Privacy Statement

Privacy Policy for Journal.fi

Privacy Policy in accordance with Section 10 and Section 24 of the Finnish Personal Data Act (523/1999) and the EU’s General Data Protection Regulation (GDPR)

The text is partly based on the GDPR Guidebook for PKP Users (https://docs.pkp.sfu.ca/gdpr/gdpr-pkp-guide.pdf).

1. Data controllers

The Federation of Finnish Learned Societies (hereinafter referred to as “Site Administrator”) and the journals (hereinafter referred to as “Journal Managers”) using the Journal.fi service (hereinafter referred to as “Service”) are joint controllers in accordance with Article 26 of the GDPR.

Their respective responsibilities for compliance with the obligations under the regulation are determined in this document.

2. Contact persons

The Federation of Finnish Learned Societies

Antti-Jussi Nygård (antti-jussi.nygard@tsv.fi)

The contact person for each individual journal is mentioned on the journal Contact page.

3. Name of register

Journal.fi service

4. The lawful basis and purpose for processing personal data

The data collected from users of the Service falls within the scope of the standard functioning of peer-reviewed journals. It includes information that makes communication possible for the editorial process; it is used to inform readers about the authorship and editing of content; it enables collecting aggregated data on readership behaviors, as well as tracking geopolitical and social elements of scholarly communication. The collected data is not used for profiling or automated decision-making.

The basis for processing personal data is user consent.

5. Processed data

The Open Journal Systems software used in the Service processes personal data in several ways. Personal data in the Service includes a) User Registration Data, b) Contributor Metadata Information, c) Workflow Data, d) General Visitor Information.

a) User Registration Data

User accounts are Service wide. The user can register to several journals using the same account by acquiring or choosing a user role in a new journal.

The following personal information is processed and stored when the user registers:

  • First name
  • Middle name
  • Last name
  • Affiliation
  • Country
  • Password (encrypted)
  • Email address
  • Role registrations
  • Reviewing interests

By editing the user profile, the registered user can also provide and/or edit:

  • Salutation
  • Initials
  • Suffix
  • Username
  • Gender
  • Email signature
  • ORCID ID
  • Website
  • Mailing Address
  • Phone
  • Fax
  • Biography
  • Locales
  • Notification settings

The Service automatically saves:

  • Registration date
  • Last login date

Only the username, first name, last name, email and password fields are required. The Site Administrator and the Journal Managers can create new user accounts based on a request from a new user.

Storage

This information is stored in the application database. Only the user password is encrypted.

Availability and Access

This information is available to the user via their User Profile (and, with the exception of the username and dates, can be edited). The Site Administrator can access and edit the data via the application back end. Journal Managers can access and edit data for users that are only registered in their journal. The data is not otherwise publicly available.

Erasure

The data in user accounts can be erased. A written request for removal should be sent to the Site Administrator. The Site Administrator may refuse to remove the data if it is still necessary for the purpose it was collected.

b) Contributor Metadata Information

When a manuscript is submitted to a journal, contributor information is included. Contributors can be authors, translators, volume editors, and so on. This information is stored as submission metadata and is provided as part of any published manuscript record. The user who submits the manuscript usually provides the contributor data. If there are other contributors involved, the submitting user needs to have their permission to provide their personal data to the manuscript metadata. The editors of the journal may edit and/or add additional contributor details after the submission is finished.

The following contributor information is collected:

  • Salutation
  • First name*
  • Middle name
  • Last name*
  • Email address*
  • Suffix
  • ORCID ID
  • Website
  • Country*
  • Affiliation
  • Biography

Only the first name, last name, email address and country fields are required.

Storage

This information is stored in the application database.

Availability and Access

This information is available to almost any submission participant, with some restrictions to preserve the blind peer review process. In short: contributing authors, editors and editorial assistants can all see this data; in most cases, only editorial staff can edit this data after submission. Once a submission has been published, this data is made publicly available online and the data may be transferred to other services upon the journal’s request (see section 7).

Erasure

The contributor data can be erased. A written request for removal should be sent to the Site Administrator. The Site Administrator may refuse to remove the data if it is still necessary for the purpose it was collected.

