Data protection
At the University of Helsinki, we value your privacy and your right to protect your personal data. Everyone has the right to know what data concerning them are being kept and how those data are processed. On this website, we collect data protection statements pertaining to the processing of personal data at the University of Helsinki.

Information about cookies and the processing of personal information on our website can be found on the page website and cookies.

For questions about data processing, contact details are available in the relevant data protection statement. The data protection officer of the University of Helsinki can be reached at tietosuoja@helsinki.fi.

Studying and services related to studying

Contact information for question about data processing

hakijapalvelut@helsinki.fi

 

Why do we process your personal data?

The University of Helsinki processes the personal data of applicants to carry out procedures for admitting new students. When you apply for admission to the University, your personal data are processed for the following purposes:

  • Provision of information on studies and admission
  • Fulfilment of admission-related tasks
  • Marketing communication related to scholarly research and the provision of education
  • Proceedings related to any appeals and cases brought before the administrative court
  • Other admission-related purposes

Individual arrangements

We process the personal data you provide to us so as to make individual arrangements related to entrance examinations. This processing is based on the information you provide in your application for individual arrangements and its attachment(s), such as a doctor’s certificate and/or other expert statements. Based on your consent, your data can also be used to plan other study-related individual arrangements if you are offered a place and accept it.

 

What is the lawful basis for processing?

The processing of personal data is based on the performance of a task carried out in the public interest or in the exercise of official authority, compliance with a legal obligation and, in certain cases, on consent.

Relevant regulations:

  • Universities Act (558/2009) and the decrees issued pursuant to it
  • Government Decree on University Degrees and Professional Specialisation Programmes (794/2004), including amendments 
  • Act on the National Registers of Education Records, Qualifications and Degrees (884/2017), Chapter 5
  • General Data Protection Regulation (EU, 2016/679) and supplementary national legislation
  • Act on the Openness of Government Activities (621/1999)
  • Administrative Procedure Act (434/2003)
  • Non-Discrimination Act (1325/2004)
  • Act on Health Care Professionals (559/1994)

 

What kind of personal data do we process?

The University processes the following personal data:

  • Identifying information (name, personal identity code, date of birth, application/applicant number)
  • Background information (citizenship, gender, native language)
  • Contact details (email, phone, postal address)
  • Preferred application options
  • Information related to applying to a degree programme
  • Information based on the application and admission criteria
  • Information on the applicant’s education, degrees and work experience
  • Information on health issues affecting the applicant’s admission (yes/no) and, in the case of applications for specialist training in medicine, the number of sick days (if relevant for calculating work experience)
  • Entrance examination answers
  • Any motivation letters or tests associated with admission as well as recorded video interviews
  • Information on admission results (entrance examination results and other information on admission, including scores)
  • Information on acceptance of an offered place
  • Consent or prohibition by the applicant on publishing their admission result
  • Any other information related to admission

Individual arrangements

If you apply for individual arrangements, we will process not only the data mentioned above, but also the personal data you provide in your application and its attachments:

  • Information about the applicant
  • Description of the necessary arrangement and its justification
  • Other considerations

In addition, the attachments may include a copy of a doctor’s certificate. Applications for, and decisions on, individual arrangements are confidential and handled at the University by a specific group of staff.

 

What are the sources for personal data?

Information on applicants is collected from the following sources:

  • The applicant
  • The Studyinfo service, the SURE register of completed studies, the VIRTA student information system and the VTJ Population Information System
  • International application and degree systems or services that deliver documents concerning the educational background of applicants
  • Finnish and international organisers of language tests
  • Finnish and international higher education institutions
  • Online payment and registration services
  • Assessors of applications and entrance examinations
  • The JulkiTerhikki register of social welfare and healthcare professionals

Information may also be derived or obtained through observations of the use of IT services and equipment provided by the University to the applicant, or information may be collected by the management and surveillance services used at the University (e.g., camera surveillance).

 

Retention times

Storage periods are based on current legislation and the University of Helsinki’s archiving plan.

The following data are stored permanently:

  • Admitted applicants: Learner ID and personal identity code or other equivalent identifying data
  • Admitted applicants: information on the applicant’s right to study leading to a degree and information on acceptance of an offered place
  • Decisions on appeals concerning admission

In addition, other personal data concerning applicants may be stored permanently upon the decision of the National Archives of Finland.

Storage periods of personal data not stored permanently: 

  • Entrance examination answers, six months
  • Lists of scores, at least one year
  • Unsuccessful applications, two years
  • Successful applications, 10 years
  • Lists of applicants, 10 years
  • Appeals against admission decisions, 10 years

 

Do we disclose your personal data to third parties?

Personal data are disclosed to the following recipients:

  • Registers of higher education institutions involved in Finnish and international joint programmes
  • KOTA database of the Ministry of Education and Culture
  • Internationalisation Services of the Finnish National Agency for Education
  • Social Insurance Institution of Finland (Kela)
  • National Supervisory Authority for Welfare and Health Valvira through the national data warehouse for higher education
  • Employment authorities
  • Register of Aliens of the Finnish Immigration Service
  • Studyinfo service of the Finnish National Agency for Education
  • TE Services (enquiries)

In addition, the University may disclose the personal data of applicants

  • For scientific research purposes in the public interest
  • For the purpose of meeting obligations set by the Act on the Openness of Government Activities (621/1999) or other legislation
  • When verifying the educational background and/or language skills of applicants, to language test organisers or organisations responsible for providing documents concerning the educational background of applicants
  • With the consent of the applicant, contact details to parties outside the University for marketing communications and other specific purposes

Information on individual arrangements is processed at the University only by those who implement individual arrangements for entrance examinations.  We will not disclose your application data outside the University of Helsinki. In the case of cooperation related to entrance examinations with other universities, we may, if necessary, provide information on individual arrangements granted to you to the other universities involved in the cooperation.

 

Do we transfer your data outside the EU/European Economic Area? 

Personal data may be transferred outside the EU, for example, when verifying the validity of certificates granted to an applicant outside the EU.

The University exercises particular care if personal data are transferred outside the EU and the European Economic Area (EEA) to countries that do not ensure data protection in line with the General Data Protection Regulation (GDPR). Personal data are transferred outside the EU and EEA only when necessary, and the transfers are made in accordance with the requirements of the GDPR, for example, using the standard contractual clauses approved by the European Commission.

 

Contact information for question about data processing 

 registrar@helsinki.fi

Why do we process your personal data?

The University of Helsinki must process your personal data for purposes including the following:

  • Student admissions
  • Organisation of teaching and decisions concerning studies
  • Student guidance
  • Course registrations
  • Restoration of completed studies, assessment and registration
  • Preparation of degree diplomas

In addition, the University can process your personal data for the following purposes:

  • Development of teaching (e.g., with feedback collected from students)
  • Scientific research
  • the compilation of statistics and reportage
  • Marketing communications related to studies
  • The safety of students and other members of the University community, the physical safety of the study environment and the protection of data, or
  • Other specific purposes

What is the lawful basis for processing?

The use of personal data is primarily based on legislation concerning the University of Helsinki and the organisations operating in the University community. In specific cases, the basis for processing data is consent given by the student.

Therefore, the right of the University as the controller of the data file is based on

  • A task carried out in the public interest or in the exercise of official authority vested in the controller 
  • Compliance with a legal obligation to which the controller is subject 
  • In certain cases, the performance of a contract or consent given by the data subject 

As a rule, the University has the right to process sensitive data as the controller of the data file in the following cases:

  • When necessary for reasons of substantial public interest 
  • In certain cases when the data subject has given explicit consent to the processing of certain personal data 

Relevant regulations

Universities Act (558/2009)
Government Decree on University Degrees (794/2004)
Act on national study and degree registers (Laki valtakunnallisista opinto- ja tutkintorekistereistä) (884/2017)
EU General Data Protection Regulation (2016/679) and supplementing national regulations
Personal Data Act (523/1999) and the Data Protection Act (XXX/2018), which will supersede the former
Act on the Openness of Government Activities (621/1999)
Regulations of the University of Helsinki
Regulations on Degrees and the Protection of Students’ Rights at the University of Helsinki
Decisions by the University and the rector concerning teaching and studying at the University of Helsinki
Standing regulations of the University of Helsinki faculties

What kind of personal data do we process?

The University of Helsinki processes personal data from which you can be identified directly or indirectly. Direct identifiers include the personal identity code and student number. We will also process your name and contact details, in addition to which the University processes other information related to your studies from which a third party may identify you by connecting the details.

