Data Protection Statement for Employees

Articles 13 and 14 of the EU General Data Protection Regulation. Informing a data subject. Drawn up on May 23, 2018

1. Controller

University of the Arts Helsinki

Telephone: +358 294 47 2000 (exchange)

Postal address: P.O. Box 1, FI-00097 UNIARTS

2. Entity and person in charge of processing personal data

HR and Service Director Riikka Mäki-Ontto
E-mail address: firstname.lastname@uniarts.fi, telephone: +358500806161

3. Contact persons for the processing of personal data

Coordinator Milja Nevalainen
E-mail address: firstname.lastname@uniarts.fi, telephone: +358504670455

4. Data protection officer

Specialist Antti Orava works as Data Protection Officer at the University of the Arts Helsinki.

E-mail address: privacy@uniarts.fi

Telephone: +358 294 47 3568

Postal address: P.O. Box 1, FI-00097 UNIARTS

5. Name of register

Employee register

The purpose of the processing of an employee’s personal data is to attend to our employment relationship matters and to related legal employer’s obligations such as payment of salaries as well as to plan and develop activities in consideration of staff-related aspects. We also process personal data in the decision-making within multi-member organs pursuant to the Universities Act or on the basis of the University’s organization.

Processing personal data is also a prerequisite for the planning and practical arrangement of the basic tasks (i.e. teaching, research, and artistic activity), of the services, and of the management of the University as well as for its internal communication.

Processing personal data is based on: 

  • execution of an agreement;
  • our legitimate interest because of an employment or training relationship;
  • our need to fulfil our legal obligations;
  • a data subject having given his or her explicit consent for the processing of his or her personal data.

When processing personal data, we do not make use of automated decision-making and profiling as referred to in the Data Protection Regulation.

7. What data do we process?

We process the following necessary personal data on the employment/training or contractual relationship of an employee or of a fee/scholarship recipient (hereafter a data subject) in connection with the personnel register: 

  • Basic information on a data subject such as name, date of birth, social security number, ender, mother tongue, and personnel number;
  • Contact information of a data subject such as e-mail address, telephone number, address data, bank details, and, if the data subject so wishes, the contact information of next of kin, other contact information such as the data subject’s homepage or equivalent site, and the data subject’s photograph;
  • Contractual information such as the duration of the employment relationship, working time, duties, grounds for determining and paying salary, and the collective agreement;
  • Information on the data subject’s service relationship such as professional or job title, staff group, employment and education history, language skills, special competences, copyright agreements, and information about the cause for the termination of an employment relationship;
  • Documents related to a data subject’s work and performance such as performance appraisals, information about the assessment process in accordance with the universities’ hiring system, documents relating to work capacity assessments and early interventions as well as information about disciplinary measures taken by the employer and the reasons thereof;
  • Information about the records of a data subject’s annual holidays;
  • Information about a data subject’s membership in a trade union in the case of people whose membership fees are levied in connection with salary payments;
  • Information about a data subject’s absences including medical certificates and agreements on work exemptions;
  • Regarding the working hours of a data subject, information about the follow-up on or allocation of working hours and, in the case of employees subject to a fixed number of overall working hours, a working time plan;
  • Information about the data subject’s employee benefits including devices used by the data subject such as a computer and a cellular phone;
  • Information about the data subject’s education and information necessary for developing his or her competences and related to his or her competences and training needs as well as education-related information such as first-aid training;
  • Regarding the data subject’s business travels, the time, destination, and grounds for the business trip, the expenses invoiced, and the daily allowances paid;
  • The damage and accident reports submitted by the data subject;
  • The work results reported by the data subject such as information about artistic activities, publications, visits, merits in teaching, expert duties, and projects;
  • The teaching given by the data subject study year by study year as described in the information system for teaching as well as feedback collected and given on teaching, study modules, or degrees;
  • Secondary activities reported by the data subject;
  • Distinctions awarded to the data subject such as e.g. a fellowship or a professorship and distinctions awarded for merits in service;
  • The data subjects working in high-exposure duties such as e.g. data subjects who work in duties with exposure limits in hearing protection or who have reported indoor air symptoms.
  • Additionally, your personal data are processed at the University for certain other purposes too. You will find the data protection statements concerning these purposes from the website http://www.uniarts.fi/tietosuoja.

The aforementioned information is needed to organize the activities of the University and to implement a contractual relationship.

