Data privacy

Data protection is important to us and we want to show how and for what purposes we process personal data. The purpose of data protection is to guide good practice and safeguard privacy in the processing of personal data.

The processing of personal data is regulated by data protection legislation (the EU General Data Protection Regulation and national data protection legislation as well as specific legislation), which Xamk complies with.

Data protection policy

The Management Board of the University of Applied Sciences of South-Eastern Finland has approved a data protection policy, which is followed in all processing of personal data by the University of Applied Sciences of South-Eastern Finland. The data protection policy describes the principles and responsibilities for the processing of personal data. In its data protection policy, Xamk commits itself to ensuring the data protection and security of the personal data it processes.

Our processing of personal data is based on the following principles:

  • legality
  • reasonableness
  • transparency
  • purpose limitation
  • data minimisation
  • accuracy, integrity and confidentiality

Other key principles include:

  • Limitation of data retention periods
  • Transparency towards data subjects
  • Data protection is part of the quality of operations
  • Data protection is an important part of the professional competence and development of staff and students.
  • Compliance with data protection rules is the responsibility of the controller and the processor.
  • Each employee must know and manage the data protection regulation and risks related to his or her role.
  • The Data Protection Officer (DPO) is responsible for monitoring data protection matters in the organisation, providing guidance on them and developing them.
  • The Data Protection Officer is independent in his/her role and reports to senior management.
  • Employees responsible for the acquisition, definition and design of new or significantly changed systems handling personal data shall take into account the protection of personal data and carry out the necessary impact assessments.
  • The University of Applied Sciences of South-Eastern Finland processes personal data of students, staff and stakeholders, as well as research data that may contain personal data, based on its statutory tasks.
  • Alumni, marketing, customer and partner data is processed based on contract, consent, legitimate interest or legal obligation.
  • The Data Retention and Archiving Plan sets out the retention periods for personal data.
  • More detailed specifications relating to the processing of personal data are set out in the privacy notices for each category of personal data.
  • Unnecessary personal data will be destroyed in a secure manner.
  • The processing of personal data and the use of information systems are monitored and any problems identified are addressed.
  • A separate log of data protection-related observations and events is collected.
  • Xamk monitors compliance with data protection legislation in its operations through internal controls, audits, guidance and counselling.
  • A data financial statement is drawn up annually.
  • Separate and more specific guidelines on data protection can be drawn up, but the aim is to have data protection built into the operations.
  • The information channels for data protection are the public website, the intranet pages and the information bulletins of the Data Protection Officer.
  • Data protection training is provided through online training for all staff and through lectures targeted at different groups of staff.
  • Data protection is part of the induction of new staff.

Your privacy is important to us

As a data controller, the University of Applied Sciences of South-Eastern Finland is committed to protecting the privacy of users of its services and complies with the Data Protection Act and good data protection practices. The processing of personal data is necessary for Xamk to provide various services. The privacy statement on this page describes Xamk’s practices regarding the collection and processing of personal data.

It is Xamk’s responsibility to be able to demonstrate that the data protection legislation is complied with in its activities. In addition, Xamk has a duty to inform data subjects about the processing of personal data and to assess the potential impacts and risks associated with the processing of personal data.

Xamk processes personal data in order to fulfil its mission as laid down in the Universities of Applied Sciences Act. It processes personal data of students, staff and stakeholders, as well as research data that may contain personal data. Alumni, marketing, customer and partner data are processed on the basis of contract, consent, legitimate interest or legal obligation.

The tools of the University of Applied Sciences (UAS) process personal data for the purposes of performing job functions, enabling student learning, and maintaining access rights and data security. The proper provision of tools for community use is an indispensable part of the fulfilment of the tasks and responsibilities of the University of Applied Sciences.

Descriptions of categories of personal data

More detailed privacy notices are drawn up by category of personal data. In addition, individual services have their own more detailed privacy notices. For example, each RDI project has its own privacy statement, which is available on the project’s own website.

In the privacy notices below, we explain how your personal data is processed and what rights you have to your personal data. The main categories of personal data identified by the South-Eastern Finland University of Applied Sciences are:

Other explanatory notes

Notices issued by other actors

Data protection notices contain the information that must be disclosed to data subjects when processing personal data. Data protection notices help the controller to meet its obligation of proof. The obligation of proof is a key principle of the GDPR and means that the controller must be able to demonstrate that it complies with data protection law.

Data transfers, disclosures and retention periods

The notice for each category of data describes the details of the transfer, disclosure and retention periods. The UAS may use subcontractors to provide its services. If the UAS or subcontractor processes data in a third country, this will be indicated in the relevant detailed notice.

Personal data processed by the UAS will be stored in order to comply with legal requirements and/or for as long as there is another legal basis for the processing. The retention periods and the grounds for retention are specified for each category of personal data in each data protection notice or in the UAS’s filing plan.

Personal data held by the UAS is mainly processed in the information systems used by the UAS. If the data is processed outside the European Economic Area, this will be indicated in the relevant detailed notice.

Rights of the data subject

The data subject always has the right to ask the controller for access to personal data concerning him or her, to request the rectification or erasure of such data or the restriction of processing, and to object to processing. The right of erasure does not extend to personal data that the UAS processes on the basis of a statutory task or in the public interest, or that the UAS is otherwise obliged to retain.

All requests to the controller are made via the Information and Inspection Request Form (e-form). To complete the form, you must be logged in. Advice and guidance can be obtained from Xamk’s Data Protection Officer.

Data subjects have the right to lodge a complaint with the Office of the Data Protection Ombudsman if they consider that the processing of personal data concerning them has infringed the applicable data protection legislation. For more information on data subjects’ rights, see the website of the Office of the Data Protection Ombudsman.

Technical and organisational security measures

Personal data of the UAS is protected as part of the normal maintenance of information security. All data processing in the organisation is based on access rights, which depend on the role and position of the person in the UAS and, if necessary, on the access authorisations granted by the person responsible for each register. The validity of access rights is checked on a daily basis.

The UAS’s IT systems and services are protected against unauthorised access in accordance with industry best practice, are adequately secured and have a managed lifecycle.

Contact

Markus Häkkinen
Project Manager, Data Protection Officer (DPO)
tietosuojavastaava@xamk.fi
+358 40 198 1150