Data Protection Statement for Personal Data in Case Management
Articles 13 and 14 of the EU General Data Protection Regulation. Informing a data subject. Drafted on May 24, 2018; Updated on August 7, 2020
1. Entity and person in charge of processing personal data
HR and Service Director Riikka Mäki-Ontto
E-mail address: email@example.com, telephone: +358500806161
2. Contact persons for the processing of personal data
Information Services Secretary Katjuska Sandholm
E-mail address: firstname.lastname@example.org, telephone: +358503877319
Expert Taina Turpeinen
E-mail address: email@example.com, telephone: +358408609516
3. Register name
Case management register
4. What are the purpose and the legal basis for processing personal data?
The purpose for processing personal data is the recording, follow-up, and management of cases to handle, handled, and solved by the University. Processing personal data is a prerequisite for our ability to carry out our official duties in order to handle cases pending and to execute the principle of public access to documents.
The processing of personal data is based on:
- a legal obligation to carry out official duties;
- public interest.
5. What data do we process?
In the case management register, we process the following personal data pertaining to the processing of cases:
- the initiator of the case and his or her contact information
- information about the case
- handler or person in charge
- the persons to whom the case is forwarded for measures or for information.
6. Where do we get information?
We primarily get information from the following sources:
- the case pending
- the initiator of the case
Additionally, data may be gathered for the purposes described in this data protection statement from authorities, from third parties, or from public sources within the limits of applicable legislation. Such updating of data is performed manually or by automatic means.
7. To whom do we disclose and transfer data, and do we transfer data outside the EU or the EEA?
In records management, we use a third-party service provider with which we have concluded the necessary data-processing agreement. We do not transfer data beyond the EU/EEA Member States. We do not disclose personal data to outside parties.
8. How do we protect data and how long will we keep them?
Only those of our employees who have the right to process cases pending in their line of work are entitled to use the records management system (to add and modify data). Each user has his or her own user ID and password into the system. The data are gathered in databases protected with firewalls, passwords, and other technical means. The databases and their backup copies are situated in locked spaces, and the data can only be accessed by certain pre-named persons.
Public cases can be accessed by the administrative staff of the University of the Arts Helsinki by logging into the system with a personal user ID and password.
The paper printouts printed out from the case management register and registered documents are kept on file in the registry. Non-public documents are stored in a locked space. The paper printouts and the registered documents are transferred for storage in the archives of the University in accordance with the University’s data management plan.
We regularly evaluate the need to preserve data in keeping with the applicable legislation. In addition, we will take such reasonable steps as are necessary to ensure that no personal information on data subjects that is incompatible with the purposes of data processing, outdated, or erroneous is kept in the register. We will rectify or erase such information without delay.
9. With whom can you get in touch?
You may present your other questions on the processing of personal data as described in this statement by getting in touch with the contact person named in Point two who will, in case of need, forward the matter to the data protection officer. In case you feel that your rights are not respected, you may get directly in touch with the Uniarts Data Protection Officer.