Data protection statement for employees

Articles 13 and 14 of the EU General Data Protection Regulation. Informing a data subject. Drawn up on May 23, 2018; Updated on March 5, 2022

1. Data controller

University of the Arts Helsinki (hereinafter Uniarts Helsinki)

P.O. Box 1

2. Entity and person in charge of processing personal data

HR and Service Director Riikka Mäki-Ontto
E-mail address:, telephone: +358500806161

3. Contact persons for the processing of personal data

Coordinator Milja Nevalainen 
E-mail, telephone: +358 50 467 0455 

Work safety: 

Manager Jyri Pulkkinen (Sörnäinen campus) 
E-mail, telephone: +358 50 572 2058 

Chef Marko Myöhänen (Töölö campus) 
E-mail, telephone: +358 40 710 4349 

4. Data protection officer

The data protection officer of Uniarts Helsinki is Legal Counsel Minna Eskola
E-mail address:, telephone: + 358 294 47 3490

5. Name of register and brief description

Employee register

This data protection statement describes Uniarts Helsinki’s data protection practices that apply to personal data that is processed in contexts of employment relationships and similar processes. This data protection statement is complemented by possible register-specific data protection statements.

Uniarts Helsinki requires personal data of employees to fulfil various employer obligations and to carry out both statutory and voluntary duties. In addition to managing employment relationships, the university processes personal data for many other reasons, including for authorities to carry out duties related to taxing and social security contributions as well as to perform duties related to personnel administration and supervisor work, for example. Data is also needed for managing various processes related to the university’s activities and for collecting feedback, statistics and reporting.

Processing personal data is also a prerequisite for the planning and practical arrangement of the basic tasks (i.e. teaching, research, and artistic activity), services and management of the university as well as for its internal communications.

The legal basis for processing personal data is:

  • execution of an agreement;
  • our legitimate interest because of an employment or training relationship;
  • implementation of an agreement;
  • the legitimate interest of the university due to an employment or traineeship relationship or some other operational link (e.g. an academic or artistic visitor, a recipient of fee);
  • processing is necessary in order to fulfil the university’s statutory obligations;
  • a data subject has given their explicit consent for the processing of their personal data.

We take employees’ protection of privacy into consideration, and this includes the possibility to influence the processing of their own personal data and the right to be evaluated on the basis of accurate data. We only process data that is directly necessary for managing an employment relationship and that relates to the fulfilment of rights and obligations of both parties in an employment relationship or to benefits offered by Uniarts Helsinki to its employees or to the special nature of an employee’s work duties. We do not process unnecessary data even with the consent of the employee.

We do not utilise automated decision-making or profiling as referred to in the GDPR in our processing of personal data.

7. What data do we process?

Categories of personal data that are processed in accordance with the GDPR:

  • basic data;
  • personal data that includes specific requirements (e.g. an employee’s bank account number, personal identity code, address that is subject to non-disclosure for personal safety reasons) and
  • special categories of personal data (health data, e.g. a doctor’s certificate, a treatment referral agreement)

Data included in the register is complemented as the employment relationship progresses and during the validity of the employment contract.

The data being processed include data that is kept confidential on the basis of various grounds described in section 24 of the Act on the Openness of Government Activities (health data, an employee’s personal salary element, assessments for the establishment of the basis for a salary, information on automatic deductions of membership fees from salary)

We process the following personal data that is needed for managing employment relationships:

  • Identification data:
    • Name details
    • Date of birth, personal identity code
    • Gender
    • Native language
    • Information on completed degrees
    • Personal contact information: Home address, phone number, ICE contact person, email
    • Photograph
    • Contact information for work: Phone number, email
    • Identification number created by the HR system

Data that is collected on the basis of an employment relationship and that is updated during the validity of the contract:

