Privacy notice for employees

Staff of the Ģ��ֱ��

Published

11.9.2023

What should you know about the processing of your personal data?

The Ģ��ֱ�� collects personal data about you to carry out its tasks regarding your employment relationship. You have rights to this data, such as the right to access the data and the right to be sure that it’s stored securely and only for the necessary time. Above all, you have the right to know the following:

what information we collect about youand why,
for how long, and where we keep this information, and
to whom we share this information.

All of these points are explained in this privacy notice.

This privacy notice is provided for a new employee filling out the personal data form. There is a link to this privacy notice on the webpage of the personal data form and on the actual form. Employees are reminded of the privacy notice during their employment relationship.

The privacy notice for staff concerns the present, future, and former employees.

How to find the information you're looking for?

We have created this privacy notice to be as easy as possible to use and understand. That’s why you'll find the key points concisely summarized under each section. If you're interested in knowing more, follow the links in the sections or contact the Data protection officer.

Contact the Data protection officer

Why we process your personal data?

The purpose of the processing of the Ģ��ֱ��'s personnel data is the payment of salaries, fees, grants, travel and expense invoices, the planning, maintenance, monitoring and statistics of personnel, salary and employment matters, the performance of the employer's statutory duties and the provision of customer service in human resources administration. In addition, for the employer's voluntary tasks, such as international staff mobility, skills development (partly voluntary), well-being at work and anniversary and retirement acknowledgements.

What data we process and how long?

Your personal data are processed for as long as it is necessary in order to deal with the employment relationship issues and employer duties. Archiving takes place in line with the retain time instructions of the JYU Data Management Plan. Some parts of the data are archived in the University’s Registry Office and some parts in an electronic archiving system with identification information.

To get more information about what personal data we collect and how long we keep certain information, check the sections below.

Basic personal data, such as name, date of birth, personal identity code, contact information, identification number, organisation information

Contact information: no personal phone number is necessary, but an email address is needed for the identity management system

Data on the next of kin: the employee can choose to give the name and phone number of the next of kin (voluntary)

The advance information form for working abroad asks personal data on accompanying family members (name, date of birth) for cost reimbursement purposes

Sanctions screening: We perform obligatory sanctions screenings that are based on identity, nationality, domicile, or address.

Photographs in employment relationships that are permanent or at least four months long, a staff ID card with a picture, used as a library card, in access control, and as a personal ID card. You may choose to publish your picture on the university website or elsewhere.

Information on those having received first-aid training

Information about having , that an employee has separately informed the University

Employment relationship data as well as data required to establish an employment relationship

Data on goal discussions

Data related to vacations and absences, including medical certificates

Data related to travel management

Data related to work plans (for those in the total working hours system)

Data related to the allocation of working hours and cost calculations

Log data collected on the use of data systems, e.g. who has used the system, what has been done therein, what data have been processed, whose data have been handled and when. Log data are used in sorting out problems in the system, in investigating information security anomalies, or for surveillance. In addition, log data helps produce up-to-date information about the overall situation of information security.

Personal data are also used for the equal pay survey concerning JYU staff. Moreover, also a scientific analysis can be made in connection with the survey, where the role of job requirement assessments and personal performance assessments in view of the realisation of equal pay among the staff is examined more closely. In principle, the sampling is drawn from two years.

Staff’s wellbeing at work or other matters relevant to employment relationships or the University’s operation can be investigated by surveys using employees’ work email addresses. Responding to these surveys is voluntary, and the survey has to state more specifically what it is about, who is conducting it, and other necessary information concerning the processing of personal data.

