Data Protection Statement for Personal Data in Case Management

Articles 13 and 14 of the EU General Data Protection Regulation. Informing a data subject. Drafted on May 24, 2018

1. Controller

University of the Arts Helsinki

Telephone: +358 294 47 2000 (exchange)

Postal address: P.O. Box 1, FI-00097 UNIARTS

2. Entity and person in charge of processing personal data

HR and Service Director Riikka Mäki-Ontto
E-mail address:, telephone: +358500806161

3. Contact persons for the processing of personal data

Information Services Secretary  Katjuska Sandholm
E-mail address:, telephone: +358503877319

Expert Taina Turpeinen
E-mail address:, telephone: +358408609516

4. Data protection officer

Specialist Antti Orava works as Data Protection Officer at the University of the Arts Helsinki.

E-mail address:

Telephone: +358 294 47 3568

Postal address: P.O. Box 1, FI-00097 UNIARTS

5. Register name

Case management register

The purpose for processing personal data is the recording, follow-up, and management of cases to handle, handled, and solved by the University. Processing personal data is a prerequisite for our ability to carry out our official duties in order to handle cases pending and to execute the principle of public access to documents. 

The processing of personal data is based on: 

  • a legal obligation to carry out official duties;
  • public interest.

7. What data do we process?

In the case management register, we process the following personal data pertaining to the processing of cases: 

  • the initiator of the case and his or her contact information
  • information about the case
  • handler or person in charge
  • the persons to whom the case is forwarded for measures or for information.

8. Where do we get information?

We primarily get information from the following sources: 

  • the case pending
  • the initiator of the case

Additionally, data may be gathered for the purposes described in this data protection statement from authorities, from third parties, or from public sources within the limits of applicable legislation. Such updating of data is performed manually or by automatic means.

9. To whom do we disclose and transfer data, and do we transfer data outside the EU or the EEA?

In records management, we use a third-party service provider with which we have concluded the necessary data-processing agreement. We do not transfer data beyond the EU/EEA Member States. We do not disclose personal data to outside parties.

10. How do we protect data and how long will we keep them?

Only those of our employees who have the right to process cases pending in their line of work are entitled to use the records management system (to add and modify data). Each user has his or her own user ID and password into the system. The data are gathered in databases protected with firewalls, passwords, and other technical means. The databases and their backup copies are situated in locked spaces, and the data can only be accessed by certain pre-named persons.

Public cases can be accessed by the administrative staff of the University of the Arts Helsinki by logging into the system with a personal user ID and password. 

The paper printouts printed out from the case management register and registered documents are kept on file in the registry. Non-public documents are stored in a locked space. The paper printouts and the registered documents are transferred for storage in the archives of the University in accordance with the University’s data management plan.

We regularly evaluate the need to preserve data in keeping with the applicable legislation. In addition, we will take such reasonable steps as are necessary to ensure that no personal information on data subjects that is incompatible with the purposes of data processing, outdated, or erroneous is kept in the register. We will rectify or erase such information without delay.

11. What are your rights as a data subject?

Data subjects are entitled to check the data concerning them and stored in the personal data register and require erroneous, outdated, unnecessary, or unlawful data to be rectified or erased. In case a data subject has personal access to their data, they can modify their data himself or herself. In case processing is based on a consent, a data subject also has the right to withdraw his or her consent or to alter it.

As of May 25, 2018, data subjects have, according to the Data Protection Regulation, the right to object to processing or to request restriction of processing of data as well as to lodge a complaint with a supervisory authority on processing personal data.

For specific reasons of personal nature, data subjects also have the right to object to processing activities concerning them when processing data is based on our legitimate interest. In conjunction with the request, the data subject shall specify the particular situation on the basis of which he or she objects to processing. We may refuse to execute an objection-related request only on the basis of grounds stated in law.

Should the data subject not be satisfied with the way the University has processed his or her personal data, he or she may demand the national data protection authority (in Finland, the Data Protection Ombudsman whose contact information is available in the web address to look into the matter.

12. With whom can you get in touch?

You may present your other questions on the processing of personal data as described in this statement by getting in touch with the contact person named in Point three who will, in case of need, forward the matter to the data protection officer. In case you feel that your rights as mentioned in Point 11 are not respected, you may get directly in touch with the University Data Protection Officer named in Point four.