Processing of Personal Data and Privacy Protection Notice

The IT Center is an independent institute at the University of Helsinki which is responsible for providing shared IT services for the university. Our main service point is situated at the Viikki campus and we also have on-site support teams that serve university staff and students on all the campuses. We are also responsible for the user support of our services. For a more detailed description of our services, see our Services list in Helpdesk instructions site.

To be able to offer you IT services, we must process different types of data through which you can be identified, i.e. personal data. This makes us, or the University of Helsinki, a data controller that controls the processing of your personal data.

We only process personal data that are necessary for our tasks.

The purpose of this notice is to inform you of the ways in which we process your personal data and the types of rights that you have.
 

Why is your personal data processed, i.e. what is the purpose of processing?

The IT Center needs your personal data in order to produce IT services, such as:

Logging in, network connections, software, computers, storage space, e-mail, Office365, Wiki, Unitube, Moodle, examination aquarium and consultation.
 

Why is the University of Helsinki permitted to process your personal data, i.e. what is the legal basis of processing?

The use of personal data is primarily based on legislation concerning the University of Helsinki and organisations operating within the academic community, employer legislation and, in certain special cases, consent.

The university’s right to process personal data as a data controller is thus based on:

  • the performance of a task carried out in the public interest or in the exercise of official authority
    (General Data Protection Regulation, Article 6(1)(e)
  • compliance with a legal obligation
    (General Data Protection Regulation, Article 6(1)(c)
    • especially concerning to the Act on the Protection of Privacy in Working Life
  • and in special cases on a contract or consent
    (General Data Protection Regulation, Article 6(1)(a and b)

As a rule, the university has the right to process sensitive data as a data controller if:

  • processing is necessary for reasons of substantial public interest
    (Article 9(2)(g)
  • processing is necessary in view of employer obligations

Primary regulations:

  • Universities Act (558/2009)
  • Government Decree on University Degrees (794/2004)
  • Act on the National Registers of Education Records, Qualifications and Degrees (884/2017)
  • General Data Protection Regulation (EU) 2016/679 and supplementary national regulations
  • Personal Data Act (523/1999) and the replacing Data Protection Act (XXX/2018)
  • Act on the Openness of Government Activities (621/1999)
  • University of Helsinki’s Regulations
  • Regulations on Degrees and the Protection of Students’ Rights at the University of Helsinki
  • Decisions of the university and the Rector concerning teaching and studying at the University of Helsinki
  • Standing orders of the faculties of the University of Helsinki
     

What types of personal data does the University of Helsinki process?

The University of Helsinki processes personal data on the basis of which you can be identified directly and indirectly. Directly identifiable data include personal identity codes and student numbers. We also process your name and contact details. In addition, the university processes other data related to your studies and working, through the combination of which you can be identified by an outsider.

Examples of data processed by the University of Helsinki:

  • Students’ contact details, user accounts and student numbers
  • Student’s target degree, degree programme, specialisation, main subject and faculty
  • Employees’ contact details, user accounts and person numbers
  • Employees’ unit data, employment start and end date, data related to the organisational structure
  • Data related to the workstation (i.e. a laptop or desktop computer)
  • usage volumes of applications installed through the workstation management system
  • persons having used the workstation
  • Data on equipment and log-ins stored in the log files of Eduroam and Hupnet visitor networks
  • Student and Employee information required for the University of Helsinki IT Security Test

For further information on the personal data processed, see the privacy statementsof the IT Center’s systems, in which all personal data processed are specified in detail.
 

What rights do you have?

Right to inspection and rectification

  • You have the right to know whether the University of Helsinki processes your personal data. You also have the right to know how your personal data are processed.
  • If there are inaccuracies or mistakes in your personal data that are processed, you have the right to request their rectification or supplementation.

Right to cancel consent

If the University of Helsinki processes your personal data based on your consent, you have the right to cancel such consent. Note that usually the processing of data related to studying is based on laws and public interest, not on your consent.

  • Withdrawing consent will not affect the lawfulness of the processing performed on the basis of your consent before cancellation.
  • Cancellation is primarily submitted to the party to whom the consent was given.

Right of erasure

You have the right to request the erasure of your personal data in the following cases:

  • The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
  • You withdraw the consent on which the processing was based, and there is no other legal ground for the processing.
  • You object the processing of your personal data (see below for a description of the right to object) and there are no overriding legitimate grounds for the processing.
  • Your personal data have been unlawfully processed; or
  • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.