Retain times according to the Data Management Plan for the below-listed data, for example, are as follows:

personal data form 1 year
employment contract 50 years
employment certificates 10 years
tax card, retained for the validity period
applications for work exemption: study and job alternation leaves, the validity period + 2 years
applications for work exemption: rehabilitation 2 years
other applications for work exemption 10 years
pension issues 10 years
medical certificates submitted to HR 1 year (for persons undergoing non-military service 6 months, medical certificates related to an occupational accident 20 years)
resign notice 10 years
travel invoices 20 years
work plans 5 years
annual holiday issues, saved leaves and holiday pay leaves 10 years
job requirement level and personal performance level assessments 13 years
working hours and access control reports 10 years
pay calculations 50 years
warrants for the payment of trade union membership fees, retained for the validity period
photographs, the photo is deleted when a person returns his/her staff ID card without informing about further employment. The employee’s oldest photos are always replaced with more recent ones.
data processed for the equal pay investigation are kept for the period of the investigation and scientific research (more exact time is stated in the research license available in the Registry Office).

Sirius HR working capacity control and monitoring system. The personal data are pseudonymised for terminated employment relationships (2 calendar years). The personal data are erased four years after the employment relationship ended. The pseudonymisation and erasure of personal data take place at the turn of each year.

The employer must keep a list of employees who have been exposed at work hazardous biological agents. The list must be retained for at least 10 years, and in separately specified cases for 40 years (for COVID-19 exposures, the retainment obligation is 10 years). The retain time is defined in the decree issued by the Ministry of Social Affairs and Health on the classification of biological agents (748/2020).

Working time allocation data are retained in accordance with the keeping times of financial administration, and electronic data and documents related to the Aliens Act are retained according to this Act. On the funder’s demand, the forms related to the Erasmus+ programme for staff mobility have to be retained for five years. Travel funding application forms intended for the University’s own internal use are retained for two years.

We receive personal data from the persons themselves, the TE-Office, referees, the Finnish Security Intelligence Service, the Legal Register Centre, occupational health care service or other health care providers, pension insurance companies, authorities, and labour market organisations. Certain personal data can be updated through the identity management system from the student information system, which integrates with the national student number register. This applies to staff members who, in addition to their employment relationship, have an active study relationship in the JYU identity management system, i.e. in practice an active study right in the student information system. The data that could be updated through the student information system would include: first names, surname, municipality of origin, nationality and mother tongue.

What rights you have and how to exercise them?

You have the following data subject rights:

Right to access your personal data (right to check)
Right to rectification (Remember to keep your contact information up to date)
Right to erasure (“right to be forgotten”) if the processing of personal data is based on consent or agreement
Right to restriction of processing in some cases
Right of notification so that the data controller (unit responsible for the register) further informs any third-party recipients of the data about your request for the rectification or erasure, or restriction of processing of your personal data
Right to object processing if the processing is based on the data controller’s legitimate interest
Right to data portability, i.e. to have the data transferred to another system if the processing is based on consent or agreement and is performed automatically
Right not to be subject to a decision based solely on automated processing, including profiling, which would produce legal effects concerning you or similarly affect you significantly.
Right to be informed of any information security breaches causing a major Risk
Right to lodge a complaint with a supervisory authority

If you have any questions about your data subject rights, you can contact the University’s Data Protection Officer or the contact person of the register.

Get to know your rights

Use the form from the Registry office

Send an informal request to the Registry office

Right to object to the disclosure of health information

The employer is entitled to forward a medical certificate or statement that an employee has submitted to the employer, and which concerns the employee’s working capacity, further to a service provider, unless the employee has forbidden such further delivery (Act on the Protection of Privacy in Working Life 759/2004, section 5). Occupational health care services for the Ģ��ֱ�� are provided by Terveystalo. You have the right to forbid the delivery of your personal data to Terveystalo. You can do it by informing this to HR Services through HelpJYU.

Who can access your personal data?

Your personal data can be processed only by persons whose work duties require it. Access to your personal data is protected by user IDs and passwords as well as by user roles in secure data communications and data networks. Paper records and printouts are kept in locked spaces and cabinets.

Also, the service providers we use can access your personal data in their role as data processors. However, these providers do not actively process your personal data, but they have access to it for maintenance reasons.

Learn more about data processors

To whom we transfer your data?