The contributor data is an integral part of the manuscript metadata and will be erased only in special circumstances. The Site Administrator is not obliged to erase contributor data that was transferred to other services.

c) Workflow Data

The Service tracks workflow information, mostly as submission-specific editorial history. The system tracks:

  • All actions taken on a submission, and by whom;
  • All notifications sent regarding a submission (including who sent and received the notification);
  • All reviewer recommendations and reports;
  • All editorial decisions;
  • All files uploaded as part of the submission process, including files that may have personally identifying information in the form of file metadata or in the files themselves.

Storage

This information is stored in the application database, with the exception of any uploaded submission files, which are stored in the application’s submission files directory on the web server.

Availability and Access

Submission participants have access to different amounts of workflow data depending on their role. Site Administrator can access all data. Journal Managers and editors can access all submission data; section editors and editorial assistants can access all submission data only for those submissions to which they have been assigned; authors have limited access to their own submissions and are only able to see the data they have supplied, or that editorial staff have explicitly made available to them. Reviewers only see the data required for the review.

Erasure

The workflow data can be erased. A written request for removal should be sent to the Site Administrator. The Site Administrator may refuse to remove the data if it is still necessary for the purpose it was collected. The workflow data is an integral part of the journal’s archive and will be erased only in special circumstances.

d) General Visitor Information

The Service also collects general visitor usage data, including:

  • Cookie information, to manage session history. Cookies are required to maintain a login session in the Service. The cookie itself does not contain personal data. The session stored to the database contains the IP address and the user browser information.
  • Usage log data (IP address; pages visited; date visited; and browser information). Additionally, some journals may collect country, region and city information based on the IP address.

Other data may be tracked, either on the server or via third parties:

  • Script loads from CDN servers;
  • IP address information (including date, browser, etc.) in web server logs

Storage

  • Cookies: A cookie named “OJSSID” is created when first visiting the Service and is stored on the visitor’s computer. Detailed session data is stored in the application database.
  • Usage Statistics: The Service stores usage statistics to log files to the file system and the data is transferred to the application database once a day.

Availability and Access

  • Cookies: the user can access the cookie from the browser settings. The Service can read and write data to the cookie. Only the Site Administrator can access the session data stored to the database.
  • Usage Statistics: Only the Site Administrator can access the usage statistics log files. The Journal Managers can only access the processed usage statistics saved to the database. Single users cannot be traced using this data, including the geolocation data. The journal may publish some usage statistics online, such as article download counts. Single users cannot be traced using this data.

Erasure

  • Cookies: The user can delete cookies at any time. The session data stored to the database is automatically removed when the session has expired.
  • Usage Statistics data can be erased. A written request for removal should be sent to the Site Administrator. The Site Administrator may refuse to remove the data in its anonymized form.

6. Sources of personal data

The sources of data include the registration forms and the submission metadata forms. The users of the Service fill these forms and they give their consent to process the data. The Site Administrator and the Journal Managers may create new user accounts upon request.

Visitor Information is collected automatically using the information visible for the web server.

7. Data transfers

Contributor data for published manuscripts stored to the Service is transferred on a regular basis to other services designed to index and disseminate scientific publications. Contributor data for published manuscripts is also openly available for harvesting through an OAI-PMH service. Examples of services used are DOAJ, Crossref and ARTO article database. Indexing services used by a journal may vary. Some of the services may be located outside of the EU and ETA.

Other personal data is not transferred to third parties.

8. Principles of protecting personal data

The data is collected into databases and file systems that are protected with appropriate technical measures. The servers are located in locked facilities where only selected individuals have access. The data controllers provide access to the data only to selected data handlers taking part in the editorial process of the journals.

9. Right of access and rectification

Individuals have the right to be informed about the collection and use of their personal data. Individuals also have the right to have inaccurate personal data rectified, or completed if it is incomplete. Most of the personal data stored in the Service is accessible and editable for the user. The confidentiality of the editorial process especially in the case of peer reviews will limit the user’s right of access.

Written requests for right of access and rectification should be sent to the Site Administrator. The Site Administrator may require identification. The response will be given within 30 days in accordance with GDPR.

10. Other rights

The users of the Service have the right to erase their personal data (“Right to be forgotten”) with the exceptions mentioned in section 5. The users also have the rights mentioned in the GDPR. Written requests should be sent to the Site Administrator. The Site Administrator may require identification. The response will be given within 30 days in accordance with GDPR.

11. Changes to privacy policy

Changes to this policy will be made by updating this document. If the changes are significant, we will inform users by publishing a notification or by email.