Data protection and processing of personal data at Uniarts Helsinki

Read about our data protection policy and procedures.

Read about Uniarts Helsinki’s data protection policy and privacy notices.

  1. What do we mean with data protection?
  2. Processing of personal data
  3. Automated decision-making and profiling
  4. Data protection policy
  5. Data controller
  6. Data protection officer
  7. Rights of the data subject
  8. Use of rights
  9. Privacy notices
  10. Data protection in research
  11. Description of user administration

What do we mean with data protection?

Data protection refers to the consideration of laws and provisions concerning the processing of personal data. The objective of data protection is to implement, in the processing of personal data, the protection of personal data and private life and the protection of basic rights that safeguard personal data and the right to privacy, as well as to promote the development of and compliance with good processing practice. Data security is one way of implementing data protection. It is intended to secure data and systems. Among other things, data security refers to organisational and technical measures to ensure the confidentiality, integrity and usability of data and systems and the rights of data subjects.

Processing of personal data

Personal data refers to all data that can be used to identify a person directly or indirectly. A person’s name, personal identity code, profession, location data, email address, photograph, voice, IP address or even a car registration number, for example, can constitute personal data that must be processed in accordance with data protection and right to privacy.

A personal data file is a set of personal data that belongs together due to the data’s purpose of use. A data file means any structured set of data which is accessible according to specific criteria, regardless of whether the data file is centralised, decentralised or dispersed on a functional or geographical basis. The data file may be processed manually or in part or in full by automated means. Personal data can be retained in physical personal data files (e.g. as paper copies, lists, card files, video recordings) or in electronic personal data files (e.g. as files, databases, sound and video recordings).

Uniarts Helsinki adheres to its provisions and guidelines on data security to secure the use of information systems for processing personal data. Information systems and their interfaces are technically protected by firewalls, for example, and a backup copy of the system data is created regularly. Different user groups have different access rights to information systems so that each user only has access to the data needed in their job duties.

Persons who are employed by Uniarts Helsinki or who serve as shop stewards at Uniarts Helsinki must observe confidentiality in accordance with section 23 of the Act on the Openness of Government Activities. In addition, Uniarts Helsinki employees may not take advantage of or disclose the employer’s professional or business secrets to others (chapter 3, section 4 in the Employment Contracts Act (55/2001)).

What is considered confidential data, along with the retention period, archiving, or erasure of the confidential data, is defined in Uniarts Helsinki’s Archival Records Management Plan. We assess the need for retention of the data on a regular basis, taking into account any applicable legislation. In addition to this, we take reasonable steps to ensure that the data subject’s personal data being retained in the register is not outdated, erroneous or incompatible with the purpose of processing. We immediately rectify or erase such data.

Automated decision-making and profiling

In accordance with the EU General Data Protection Regulation (EU 2016/679, article 22), automated processing refers to processing of personal data where decisions based solely on automated processing produce legal effects or otherwise produce significant effects on the data subject. Automated decision-making may include profiling of the data subject, but decisions can be made by automated means also without profiling.

In particular, profiling refers to the analysis or prediction of aspects concerning the data subject’s performance at work, financial situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling can be automated or manual.

In processing of personal data, Uniarts Helsinki does not use automated decision-making and profiling that would have legal or otherwise significant effects on the data subject.

Data protection policy

Uniarts Helsinki’s data protection policy describes the main principles, obligations and procedures that the university adheres to in the processing of personal data. Uniarts Helsinki respects the right to privacy and the privacy of personal data it processes as well as the rights of data subjects.

In its data protection policy, Uniarts Helsinki agrees to ensure the data protection and security of the personal data it processes. In processing of personal data, Uniarts Helsinki complies with the EU’s General Data Protection Regulation (EU 2016/679), Finnish legislation and the authorities’ provisions and instructions.

Data protection is managed at Uniarts Helsinki with the help of the following measures, for example:

  • planning the processes of personal data processing in advance, while taking into account the whole life cycle of personal data processing (data protection by design and by default)
  • following the basic principles of the GDPR in the processing of personal data
  • informing the data subjects about data processing
  • making sure the collected personal data is correct
  • defining the retention period of personal data
  • ensuring the validity of necessary agreements when outsourcing the processing of personal data

Data controller

Uniarts Helsinki acts as the data controller of the personal data it processes. As regards artistic and scientific research, the data controller is the party responsible for carrying out the research.