The Ģ��ֱ�� delivers your data only to such bodies that have a statutory right to such information for a prescribed purpose, or for whom the delivery of data is necessary in order to deal with issues pertaining to employment relationships and employer’s duties, or to recipients authorised by your specific consent or if there is another acceptable reason for the disclosure, such as the provision of information system services by third parties for work purposes.

Personal data are transferred within the University

to the travel management system
to the VASARA system (a platform for the digitalisation of workflows)
to the work plan system
to the working time allocation and cost calculation system
to the working hours control and access control system
to the user and identity management system
to the data storage
to the facility management system
to the ID card printing system
to the European Commission MobilityTool reporting system
to the system for facility service requests
to the student and study register systems
to the teaching plan system
to the HelpJYU service request system
to the Quinyx system for work shift planning

The staff has received instructions for the processing of personal data, and they also receive training to understand and prevent risks that threaten personal data.

The data controller is responsible for the processing of personal data also when having outsourced it to a processor of personal data as referred in the GDPR.

Find more information about the transfer of your personal data outside the university below.

Personal data are delivered outside the University

to the Universities’ service centre Certia
to employment pension insurance companies
to an indemnity insurance company
to tax administration
to trade unions
to banks
to occupational health care service
to KELA
to the Employment and Economic Development Centre
to a travel agency
to MIGRI
to consultancy offices providing expert services for employer support in Finland and the target country
to the Confederation of Finnish Industries / Finnish Education Employers (FEE)
to Statistics Finland
to the Ministry of Education and Culture
to project funders
to accountants
to authorities, e.g. the Finnish Security Intelligence Service, Legal Register Centre, Digital and Population Data Services Agency
to mobility project funders (European Commission or Finnish National Agency for Education, FNAE) and to the national office for the Erasmus+ programme (FNAE)
to a university or other organisation hosting a teaching or staff visit
to bodies providing staff training
to a facility maintenance company for the handling of service requests
data on persons exposed to biological agents can be delivered to an occupational safety and health authority, occupational health care service, doctor in charge of communicable diseases in the municipality or in the health care district, and the occupational safety and health personnel at the workplace
to cooperation partners related to research
to a commissioned service provider in order to deal with employer duties
also data of professors are delivered to the Directory of professors
The Ģ��ֱ�� participates in the Digivisio 2030 programme for all Finnish higher education institution. Digivision's continuous and flexible learning platform will publish higher education institutions' study modules, courses, assessment items and implementations. The services will be tested before publication. As part of the course descriptions, staff names and email addresses will be part of the tested and published material (personal data will be provided to the CSC, which will act as the processor and implement the service). Other HEIs will act as processors in the Opin.fi testing and piloting environments and will have access to the course teacher/contact person information.
Data from the SAP Cats register may be provided to third parties for audit or auditing purposes and for funding applications.

Where necessary, the Ģ��ֱ�� can deliver participants’ contact information to an authority in order to trace the chains of communicable diseases.

Based on an information request, personal data can be delivered for scientific research or statistical purposes if the recipient is entitled to process the data.

Personal data are transferred outside the EU/EEA area solely in settings where the employer duties concerning an employee must be taken outside Finland in compliance with either Finland’s or the target country’s tax legislation, a tax agreement between Finland and the target country, EU’s or the target country’s pension and social security legislation, or social security agreements between Finland and the target country, or where the employee has applied for travel funding to a country outside this area (Erasmus+ global mobility, Finnish-Russian Student & Teacher Exchange programme).

As for the processors of personal data, the transfer of personal data outside the EU/EEA area is described separately in the appendix concerning them, see Processors and transfers of personal data outside the EU/EEA area— Ģ��ֱ�� (jyu.fi)

On what basis we process your personal data?

We process your personal data based on legal grounds, agreements, or your consent. If you want to dive deeper into our legal bases, such as the relevant legal provisions, you can find more information through the menu below.

