Data Protection Statement for Scholarship Applicants

Articles 13 and 14 of the EU General Data Protection Regulation. Informing a data subject. Drawn up on May 22, 2018

1. Controller

University of the Arts Helsinki

Telephone: +358 294 47 2000 (exchange)

Postal address: P.O. Box 1, FI-00097 UNIARTS

2. Entity and person in charge of processing personal data

University of the Arts Helsinki

3. Contact persons for handling personal data 

Tuition fee reliefs: Hanna Hakala and Sanna Kotajärvi-Söderholm

Academy of Fine Arts scholarships: Ulla Tissari, doctoral education: Jukka Tuominen

Theatre Academy scholarships: Jaakko Hannula, doctoral education: Elina Raitasalo

Sibelius-Academy scholarships: the Sibelius Academy Foundation: Heli Klemelä, international scholarships: Leena Veijonsuo, doctoral education: Hannu Tolvanen and Sirpa Järvelä

Scholarships for doctoral education and steering group: Merja Sagulin

Coordinators for study centres: Michaela Bränn (CFAR), Marja Aho-Pynttäri (Cerada), Kaarina Kilpiö (network of researchers within music history)

Contacts by e-mail or by telephone +358 294 47 2000 (exchange)

4. Data protection officer

Specialist Antti Orava works as Data Protection Officer at the University of the Arts Helsinki.

E-mail address:

Telephone: +358 294 47 3568

Postal address: P.O. Box 1, FI-00097 UNIARTS

5. Name of register

Scholarship register

The purpose for processing personal data is to manage the various scholarships granted by the University of the Arts Helsinki and to enable applying for and granting them. Personal data are processed in preparing decisions on scholarships and tuition fee reliefs, in making decisions, in communicating about scholarship decisions, in establishing statistics, in paying scholarships, and in informing authorities (e.g. tax authorities) about scholarships and tuition fees.

Processing personal data is based on carrying out a task of public interest and on legal grounds (notifying the tax authorities of scholarships granted to students subject to tuition fees).

When processing personal data, we do not make use of automated decision-making and profiling as referred to in the Data Protection Regulation.

7. What data do we process?

For the purpose of applying and granting a fee relief for students subject to tuition fees, an applicant shall indicate

  • grounds for applying for a scholarship and a plan for financing his or her studies
  • his or her own annual income
  • his or her parents’ annual income
  • the annual income of the eventual spouse
  • other scholarships granted for the studies
  • loans related to financing the studies
  • eventual other student financial aid (e.g. aid or scholarship from his or her country of origin)
  • other factors contributing to the financial situation (e.g. children to support)
  • success in studies

When other scholarships are applied for, we process slightly different data based on the application in question but an applicant for a scholarship is typically asked to provide the following data:

  1. Name, date of birth or personal ID, nationality and gender of applicant as well as any contact information necessary;
  2. Degree programme
  3. Target university and length of the exchange period in exchange programmes
  4. Bank details for the payment of the scholarship
  5. Connection of the scholarship being applied for with the studies, success in studies, and a transcript of study records
  6. Grounds for the application and a scholarship plan
  7. Evaluation data, decision information for evaluation and for decision-making
  8. Notification to the tax authorities and to the Farmers’ Social Insurance Institution Mela (work scholarships)
  9. Research: a research plan, a letter of motivation, a statement from the supervisor, a letter of invitation from another university, and a doctoral certificate
  10. An account/a report on how the scholarship has been used
  11. Regarding staff scholarships, data are also gathered on the employment relationship (title)

A recommendation from a professor or from the head of the degree programme or of the research unit or from the person in charge of supervising the research as well as information about other eventual scholarships granted to the applicant is also generally requested.

For minors participating in Sibelius Academy’s Junior Academy, their parents’ personal and contact information and bank details are also gathered in case the scholarship granted a Junior Academy student is paid via them.

8. Where do we get information?

We mainly get information from the applicant in person. A favourable statement to the application is given by a professor, by the person in charge of the degree programme, by the head of a research unit, or by the study supervisor.  Data on underage applicants are provided by their caregivers.

When deciding about university scholarships, student register data can also be used.

9. To whom do we disclose and transfer data, and do we transfer data outside the EU or the EEA?

We disclose data to the tax authorities and to the salary office through which scholarships are paid.

In processing data, we use as help subcontractors with which GDPR-compliant agreements on processing of personal data have been concluded.

We do not transfer personal data beyond the EU or outside the EEA.

10. How do we protect data and how long will we keep them?

Only those of our employees who are authorized to process scholarship information in their line of work are entitled to use the system containing personal data. Each user has a personal user ID and a password into the system. The data are gathered in databases protected with firewalls, passwords, and other technical means. The databases and their backup copies are situated in locked spaces, and the data can only be accessed by certain pre-named persons.

We keep personal data for as long as is necessary for the purpose for which the personal data is used. The data management plan of the university is followed in data storage.

We regularly evaluate the need to preserve data in keeping with the applicable legislation. In addition, we will take such reasonable steps as are necessary to ensure that no personal information on data subjects that is incompatible with the purposes of data processing, outdated, or erroneous is kept in the register. We will rectify or erase such information without delay.

11. What are your rights as a data subject?

Data subjects are entitled to check the data concerning them and stored in the personal data register and require erroneous, outdated, unnecessary, or unlawful data to be rectified or erased. In case a data subject has personal access to their data, they can modify their data himself or herself. In case processing is based on a consent, a data subject also has the right to withdraw his or her consent or to alter it.

As of May 25, 2018, data subjects have, according to the Data Protection Regulation, the right to object to processing or to request restriction of processing of data as well as to lodge a complaint with a supervisory authority on processing personal data.

For specific reasons of personal nature, data subjects also have the right to object to processing activities concerning them when processing data is based on our legitimate interest. In conjunction with the request, the data subject shall specify the particular situation on the basis of which he or she objects to processing. We may refuse to execute an objection-related request only on the basis of grounds stated in law.

Should the data subject not be satisfied with the way the University has processed his or her personal data, he or she may demand the national data protection authority (in Finland, the Data Protection Ombudsman whose contact information is available in the web address to look into the matter.

12. With whom can you get in touch?

You may present your other questions on the processing of personal data as described in this statement by getting in touch with the contact person named in Point 3 who will, in case of need, forward the matter to the data protection officer. In case you feel that your rights as mentioned in Point 11 are not respected, you may get directly in touch with the University Data Protection Officer named in Point 4.