The details most commonly processed in conjunction with studying and completed studies are the student’s name, student number and contact details, as well as details on the degrees pursued and the content of studies.

Here are examples of the data processed by the University of Helsinki:

  • Persons applying to study at the University (applicants), their basic details and application information
  • Basic student details (e.g., student number, personal identity code, name and contact details)
  • Students’ study rights
  • Students’ term registrations
  • Students’ completed studies, traineeships and theses/dissertations
  • Teachers and related information on teaching
  • Students’ registrations for teaching
  • Students’ student feedback details
  • Details related to students’ career and employment services and surveys
  • Membership in the Student Union and its special status associations
  • Data related to grants
  • Data related to international student exchange
  • Basic details on the staff involved in supporting students and teachers (e.g., name and work-related contact details)

What are the sources for personal data?

Some required personal details come from yourself, which makes you responsible for their validity. A right to study is personal. Thus, your personal details must be valid.

Certain details have been collected from other parties, including:

  • Details concerning the acceptance of a student place are gained from a national student admissions register (Act 884/2017) maintained by the Finnish National Agency for Education and from documents submitted by the student.
  • The validity of name and contact details is verified from the Population Register Centre.

Retention times

The storage period for personal data stored in University of Helsinki systems and data processed manually is based on legislation in force and the archiving plan of the University of Helsinki.

In observance of the legislation concerning universities (Sections 25 and 27 of act 884/2017), the University of Helsinki stores the following personal details related to teaching permanently:

  • Student numbers and personal identity codes or equivalent identifiers
  • Information on completed degrees and specialist training, as well as all completed studies and their grades
  • Information on rights to complete studies leading to a degree and specialist training, as well as information on the acceptance of a student place and registration for studies leading to a degree and for specialist training.

Information on storage periods for other data is available in the archiving plan of the University of Helsinki.

Do we disclose your personal data to third parties?

Personal data is primarily processed by the staff of Teaching and Learning Services and the teaching staff. In addition, personal data can be processed by the following units: IT Centre, HR Services, Financial Services, as well as Communications and Community Relations.

The University of Helsinki may also use external parties to process personal data, such as businesses that provide system services and process personal data on behalf of the University of Helsinki on the basis of a mandate.

The University of Helsinki discloses required student personal data to the following recipients, either through the national data warehouse for higher education or directly:

  • Finnish Student Health Service
  • Ministry of Culture and Education
  • Internationalisation Services of the Finnish National Agency for Education
  • Student admissions registers
  • Study credit, degree and qualification disclosure service of the Finnish National Agency for Education
  • Social Insurance Institution of Finland Kela
  • National Supervisory Authority for Welfare and Health Valvira
  • Statistics Finland
  • Employment authority
  • The Education Fund
  • Immigration authority
  • Student Union of the University of Helsinki
  • Student nations of the University of Helsinki
  • Monitoring surveys conducted by Aarresaari, a network of career and recruitment services

In addition, the University of Helsinki can disclose students’ personal data

  • For scientific research purposes
  • For the purpose of meeting obligations set by the Act on the Openness of Government Activities (621/1999) or other legislation
  • To other Finnish institutions of higher education for the processing of study rights and transferring completed studies, for example, in teaching cooperation
  • To international institutions of higher education also outside the EU or the European Economic Area for the implementation of dual or joint degree education or for the transfer of completed studies
  • With the student’s consent, regarding contact details outside the University, for restricted purposes supporting studying and other specific purposes

The primary source of transferred data is the academic administration system Oodi and the Mobility Online mobility system. Student data to be permanently stored and the mobility periods of student exchange will be transferred to Virta, the national data warehouse for higher education.

Do we transfer your data outside the EU/European Economic Area? 

According to its data protection policy, the University will exercise particular care if personal data is to be transferred outside the EU or the European Economic Area to countries where data protection regulations do not conform to the EU’s General Data Protection Regulation.

The transfer of personal data outside the EU or the EEA must be carried out in compliance with the requirements of the GDPR.

Contact details for enquiries concerning the processing of data

specialneeds@helsinki.fi

Why do we process personal data?

Individual arrangements

We process your personal data to be able to provide a recommendation on individual arrangements and/or make individual arrangements related to teaching and examinations. The processing is based on the information you provide to the University (such as a doctor’s certificate and/or other statements from experts).

What are the legal grounds for the processing?

The processing of personal data is based on the performance of a task carried out in the public interest or in the exercise of official authority, compliance with a legal obligation and, in certain cases, on consent.

Relevant regulations:

  • Universities Act (558/2009) and the decrees issued pursuant to it
  • Non-Discrimination Act (1325/2004)

What data are processed?

Individual arrangements

First name, last name, personal identity code, gender, faculty, degree programme, year of starting current studies, student number, address, phone number, email address, any information given by the student when booking an appointment, information on registration for the academic year

In addition, we process the following data:

  • Description of the necessary arrangement and its justification
  • Attachments delivered by you, such as a copy of a doctor’s certificate, and their place of storage
  • Recommendations given by the expert panel on individual arrangements and by accessibility liaisons, their validity and their place of storage

Sources of personal data

  • The applicant
  • The student information system Sisu
  • The customer support request system Efecte

Storage periods

Storage periods are based on current legislation and the University of Helsinki’s archiving plan.

  • Expert statements and recommendations given to the student are stored no longer than the duration of the student’s studies, but data are deleted at six-month intervals. The data are stored in a paper archive.
  • Emails that arrive in Efecte are stored in the system until further notice. Support requests sent using the Securemail service will not be removed for up to 30 days from their opening.

To whom are your data disclosed?

Data related to individual arrangements are confidential and processed at the University only by those who need the data to plan and/or make individual arrangements.

Data can be disclosed with the student’s consent to officials with the statutory right to obtain data. In this case, the official must submit a written request, indicating the legislation on which the right to obtain data is based. Data may be disclosed without the consent of the student in cases with existing separate legislation on disclosing data or on the right to obtain data. Statistical data where an individual’s personal data are not identifiable can be forwarded and used, for example, in reports and presentations which discuss the nature and extent of individual arrangements.

Are data disclosed outside the EU?

Data regarding students who have been granted individual arrangements will not be transferred outside the European Union or the European Economic Area.

Contact information for data processing questions

p. 02941 24140, email: hakijapalvelut@helsinki.fi

Why do we process your personal data?

Personal data are processed in conjunction with the application procedure to the international master's degree programmes of the University and as part of completing the student admission process. The data file is used for the production of statistical data for the purposes of disseminating information about educational opportunities, as well as for planning, evaluating and developing education.

Documents attached to applications can be used also for training the Admissions Services staff in the application process. No documents are disclosed outside Admissions Services.

What personal data do we process?

Data pertaining to an applicant:

  • Applicant’s personal and contact details
  • Applicant’s education and other data relevant to the application process
  • Data related to the processing of the applicant’s application and their admission
  • Applicant’s consent to disclosure of their personal data for the purposes of communication and marketing pertaining to education
  • Documents attached by the applicant to the application
  • Applicant’s actions in the system

Data obtained from the applicant and study right register of Finnish higher education institutions (Studyinfo):

  • Applicant’s Studyinfo applicant number (learner ID)
  • Language, country, municipality, post office and basic education codes
  • Data related to University units/departments
  • Applicant’s personal and contact details

What is the lawful basis for processing?

Lawful basis for the processing of personal data:

  • Task carried out in the public interest and exercise of official authority vested in the controller

  • Compliance with a legal obligation to which the controller is subject

What are the sources for personal data?

Applicants use the system user interface to independently store their application data.

Data on higher education studies completed after 1995 by applicants with a Finnish personal identity code are transferred from the VIRTA student information system by automated means. Data are verified directly from the relevant controllers of data files who have given their permission. From the VIRTA database, personal data and data on study rights as well as on completed degrees and studies required for the admissions process are transferred via a technical interface.

Data provided by the applicants in their application or its attachments pertaining to international studies and degrees completed outside Finland can be verified from the awarding institution or from another relevant party

Retention times

Applications and their attachments submitted by the deadline are stored in the University of Helsinki archives for 10 years.

Do we disclose your personal data to third parties?

Applicants’ identification data and data pertaining to student admissions are transferred to the Studyinfo system. Data and documents are disclosed to experts who assess applications.

With the applicant’s consent, data pertaining to them can be transferred to other third parties.