8. Where do we get information?

We mainly get information from the following sources: 

  • the data subject in person
  • the authorities

Additionally, personal data may also be collected and updated from within the organization, from sources publicly available and from authorities or other third parties for the purposes described in this data protection statement within the limits of applicable legislation. Such updating of data is performed manually or by automatic means.

9. To whom do we disclose and transfer data, and do we transfer data outside the EU or the EEA?

We disclose personal data in the manner permitted and obliged by current legislation in force to parties legally entitled to obtain information from the register, such as the tax authority, the Social Insurance Institution of Finland, the retirement and accident insurance company as well as the employment and enforcement authorities. We may also disclose information for other purposes in accordance with Finnish law. 

The data on a given person are also available for the employee’s supervisor in accordance with the organizational hierarchy of the University of the Arts Helsinki.

In processing personal data, we use subcontractors with whom we have concluded agreements on processing personal data. We have outsourced IT administration to a third-party service provider administering and protecting the server on which personal data are saved. We also use other subcontractors for processing employees’ personal data in the following services:

  • Financial administration and calculation of salaries
  • Employment health care services
  • Legal services
  • Telephone exchange 

We have seen to the data subject’s data protection with our subcontractors by concluding the processing agreements required.

We also disclose information to the following parties:

  • Parties granting complementary funding for the reporting required by the provider of funds
  • Trade unions (membership fee itemizations)
  • Information required by the Central Statistical Office of Finland, by the Confederation of Finnish Industries, and by the Ministry of Education and Culture for reporting on staff numbers and man-years in view of salary comparisons
  • Information about international conferences and scientific meetings is forwarded to the Finland Convention Bureau without person-specific information. 

The data are also used

  • in the staff register published in the University’s internet and intranet pages 
  • in the expert database published in our internet pages and also used as a system for collecting information about scientific and artistic activities

We have taken steps with our subcontractors to ensure your data protection by concluding agreements for the processing of personal data. In those cases where we transfer personal data outside the EU/EEA, we have taken appropriate steps to ensure safeguards in connection with the transfer. We use the standard contractual clauses adopted by the EU.

10. How do we protect data and how long will we keep them?

Only those of our employees who are authorized to process HR information in their line of work are entitled to use the system containing personal data. Each user has a personal user ID and a password into the system. The data are gathered in databases protected with firewalls, passwords, and other technical means. The databases and their backup copies are situated in locked spaces, and the data can only be accessed by certain pre-named persons. Visibility of data has also been restricted in accordance with the tasks of various user groups.

We keep personal data for as long as is necessary for the purpose for which the personal data is used given the data retention periods to be observed in accordance with the applicable legislation such as the Employment Contracts Act, the Accounting Act, the Prepayment Act, or the Archives Act. We regularly evaluate the need to preserve data in keeping with the applicable legislation. In addition, we will take reasonable steps to ensure that no personal information on data subjects that is incompatible with the purposes of data processing, outdated, or erroneous is kept in the register. We will rectify or erase such information without delay.

11. What are your rights as a data subject?

Data subjects are entitled to inspect the data concerning them and stored in the personal data register and require erroneous, outdated, unnecessary, or unlawful data to be rectified or erased. In case a data subject has personal access to their data, they can modify their data himself or herself. In case processing is based on a consent, a data subject also has the right to withdraw his or her consent or to alter it. 

As of May 25, 2018, data subjects have, according to the Data Protection Regulation, the right to object to processing or to request restriction of processing of data as well as to lodge a complaint with a supervisory authority on processing personal data. 

For specific reasons of personal nature, data subjects also have the right to object to processing activities concerning them when processing data is based on our legitimate interest. In conjunction with the request, the data subject shall specify the particular situation on the basis of which he or she objects to processing. We may refuse to execute an objection-related request only on the basis of grounds stated in law.  

Should the data subject not be satisfied with the way the University has processed his or her personal data, he or she may demand the national data protection authority (in Finland, the Data Protection Ombudsman whose contact information is available in the web address http://www.tietosuoja.fi/en/) to look into the matter.

12. With whom can you get in touch?

You may present your questions on the processing of personal data as described in this data protection statement by getting in touch with the contact person named in Point three who will, in case of need, forward the matter to the data protection officer. In case you feel that your rights as mentioned in Point 11 are not respected, you may get directly in touch with the University Data Protection Officer named in Point four.