  • Employment contract data, including the duration of the employment relationship, working time, site of work, grounds for a fixed-term employment relationship, job title, grounds for the determination and payment of salary, collective agreement; copyright agreements and transfer of rights agreements
  • Data on the employment relationship, such as the personnel group, employment and educational history, language skills, special qualifications, information on the validity of the employment relationship, end date of the employment relationship and reason for the termination of the employment relationship;
  • Data on residence permits/work permits, validity of a passport
  • Data on a criminal records extract for working with children (Sibelius Academy, Junior Academy)
  • Data on salary and salary payment
  • Data on participations in staff training/trade union training
  • Data related to an employee’s work and performance, such as performance reviews, information about the assessments carried out in accordance with the universities’ salary system, information relating to work capacity assessments and early interventions, as well as information about disciplinary measures taken by the employer and the reasons thereof;
  • Data on the records of an employee’s annual holidays;
  • Data on the employee’s trade union membership / unemployment fund, if the employer has been authorised to deduct the employee’s membership fee in connection with salary payments;
  • Data on absences and reasons for absences, including doctor’s certificates and agreements on leaves of absences;
  • Data gathered through working hour tracking or data on allocated working hours as well as working time plans, if the employee follows the total working time system;
  • Data on access rights and building entry logs
  • Data on employee benefits, including devices that are used by the data subject but owned/managed by the employer, such as a computer and a mobile phone;
  • Data on the employee’s education and training and other data that is necessary in terms of the employee’s competence development and that relates to the employee’s competence and training needs as well as training-related information that is needed for occupational safety reasons, such as data on completed first-aid training;
  • Data on work-related trips in Finland and abroad: dates, destination, grounds of the trip, the expenses invoiced, and the daily allowances paid;
  • Data needed for managing an employment relationship where the employee works abroad
  • Data needed for managing occupational accident reports
  • Data on artistic activities, publications, visits, merits in teaching, expert duties, and projects;
  • The teaching given by the data subject per academic year as described in the information system for teaching as well as feedback collected and given on teaching, study units or degrees;
  • Distinctions and medals awarded to the employee, such as the title of docent or professor, distinctions awarded for merits in service;
  • Duties as an employee representative (shop stewards, occupational safety representatives)
  • Management of substitute facilities needed due to indoor air quality
  • Management of work in duties where the employee is exposed to risks

Additionally, your personal data is processed within the university for certain other purposes, too, and the data protection statements concerning these purposes can be found on the university’s website.

8. Where do we get the data?

We collect data primarily from individuals themselves by using the electronic systems that are in use at Uniarts Helsinki at the time. 

Data on employees is also gathered in connection with e.g. online service requests, access control, working hour tracking and camera surveillance.

Additionally, personal data may also be collected and updated from within the organisation, from publicly available sources and from authorities or other third parties for the purposes described in this data protection statement within the limits of applicable legislation. Such updating of data is performed manually or by automated means. If we collect data concerning an employee from other sources than the employee personally, we inform the employee of the information that we have received before the information is potentially used in decision-making that concerns the employee. If the matter so requires, we request the employee’s consent for collecting information from other sources.

9. To whom do we disclose and transfer data, and do we transfer data outside the EU or the EEA?

We disclose personal data in the manner permitted and obliged by current legislation in force to parties legally entitled to obtain information from the register, such as the tax authority, the Social Insurance Institution of Finland, the pension and accident insurance company, the employment and enforcement authorities, and the occupational healthcare provider. We also disclose data in accordance with the provisions of the general collective agreement of universities to employee representatives (shop stewards). We may also disclose information for other purposes in accordance with Finnish law.

We also disclose information to the following parties:

  • Financial administration and calculation of salaries
  • Employment health care services
  • Parties granting external funding: for the reporting required by the provider of funds
  • Trade unions: membership fee itemisations
  • Information required by the Central Statistical Office of Finland, by the Confederation of Finnish Industries, and by the Ministry of Education and Culture for reporting on staff and FTE numbers and for salary comparisons
  • Information about international conferences and scientific meetings is reported to the Finland Convention Bureau without person-specific data.
  • Compliance with the requirements determined by legislation or a competent law enforcement authority, a government agency, a court or a third party in order for us to meet the requirements relating to a judicial process or law enforcement or to exercise or defend our legal rights.