Address details can be disclosed to be used for marketing purposes by the University of Helsinki only with the consent of the data subject.

If the applicant has employed an official education agency partner of the University of Helsinki in the application process, data pertaining to the processing of the application can be disclosed to that partner.

 

Do we transfer your data outside the EU/European Economic Area? 

Data on applicants are not regularly disclosed outside the European Union or the European Economic Area. However, the disclosure of data may be necessary, for example, for the verification of studies completed outside Finland when making decisions related to student admissions. We observe special care in conjunction with any disclosure of data. Data can be transferred to third parties outside the EU or EEA also with the express consent of the applicant.

Contact information for question about data processing 

opintopsykologi@helsinki.fianu.lehtinen@helsinki.fi 

Why do we process your personal data?

Data stored in the University of Helsinki counselling psychologists’ client data file are processed for the purpose of maintaining the counselling psychologists’ client relationships. In addition, contact details and anonymised statistical data stored in the data file will be used to monitor the quality of the counselling psychologists’ services and to develop them further.

What kind of personal data do we process?

first name, last name, personal identity code, gender, faculty, degree programme, first year of current studies, student number, address, phone number, email address, details provided by the student when booking an appointment, appointments made with counselling psychologists and cancellations, consultation records made by counselling psychologists on sessions as well as on related events and tasks, summaries, recommendations and statements.

Counselling psychologists of the University of Helsinki maintain a client data file on individual consultations and comparable work, in addition to which they draw up consultation records on consultation sessions as well as related events and tasks. The counselling psychologists do this in their role as healthcare professionals, and in their work as psychologists they observe the following laws: the Act on Health Care Professionals (559/1994), the Act on the Status and Rights of Patients (785/1992) and the decree of the Ministry of Social Affairs and Health on patient records (298/2009). These records often contain information related to clients’ health.

What is the lawful basis for processing? 

As healthcare professionals, psychologists are obliged to observe the following legislation when providing consultation to individuals: the Act on Health Care Professionals (559/1994), the Act on the Status and Rights of Patients (785/1992) and the decree of the Ministry of Social Affairs and Health on patient records (298/2009). Consultation records related to group sessions outside individual counselling are based on students’ consent.

What are the sources for personal data?

Methods of collecting personal data: data obtained from the data subject, consultation records on consultation sessions as well as related events and tasks, summaries, recommendations, statements

Retention times

Data created in individual consultation sessions are stored in accordance with the laws concerning patient data. Group consultation data that are not considered patient data are stored for four years. Booking data collected through electronic forms and the Vihta system are erased every academic year. Details relevant to the counselling provided by the counselling psychologists, such as students’ personal data and other preliminary information provided by students, are transferred from the booking data associated with individual consultations to the Diarium booking system. In the case of groups, data obtained through the booking system are erased, with the relevant information stored in the counselling psychologists’ digital archive.

Do we disclose your personal data to third parties?

The client’s data can be disclosed to the client at their request. Information can also be disclosed, with the consent of the client, to officials with the statutory right to obtain information. In this case, the official must submit a written request, indicating the legislation on which the right to obtain information is based. Information may be disclosed without the consent of the client in cases with existing separate legislation on disclosing information or on the right to obtain information.

Statistical data where an individual’s personal data are not identifiable can be forwarded and used, for example, in reports and presentations which discuss the nature and extent of students' psychological counselling. In addition, information on clients who have provided a written consent for research use can be used in scientific studies and publications in unidentifiable form.

Do we transfer your data outside the EU/European Economic Area? 

The data in the University of Helsinki counselling psychologists’ client data file will not be transferred outside the European Union or the European Economic Area.

Contact details for enquiries concerning the processing of data 

tietosuoja@hy-norssit.fi  

Purpose of processing personal data 

The teacher training schools of the University of Helsinki need your personal data for the following purposes:  

BASIC EDUCATION  

  • Organisation of teaching  
  • Organisation of pupil admission  
  • Organisation of club activities  
  • Organisation of school health service 
  • Organisation of school meals  
  • Organisation of pupil welfare services (e.g., school social worker and psychologist services)  
  • Organisation of supervised practice teaching  
  • Provision of learning environments and other digital services  

GENERAL UPPER SECONDARY EDUCATION  

  • Organisation of teaching  
  • Organisation of student admission  
  • Organisation of club activities  
  • Organisation of student health service  
  • Organisation of school meals  
  • Organisation of student welfare services (e.g., school social worker and psychologist services)  
  • Organisation of the matriculation examination  
  • Organisation of supervised practice teaching  
  • Provision of learning environments and other digital services  

We store data pertaining to pupils’ and students’ school attendance, teaching arrangements and learning outcomes. The University of Helsinki teacher training schools are part of the University, and the schools conduct research with participation based on consent given by parents/carers and/or pupils and students.  

What data are being processed? 

BASIC EDUCATION  

  • Pupils’ basic and contact details (e.g., personal identity code, name, contact details, special diets, health data related to the organisation of teaching, Wilma credentials)  
  • Parents’ and carers’ names and contact details, data pertaining to custody, Wilma credentials  
  • Decisions pertaining to pupils (e.g., school transport, special needs education, permit applications and decisions)  
  • Data related to school attendance (e.g., school, class, year)  
  • Data related to pupils’ roles (e.g., mode of teaching, teaching in Finnish as a second language, language programme, religion and worldview studies) 
  • Pedagogical documents related to pupil support (general support, intensified support, special support)  
  • Data related to immigration (e.g., date of entry into Finland)  
  • Data related to certificates and assessment discussions as well as subject/course assessments  
  • Pupil-specific lesson entries (e.g., absences)  

  

GENERAL UPPER SECONDARY EDUCATION  

  • Students’ basic and contact details (e.g., personal identity code, name, contact details, special diets, health data related to the organisation of teaching, Wilma credentials)  
  • Parents’ and carers’ names and contact details, data pertaining to custody, Wilma credentials  
  • Decisions pertaining to students  
  • Data related to school attendance (e.g., school, class, year)  
  • Data related to students’ roles (e.g., mode of teaching, language programme, religion and worldview studies)  
  • Pedagogical documents related to student support  
  • Data related to certificates and subject/course assessments  
  • Student-specific lesson entries (e.g., absences)  

Data processed in special categories of personal data:  

  • Religious or philosophical beliefs  
  • Health data (e.g., allergies)  

What are the legal grounds for the processing? 

The processing of personal data is necessary to carry out the statutory duties of the controller of the data file. The teacher training schools are part of the University of Helsinki, and personal data can also be processed for the purposes of scientific research in the public interest. Pupils and students or their parents and carers are always asked to give their consent for participating in a study.  

Legislation pertaining to the operations of the teacher training schools: 

For basic education:  

  • Basic Education Act (628/1998) 
  • Basic Education Decree (852/1998) 
  • Comprehensive School Act (467/1983) 
  • Government Decree on the National Objectives for Education Referred to in the Basic Education Act and in the Distribution of Lesson Hours (1435/2001) 
  • Student Welfare Act (1287/2013) 
  • Act on the National Registers of Education Records, Qualifications and Degrees (884/2017)  

For general upper secondary education:  

  • Government decree on the application process for preparatory education after vocational education and training, general upper secondary education and basic education (294/2014) 
  • Act on General Upper Secondary Education (629/1998) 
  • Government Degree on General Upper Secondary Education (810/1998) 
  • Government Decree on the General National Objectives of General Upper Secondary Education and the Distribution of Lesson Hours (955/2002) 
  • Act on the Matriculation Examination (502/2019) 
  • Government Decree on the Matriculation Examination (915/2005) 
  • Student Welfare Act (1287/2013) 
  • Act on the National Registers of Education Records, Qualifications and Degrees (884/2017) 

Sources of personal data 

Personal data are collected from pupils and students themselves and their parents and carers. Other key sources of data include the following:  

  • Digital and Population Data Services Agency (previously Population Register Centre)  
  • KOSKI data repository  
  • Studyinfo service  
  • Matriculation Examination Board  
  • Pupils’ and students’ previous education institutions  

Storage periods 

We comply with the archiving plan of the University of Helsinki. Examples of stored data and storage periods:  

  • Education certificates and certificates of termination of studies are stored permanently.  
  • Data pertaining to pupils’ and students’ self-assessment and portfolios are stored for the duration of their compulsory education period.  
  • Lists and similar records pertaining to pupils’ and students’ schools and classes are stored for 50 years. 

To whom are your data disclosed? 

