Data protection

At the University of Helsinki, we value your privacy and your right to protect your personal data. Everyone has the right to know what data concerning them are being kept and how those data are processed. On this website, we collect data protection statements pertaining to the processing of personal data at the University of Helsinki.

Information about cookies and the processing of personal information on our website can be found on the page website and cookies.

 

For questions about data processing, contact details are available in the relevant data protection statement.

 

The data protection officer of the University of Helsinki can be reached at tietosuoja@helsinki.fi.

Studying and services related to studying

Contact information for question about data processing

hakijapalvelut@helsinki.fi

 

Why do we process your personal data?

The University of Helsinki processes the personal data of applicants to carry out procedures for admitting new students. When you apply for admission to the University, your personal data are processed for the following purposes:

  • Provision of information on studies and admission
  • Fulfilment of admission-related tasks
  • Marketing communication related to scholarly research and the provision of education
  • Proceedings related to any appeals and cases brought before the administrative court
  • Other admission-related purposes

Individual arrangements

We process the personal data you provide to us so as to make individual arrangements related to entrance examinations. This processing is based on the information you provide in your application for individual arrangements and its attachment(s), such as a doctor’s certificate and/or other expert statements. Based on your consent, your data can also be used to plan other study-related individual arrangements if you are offered a place and accept it.

 

What is the lawful basis for processing?

The processing of personal data is based on the performance of a task carried out in the public interest or in the exercise of official authority, compliance with a legal obligation and, in certain cases, on consent.

Relevant regulations:

  • Universities Act (558/2009) and the decrees issued pursuant to it
  • Government Decree on University Degrees and Professional Specialisation Programmes (794/2004), including amendments 
  • Act on the National Registers of Education Records, Qualifications and Degrees (884/2017), Chapter 5
  • General Data Protection Regulation (EU, 2016/679) and supplementary national legislation
  • Act on the Openness of Government Activities (621/1999)
  • Administrative Procedure Act (434/2003)
  • Non-Discrimination Act (1325/2004)
  • Act on Health Care Professionals (559/1994)

 

What kind of personal data do we process?

The University processes the following personal data:

  • Identifying information (name, personal identity code, date of birth, application/applicant number)
  • Background information (citizenship, gender, native language)
  • Contact details (email, phone, postal address)
  • Preferred application options
  • Information related to applying to a degree programme
  • Information based on the application and admission criteria
  • Information on the applicant’s education, degrees and work experience
  • Information on health issues affecting the applicant’s admission (yes/no) and, in the case of applications for specialist training in medicine, the number of sick days (if relevant for calculating work experience)
  • Entrance examination answers
  • Any motivation letters or tests associated with admission as well as recorded video interviews
  • Information on admission results (entrance examination results and other information on admission, including scores)
  • Information on acceptance of an offered place
  • Consent or prohibition by the applicant on publishing their admission result
  • Any other information related to admission

Individual arrangements

If you apply for individual arrangements, we will process not only the data mentioned above, but also the personal data you provide in your application and its attachments:

  • Information about the applicant
  • Description of the necessary arrangement and its justification
  • Other considerations

In addition, the attachments may include a copy of a doctor’s certificate. Applications for, and decisions on, individual arrangements are confidential and handled at the University by a specific group of staff.

 

What are the sources for personal data?

Information on applicants is collected from the following sources:

  • The applicant
  • The Studyinfo service, the SURE register of completed studies, the VIRTA student information system and the VTJ Population Information System
  • International application and degree systems or services that deliver documents concerning the educational background of applicants
  • Finnish and international organisers of language tests
  • Finnish and international higher education institutions
  • Online payment and registration services
  • Assessors of applications and entrance examinations
  • The JulkiTerhikki register of social welfare and healthcare professionals

Information may also be derived or obtained through observations of the use of IT services and equipment provided by the University to the applicant, or information may be collected by the management and surveillance services used at the University (e.g., camera surveillance).

 

Retention times

Storage periods are based on current legislation and the University of Helsinki’s archiving plan.

The following data are stored permanently:

  • Admitted applicants: Learner ID and personal identity code or other equivalent identifying data
  • Admitted applicants: information on the applicant’s right to study leading to a degree and information on acceptance of an offered place
  • Decisions on appeals concerning admission

In addition, other personal data concerning applicants may be stored permanently upon the decision of the National Archives of Finland.

Storage periods of personal data not stored permanently: 

  • Entrance examination answers, six months
  • Lists of scores, at least one year
  • Unsuccessful applications, two years
  • Successful applications, 10 years
  • Lists of applicants, 10 years
  • Appeals against admission decisions, 10 years

 

Do we disclose your personal data to third parties?

Personal data are disclosed to the following recipients:

  • Registers of higher education institutions involved in Finnish and international joint programmes
  • KOTA database of the Ministry of Education and Culture
  • Internationalisation Services of the Finnish National Agency for Education
  • Social Insurance Institution of Finland (Kela)
  • National Supervisory Authority for Welfare and Health Valvira through the national data warehouse for higher education
  • Employment authorities
  • Register of Aliens of the Finnish Immigration Service
  • Studyinfo service of the Finnish National Agency for Education
  • TE Services (enquiries)

In addition, the University may disclose the personal data of applicants

  • For scientific research purposes in the public interest
  • For the purpose of meeting obligations set by the Act on the Openness of Government Activities (621/1999) or other legislation
  • When verifying the educational background and/or language skills of applicants, to language test organisers or organisations responsible for providing documents concerning the educational background of applicants
  • With the consent of the applicant, contact details to parties outside the University for marketing communications and other specific purposes

Information on individual arrangements is processed at the University only by those who implement individual arrangements for entrance examinations.  We will not disclose your application data outside the University of Helsinki. In the case of cooperation related to entrance examinations with other universities, we may, if necessary, provide information on individual arrangements granted to you to the other universities involved in the cooperation.