There is no right of erasure of the personal data if their processing is necessary for the fulfilment of the University’s legal obligation or if the data are processed for the execution of a task related to public interest or for the exercise of public power belonging to the university. Therefore, as a rule, the right is not applied to personal data files maintained by the university. The university’s archive compilation plans and data storage times laid down in legislation are observed in retaining and erasing the data.

There is no right to have the data erased either if their erasure would prevent or considerably impair the implementation of the purpose of the processing in scientific research.

Right to restriction of processing 

You have the right to restrict the processing of your personal data where one of the following applies:

  • You contest the accuracy of the personal data, in which case processing is restricted for a period enabling the university to verify the accuracy of the personal data.
  • The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead.
  • The university no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims.
  • You have objected to the processing of personal data (see below for more information) pending the verification of whether the legitimate grounds of the controller override those of the data subject.

Right to transfer data from one system to another

You have the right to obtain the personal data you have submitted to the university in an organised, generally used, and machine-readable format, and the right to transfer the data to another data controller without being prevented by the university if the legal basis of the processing is consent or an agreement and the processing is performed automatically.

  • When you exercise your right to transfer the data from one system to another, you have the right have the personal data transferred directly from one data controller to another if this is technically possible.
  • However, the right does not concern such processing of personal data that is necessary for the completion of a task concerning public interest or the fulfilment of the data controller’s statutory obligation. Therefore, as a rule, the right is not applied to personal data files maintained by the university.

Right to object the processing of personal data

You have the right to object, on grounds relating to your particular situation, to processing of your personal data where the legal basis of the processing is the execution of a task concerning public interest, the exercise of public power or the university’s legitimate interest. In this case, the processing of your personal data may only be continued if there is a very important, justified, demonstrable cause for such processing.

Right to lodge a complaint to a supervisory authority

You have the right to subject the lawfulness of the university’s actions for consideration by the Data Protection Ombudsman.

Contact information

Office of the Data Protection Ombudsman

Street address: Ratapihantie 9, 6th floor, 00520 Helsinki
Postal address: P.O. Box 800, FI-00521 Helsinki
Switchboard: +358 29 56 66700
Fax: +358 029 56 66735
E-mailtietosuoja@om.fi
 

From where were the personal data obtained, i.e. what is their source?

Some of the necessary personal data were obtained from yourself. Example:

  • Contact language
  • Your name
     

Some of the personal data are related to the identifiers issued to you by the University of Helsinki directly or indirectly. Examples of such data include:

  • User account
  • Computer-specific code of your workstation’s network interface card
     

Some of your personal data are directly related to your studies or working. Example:

  • Log-in time
  • IP address

For more detailed information, see system privacy statements.
 

How long are your personal data retained?

The retention times of the personal data and manual material stored in the University of Helsinki’s systems are based on valid legislation and the University of Helsinki’s archive compilation plan.

For data retention times, see the University of Helsinki’s archive compilation plan. The retention times are based on the Archives Act (831/1994) and other legislation.
 

Places of data disclosure, i.e. the recipients or recipient groups of personal data

At the University of Helsinki, data are only processed by those university employees or persons commissioned by or acting on behalf of the University of Helsinki who need them in their tasks.  Access to information systems is protected with user rights. 

The University of Helsinki can also use outsiders for the processing of personal data, such as companies offering system services, which process personal data on behalf of the University of Helsinki based on an assignment agreement.

The University of Helsinki only discloses personal data to outside of the university or processes them in lawful situations.
 

Transfer of data outside the EU or the EEA

According to its data protection policy, the university exercises special care if personal data are transferred to countries outside the EU and the European Economic Area (EEA) and the countries do not provide data protection complying with the EU’s General Data Protection Regulation.

Personal data are transferred outside the EU and EEA in accordance with the requirements of the General Data Protection Regulation.
 

Does the University of Helsinki make automated decisions?

We do not make automated decisions based on your personal data of the kind that would have any legal consequences on you or that would have any corresponding major effects on you.
 

Additional information about the processing of personal data at the University of Helsinki

For the list of the IT Center’s services list, please see Helpdesks's instructions site. For system privacy statements, see the IT Center website Terms of use and privacy policy of IT services.
 

Data controller’s contact details and the data protection officer of the University of Helsinki

University of Helsinki
P.O. Box 3
FI-00014 University of Helsinki
Telephone: +358 (0)2 941 911 (switchboard)

The data controller’s contact person is lawyer Tuomas Tähtinen.
The University of Helsinki's Data Protection Officer is Lotta Ylä-Sulkava.

The contact person and the data protection officer can be contacted by e-mail: tietosuoja@helsinki.fi