Support functions

This privacy notice concerns personal data processed by the University of Applied Sciences of South-Eastern Finland in connection with support activities. Support functions include IT access management, financial services, facility services, registry, archive and security systems.

Updated 19.4.2024

This document is based on the requirements of the EU General Data Protection Regulation (GDPR) regarding the information to be provided to data subjects, in accordance with Articles 13 and 14 of the Regulation.

South-Eastern Finland University of Applied Sciences

P.O. Box 68 (Patteristonkatu 3)

50101 Mikkeli

Business ID: 2472908-2

The person responsible for the Support Functions information group:

Kimmo Hoikka, IT Manager

040 657 0853

firstname.surname@xamk.fi

Data Protection Officer

Pekka Uotila, Manager

050 312 5087

tietosuojavastaava@xamk.fi

Personal data are processed for the purposes of customer relations and the performance of the activities and tasks assigned to the services.

The submission of personal data to the IT access management is necessary for the use of the information systems of the UAS.

The management of purchase and sales invoicing requires the creation and maintenance of a register of customers and suppliers.

The management of reloadable payment card transactions requires the existence and maintenance of the UAS student and staff registers. The management of sales invoicing in restaurant services requires the creation and maintenance of a customer register.

The implementation and management of access control requires the existence and maintenance of a customer register.

The processing of personal data is based on the performance of tasks carried out in the public interest (Article 6.1.e), for the implementation of a contract (Article 6.1.b) or on consent (Article 6.1.a).

For personal identifiers, the processing is based on the need to ensure the reliable and unambiguous identification of the data subject in order to safeguard his or her legal security and interests, rights and obligations. Otherwise, the processing of personal data in the register is based on a factual connection or the performance of a contract to which the data subject is party.

Only the information necessary for the processing is recorded in the systems for the performance of the activities.

Information related to IT access rights management:

  • student/personal number
  • surname
  • given name
  • social security number/heterosexuality code
  • address details
  • first name
  • e-mail address
  • username
  • employment contract number
  • telephone number
  • office number

Financial management systems:

  • name of customer/supplier
  • address information
  • date of birth

Restaurant service systems:

  • surname (staff/student)
  • surname (staff/student)
  • personal identity number or business identity number
  • name of client
  • address details

Information related to facility services:

  • name
  • student number
  • room identifier
  • access control number
  • telephone number

The data stored in the system is processed by the staff of the IT services. There are no regular transfers or disclosures of IT access rights management to other parties by maintenance or automation. All transfers of personal data to other systems are made by the individuals themselves and with their consent.

Where the data processed are subject to requests for clarification or information from public authorities, personal data may also be provided in response to such requests, provided that the request for clarification or information relates to a matter of that nature.

In Financial Services, customer and supplier data are processed by the staff of Financial Services. Access to register data is restricted by access rights. There are no regular transfers to other systems and no data are disclosed to third parties.

In Restaurant Services, student, staff and customer data are processed by staff in Restaurant Services. Access to register data is restricted by access rights. There are no regular transfers to other systems and no data are disclosed to third parties.

In Facilities Services, student and staff data are processed by Facilities Services staff. Access to register data is restricted by access rights. There are no regular transfers to other systems. Working room number data are available to other staff. Key holder information is accessible by the suppliers of the locking systems. Data relating to ID card images are also disclosed to the photographer.

The learner number is used to identify/identify the person and to grant access to Digivision services.

  • The learner number is retrieved from the OKM’s learner number service by the user management system (IDM). This is done automatically using interfaces. The IDM Learning Number Service receives the person’s details and returns the learning number as feedback.
  • The learner number is stored in the IDM system and when the user logs on to the HAKA credit network service it is passed on to the requesting systems. When logging in, the user gives his/her consent to the disclosure of the data before it is disclosed. It is possible to refuse to disclose the data, but in this case the login will be interrupted.
  • The retrieval of the student number, etc. is fully automatic/programmed.

There are no regular transfers or divestments of IT access management, financial management systems and facilities management systems outside the EU or EEA.

In IT access management, personal data is permanently stored after the end of employment or studies, due to legal requirements.

Customer and supplier registers remain valid as long as the customer/supplier has an active relationship with the University of Applied Sciences of South-Eastern Finland. The registers will be regularly reviewed to remove outdated customer and supplier information.

The student, staff and customer registers remain valid as long as the different user groups have an active relationship with the Southeastern Finland University of Applied Sciences. The registers are regularly reviewed to remove outdated data.

Personal data used by the facility services regarding keys will not be deleted after the person gives up the keys, otherwise the registers will be maintained in real time.

Requests concerning the rights of the data subject are made in writing to the Data Protection Officer or by using the electronic form (xamk.fi/data-protection-notification). In the request, the data subject must specify what information is requested.

Right of access to personal data. The data subject has the right to request the rectification of inaccurate or incorrect personal data without undue delay.

Right to erasure. The data subject has the right to have his or her data erased to the extent that there is no legal obligation to retain it.

Right to restriction of processing. The data subject has the right to restriction of processing where one of the following occurs:

  • If the data subject contests the accuracy of the personal data, processing is limited to a period of time during which the controller can verify the accuracy of the data.
  • The processing is unlawful and the data subject objects to the erasure of the personal data and requests instead that the use of the data be restricted.
  • The controller no longer needs the personal data concerned for the purposes of the processing, but the data subject needs them for the establishment, exercise or defence of legal claims.
  • The data subject has objected to the processing of personal data under Article 21, pending verification whether the legitimate grounds of the controller override those of the data subject.

Right to object. The data subject shall have the right to object to the processing of his or her personal data in the situations provided for in Article 21.

The right to data portability. The data subject has the right to receive personal data concerning him or her in a machine-readable form, provided that the processing is based on consent, is automated and technically feasible.

Information about the right to withdraw consent at any time (If processing is based on consent). The data subject has the right to withdraw his or her consent to the processing of personal data where the controller processes personal data on the basis of consent. Withdrawal of consent may prevent the use of services and systems.

The right to lodge a complaint with a supervisory authority. Data subjects have the right to lodge a complaint with a supervisory authority if they consider that the processing of their personal data is unlawful. The complaint should be addressed to the Data Protection Officer. (www.tietosuoja.fi)

The IT authorisation manager divides the credentials into different groups depending on the source system from which the personal data was retrieved when the credential was created. The division is done between staff and students and based on this, access and permissions are granted to resources in the respective groups.

The personal data related to IT access management is obtained from the registers of Teaching Services and Human Resources by the automation system.