Uniarts Helsinki

Switchboard: +358 294 47 2000
Postal address: P.O. Box 1, 00097 Uniarts

Data protection officer

In accordance with the EU’s GDPR (EU 2016/679, article 37), universities must have designated data protection officers.

The duty of a data protection officer is to supervise the legality of personal data processing and to help the university fulfil the obligations regarding data protection. The data protection officer works as the university’s contact person and provides support for data subjects and staff if they have questions regarding the processing of personal data.

Legal Counsel Minna Eskola

Telephone: 029 447 3940
Postal address: P.O. Box 1, 00097 Uniarts

Rights of the data subject

A data subject is a person whose personal data is being processed. Read more about the data subject’s rights on the website of the Office of the Data Protection Ombudsman ( and

Data subjects have the right

  • to obtain information on the processing of personal data, unless otherwise laid down in legislation
  • of access to check their data
  • to rectification of their data
  • to the erasure of their data (not applicable if the basis for processing is a statutory duty or a duty in the public interest)
  • to restrict the processing of their data
  • to object to the processing of their data (if the basis for processing is public or legitimate interests)
  • to request for transferring the personal data that they have provided from one data controller to another (if the basis for processing is consent or agreement)
  • to withdraw their consent
  • notification obligation regarding rectification or erasure of personal data or restriction of processing (when data has been rectified or erased or when the processing has been restricted, the data controller is obligated to notify the parties to which it possibly has transferred data concerning the data subject)
  • not to be subject to a decision based solely on automated processing (the data subject may give their consent to allow automated decision-making)

The data subject also has the right to lodge a complaint with the Data Protection Ombudsman’s Office if they find that the processing of their personal data is an infringement of the valid data protection legislation (

Use of rights

You can launch the process of exercising your rights by filling in a form that can be signed electronically, by choosing the form option that applies to your case (the link takes you to an electronic Visma form that is signed with strong authentication):

Request for access to personal data (electronic form)
Rectification and erasure of personal data (electronic form)
Restricting / objecting to the processing of personal data (electronic form)

If you do not have access to electronic identification, you can also print a pdf format of the form.

Fill in a form for requesting access to your personal data.
Fill in a form to rectify and erase your personal data.
Fill in a form to restrict the processing of your personal data.

Sign the form by hand and send it by post to the Uniarts Helsinki Registry.

Note: Forms that have not been signed digitally or by hand will not be processed. Do not send a scanned form to the Uniarts Helsinki Registry via unencrypted email.

After the signed form has arrived at the Uniarts Helsinki Registry, Uniarts Helsinki will be in contact with you within 30 days. You may also be asked to provide details that are necessary for fulfilling the request/demand.

Privacy notices​

Uniarts Helsinki informs the data subjects on matters related to them with the help of e.g. privacy notices. See all privacy notices here:



University services to students, employees and other members of the community

Uniarts Helsinki’s partners, customers and target groups in communications and marketing

Customers of the Uniarts Helsinki Library


The research group or the researcher is in charge of passing on information to those who are participating in a research project. The privacy notices of research projects are not published on this website.

Data protection in research

The freedom of science and the arts is guaranteed in the Constitution (731/1999, section 16). In accordance with the EU General Data Protection Regulation (EU 2016/679, article 89), artistic and scientific research is a special case of processing personal data. As regards artistic and scientific research, the GDPR includes so-called national leeway, which allows the member states to lay down provisions on the processing of personal data in artistic and scientific research in their national legislation.

The GDPR is applied to personal data that is processed in artistic and scientific research. Article 6 of the GDPR lays down provisions on the lawfulness of processing of personal data, but it does not separately mention artistic or scientific research as a basis for processing. In accordance with article 5 of the GDPR, personal data must always be collected for specified, explicit and legitimate purposes, and the data cannot be further processed in a manner that is incompatible with those purposes even later on. However, artistic or scientific research purposes are not considered to be incompatible with the initial purposes. The Finnish Data Protection Act (1050/2018, section 31) lays down more detailed provisions on the processing of personal data in artistic and scientific research. Data controller refers to a body that determines the purposes and methods of personal data processing, either alone or in cooperation with others. In artistic and scientific research, the data controller may be a researcher or Uniarts Helsinki; or some other institution, research institution, or organisation; or two or several of the aforementioned may collectively act as the data controller. Only a natural person or a legal person can act as a data controller; for example, an association must be a registered association to be able to act as a data controller.

Description of user administration

The description of user administration states the functionalities and key data content of the UniAulis register (general access rights database) and user databases (LDAP and eDIR directories).