Data Protection Statement for the Electronic Communication, IT, and Support Services of the University of the Arts Helsinki

Articles 13 and 14 of the EU General Data Protection Regulation. Informing a data subject. Drawn up on May 16, 2018

1. Controller

University of the Arts Helsinki

Telephone: +358 294 47 2000 (exchange)

Postal address: P.O. Box 1, FI-00097 UNIARTS

2. Entity and person in charge of processing personal data

Chief Information Officer Liisa Huovinen
E-mail address: firstname.lastname@uniarts.fi, telephone: +358 40 1807265

3. Contact persons for handling personal data 

Chief Information Officer Liisa Huovinen
E-mail address: firstname.lastname@uniarts.fi, telephone: +358 40 1807265

Development Manager Mika Vidgren
E-mail address: firstname.lastname@uniarts.fi, telephone: +358 50 501 5600

4. Data protection officer

Specialist Antti Orava works as Data Protection Officer at the University of the Arts Helsinki.

E-mail address: privacy@uniarts.fi

Telephone: +358 294 47 3568

Postal address: P.O. Box 1, FI-00097 UNIARTS

5. Name of register

Electronic communication, IT and support services

As based on the Universities Act, the mission of the University of the Arts Helsinki is comprised of teaching, research, and artistic activities. Universities are autonomous, which ensures the freedom of science, art, and highest education. Their autonomy also entails the right to make decisions on matters related to their internal administration. The Act also states that the university community comprises teaching and research staff, other staff and students. Visiting researchers, emeritus professors, and similar persons with whom the University has concluded an agreement to this effect may also be part of the university community.

The purpose of the processing of personal data pursuant to this data security statement for the electronic communication and support services is to enable use of the electronic services by the aforementioned University users as well as by eventual subcontractors and parties in charge of carrying out tasks as well as with looking into failure situations.

In this connection, we mean by electronic communication the IT and support services, the software, and the software platforms that enable communication, co-operation, and other activities between two or more parties over an Internet connection. These include e-mail software, e-mail servers, various instant messengers, Internet phone calls, electronic co-operation and team work tools, Web-based learning platforms, space booking systems, and various service support systems such as ticketing systems as well as the device management and leasing system, the printout service, the device control systems, the means for process description, and access control.

The data processing described above is mainly based on the legitimate interest of the University acting as controller, pursuant to which the data required for the functioning of the electronic services are processed for the purposes described above. In this case, legitimate interest means the legitimate interest of the University to use the means and electronic services necessary for the arrangement of its activities in order to implement its activities and to organize the studies, research, and work of students, employees, and other people working for us. Additionally, the legitimate interest of our University means the right to document the use of electronic services in order to analyse activities, to ensure their continuity, and to fulfil various legal or contractual reporting and accountability obligations.

In the services, we do not use automated decision-making and profiling as referred to in the Data Protection Regulation.

7. What data do we process?

In electronic communication services, the personal data of the two or more parties involved in communication, i.e. senders and recipients, are processed. Parties involved in communication may include the University’s own users, subcontractors or assignment performers, present or potential customers, and partners.

Personal data processed as regards these groups include all data related to conveying communications as well as to their content and technical setup such as sender’s (senders’) and recipient’s (recipients’) first and last name or alias, e-mail address, physical address for work or workstation, role or position within the organization, user ID and password, browsing and search data, information on access rights, IP address, session ID, routing data, MAC address, device ID, and timestamp and ID data.

The contents and eventual file attachments of the message (whether in text, image, sound, or video form or in other forms of electronic communication) are, as a rule, within the scope of communication protection and are only processed in exceptional cases enabled by law.

In addition to the data required in user identification, we process the following personal data in the services:

  • Basic data on the O365 data subject: name, title of assignment, organizational unit, user ID, e-mail address(es), and telephone number; in addition, the user has the possibility to enter the data that he or she wishes in the service, e.g. a picture;
    • in a service request: service request ID, name of person, e-mail address, telephone number, user ID and, in requests concerning equipment or access rights, a link to device data and/or user information can be added into the service request.
    • in the exchange service, the exchange officer has access to data on the employee’s name, assignment title, unit, supervisor, telephone number, e-mail address, stand-in, and workstation as well as to a brief description of his or her duties and to keywords to facilitate finding the right person for the customer’s need.
    • in the device register: the name of the device user, the location of the user’s workstation or the installation location of the device, the serial and/or IMEI number of the device, and the MAC address of the web device.
    • in the printout service in addition to the basic information on the data subject: the ID of the printout card.
    • in the remote administration, support, and control of workstations and work telephones: the hostname of the device, the user ID of the latest user logged in, the serial IMEI number of the device, the MAC address of the web device, the IP address at the moment of making contact, the WiFi SSID, and the software installed.
  • in the location booking system: the name of the person booking a location, eventual other contact information, and data on the booking.
  • in the web learning system: the name and e-mail address of the person.
  • in the process description system: basic information about the data subject.
  • in the access control system: the access rights granted and their duration in addition to basic information about the data subject.
  • system-specific unique user or activity IDs may also be in use in the systems

When processing personal data, we will not make use of automated decision-making and profiling as referred to in the Data Protection Regulation.

