Customer and Stakeholder Data Processed in the Partnership Management of the University of the Arts Helsinki

Articles 13 and 14 of the EU General Data
Protection Regulation. Informing a data subject. Drawn up on May 17, 2018

1. Controller

University of the Arts Helsinki

Telephone: +358 294 47 2000 (exchange)

Postal address: P.O. Box 1, FI-00097 UNIARTS

2. Entity and person in charge of processing personal data

Communication and Society Relation Director Eveliina Olsson
E-mail address:, telephone: +358 50 461 6780

3. Contact persons for handling personal data

Senior Advisor Marja-Leena Pétas-Arjava
E-mail address:, telephone +358 50 526 1958

4. Data protection officer

Specialist Antti Orava works as Data Protection Officer at the University of the Arts Helsinki.

E-mail address:

Telephone: +358 294 47 3568

Postal address: P.O. Box 1, FI-00097 UNIARTS

5. Register name

Customer and stakeholder register

According to the Universities Act, the mission of the University is to is to promote independent academic research as well as academic and artistic education, to provide research-based higher education and to educate students to serve their country and humanity at large.

In carrying out its mission, the University of the Arts Helsinki shall, in accordance with the Universities Act, promote lifelong learning, interact with the surrounding society and promote the social impact of university research findings and artistic activities. Customers’ and stakeholders’ personal data are processed in order to enable the artistic activities and social interaction of the University. The purpose for the processing of personal data is to communicate on the University’s activities, to inform on its artistic activities, and to tend to customer and stakeholder relationships. 

The stakeholder groups of the University of the Arts Helsinki include various actors in the field of arts, the alumni of the various academies of the University, customers of adult education, corporate customers of the Events Service, and other partners.

The legal basis for processing personal data is comprised of agreements, of the legitimate interest of the University, and additionally of a consent thereto in so far as this is a matter of newsletters that the person has subscribed in person, and of other communication materials.

7. What data do we process?

In connection with customer and stakeholder group activities, we process the personal data of the following groups of persons: University alumni and various stakeholder groups such as strategic, key, and international partners. We also process information about the personnel of those customers active in the service business (companies, associations, public organizations) and on the private persons who are our customers. 

The personal data to be processed includes: 

Basic information on the data subject: name, e-mail address, postal address, and telephone number

Eventual information on the duties: profession, title and/or position, field of activity; name of organization, company or community; address of organization, general e-mail address and web address of organization

Account information: campaigns and events in which the person has taken part and other eventual special observations

Eventual consent to direct marketing

When processing personal data, we do not make use of automated decision-making and profiling as referred to in the Data Protection Regulation.

8. Where do we get information?

We get information from the following sources: 

  • the data subjects themselves via web forms for instance 
  • event participant lists
  • lists of other partners
  • customer information on adult and complementary education
  • the corporate customer register of the Event Services
  • the student register
  • the personal data system of the University of the Arts Helsinki
  • we also receive information from Ticketmaster’s sales platform.

9. To whom do we disclose and transfer data, and do we transfer data outside the EU or the EEA?

In processing personal data, we use subcontractors working for us. We have outsourced IT administration to a third-party service provider administering and protecting the server on which personal data are saved. We have taken steps with our subcontractors to ensure your data protection by concluding agreements for the processing of personal data. We transfer personal data outside the EU/EEA. We have taken appropriate steps to ensure safeguards in connection with the transfer. We use the standard contractual clauses adopted by the EU.

10. How do we protect data and how long will we keep them?

The system is used via the Internet over a protected connection from the server machines of the provider. Use is subject to a user ID and a password. All users of the partnership data system are members of the University of the Arts Helsinki staff. The system has a main user and four other Admin users (one in each of the University’s three academies and one in the joint services). Each user has a personal user ID and a password, the access rights of which expire when the person in question leaves the University services or the duties for which he or she has been given access rights. Data not used during a period of 24 months are erased from the system.

11. What are your rights as a data subject?

Data subjects are entitled to check the data concerning them and stored in the personal data register and require erroneous, outdated, unnecessary, or unlawful data to be rectified or erased. In case a data subject has personal access to their data, they can modify their data himself or herself. In case processing is based on a consent, a data subject also has the right to withdraw his or her consent or to alter it.

As of May 25, 2018, data subjects have, according to the Data Protection Regulation, the right to object to processing or to request restriction of processing of data as well as to lodge a complaint with a supervisory authority on processing personal data.

For specific reasons of personal nature, data subjects also have the right to object to processing activities concerning them when processing data is based on our legitimate interest. In conjunction with the request, the data subject shall specify the particular situation on the basis of which he or she objects to processing. We may refuse to execute an objection-related request only on the basis of grounds stated in law.

Should the data subject not be satisfied with the way the University has processed his or her personal data, he or she may demand the national data protection authority (in Finland, the Data Protection Ombudsman whose contact information is available in the web address to look into the matter.

A person has at all times the right to withdraw his or her consent for electronic direct marketing via the Unsubscribe feature of direct-marketing letters or by contacting the contact person of account management.

12. With whom can you get in touch?

All questions on the processing of personal data as described in this data protection statement are to be asked by getting in touch with the contact person named in Point three who will, in case of need, forward the matter to the data protection officer. In case you feel that your rights as mentioned in Point 11 are not respected, you may get directly in touch with the University Data Protection Officer named in Point four.