Regular disclosure of data includes  

  • Transcripts of record and study rights are stored in the KOSKI data repository (national registry and data transfer service for study rights and completed studies).  
  • Data related to the organisation of the matriculation examination are disclosed to the Finnish Matriculation Examination Board (e.g., registration data).  
  • Disclosure of data to the City of Helsinki for the organisation of school health service  
  • Pupils’ and students’ data can be disclosed to Statistics Finland, the Finnish Education Evaluation Centre (FINEEC), the Social Insurance Institution of Finland (Kela), the Finnish National Agency for Education or other authorities for organising, monitoring and compiling statistics on studies.  
  • Disclosure of data to another education provider in conjunction with transferring between education institutions  

Are data transferred outside the EU?  

We do not transfer or disclose personal data outside the EU. 

Research and Research Services

The mission of the University of Helsinki is to promote independent academic research and interact with the surrounding society. In fulfilling its mission, the University processes the personal data of researchers and specialists active in the University community.

Contact details in matters concerning the processing of your personal data 

You can contact the unit that served you about data processing related to the services. 

What is the purpose for processing personal data?

The University of Helsinki processes your personal data for purposes including the following:

  • We conclude an agreement with you on working in the University community. Such an agreement can be an employment contract, or a contract with a visiting scholar, docent or professor. Your contract connects you to a certain unit of the University. By concluding such a contract, you will gain University account credentials, and your personal data will be entered into data systems that support the University’s operations.
  • If you are in the process of acquiring competitive research funding, we will verify your eligibility, help you in drawing up the application and maintain information on your most important application targets. After funding decisions, we will process and monitor contracts related to your activities in our contract register, as well as your funding and its use in the financial administration system.
  • We will send you notifications on University events, practices and services.
  • When looking for literature to support your work, you can reserve material in the library system or request material by using an electronic form. You can publish in the University’s open publication channels, in which case we maintain your personal data in the role of both a publication channel user and author.
  • We maintain a register on data related to research and societal activity. These data have been primarily disclosed by you, but we can look for publications from external sources on your behalf. Part of such reporting is voluntary, while other parts constitute mandatory information retrieval regulated by the Ministry of Education and Culture.
  • In support of science communication, your personal data pertaining to research and societal activity are openly available through the Research Portal and the University’s website. You can create a website dedicated to your community.
  • When assessing and developing University operations, we may use your activity data as part of assessment material. Often, these datasets are only examined at the unit level.

In the case of the special responsibility area of the Helsinki University Central Hospital, we will process your publication data for the purposes of national publication data collection.

 

What data do we process?

We process information that describes your activities as a university researcher or expert, research resources and outputs, and societal interactions. Directly identifiable information includes personal identifiers in the university's information systems and international researcher identifiers. We also process your name, unit, discipline (subject) and contact information.

 

What is the legal basis for processing personal data?

Primarily, the basis for processing your personal data is legislation concerning the University of Helsinki, processing is necessary for the performance of a task carried out in the public interest: university's task is to promote free research and scientific and artistic culture. In certain special cases you have given your consent for the processing. 

 

From which sources we collect your personal data, what is the origin of the data?

Some of the personal data are collected from you.  

Certain details have been collected from other parties, including certain details pertaining to publications and social activity.

 

Retention times

We follow the archiving plan of the University of Helsinki. We retain information about our researchers permanently for archival purposes. Retention times are described in more detail in other data protection notices (e.g. Personnel administration)

 

To whom do we disclose your personal data? 

Information on research activities are public, excluding e.g. confidential research plans or information separately agreed with the funder.

 

Is personal data transferred outside the EU?

All data are normally stored within the European Economic Area (EEA).

The transfer of personal data outside the EU or the EEA must be carried out in compliance with the requirements of the GDPR, which means that we for example use EU Commission standard contractual clauses. We may also ask your consent, which may occur in conjunction with submitting a research funding application to a funding party located outside the EEA.

Communication and Community Relations

Contact details for enquiries concerning the processing of data

yhteiskuntasuhteet@helsinki.fi

Purpose of processing personal data

The University of Helsinki processes data pertaining to its alumni, donors and partners so as to ensure the implementation of its third statutory duty, i.e., public engagement.

We process your personal data to provide and develop customer-oriented operations and services, such as understanding the needs of alumni, donors and other partners; improving the quality of operations; developing new services; enhancing customer service; and communicating about our operations and services. In this way, the University promotes the societal impact of its operations.

What data are processed?

We process your name and contact details and other data relating to you from which a third party may identify you by connecting the details. Such data include the following:

  • Alumni status and registration details
  • Alumni degree details
  • Information about alumni careers
  • Alumni interest in alumni activities
  • Donation amounts and targets by person
  • Information on donations (bank, payment method, information in the message field)
  • Personal identity code (individual donors who submit their personal identity code in conjunction with online donations and donors who have donated at least €850 per year)
  • Native language and preferred language
  • Participation in events
  • Communications with alumni, donors and partners

What are the legal grounds for the processing?

Primarily, the basis for processing personal data is legislation concerning the University of Helsinki and organisations within the University community and, in certain special cases, consent given by you. 

The processing of data about alumni and mentors is based on consent. You have submitted your data into the alumni register or joined a mentor network.

The processing of data about donors is based on compliance with a legal obligation.

The processing of data about partners is based on the legitimate interests of the controller as well as the performance of a task based on legislation.

The processing of data about people registered for events is based on the legitimate interests of the controller.

Sources of personal data

Some required personal details come from you.

To increase our customer insight, the University of Helsinki can search for information about you from public sources. Such information may include the following:

  • Your contact details
  • Your educational background and employment history

The data sources we use include the Population Register Centre, the University of Helsinki student records, the University of Helsinki event management system and contact detail providers.

Storage periods

In observance of the legislation concerning universities, we permanently store the following personal data related to our operations:

  • Donations to the University of Helsinki

Storage periods for other personal data:

  • Alumni data: These data will be removed from the alumni register if the alumnus or alumna in question asks us to do so.
  • Partner data: These data will be removed at the end of the partnership.
  • Event participant data: Event participant data will be stored about alumni, donors and partners. You can ask the University to remove this data. 

Information on storage periods for other data is available in the archiving plan of the University of Helsinki. 

To whom are your data disclosed?

As a rule, we do not disclose data outside the University of Helsinki, with the exception of the processing of any information requests under the Act on the Openness of Government Activities. Data can also be published as part of University communications in a manner agreed with alumni, partners or donors.

Are data transferred outside the EU? 

According to its data protection policy, the University will exercise particular care if personal data are to be transferred outside the EU or the European Economic Area to countries where data protection regulations do not conform to the EU’s General Data Protection Regulation.

Contact details for enquiries concerning the processing of data

helsinkiunievents@helsinki.fi. If you wish to exercise your rights, please submit a written request to the contact person for the event.

Purpose of processing personal data

The personal data of participants are collected to help organise events and communicate information about them. We collect only personal data necessary for specific purposes.

Personal data are processed only for the following pre-determined purposes:

  • To organise an event and cater for special needs
  • To distribute information on an event
  • To send invoices relating to an event
  • To collect feedback on an event
  • To market similar events

What data are processed?

The data are collected from people registering for an event and include their name, common contact details and participation information. The data requested may vary according to the event, but we only collect necessary data. The data are collected directly in connection with registration through event-specific forms. Data provided by email or phone or in person can also be stored if they are relevant for the arrangements.

In addition, information related to payments and payment methods will be stored if a participation fee is charged.

Regular sources of data include event participants, our customer information system and invoice database, and public sources.

Photography at events

The University of Helsinki may use still and/or video photography at events. The photographs or videos may be published on the University’s website or social media accounts or in other publications related to the University. The material will not be used for commercial purposes.

What are the legal grounds for processing?

Personal data are processed in the legitimate interests of the controller and based on registration for an event.

Storage periods

Data associated with a specific event will be deleted once they are unnecessary for its organisation or follow-up. Contact details may be used after the event to send out information on upcoming events in the same field, after which the details collected may be stored anonymously for the purposes of statistics. Accounting material is stored as required under the Accounting Act.

To whom are your data disclosed?

We can also outsource the processing of personal data to a third party, such as an event organiser, in which case we will make contractual arrangements to ensure that personal data are processed in accordance with data protection legislation and otherwise appropriately. A third party may also be responsible for the event facilities, safety and security, or catering.

Are data disclosed outside the EU?

Personal data is not transferred outside the EU or the European Economic Area.