8. Where do we get information?

We get the data on University users automatically from the user and access management of the University of the Arts Helsinki. As a rule, personal data are obtained from the electronic message services themselves by automatically following data subjects’ communication and from the data subjects themselves during log-in and use of the services.

The user in person enters a description of the service need or of the problem to be solved in the service requests.

The telephone directory used by the exchange service is compiled from the data provided by the telephone operator on the University telephone accounts and from the user and access management register and is enriched with task information in co-operation with HR, communications, and supervisors.

Basic device information in the device register is entered by the data management when a user receives a device for use.

The data gathered in the remote control of workstations and telephones are enriched with data from the device register.

Basic information on people for the access control systems are obtained from user management and, when needed, a user is created manually in the Facility Services when a person comes over to fetch a tag or key.

In printing out, the user activates his or her printout card with the multi-function printer and enters his or her user ID and password.

9. To whom do we disclose and transfer data, and do we transfer data outside the EU or the EEA?

Personal data collected from the activities of the electronic communication services are not disclosed to third parties without the explicit prior consent of the data subjects in situations other than those in which an authority or another party has the right, on the basis of national or EU law, regulation or any other peremptory provision, to demand information about data subjects’ personal data and about their processing for inspection. In these cases, data are only disclosed in the extent necessary given the provision in question.

In order to process data in accordance with this data protection statement, the University uses subcontractors assisting in the provision of electronic services and in related data processing. An eventual subcontracting chain notwithstanding, the University remains at all times the controller of the personal data described in this statement and assumes the same responsibility for the activities as it does for its own actions. The University ensures, with data-processing agreements concluded with its subcontractors, the commitment of these parties to the protection of data subjects’ personal data in the manner described in this statement.

Personal data related to electronic communication services are processed both in the EU/EEA area and outside it. When personal data are processed outside the EU/EEA area, the University sees to it that its subcontractor has committed to the EU Commission’s standard on the processing of personal data and/or is party to the Privacy Shield protection system.

10. How do we protect data and how long will we keep them?

Use of the systems is subject to a valid user ID and to a valid authorization.

Only those employees of the University of the Arts Helsinki and the service provider are entitled to perform system maintenance use who are charged with processing system user data in their line of work. Each maintenance user has their own user ID and system password.

Technically and administratively, the data security of the services has been organized in accordance with the best practices in the field. The server devices of the systems are protected both by software and physically with firewalls, data protection software, hardening, passwords, and access control. The machine rooms in which the servers are physically situated are locked and subject to access control.

Personal data in accordance with this data protection statement are kept in the data systems for as long as their data content is of use in using the service in question or in monitoring or documenting use. In practice, data are stored, depending on the communication service, in accordance with the agreements concluded with subcontractors and taking the nature of the communication service in consideration. When an employment relationship, a study right, or any other contractual relationship with the University comes to an end, the user’s ID is shut and the information about the user is erased from the systems after a period of caution of up to nine months.

When use of personal data for the purposes described above is no longer possible after the expiry of their storage period, the data are automatically erased from the user management and log system. Some data may be unintentionally saved in the backup copies made from the University services. These are regularly erased in accordance with the backup copy schedule.

11. What are your rights as a data subject?

Data subjects whose personal data are processed in the manner described in this data protection statement for the purposes described in Point 6 above and on the basis thereof are entitled to exercise the rights granted them by law in so far as any legitimate interest of the University or of another person as described in this statement does not override this right of a data subject.

A data subject has the right to ask the data concerning him or her and stored in the data system for inspection if he or she has no access to the system. The University provides the data subject with the information requested in the extent that the University has access to them.

Having examined his or her data, a data subject has the right to ask for any erroneous or incomplete data on him or her to be rectified. A data subject may also ask that some or all of the personal data on him or her be erased from the data systems related to the electronic services of the University. The University fulfils the request after the termination of the person’s employment relationship or study right to the extent possible.  

While the University looks into the processing of a data subject’s personal data on his or her request, he or she also has the right to refuse further processing of his or her personal data. The University fulfils this right to the extent possible.

Should the data subject not be satisfied with the way the University has processed his/her personal data, he or she may demand the national data protection authority (in Finland, the Data Protection Ombudsman whose contact information is available in the web address http://www.tietosuoja.fi/en/) to look into the matter.

12. With whom can you get in touch?

All questions on the processing of personal data as described in this data protection statement are to be asked by getting in touch with the contact person named in Point three who will, in case of need, forward the matter to the data protection officer. In case you feel that your rights as mentioned in Point 11 are not respected, you may get directly in touch with the University Data Protection Officer named in Point four.