EU General Data Protection Regulation (GDPR), Article 6.1c: Processing is necessary to comply with the data controller’s statutory obligations. This includes especially issues pertaining to work permits for foreigners, insurances for occupational accidents and pensions, rehabilitation and disability pension processes, degree education, salary calculation and payment, specific rights of those dismissed on the grounds of productional and financial reasons or those under the threat of dismissal, and exposure to diseases. Main laws on which the statutory obligations are based are the following:

Employment Contracts Act (55/2011), Working Hours Act (605/1996), Annual Holidays Act (162/2005), Employees’ Pensions Act (395/2006), Act on Preliminary Taxation (1118/96), Workers’ Compensation Act (459/2015), Act on Compensations for Training (1140/2013), Communicable Diseases Act (1227/2016), Occupational Safety and Health Act (738/2002), Health Insurance Act (1224/2004), Act on Third-country Citizens’ Entrance and Prerequisites for Staying in Finland (277/2022), Aliens Act (301/2004), Act on Checking the Criminal Background of Persons Working with Children (504/2002).

The employer must keep a list of employees who have been exposed at work to certain diseases or other hazardous biological agents. The Work Safety and Health Act stipulates that the list must be kept unimpeded by confidentiality regulations. Access to the list can be requested by an occupational safety and health authority, occupational health care service, a doctor in charge of communicable diseases in the municipality or in the health care district, and the occupational safety and health personnel at the workplace. Keeping the list is the employer’s statutory obligation (Occupational Safety and Health Act 738/2002, Section 40a).

The employer must assign one or several employees to first aid tasks as well as take care of their training and equipment. The need for first aid readiness at the workplace is reviewed in the workplace investigation conducted by occupational health care services. When planning the first aid readiness, the necessary first aid skills and equipment are determined for the workplace (Occupational Safety and Health Act (738/2002, Section 46).

EU GDPR, Article 6.1b: Processing is necessary in order to implement an agreement in which a data subject is an agreeing party, or to carry out relevant measures preceding the signing of such an agreement on the data subject’s request. As part of the implementation of the agreement, the University provides the staff with various instruments, the use of which involves processing of personal data. Processing is based mainly on work contracts (e.g. photographs). The employer also publishes employees’ data in contact information search /fi/yhteystiedot. These data can be published on the employer’s website without the employee’s consent when publishing is appropriately justified and necessary for the employer’s operation.

EU GDPR, Article 6.1d: Processing is necessary in order to protect the data subject’s vital interests. A vital interest can exceptionally become a relevant justification for the processing of personal data, for example, if an employee is injured at the workplace and his or her personal data are delivered to the health care staff.

Compiling statistics is based on EU GDPR (EU 679/2016), Article 6.1e, and on the national Data Protection Act (Section 4).

The equal pay survey is based on the data controller’s statutory obligation (EU 679/2016, Article 6.1c) to carry out a review on equal pay practices for staff in order to meet the obligation stipulated in the Act on the Equality between Women and Men (609/1986), Section 6b). In addition, the data are processed as part of a scientific analysis, where processing is necessary for a scientific or historical research or statistical purposes, and it is in right proportion in view of the aimed goal in accordance with public interests (Data Protection Act, Section 4.1.3). The analysis draws on statistical methods in examining the background factors and meaning of differences detected in the assessment of job requirement levels and personal work performance with regard to the realisation of the equal pay policy across the staff.

For log data, the lawful basis for the processing of personal data is to comply with the data controller’s statutory obligation (the primary rule if collecting of log data is justifiable and includes personal data). Act on Information Management in Public Administration (906/2019), Section 17, and GDPR (EU 679/2016), Articles 24, 32–34, 39.

An employee’s consent can be used only exceptionally as a lawful basis for processing (EU GDPR, Article 6.1a) if it is about a voluntary recreational or other such event that is not directly related to the employee’s work tasks or taking care of employer obligations and where participation is voluntary and/or takes place outside working hours.