In processing personal data, we use subcontractors working for us. We have outsourced IT administration of HR systems to a third-party service provider administering and protecting the server on which personal data is saved. We also use other subcontractors for processing employees’ personal data in the following services:

  • Financial administration and payroll
  • Occupational healthcare services
  • Legal team
  • Telephone exchange

We have seen to the data subject’s data protection with our subcontractors by concluding the processing agreements required.

In those cases where we transfer personal data outside the EU/EEA, we have taken appropriate steps to ensure safeguards in connection with the transfer. We use the standard contractual clauses adopted by the EU.

10. How do we protect data and for how long do we store it?

Your data is processed only by the employees of Uniarts Helsinki or by the persons working under the mandate of and on behalf of Uniarts Helsinki who have the right to process personal data.

In the role of the data controller, Uniarts Helsinki has taken the necessary technical and organisational measures and also requires the service providers it uses to do so.

We use subcontractors in the processing of personal data, and we have concluded agreements for the processing of personal data with them.

Retention periods for personal data saved in the system and documents produced in employment relationship processes are determined based on legislation and Uniarts Helsinki’s information management plan.

We do not retain any unnecessary data on our current or former employees. Personal data is retained for as long as is necessary for the purposes of personal data processing or for compliance with the statutory obligations of the controller. Thereafter, the data is destroyed or anonymised unless there is a legal basis for continued processing of the data. Retention periods take into account, for example, the limitation of action based on legislation and obligations of the employer.

In addition, we take reasonable steps to ensure that the data subject’s personal data being stored in the register is not outdated, erroneous or incompatible with the purpose of processing. We immediately correct or erase such data.

Permanent retention

  • Retention of employment history data
  • Data on awarded decorations and distinctions

Retention period of 50 years or more

  • Majority of data that is related to payroll accounting and that may have an impact on pensions
  • Contract of employment and its appendices

11. What are your rights as a data subject?

You may present your questions on the processing of personal data as described in this data protection statement by getting in touch with the contact person named in Point two who will, in case

Data subjects are entitled to check the data concerning them stored in the personal data register and demand that erroneous, outdated, unnecessary, or illegal data is rectified or erased. If a data subject has access to their data, they can check and edit the data personally. If personal data processing is based on the data subject’s consent, they have the right to withdraw or change their consent.

The data subject has the right to object to or request the restriction of the use of their personal data, and they also have the right to lodge a complaint about the processing of their personal data with the supervisory authority.

For extraordinary personal reasons, the data subject has the right to object to a set of processing operations involving their personal data when the legal basis for processing is our legitimate interest. The data subject must specify the specific reasons for the objection in their request. We have the right to refuse to comply with the request only according to legislative criteria.

If the data subject is not satisfied with the manner in which the university has processed their personal data, the subject can appeal to the national data protection supervisory authorities for an inquest into the matter. In Finland, the national data protection supervisory authority is the data protection ombudsman, whose contact details are available at

12. With whom can you get in touch?

All questions on the processing of personal data as described in this data protection statement can be directed to the contact person mentioned in item 3, who may forward the matter to the data protection officer, if necessary. If you find that your rights mentioned in item 11 are being neglected, you can contact the university’s data protection officer mentioned in item 4 directly.

13. Your responsibility

You are responsible for the information that you deliver or make available to Uniarts Helsinki. You must make sure that the information is true and accurate and in no way misleading. Please make sure that the information you give does not contain material that violates the rights of a third party or material that is harmful to Uniarts Helsinki.

14. Amendments to the data protection statement

This data protection statement is not part of an employee’s employment contract or other agreement, and we update it when deemed necessary. When this data protection statement is updated, the date of the new version will be added at the beginning of the statement. If we make changes to the content of this data protection statement, we will inform you, if this is deemed necessary considering the significance of the change.