Ģ��ֱ�� system for centralised management of identity data – Privacy notice

This privacy notice applies to the Ģ��ֱ�� system for centralised management of identity data

Published

23.8.2023

What should you know about the processing of your personal data?

The Ģ��ֱ�� collects personal data about you to carry out its duties. You have rights to this data, such as the right to access the data and the right to be sure that it is stored securely and only for the necessary time. Above all, you have the right to know the following:

what information we collect about youand why,
for how long, and where we keep this information, and
to whom we share this information.

All of these points are explained in this privacy notice.

How to find the information you are looking for?

We have created this privacy notice to be as easy as possible to use and understand. That is why you will find the key points summarised under each section. If you are interested in knowing more, please follow the links in the sections or contact the data protection officer of the Ģ��ֱ��.

Contact the data protection officer

Why we process your personal data?

Ģ��ֱ�� system for centralised management of identity data, user IDs, access rights and information system resources. In addition to the management of access rights and resources, the system is also used for monitoring use and compiling user statistics, and for tasks concerning electronic approvals and work processes.

The system is also used for customer service, dealing with problem situations, management of contact information and for collecting log data in accordance with the University’s information security and data protection policy.

The university needs to organise teaching and research. The university community includes teaching and research staff, other staff and students (Universities Act).

In order to carry out teaching and research and to organise its internal activities, the University must process the data of persons belonging to the university community and maintain up-to-date information on persons entitled to the university's various digital services. The University uses IDM system to deal with the data of teaching and research staff, other staff, students and other contracted university students.

In practice, the IDM system is used e.g. to:

creating university usernames and e-mail addresses at the beginning of a contractual relationship or right to study
placing users in groups of users through which the user has access to, for example, the network disks, e-mail and other electronic tools required for their work
managing the lifecycle of a user's right of use (user ID will be closed at the end of a contractual relationship or study right, or during the investigation of certain suspected irregularities concerning university operating rules or data security)
transmitting active users' data to the login services used by the University so that students, staff and other users of university services have access to the electronic tools intended for them;

The purpose of processing personal data in user management and log information systems is to enable the processing of personal data and other data located in information systems, as well as the supervision, control, detection, prevention and detection of data security incidents.

What data we process and how long?

The time we store your personal data varies. To get more information about what personal data we collect and how long we keep certain information, check the sections below.

The data subjects are University staff members, students, pupils, guests and individuals using the University’s information system services as members of other stakeholders of the University.

The information on the data subjects stored in the register includes the

name, personal identity code, user ID, email addresses and nationality
Contact details: address, phone numbers, email addresses, office and job description
The information on staff members stored in the register includes: Employment relationship details obtained from the HR system, such as the personnel number, job title, unit, supervisor, and state of the employment relationship
The information on students kept in the register includes: details of the student status obtained from the study information system, such as the student number and the status of studies (right to study, targeted degree, study programme, etc.)
The information on pupils kept in the register includes: details of the pupil status obtained from the pupil register (such as pupil number, validity of pupil status, class and pupil code)
For guests and actors outside the University: university unit acting as the stakeholder partner
Other additional information: approval of the terms and conditions of use, marketing permit and strength of user identification

In a number of systems using the register, the users themselves may also update their information (such as additional details and contact information)

Information directly entered in the access management system or the information entered by the users (registration) and the information transferred from the HR information system (SAP), study register (ROTI) and the pupil register (Primus) are used as the main sources of data.

Information concerning strong identification are obtained from the Suomi.fi e-Identification service.

The following personal data describing the archived identities are retained:

identity number
person’s name
identity creation and end date
user IDs in use
acceptance of terms of use
marketing permit
strength of identification and verifier of identity
personal identity code
gender
nationality
University email address

Personal data (information entered by individuals or linked with them) may be stored in the University’s information systems that are outside the centralised management of access rights and resources. It must be possible to associate data kept in other systems with specific individuals when data contents or resources are removed from these systems or when efforts are made to determine their ownership. Such situations may arise when an individual has stored data files in a project workspace and has not removed the files at the expiry of their access rights (even though the project is still continuing). In such cases, when the project ends, the individuals associated with the data can be identified and it can be determined whether the data should be retained or whether it can be permanently removed. For individuals entered in the archives, the University will only retain the data that may be required for connecting unidentified data with persons who no longer have active access rights to the University’s information systems. Data used to ensure that future system users can rely on resources tailored to their needs is also retained (including data for situations in which more than one person have the same name).