The employer can process an employee’s health data when:

it is necessary for the payment of sick pay or equivalent benefits related to the health status.
in order to find out if the absence from work is justified.
the purpose is to investigate an employee’s working or functional capacity on the employee’s or employer’s initiative and on the basis of health status data (Occupational Health Care Act 1383/2001, Section 13) The investigation is made in collaboration and joint agreement with the employee and the occupational health service. The procedure is recorded in the operation model for early intervention and also in the action plan of the occupational health service. The employee takes up the case-specific data that he or she wants to be addressed as regards his or her health status. Only work-related matters and things that the employee wishes to bring forth are recorded in memos, not health data (Act on the Protection of Privacy in Working Life 759/2004, Section 5).

In addition, the employer is entitled to process these data in those situations and within the scope as separately prescribed elsewhere in the law:

The Occupational Health Care Act stipulates on the obligation to report absences lasting for 30 days. According to the JYU operation model for early intervention, the limits are set at 14 days for continuous absences and 20 days of absences cumulatively over a year. The notification is made in Sirius and involves medical certificates.
Discussion memos (early intervention, occupational health negotiations). The memos are saved in Sirius, but no health status data should be recorded in them. Persons assigned at HR are authorised to handle the memos.
When considering grounds for dismissal: Employment Contracts Act, Sections 7.2.1 and 7.2.3: At least illness, disability or accident affecting the employee cannot be regarded as proper and weighty reasons, unless working capacity is substantially reduced thereby for such a long term as to render it unreasonable to require that the employer continue the contractual relationship. For the basis of assessment, it can be checked whether the absence from work is continuous or is it about repetitive short absences; length, absence percentage, the same or different illness. When necessary, this is sorted out in Sirius, if the information needed is not available from Mepco.

The medical certificates and/or diagnostic data in Sirius can also be processed on the following grounds:

If the need for processing is based on another law (e.g. Occupational Safety and Health Act, Section 8)
The employer’s concern about working capacity, further actions, for example, referral to treatment

Thus, the processing of health status data is necessary in order to comply with the data controller’s or the data subject’s obligations and specific rights in the field of labour law, social security, and social protection, insofar as it is allowed in the EU or national legislation or in the collective agreement complying with the Member State’s legislation, which stipulates on appropriate protective measures concerning data subjects’ fundamental rights and interests (EU 679/2016, Article 9, Section 2e).

A data subject’s explicit identification is important:

to perform a legal duty and
to fulfil the data subject’s or the data controller’s rights and obligations (Data Protection Act, Section 27).

The employer can ask for a security clearance from the Finnish Security Intelligence Service for certain posts and on the grounds prescribed in the Security Clearance Act.

Under the Act on Checking the Criminal Background of Persons Working with Children (504/2002), a criminal record extract is requested for: work done in an employment relationship, which constantly and essentially involves education, teaching, nursing or other care for a minor taking place without the presence of the child’s guardian, or other working in personal interaction with a minor (Section 2). In such cases, the employer has to ask the person to show a criminal record extract in accordance with the Criminal Records Act , when the person is hired or appointed for the first time to such an employment relationship that includes duties described in Section 2 or when assigning the person with such duties for the first time (Section 3).

The section 4 above concerns people working at the Teacher Training School as well as employees involved in research or other work conducted with minors.

Based on the Act on Public Procurement and Concession (1397/2016), a company / community can receive, for their procurement procedures, from the Legal Register Centre criminal record extracts on members of an administrative, executive or supervisory body or exert representative, decision, or supervisory authority (Sections 80, 81, 88).

How to contact us?

If you want more information about handling your personal data, don't hesitate to contact our Data protection officer via email or phone (040 805 3297).

Reach out to our Data protection officer

You can also contact the responsible unit. Contact person for the staff register of the Ģ��ֱ�� is the HR Development Specialist. You will find more detailed contact information below.

If you want to exercise your rights (withdraw your consent for example) you can contact the Registry office by email:

Send a request to the Registry office

Ģ��ֱ��