Center for information technology

The IT Centre is an independent institute of the University of Helsinki that provides IT services for the University community.

Contact details for inquiries about the processing of data

helpdesk@helsinki.fi 

Why do we process personal data?

To be able to provide IT services, we must process various identifying data, including those related to login activity, network connections, software, computers, storage facilities, email, Office 365, Wiki, Unitube, Moodle, Examinarium facilities and consultation.

The purposes of processing include:

  • Handling and resolution of customer service requests
  • Administration of usernames and email addresses for the University of Helsinki’s information systems
  • Electronic user identification
  • Management of user rights
  • Maintenance of workstation usability
  • Maintenance and development of telecommunications networks
  • Sharing of application installation files and licence keys (incl. managing the acceptance of terms and conditions of use)
  • Verification related to licence management
  • Allocation of costs to University units
  • Investigation of faults and misuse
  • Management of coordinators and administrators of information systems
  • Supplier management
  • Provision of information security

What are the legal grounds for processing?

The processing of personal data is necessary to enable the completion of the University’s duties under section 2 of the Universities Act (558/2009) and the implementation of agreements between you and the University (employment contract, right to study or other agreement). The processing of personal data is also necessary for compliance with our legal obligations (such as the obligation to provide a sufficient level of information security on the basis of data protection legislation). In addition, personal data are processed for the purpose of our legitimate interests (ensuring the security of data and information systems).

What data are processed?

The University of Helsinki processes personal data from which you can be identified directly or indirectly. Direct identifiers include the personal identity code and student number. We will also process your name and contact details, and other information on your studies or work from which a third party may identify you by connecting the details.

Here are examples of the data processed by the University of Helsinki:

  • Student contact details, usernames and student numbers
  • Students’ target degrees, degree programmes, study tracks, major subjects and faculties
  • Employee contact details, usernames and personal identity codes
  • Employee unit details, start and end dates of employment, information on the organisational structure
  • Names and contact details of supplier contact persons
  • Information on workstations (i.e., laptop and desktop computers)
  • Information on the use of applications installed via the workstation management system
  • Persons using workstations
  • Device and login data stored in the log files of the Eduroam and HUPnet visitor networks
  • Staff and student details related to the completion of the University of Helsinki IT Security Test
  • Information on administrator roles in information systems

Further information on the processing of personal data can be found in the IT Centre’s privacy policies for various systems.

 

Sources of personal data

Some required personal details come from you. Examples:

  • Your name
  • Language of communication

Some personal data are connected to the identifiers the University of Helsinki has assigned you either directly or indirectly. Examples:

  • Username
  • Device-specific code for your workstation’s network interface card

Some personal data are related directly to your studies or work. Examples:

  • Login time
  • IP address

 

Further information can be found in the privacy policies for systems.

 

Storage periods

The storage periods for personal data stored in University of Helsinki systems and data processed manually are based on current legislation and the University’s archiving plan.

 

To whom are your data disclosed?

At the University of Helsinki, data is processed only by those employees of the University or those individuals mandated by the University or working on behalf of the University who need the data in their duties. Access to the data systems is restricted by user accounts. 

The University of Helsinki may also use external parties to process personal data, such as businesses that provide system services and process personal data on behalf of the University of Helsinki on the basis of a mandate.

Personal data will only be disclosed outside the University of Helsinki or processed by the University in lawful situations.

 

Are data disclosed outside the EU?

According to its data protection policy, the University will exercise particular care if personal data is to be transferred outside the EU or the European Economic Area to countries where data protection regulations do not conform to the EU’s General Data Protection Regulation.

The transfer of personal data outside the EU or the EEA must be carried out in compliance with the requirements of the GDPR.

 

Library, archive and museum services

Contact details for enquiries concerning the processing of data

kirjasto@helsinki.finicola.nykopp@helsinki.fi

Purpose of processing personal data

The Helka libraries use a customer register to monitor library loans, including debt collection and communication relating to loan monitoring as well as statistics. Loan monitoring also includes handling cases of errors.

What data are processed?

Types of customer data in the data file:

  • Name
  • Personal identity code
  • Home address
  • Email address
  • Phone number (not required)
  • Customer identifier
  • PIN code
  • Service language
  • University username and its expiry date, for University community members
  • Customer group (e.g., student, staff, international guest, external)
  • Statistical group (e.g., faculty)
  • Notes if necessary, e.g., agreed-upon replacement books, special services granted
  • Transaction data, e.g., loans and fees

What are the legal grounds for the processing?

The processing is based on an agreement between the customer and the library (loans) or customer consent (the customer discloses the information or indicates that they consent to information being transferred from the University’s backend systems).

Sources of personal data

New customers: Data is received directly from the customer or through an update from the University’s backend systems (see detailed description below).

Updating existing customer data: If the customer has outstanding obligations (loans which have not been returned or unpaid fees), erroneous contact details can be updated from University systems, data provided by a debt collection agency or data from the Digital and Population Data Services Agency. The grounds for the processing is the agreement between the library and the customer.

Data for members of the University community are updated from the University’s backend systems (consent given in conjunction with first login). When the customer logs in to the library customer interface for the first time using their University credentials and gives their consent for data transfer, the following data will be stored in the library system:

  • Username in the form username@helsinki.fi
  • First and last name
  • Personal identity code
  • Phone number
  • Email address
     

Within the next 24 hours, the following data are transferred from University systems (Oodi, Sisu, SAP):

  • Home address
  • Work address at the University
  • Indication of status as employee/student
  • Faculty
  • Service language (Finnish, Swedish or English)
  • Expiry date of username

All of these data are maintained in other University systems and cannot be altered in the library management system. Any changes made to the data are updated once a day in the library management system.

Storage periods

Once a year, the data of any customers without outstanding obligations or loans or reservations in the previous three years are removed from the system.

Customers whose data is updated from the University’s backend systems are removed from the data file one year after the expiration of their University username, unless they have by that time given notification of wishing to continue as a customer or if they have outstanding obligations (loans which have not been returned, unpaid fees).

To whom are your data disclosed?

Data are not disclosed outside systems required to provide library services.

Helka services are produced on the Alma (backend system) and Primo (customer interface) platforms, which are provided by a company called Ex Libris.

Data on loans that have not been returned and unpaid fees as well as related customer data can be transferred to a debt collection agency.

Data is disclosed to Finnish officials according to existing legislation.

Ex Libris privacy policy

Are data disclosed outside the EU? 

No data is transferred outside the EU or the European

Contact details in matters concerning the processing of your personal data 

Helsinki University Museum and Art Room: yo-museo@helsinki.fi 

Observatory customer service: observatorio@helsinki.fi

 

What is the purpose for processing personal data?

At the Helsinki University Museum, personal data are processed for the following purposes: 

Customers and collaboration partners 

  • Registering for and organising museum events (e.g., guided tours, public events, workshops, lectures, camps) 
  • Receiving and organising facility bookings 
  • Administering agreements on archive use 
  • Processing image requests 
  • Invoicing 
  • Organising competitions and prize drawings 
  • Distributing information on museum services and operations as well as other communication (e.g., posting Christmas cards) 
  • Receiving and drawing up feedback and opinion surveys 
  • Administering research permits 

Museum collections 

  • Administering museum collections (e.g., owners, photographers, persons appearing in the collections) 
  • Administering data on collection donors and lenders[LV1] [TJM2]  
  • Administering users of the collection maintenance system 

Museum staff 

  • Recruiting staff and on-demand employees, agreeing on work shifts and paying fees (fee-based employees, trainees) 

What data do we process?

Customers and collaboration partners 

  • Name 
  • Employer and title, if any 
  • Contact details, including phone, email and postal address 
  • Events: Information on allergies and special diets, and with regard to children, their ages and the contact details of guardians 

Museum collections 

Data relating to collections, including

  • Name 
  • Date of birth, date of death, other dates relating to the person’s lifespan 
  • Gender 
  • Photos, videos and other material related to the person 
  • Education, profession
  • Places of study, work and residence 
  • Names of family members, as well as their dates of birth and death 
  • Data belonging to special categories of personal data (e.g., person’s health, political opinions, religious or philosophical beliefs) 

Data on donors and lenders: 

  • Name 
  • Job title, degree, retiree 
  • Employer (if donation is made on behalf of the employer) 
  • Contact details, including phone, email and postal address 
  • Donor’s connection to the original owner of the donated material (e.g., family relation) 

User data in the collection management system: 

  • Name, username, employer, date of birth, and other data provided by the user 

Museum staff 

  • Name
  • Contact details, including phone and email 

What is the legal basis for processing personal data?