Identity life cycle model: Creating identity → activation of user ID, resources and access rights → use of information systems and resources → end of employment relationship or student, pupil or guest status → end of access rights and resources → grace period → archiving the identity → removal of resources and data contents.

Role Grace period Removal of resources and data contents

Students End date + 61 days End date + 184 days

Staff members End date + 14 days End date + 184 days

Teacher Training School End date + 14 days End date + 184 days

Guests End date + 0 days End date + 184 days

Table 1: Life cycle of data and resources in centrally managed information systems

What rights you have and how to exercise them?

You have the following rights:

Right to access your data.
Right to have any incorrect information corrected.
Right to have your data erased (right to be forgotten), in certain situations.
Right to restrict processing.
Right to have the responsible unit inform the party to which your data is disclosed of your data being corrected, erased, or the processing being restricted.
Right to object processing, e.g. direct marketing.
Right to have your data transferred from one system to another, when processing is based on an agreement or your consent.
Right to be notified of any information security breaches resulting in a high risk.
Right to file a complaint with the supervisory authority.
Right to withdraw consent

You can exercise your rights by sending a request to the university's Registry Office. You can use the form on the Registry Office's website or send your request informally. Keep in mind that withdrawing your consent doesn’t change the processing that happened before the withdrawal.

Get to know your rights

Use the form of the Registry Office

Send an informal request to the Registry Office

Who can access your personal data?

The disclosure of the information required for the use of the services attached to the Haka trust network is based on an authorisation granted separately by the user when they log into the service.

The user has separately approved the disclosure of the data connected with Microsoft O365 and Google Apps for Education services and activated the data. The Ģ��ֱ�� has concluded a data processing agreement on these services with the service provider.

Also, the service providers we use can access your personal data in their role as data processors. However, these providers do not actively process your personal data, but they have access to it for maintenance reasons.

Learn more about data processors

To whom we transfer your data?

Within the university, your data is transferred to siirretäänkö? Minne?

Personal data required for providing the services can be disclosed to external service providers. As a rule, no personal data within the meaning of the Personal Data Act is relayed or stored.

Personal data may be transferred outside the EU in cases where the user accepts the transfer of specific data to the service provider in connection with the service use. No data is transferred to these services on a regular basis or without the consent of the user.You can find a list of transfers outside the EU/EEA through the link below.

Personal data processors and transfers outside the EU/EEA

On what basis we process your personal data?

We process your personal data based on legal grounds, agreements, or your consent. If you want to dive deeper into our legal bases, such as the relevant legal provisions, you can find more information through the menu below.

The processing of personal data described above is primarily based on the university's tasks and public interest, i.e. the obligation to organise its tasks based on the Universities Act. For certain support functions, the processing basis is the legal obligation of the university acting as controller. The obligation relates to the fact that the University must detect, prevent and investigate errors in its information systems and unintentional and intentional data protection exceptions in order to ensure the continuity of the University's operations and to avoid and minimise damage. This obligation also includes the right to monitor the use, access, addition, modification and deletion of information systems containing personal data and other confidential information.

Sanctions screening (legal obligation) which are based on based on identity, nationality, domicile, or address
Where do we get the personal data from? Sanction lists (held by international organisations such as the EU and UN as well as national organisations such as Office of Foreign Assets Control (OFAC), registers held by credit-rating agencies and other commercial information providers providing information on e.g. beneficial owners and politically exposed persons. From the person him-/herself or from organization to which a person is connected in a manner relevant to sanctions.

How to contact us?

If you want more information about the processing of your personal data, do not hesitate to contact our data protection officer via email or phone (+358 40 805 3297).

Contact our data protection officer

Contact information of units

Below you find the contact information of the responsible unit. If you wish, you can directly contact the responsible unit (Digital services) instead of the data protection officer.

If you want to exercise your rights (withdraw your consent for example) you can contact the Registry Office by email:

Send a request to the Registry Office

Ģ��ֱ��