselves.

Is your personal data transferred outside the EU/EEA?

Personal data shall not be transferred outside the European Union or the European Economic Area.

How long will your personal data be stored and archived?

The participant's access to the course will end within (1) month of the end of the course. Data for course participants will be deleted from the course data six (6) months after the opportunity to complete the course has expired. CSC will erase all information on the participants and performance of commissioned learning content within one (1) month of the submission of the information to those who ordered the course. Participants will not be notified of the deletion of data and the data cannot be restored after deletion. CSC does not archive the performance data of commissioned courses or the performance data of courses open to everyone.

CSC transfers the performance data of CSC's personnel training courses to its HRM system for storage, in which they are stored for the period specified in the personnel's privacy statement. Data is not archived.

If no end date is specified for the course, its data will be deleted from the e-learning platform two (2) years after the start date of the training (example: Training starting in September 2022 will be removed at the beginning of October 2024), unless otherwise agreed with the client or owner of the learning content. Courses for CSC staff will be removed one (1) year after the last use, i.e. from the last time a user who has enrolled onto the course or a course teacher has logged into the course. Before deleting a course, its teacher or owner is notified by email of the plan to delete the course and given the opportunity to ‘opt-out’, i.e. to keep the course available or transfer the course material to a new course. If the course teacher or owner does not respond to the request within one (1) month, the course will be deleted.

Any users who do not use the system for 180 days are considered inactive and their account information is erased. The user must log in at least once every 180 days (6 months) if they want their account and information to remain in the learning environment. The data deletion process is automated. The user will not be notified and the data cannot be recovered after the deletion.

Technical log data of the service is stored for 365 days.

Your personal data will be stored for longer than described above if it is necessary to prepare, present or defend a legal claim.

What kinds of rights do you have as a data subject?

You have the right to receive information on the processing of your personal data (Articles 12-14 of the GDPR).

You have the right to know whether we process your personal data and have access to the data collected about you (Article 15 of the GDPR). If you are registered with the service, you will see the information about you on the service when you are logged in. At your request, a copy of your information may be provided to you.

You have the right to ask us to rectify any inaccurate information about you and to delete any unnecessary information about you (Article 16 of the GDPR).

You may have the right to have your personal data completely deleted (right to be forgotten, Article 17 of the GDPR). However, there is no such right if the learning content is for CSC personnel or if it is a training commissioned by CSC, and the data is needed to fulfil CSC's obligations and rights.

You have the right to restrict the processing of your personal data (Article 18 of the GDPR) in the following situations:

  • You have reported an error in your information and CSC is inspecting the matter

  • In your opinion, your data is processed in an unlawful manner, but you do not want it to be deleted

  • CSC no longer needs your information, but you need it to prepare, present or defend a legal claim

  • You have opposed the processing of personal data on the basis of the legitimate interest described above and you expect the justification for the processing from CSC to be verified.

You have the right to receive personal data regarding yourself in a structured, commonly used and machine-readable format and, if you wish, to transfer it to another controller in another system (Article 20 of the GDPR).

If you are a registered user of the service, you can submit a request concerning your rights through the functions provided. As a registered user, you can view your personal information and make copies of it yourself. You can also submit a request for your rights to CSC by email or by post. You can find the contact information at the beginning of the privacy notice.

You have the right to lodge a complaint with the data protection supervisory authority of your permanent residence or place of work or the location where the suspected data breach took place, if you consider that the processing of personal data concerning you is in breach of the EU General Data Protection Regulation (EU) 2016/679. In Finland, the Data protection Ombudsman acts as the supervisory authority (