The processing of personal data relating to customers and collaboration partners is based on consent, a contractual relationship or legitimate interests.

In the case of collections, the processing of personal data is necessary for archiving purposes in the public interest. 

In the case of staff, the processing of personal data is based on consent or a contractual relationship.

From which sources we collect your personal data, what is the origin of the data?

Museum customers, collaboration partners or donors provide their data independently (e.g., by filling a form or by email). 

Data relating to the collections can be obtained from other archives, customers, collaboration partners or public sources. Donors provide information on the person whose property the donated material originally was. 

Retention times

Contact details relating to on-demand employees as well as events, prize drawings, feedback, communication, facility booking and invoicing are stored for as long as they are necessary for the planning and organisation of operations. 

Data relating to collections are stored permanently. 

To whom do we disclose your personal data? 

As a rule, data on customers and collaboration partners are not disclosed outside the Museum. Data can be disclosed to collaboration partners, for example, for the purpose of organising joint events.

Data relating to the collections and donor data are disclosed in accordance with the general practices of museum operations. With the consent of donors, their contact details can be disclosed for research use or to another party requesting further information.

The names and contact details (phone number) of on-demand employees can be disclosed to other on-demand employees. 

Is personal data transferred outside the EU?

As a rule, personal data are not disclosed outside the EU. Personal data may be disclosed outside the EU when using an external service provider, for example, for surveys or registration. In such cases, the applicable safeguards are implemented (e.g., standard contractual clauses approved by the European Commission).

Copies of material included in the collections and data relating to the collections can be disclosed outside the EU as well.

The National Library is a separate institution of the University of Helsinki. You can read more about the processing of personal data at the National Library on their own pages: Link to the National Library's privacy policy page.

HR Services

Contact details in matters concerning the processing of your personal data 

 rekrytointi@helsinki.fi, you can modify and erase data by yourself on our recruitment portal: https://rekry.helsinki.fi/start 

What is the purpose for processing personal data?

Processing of applications, assessment of aptitude, and communication related to appointee selection.

We also wish to promote equality in our recruitment as well as ensure smooth integration into Finnish society for employees arriving from abroad. 

Personal data will also be processed for statistical purposes and, in the case of professor recruitment, the personal data of the top applicanrs will be stored permanently for archiving purposes in the public interests. 

What data do we process?

  • Applicant’s personal data (name, gender, date of birth, nationality)

  • Applicant’s address and contact details (street address, country, locality, postcode, email and phone)

  • Applicant’s internet addresses (e.g., applicant’s LinkedIn profile)

  • Applicant’s educational background

  • Applicant’s prior work experience

  • Applicant’s language skills, IT skills and other skills relevant to the position

  • Applicant’s employment preferences

  • Attachments related to the application (e.g., CV, list of publications)

Other details the applicant considers relevant to the position

Certain data are required for related processes and communication. The rest, provided voluntarily by the applicant, help us assess the applicant’s aptitude for the position in question.

For external assessors involved in University of Helsinki recruitment processes, names and email addresses are stored in the system.

What is the legal basis for processing personal data?

The applicant submits his/her personal data and application voluntarily. The legal basis for processing the data are the following:

  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (GDPR art 6.b)
  • processing is necessary for compliance with a legal obligation (GDPR art. 6.c)
  • processing is necessary for the performance of a task carried out in the public interest (GDPR art. 6.e, national Data Protection Act 4 §)
  • legitimate interests pursued by the controller: legal protection (GDPR art. 6.f) 

From which sources we collect your personal data, what is the origin of the data?

Data are collected from the data subject.

In the case of persons employed by the University of Helsinki, their name, date of birth and contact details are transferred to the recruitment system from the University of Helsinki’s SAP HR human resources information system.

In certain recruitment processes, data are also collected with the applicant’s consent from separate external assessors in, for example, aptitude assessments or, in professor recruitment, external academic assessments. 

Retention times

We will retain position-specific application data for approximately two years from the date of the recruitment decision, after which the applicant's direct identification data and application attachments will be deleted, with the exception of the top applicants for the assistant professor and professor positions, which are permanently stored for archiving purposes. The applicants' general information, e.g., date of birth, gender, nationality, graduation date and degree data, will be permanently retained and used in reporting only.

To whom do we disclose your personal data? 

In the case of recruitment processes including an aptitude assessment or another assessment by experts, personal data can be disclosed to the assessors involved in the process. In such cases, data can be processed by the assessors within or outside the European Union.

As an institution under public law, all recruitments made by the University are public. This means that, when requesting data from applicants, the Act on the Openness of Government Activities (621/1999) requires the University to disclose application documents and any data pertaining to the recruitment process.

Is personal data transferred outside the EU?

The data contained in the data file are stored within the European Union, and they are not transferred outside the EU or the European Economic Area. As an exception, personal data can be processed by external assessors outside the EU in conjunction with assessments associated with recruitment. When disclosing data outside the EU, we employ the protective measures required by law, such as the standard contractual clauses provided by the European Commission.

Contact information for question about data processing 

 HR lawyer: tuuli.siren-niskanen@helsinki.fi 

Why do we process your personal data?

The University of Helsinki processes your personal data to carry out activities related to human resources administration and employment affairs, as well as to fulfil its duties and obligations as an employer. The University of Helsinki utilises the data included in the data file when performing duties concerning data subjects required by legislation, collective agreements and separate decisions and regulations. Such duties include:

  • Human resources planning and staff cost budgeting
  • External and internal recruitment
  • Internal communication
  • Orientation, management of tools and facilities
  • Monitoring and allocation of working hours, work plans for employees observing the annual workload scheme
  • Management of employment data
  • Determination of salary and assessment of personal work performance
  • Payment of salaries, fees and grants
  • Skills development and training
  • Conduct of development discussions
  • Organisation of occupational healthcare and promotion of workplace wellbeing
  • Occupational safety duties (equality, work-related accidents)
  • Rewarding of employees (badges of merit, etc.)
  • Management of work-related travel and international assignments, travel invoicing
  • Completion of tasks related to the termination of employment
  • Statistics and reporting
  • Storage of professorship applicants’ data for research purposes

What kind of personal data do we process?

Data subjects employed by the University of Helsinki

  • Personal data: name, employee number, date of birth, personal identity code, gender, nationality, workstation address, work email, work phone
  • Education, badges of merit and medals
  • Employment and salary details, taxation details, banking details
  • Assessment of job requirements and personal job performance
  • Monitoring of working hours and absences
  • Details used in the identity management and access restrictions of systems

Fee and grant recipients, researchers, docents, visiting professors and professors emeriti

  • Personal data: name, employee number, date of birth, personal identity code, gender, nationality, workstation address, email
  • Education
  • Fee criteria and salary details, taxation details, banking details
  • Details used in the identity management and access restrictions of the system

Persons performing non-military service and agency contract workers

  • Personal data: name, employee number, date of birth, personal identity code, gender, work unit
  • Monitoring of working hours and absences
  • Details used in the identity management and access restrictions of the system

External parties attending training

  • Personal data: name, employee number, date of birth, personal identity code, gender, nationality, workplace address, email, phone
  • Education
  • Details used in the identity management and access restrictions of the system

Sensitive personal data: Health data and trade union membership data are processed in the HR systems.

What is the lawful basis for processing?

Data subjects employed by the University of Helsinki:

  • performance of a contract to which the data subject is party
  • compliance with a legal obligation to which the controller is subject
    • Legislation on which the processing is based: Employment Contracts Act (55/2001), Occupational Safety and Health Act (738/2002), Collective agreement
  • task carried out in the public interest/exercise of official authority vested in the controller:  Scientific or historical research purposes or statistical purposes
  • for the purposes of the legitimate interests pursued by the controller or by a third party: reporting required by funders, skills assessment
  • consent given by the data subject

Data subjects not employed by the University of Helsinki, such as grant-funded researchers, docents and fee recipients:

  • compliance with a legal obligation to which the controller is subject
  • performance of a contract to which the data subject is party
  • consent given by the data subject

What are the sources for personal data?

Personal data originate from the following sources:

  • Data subject
  • Authorities and insurance companies
  • Decisions related to human resources administration
  • Academic administration information systems (such as Oodi)
  • University of Helsinki identity management system and staff role register 

Retention times

Storage periods for data are described in the archiving plan of the University of Helsinki: https://flamma.helsinki.fi/content/res/pri/HY358990 (in Finnish only).