 

Do we transfer your data outside the EU/European Economic Area? 

Personal data may be transferred outside the EU, for example, when verifying the validity of certificates granted to an applicant outside the EU.

The University exercises particular care if personal data are transferred outside the EU and the European Economic Area (EEA) to countries that do not ensure data protection in line with the General Data Protection Regulation (GDPR). Personal data are transferred outside the EU and EEA only when necessary, and the transfers are made in accordance with the requirements of the GDPR, for example, using the standard contractual clauses approved by the European Commission.

 

Contact information for question about data processing 

 registrar@helsinki.fi

Why do we process your personal data?

The University of Helsinki must process your personal data for purposes including the following:

  • Student admissions
  • Organisation of teaching and decisions concerning studies
  • Student guidance
  • Course registrations
  • Restoration of completed studies, assessment and registration
  • Preparation of degree diplomas

In addition, the University can process your personal data for the following purposes:

  • Development of teaching (e.g., with feedback collected from students)
  • Scientific research
  • the compilation of statistics and reportage
  • Marketing communications related to studies
  • The safety of students and other members of the University community, the physical safety of the study environment and the protection of data, or
  • Other specific purposes

What is the lawful basis for processing?

The use of personal data is primarily based on legislation concerning the University of Helsinki and the organisations operating in the University community. In specific cases, the basis for processing data is consent given by the student.

Therefore, the right of the University as the controller of the data file is based on

  • A task carried out in the public interest or in the exercise of official authority vested in the controller 
  • Compliance with a legal obligation to which the controller is subject 
  • In certain cases, the performance of a contract or consent given by the data subject 

As a rule, the University has the right to process sensitive data as the controller of the data file in the following cases:

  • When necessary for reasons of substantial public interest 
  • In certain cases when the data subject has given explicit consent to the processing of certain personal data 

Relevant regulations

Universities Act (558/2009)

Government Decree on University Degrees (794/2004)

Act on national study and degree registers (Laki valtakunnallisista opinto- ja tutkintorekistereistä) (884/2017)

EU General Data Protection Regulation (2016/679) and supplementing national regulations

Personal Data Act (523/1999) and the Data Protection Act (XXX/2018), which will supersede the former

Act on the Openness of Government Activities (621/1999)

Regulations of the University of Helsinki

Regulations on Degrees and the Protection of Students’ Rights at the University of Helsinki

Decisions by the University and the rector concerning teaching and studying at the University of Helsinki

Standing regulations of the University of Helsinki faculties

What kind of personal data do we process?

The University of Helsinki processes personal data from which you can be identified directly or indirectly. Direct identifiers include the personal identity code and student number. We will also process your name and contact details, in addition to which the University processes other information related to your studies from which a third party may identify you by connecting the details.

The details most commonly processed in conjunction with studying and completed studies are the student’s name, student number and contact details, as well as details on the degrees pursued and the content of studies.

Here are examples of the data processed by the University of Helsinki:

  • Persons applying to study at the University (applicants), their basic details and application information
  • Basic student details (e.g., student number, personal identity code, name and contact details)
  • Students’ study rights
  • Students’ term registrations
  • Students’ completed studies, traineeships and theses/dissertations
  • Teachers and related information on teaching
  • Students’ registrations for teaching
  • Students’ student feedback details
  • Details related to students’ career and employment services and surveys
  • Membership in the Student Union and its special status associations
  • Data related to grants
  • Data related to international student exchange
  • Basic details on the staff involved in supporting students and teachers (e.g., name and work-related contact details)

What are the sources for personal data?

Some required personal details come from yourself, which makes you responsible for their validity. A right to study is personal. Thus, your personal details must be valid.

Certain details have been collected from other parties, including:

  • Details concerning the acceptance of a student place are gained from a national student admissions register (Act 884/2017) maintained by the Finnish National Agency for Education and from documents submitted by the student.
  • The validity of name and contact details is verified from the Population Register Centre.

Retention times

The storage period for personal data stored in University of Helsinki systems and data processed manually is based on legislation in force and the archiving plan of the University of Helsinki.

In observance of the legislation concerning universities (Sections 25 and 27 of act 884/2017), the University of Helsinki stores the following personal details related to teaching permanently:

  • Student numbers and personal identity codes or equivalent identifiers
  • Information on completed degrees and specialist training, as well as all completed studies and their grades
  • Information on rights to complete studies leading to a degree and specialist training, as well as information on the acceptance of a student place and registration for studies leading to a degree and for specialist training.

Information on storage periods for other data is available in the archiving plan of the University of Helsinki.

Do we disclose your personal data to third parties?

Personal data is primarily processed by the staff of Teaching and Learning Services and the teaching staff. In addition, personal data can be processed by the following units: IT Centre, HR Services, Financial Services, as well as Communications and Community Relations.

The University of Helsinki may also use external parties to process personal data, such as businesses that provide system services and process personal data on behalf of the University of Helsinki on the basis of a mandate.

The University of Helsinki discloses required student personal data to the following recipients, either through the national data warehouse for higher education or directly:

  • