Data protection statement on the processing of the personal data of persons in a non-employment or non-study relationship with the university

Articles 13 and 14 of the EU General Data Protection Regulation. Informing a data subject. Drawn up on May 23, 2018

1. Controller

University of the Arts Helsinki

Telephone: +358 294 47 2000 (exchange)

Postal address: P.O. Box 1, FI-00097 UNIARTS

2. Entity and person in charge of processing personal data

HR and Service Director Riikka Mäki-Ontto
E-mail address: firstname.lastname@uniarts.fi, telephone: +358500806161

3. Contact persons for the processing of personal data

Coordinator Milja Nevalainen
E-mail address: firstname.lastname@uniarts.fi, telephone: +358504670455

4. Data protection officer

Specialist Antti Orava works as Data Protection Officer at the University of the Arts Helsinki.

E-mail address: privacy@uniarts.fi

Telephone: +358 294 47 3568

Postal address: P.O. Box 1, FI-00097 UNIARTS

5. Name of register

Staff register

The recipients of a fee, a scholarship, a work/expense compensation etc. paid for by the University are entered in the University Staff Register. Personal data on and contractual information about non-University people are also entered in the register in case the University has concluded with the people in question an agreement stating their role as a member of the University community on othet grounds than an employment relationship (e.g.  a visitor, an emeritus/emerita, a trainee, a person in non-military service, a performer, etc.). 

The purpose of the processing of personal data is to attend to a mutual contractual relationship and to related obligations such as payment of scholarships and fees and to provide working conditions in accordance with the agreement as well as to plan and develop activities in consideration of visitor relationships. We also process personal data in the decision-making within multi-member organs pursuant to the University Act or on the basis of the University’s organization.

Processing personal data is also a prerequisite for the planning and practical arrangement of the basic tasks (i.e. teaching, research, and artistic activity), of the services, and of the management of the University as well as for its internal communication. 

Processing personal data of the staff is grounded on: 

  • execution of an agreement;
  • our legitimate interest because of a contractual relationship;
  • our need to fulfil our legal obligations;
  • a data subject having given his or her explicit consent for the processing of his or her personal data. 

When processing personal data, we do not make use of automated decision-making and profiling as referred to in the Data Protection Regulation.

7. What data do we process?

We process the following personal data necessary for the of a fee or a compensation or for the contractual relationship between the data subject and the University:

  • Basic information on a data subject such asname*, date of birth*, social security number*, gender, mother tongue, personnel number*, and degree; 
  • Contact information of a data subject such as e-mail address*, telephone number*, address data*, bank details* (if needed for paying a fee, a scholarship, or a compensation), the data subject’s photograph and other contact information such as the data subject’s homepage or equivalent;
  • The data subject’s contractual data, such as start and end dates, title or position, main duties, equipment, services, and premises given for him/her to use, and information about eventual compensations paid to the University by outside financiers, about other eventual expenses, about their processing, and about copyright agreements; 
  • The groundsfor the determination, amount, and payment of the data subject’s fee or compensation such as a fee, a scholarship, or a compensation;
  • The work results reported by the data subject* such as information about artistic activities, publications, visits, merits in teaching, expert tasks, and projects;
  • The teaching given by data subject study year by study year as described in the information system for teaching as well as eventual feedback given on teaching;
  • Regarding the data subject’s business travels in case the University reimburses the expenses caused by the data subject’s trip (in whole or in part); 
  • The data subjects working in high-exposure duties such as e.g. data subjects who work in duties with exposure limits in hearing protection or who have reported indoor air symptoms.
  • Additionally, your personal data are processed at the University for certain other purposes too. You will find the data protection statements concerning these purposes from the University’s website (http://www.uniarts.fi/privacy).

Providing the aforementioned information marked with an asterisk (*) is a prerequisite for us to be able to attend to our obligations in a contractual relationship.

8. Where do we get information?

We mainly get information from the data subject in person.

Additionally, personal data may also be collected and updated from within the organization, from sources publicly available and from authorities or from other third parties for the purposes described in this data protection statement within the limits of applicable legislation. Such updating of data is performed manually or by automatic means.

9. To whom do we disclose and transfer data, and do we transfer data outside the EU or the EEA?

We disclose personal data in the manner permitted and obliged by current legislation in force to parties legally or contractually entitled to obtain information from the register, such as the tax authority, the Social Insurance Institution of Finland, the retirement and accident insurance company as well as the employment and enforcement authorities. We may also disclose information for other purposes in accordance with Finnish law. 

The data on a given person are also available for those people answering for the agreement concluded with the person in question and for their supervisors in accordance with the organizational hierarchy of the University of the Arts Helsinki.

In processing personal data, we use subcontractors working for us e.g. in the following services:

  • Financial administration and calculation of salaries
  • Legal services
  • Telephone exchange

The data are also used, as agreed with you:

  • in the University telephone exchange (telephone directory information) and in the staff register published in the University’s internet and intranet pages 
  • in the expert database published in our internet pages and also used as a system for collecting information about scientific and artistic activities
  • by the contractual travel agency CWT Finland Ltd regarding personal data and information contractual relationships in order to arrange for eventual trips reimbursed by the University

We also hand over data to the following parties:

  • to the staff register published in the University’s internet and intranet pages 
  • to the expert database published in our internet pages which also work as a system for collecting information on scientific and artistic activities 

We have taken steps with our subcontractors to ensure your data protection by concluding agreements for the processing of personal data. In those cases where we transfer personal data outside the EU/EEA, we have taken appropriate steps to ensure safeguards in connection with the transfer. We use the standard contractual clauses adopted by the EU.

10. How do we protect data and how long will we keep them?

Only those of our employees who are authorized to process HR information in their line of work are entitled to use the system containing personal data. Each user has a personal user ID and a password into the system. The data are gathered in databases protected with firewalls, passwords, and other technical means. The databases and their backup copies are situated in locked spaces, and the data can only be accessed by certain pre-named persons. Visibility of data has also been restricted in accordance with the tasks of various user groups.

We keep personal data for as long as is necessary for the purpose for which the personal data is used given the data retention periods to be observed in accordance with the applicable legislation such as the Employment Contracts Act, the Accounting Act, the Prepayment Act, or the Archives Act. We regularly evaluate the need to preserve data in keeping with the applicable legislation. In addition, we will take reasonable steps to ensure that no personal information on data subjects that is incompatible with the purposes of data processing, outdated, or erroneous is kept in the register. We will rectify or erase such information without delay.

11. What are your rights as a data subject?

Data subjects are entitled to check the data concerning them and stored in the personal data register and require erroneous, outdated, unnecessary, or unlawful data to be rectified or erased. In case a data subject has personal access to their data, they can modify their data himself or herself. In case processing is based on a consent, a data subject also has the right to withdraw his or her consent or to alter it.

As of May 25, 2018, data subjects have, according to the Data Protection Regulation, the right to object to processing or to request restriction of processing of data as well as to lodge a complaint with a supervisory authority on processing personal data.

For specific reasons of personal nature, data subjects also have the right to object to processing activities concerning them when processing data is based on our legitimate interest. In conjunction with the request, the data subject shall specify the particular situation on the basis of which he or she objects to processing. We may refuse to execute an objection-related request only on the basis of grounds stated in law.

Should the data subject not be satisfied with the way the University has processed his or her personal data, he or she may demand the national data protection authority (in Finland, the Data Protection Ombudsman whose contact information is available in the web address http://www.tietosuoja.fi/en/) to look into the matter.

12. With whom can you get in touch?

You may present your questions on the processing of personal data as described in this data protection statement by getting in touch with the contact person named in Point three who will, in case of need, forward the matter to the data protection officer. In case you feel that your rights as mentioned in Point 11 are not respected, you may get directly in touch with the University Data Protection Officer named in Point four.