The storage periods are based on the Archives Act (831/1994) and other relevant legislation, as well as the University of Helsinki's guidelines and archiving plan. Personal data are only stored for as long as they are needed. Most common storage periods: Employees’ employment contract data are stored for at least 10 years after the termination of employment and payroll data for 50 years. However, working hour monitoring data are only stored for two years. In the case of applicants to professorships for whom assessor statements have been requested, application documents are stored permanently for scientific research purposes.

Do we disclose your personal data to third parties?

Data may be disclosed to other university units when needed. At the university, personal data can be collected and processed by those whose job duties require it, eg supervisors and HR personnel, IT Center.

Data is also disclosed to authorities, employer and employee organisations, insurance companies, banks, subcontracted companies and consultants within the limits set by valid legislation and to the extent required by the provision of services, f.ex. Kela, providers of occupational health and travel agency services and the Finnish Education Employers association. 

Do we transfer your data outside the EU/European Economic Area? 

Data will only be transferred outside the EU or the EEA in cases where legislation, tax treaties or social security agreements stipulate that employer obligations pertaining to the employee are to be implemented outside the EU or the EEA.

Administrative services

Contact information for questions concerning the processing of personal data

lakipalvelut-yleishallinto@helsinki.fi, tel. 0294140855

Why do we process your personal data?

The purpose of processing your personal data is election of members for the administrative bodies of the University of Helsinki.

What is the lawful basis for processing data?

The lawful basis for processing is that the processing is necessary to comply with a legal obligation. We process sensitive data if the data subject has manifestly made the data public.

The Universities Act, chapter 3 prescribes on the administrative bodies of the university and electing members for them. The regulations and electoral regulations for the University of Helsinki, decreed on the basis of the Universities Act, sections 13, 15, 27, 28 and 29, give more detailed instructions on elections. In addition the University organizes elections on the basis of the Act on Occupational Safety and Health Enforcement and Cooperation on Occupational Safety and Health at Workplaces.

What kind of personal data do we process?

 

The University of Helsinki processes the following data:

  • name
  • e-mail address (for uniquely identifying the person)
  • data on staff group, duties, employment contract or agreement on research
  • registration of University Services staff member in the on-site campus services as a staff member entitled to vote and eligible for election in the elections of the faculty councils
  • candidature or acting as a nominator
  • data on a person’s right to vote and eligibility for election in the electoral roll
  • data on appeals concerning the electoral roll
  • decisions on appeals concerning the electoral roll
  • presentations of candidates
  • data on number of votes for a candidate

The following sensitive data may be processed, as candidates may make this data public in their presentations should they so wish:

  • political opinions
  • trade union membership

The list is not exhaustive, even other data will be processed if processing is necessary for organizing elections. 

What are the sources for personal data?

The persons themselves:

  • registration of University Services staff member in the on-site campus services as a staff member entitled to vote and eligible for election in the elections of the faculty councils
  • candidature or acting as a nominator
  • data on appeals concerning the electoral roll
  • presentations of candidates

The University staff data system

  • name
  • e-mail address (for uniquely identifying the person)
  • data on staff group, duties, employment contract or agreement on research

Electoral roll

  • data on a person’s right to vote and eligibility for election

Minutes of the University Elections Committee

  • decisions on appeals concerning the electoral roll

The University elections data system Vakka

  • data on number of votes for a candidate

Retention times

Retention times for data are determined in the University Archiving plan (AMS). The archives institution orders which data or documents are retained permanently. In accordance with an order of the archives institution the University Archiving plan determines that elections documents are retained permanently.

Do we disclose your personal data to third parties?

Data on members elected to administrative bodies (name, staff group) is published on the University external webpages. Results of elections (name, staff group, number of votes) and data on members elected to administrative bodies is published on the University internal webpages. Publishing of the data is based on

  • the legal obligation of the University to publicise its activities, as well as the rights and obligations of private individuals and corporations in matters falling within its field of competence
  • the legal obligation of the University to organize its administration by administrative bodies
Facilities and security

Contact details for enquiries about the processing of data

turvallisuusvalvomo@helsinki.fi

Purpose of processing personal data

The University of Helsinki uses access control and closed-circuit television (CCTV) to protect its assets, prevent criminal activity and misconduct, investigate criminal activity and misconduct that has already occurred, and provide a safe, secure and peaceful environment for staff and students.

The University’s access control systems collect and store data about the opening of doors with access control tags that are registered in the systems. This prevents and minimises unauthorised access to University premises, enables appropriate access and accessibility to authorised individuals, and helps maintain safe, secure and comfortable facilities for work, study and research.

What data are processed?

  • Name
  • Date of birth
  • Job title
  • Phone number
  • Number of office or location of building
  • Date of application for and issue of keys and access control tags
  • Log data for access control tags issued
  • Identifying data for keys returned and date of return
  • Digital video recordings in which persons captured on camera can be identified

What are the legal grounds for processing personal data?

The processing of personal data is based on legislation concerning the University of Helsinki and on legitimate interests. The University of Helsinki is obliged by law to provide its students with a safe learning environment (Universities Act, 559/2009, section 41a) and its staff with a safe working environment (Occupational Safety and Health Act, 738/2002).

Sources of personal data

For access control, the personal data of staff are derived from the University’s HR Services or from key application forms completed by the staff or their supervisors. Student data are obtained from the Sisu student information system. For CCTV, data are derived from the digital images recorded by cameras that are installed in the University’s premises or their immediate vicinity.  

Storage periods

For access control, personal data are deleted at the earliest when the relevant individual has returned the keys that have provided them with access to University facilities. Access control data (log data) are stored in the relevant systems for an average of approximately one year. 

CCTV recordings are stored depending on the capacity of the systems. Well-grounded suspicions of criminal activity or misconduct may lead to the storage of data for a longer period. 

To whom are your data disclosed?

Data are not disclosed regularly to parties outside the University of Helsinki or University of Helsinki Property Services Ltd.

Data from the systems can be disclosed to the authorities, for example, for the purpose of criminal investigations.

Are data disclosed outside the EU? 

We store all data within the European Economic Area (EEA). 

 

Contact information for question about data processing

Teaching facilities: tilavaraus@helsinki.fi 

Ceremonial and other bookable event facilities:

helsinkiunivenues@helsinki.fi 

 

Why do we process your personal data?

Data needed to organise events are collected from event organisers and processed for the following purposes:

  • Accepting the facility booking
  • Organising event services and catering for special needs 
  • Communicating on relevant services and activities, as well as on other matters, such as the collection of feedback 
  • Invoicing for the facility booking and services 
  • Collecting customer data for statistical purposes 

 

What is the lawful basis for processing?

The legal ground for the processing is the contractual relationship. The personal data are needed for us to book the agreed facility for the desired purpose and to provide other services related to the booking.

 

What kind of personal data do we process?

The data requested may vary according to the event, but we only collect necessary data. The data to be processed include

  • Name  
  • Details on the employer or other organisational information (booking organisation), if any  
  • Contact details, including phone, email and postal address 
  • Invoicing information 

 

Photography and filming in rented facilities

Upon agreement, still and/or video photography is permitted in events held at University of Helsinki facilities. Upon separate agreement, the photographs or videos may be published on the University’s website or social media accounts or in other publications related to the University. The material will not be used for commercial purposes.

 

What are the sources for personal data?

The data are collected directly from the individual or event organiser in conjunction with a written enquiry concerning the event facility. Data provided by email or phone or in person can also be stored if they are relevant for the arrangements. The booker of the facility will provide the details of the person responsible for the event arrangements, for example, in the booking form or by email.  

 

Retention times

Contact details relating to facility booking, events and invoicing are stored for as long as they are necessary for the planning and organisation of operations. 

Accounting material is stored as required under the Accounting Act. 

 

Do we disclose your personal data to third parties?

We can outsource the processing of personal data to a third party, such as a provider of event services, in which case we will make contractual arrangements to ensure that personal data are processed in accordance with data protection legislation and otherwise appropriately. A third party may also be responsible for the event facilities, safety and security, or catering. 

 

Do we transfer your data outside the EU/European Economic Area? 

As a rule, the data of bookers of facilities at the University of Helsinki are processed in the EU.

According to its data protection policy, the University will exercise particular care if personal data are to be transferred outside the EU or the European Economic Area (EEA) to countries where data protection regulations do not conform to the EU’s General Data Protection Regulation. 

