Data protection statement for camera surveillance

Articles 13 and 14 of the EU General Data Protection Regulation. Informing a data subject. Drawn up on May 14, 2018

1. Controller

University of the Arts Helsinki

Telephone: +358 294 47 2000 (exchange)

Postal address: P.O. Box 1, FI-00097 UNIARTS

2. Representative of controller

Attendant Mikko Ilanko

E-mail address:

Telephone: +358 400 792 031

3. Data protection officer

Specialist Antti Orava works as Data Protection Officer at the University of the Arts Helsinki.

E-mail address:

Telephone: +358 294 47 3568

Postal address: P.O. Box 1, FI-00097 UNIARTS

4. Name of register

Camera surveillance register

5. Basis for processing

Legitimate interest of controller

6. Purposes for processing personal data

The use of a video surveillance system is needed for the administration and activities of the University of the Arts Helsinki. 

  • ensuring the personal safety of employees and/or of others in the employer’s premises 
  • protection of property
  • pro-active prevention of harm
  • monitoring of the appropriate functioning of production processes 
  • and prevention or clarification of situations likely to endanger any of the above.

7. Description of data subject groups

Persons moving in the premises of the University of the Arts Helsinki or in their immediate vicinity

8. Description of personal data groups

Data group

  • Video recording

Retention period

  • approx. 1 month
  • the retention period of material transferred to authorities is determined pursuant to the data protection principles of the authorities in question

9. Regular data sources

Camera surveillance equipment (including related software)

10. Availability and disclosure of data

Internal security personnel 

The video recordings can only be accessed by persons designated by the controller

11. Personal data recipient groups

Police authorities for preliminary investigation

12. Transfer of data outside the EU or the EEA

No data is transferred outside the EU or the EEA.

13. Principles of register protection

Several technical and organizational measures have been implemented to protect the video surveillance system and personal data.

The measures implemented include the following:

  • The servers intended for storing saved images are situated in protected places equipped with physical safeguards: the logical network area is protected by network-protecting firewalls; the main data systems containing data are burglary-protected.
  • the storage devices are situated in property premises to which only the personnel of the facility and IT services of the University of the Arts Helsinki have access.
  • Camera surveillance is carried out by authorized personnel only.
  • Users are given access rights only to the data that they need in order to perform their duties.
  • The controller designates the persons given access rights to the camera surveillance recordings.
  • Only the person in charge of the system designated by the controller may grant, alter, or revoke access rights.

14. Information

Notices by the entrances of University buildings 

  • The public is informed about the video surveillance with stickers at the entrances of all buildings including parking halls.

The data protection statement of camera surveillance is published on the University website (

15. Right of access by the data subject

The data subject shall have the right to access and see the data on him or her and to obtain on request a copy thereof. (Article 15 of the GDPR)

The right of access is exercised without delay.

Use of the right of access is free of charge when exercised once a year.

The right of access may be denied only in exceptional cases.

The time to inspect and grounds for the request must be indicated in the request to access.

16. Right to rectification

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. (Article 16 of the GDPR)

17. Right to erasure (“right to be forgotten”)

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the grounds stated in Article 17 applies. (Article 17 of the GDPR)

18. Right to restrict processing

The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: (Article 18 of the GDPR)

  • the accuracy of the personal data is contested by the data subject
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims

19. Right to refuse

The controller may, on request, disclose a person’s name and address information to outsiders for the purposes of creating staff registers and for genealogical purposes. A data subject may, however, refuse such disclosure of his or her data (Section 16(3) of the Act on the Openness of Government Activities and Sections 17, 18, and 30 of the Personal Data Act).

20. Automated decision-making

No automated decision-making or profiling takes place on the basis of the register.

21. Filing a request with the controller

All questions on this statement are to be asked by getting in touch with the contact person named in Point two who will, in case of need, forward the matter to the data protection officer. In case you feel that your rights are not respected, you may get directly in touch with the University Data Protection Officer named in Point three.

In case of a refusal to rectify data, the data subject is given a written notification thereof on request.

22. Right to lodge a complaint

Should the data subject not be satisfied with the way the University has processed his or her personal data, he or she may demand the national data protection authority (in Finland, the Data Protection Ombudsman whose contact information is available in the web address to look into the matter.