If personal data are transferred outside the EU or the EEA, and the European Commission has not deemed the level of data protection in the target country to be sufficient, data protection will be ensured under the relevant legislation using the standard contractual clauses approved by the European Commission.

Your Rights

If the processing of personal data is based on your consent, you have the right to withdraw your consent. Withdrawal of consent shall not affect the lawfulness of the processing carried out on the basis of the consent prior to its withdrawal. 

You have the right to know whether your personal data is being processed and what data is processed. You may also request us to give you a copy of your personal data. 

If there are inaccuracies or the personal data processed about you are incomplete you have the right to request us to rectify or complete your personal data. 

You have the right to request the deletion of your personal data in the following cases:

a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed

b) You withdraw your consent on which the processing was based and there is no other legal ground for the processing

c) You object for the processing and there are no overriding legitimate grounds for the processing

d) The personal data have been unlawfully processed

e) The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject

 

You do not have the right to erasure, if the processing is necessary:

a) For compliance with a legal obligation which requires processing by law

b) For the performance of a task carried out in the public interest or in the exercise of official authority

c) For archiving purposes in the public interest, scientific of historical research purposes or statistical purposes if the erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing

d) For the establishment, exercise or defense of legal claims

You have the right to restrict the processing of your personal data. This means that we retain your information but do not process it in any other way. 

You have this right in the following cases: 

a) The accuracy of the personal data is contested by you. Then the processing will be restricted until the accuracy of the data is verified.

b) The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead

c) The university no longer need the data for the purposes of the processing, but you need the data for the establishment, exercise or defense of legal claims

d) You have objected to processing that is based on legitimate interest. Then the processing will be restricted for the time it is verified whether the legitimate ground for the controller override those of the data subject

When the processing is done by automatically means and the processing is based on your consent or a contract between you and the University, you have the right to have your data that you have provided, in a structured, commonly used and machine-readable format and have the right to transmit this data to another controller. 

When it is technically feasible, you have the right to have the data transmitted directly to the other controller.

You have the right to object for the processing of your personal data. Then we shall no longer process the data unless we demonstrate compelling legitimate grounds for the processing which overrides the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims. University can also continue to process your personal data if it is necessary for the performance of a task carried out in the public interest.

You have the right to lodge a complaint with the Data Protection Ombudsman’s Office if you think your personal data has been processed in violation of applicable data protection laws.

 

Contact details:

www.tietosuoja.fi 

Office of the Data Protection Ombudsman

Visiting address: Ratapihantie 9, 6. krs, 00520 Helsinki

Postal address: PL 800, 00521 Helsinki

Switchboard: 029 56 66700

E-mail: tietosuoja@om.fi

Data requests under the Act on the Openness of Government Activities

The data stored in the student information system (Sisu/Oodi) are considered documents in the public domain, as referred to in the Act on the Openness of Government Activities (621/1999), to which access is given upon request. Public documents are disclosed as requested in accordance with sections 13 and 16 of the above Act. 

A person requesting the disclosure of student data must explain to the data file controller the purpose of using the data, provide the controller with other information required to determine the conditions for disclosing the data and, if necessary, describe how the data will be protected.

Please use this application form to request the disclosure of student data: Data disclosure application.

Further information: Sari Zitting, head of student register

Disclosure of name and address data with the student’s consent

With the consent of data subjects (i.e., students), the University of Helsinki discloses their address data to associations, foundations and public authorities for restricted purposes that support studying. Students can consent to the disclosure of such data, or withdraw their consent, by contacting Student Services. Students can consent to the disclosure of their name and address data

  1. For purposes that support studying to associations and foundations, professional associations and mainly regional authorities for distributing by post information that
    1. Is related to students’ duties or rights as members of the University community, or
    2. Is intended to promote studies, professional skills or employment, or
    3. Is intended to enhance the conditions of study or work, or
    4. Is intended to promote students’ connections to their home region
  2. To Helsinki University Library
  3. To UniSport
  4. For other purposes that support studying, such as small-scale surveys or opinion polls
  5. For career and recruitment purposes
  6. For direct marketing, in cases where a coordinator of the student register considers the disclosure of data possible
     

Students can also prohibit the disclosure of their data to Ylioppilaslehti for the purpose of posting the magazine.

A personal identity code may be disclosed (Data Protection Act 1050/2018, section 29) for the purposes of data processing performed to update address information or to prevent redundant postal traffic, if the personal identity code is already available to the recipient.

The University complies with good registration practice and requires that applicants for data disclosure have an appropriate connection with the target group whose data are requested.

 

Fee criteria for the data service of the student register

1. The University charges a fee per person unit for the data it provides by bulk disclosure in accordance with these criteria, unless otherwise stipulated or agreed in the case of a specific disclosure of data. A person unit refers to the data, or part of the data, connected to a single person in the student register. The disclosure of data refers to their transfer from the student register for purposes other than student registration.

2. The fee per person unit is €0.28 (+ VAT). However, the fee for the University of Helsinki Student Union, student nations and faculty organisations for data required for their operations, with the exception of commercial and business activities, is €0.06 (+ VAT) per person unit.

3. In addition to the fee per person unit, a fee of €42.05 per hour (+ VAT) is charged for staff costs.

4. The fee per person unit is waived

  • In the case of government agencies or institutions which have a statutory right to access the data if this exemption is based on reciprocity or general practice
  • In the case of University departments or institutes
  • When the data are disclosed for the purposes of a thesis or scholarly research or for educational purposes
  • When disclosing a considerable amount of data at the same time to foundations that provide student health or housing services
  • For reports, statistics and other data disclosed on the basis of a request, from which no individual persons can be identified

5. When disclosing a considerable amount of data at the same time for a purpose for which the data recipient simultaneously commits to regularly obtaining any amendments to the data, the fee per person unit can be lower than that indicated in item 2 above.

6. When the total costs incurred from the disclosure of data are smaller than the market price for similar services provided by others, the fee charged for the disclosure of data can equal the market price.

7. The University may charge advance and part payments. The final fee is invoiced after the data disclosure request has been fulfilled.

Guidelines for data disclosure to third parties

Requests for the verification of the study-related data of a current or former student can be sent via email to registrar(at)helsinki.fi. For the data to be disclosed in writing, the request must be accompanied by a consent to the data disclosure signed by the current or former student.

The processing of personal data in the student information system, and the disclosure of such data, are governed by the EU’s General Data Protection Regulation (2016/679) and other applicable data protection legislation, such as the Data Protection Act (1050/2018) and the Act on the Openness of Government Activities (621/1999).

Finance and payment traffic

Contact details for enquiries about the processing of data

jere.reinikainen@helsinki.fi

 

Why do we process personal data?

The University’s Financial Services processes personal data for the following purposes:

  • Managing purchase invoices (verification and approval)
  • Managing sales invoices (confirmation of accuracy)
  • Receiving online payments
  • Sending reminders for the purpose of invoice management
  • Managing travel requests and travel expense reports
  • Managing external funding (e.g., Academy of Finland)
  • Allocating working hours (allocating hours to the correct projects and profit centres)
  • Reporting (internally and to funders)
  • Accounting

Our partner in travel management is CWT. For further information on how CWT processes personal data, please click here: CWT global privacy policy and notice.

 

What are the legal grounds for processing?

The processing of personal data is necessary to fulfil obligations arising from legislation (management of sales and purchase invoices, including reminders; accounting). In addition, the processing of personal data may be necessary to implement a contract or an agreement to which you are a party (travel management, management of external funding, and allocation of working hours).

 

What data are processed?

The following personal data of employees are processed:

  • Name, contact details, job position or title, unit, WBS code, banking details
  • If necessary, year of birth, nationality, gender, highest level on the career path hierarchy for researchers, and personal identity code

The following personal data of non-employees are processed:

  • Name, contact details, job title, organisation, banking details

 

Sources of personal data

Personal data are collected from individuals themselves and, in the case of employees, from HR management systems.

 

Storage periods

Data are stored in accordance with accounting legislation and other obligations, such as funder requirements.

 

To whom are your data disclosed?

We disclose data to the Finnish Tax Administration, auditors and funders.

 

Are data disclosed outside the EU?

Data are processed within the EU and are not, as a rule, disclosed outside the EU. However, if you travel to a country outside the EU, your personal data will be disclosed if necessary to arrange the trip. Data may also be disclosed to funders outside the EU if you are involved in a project that receives funding from outside the EU.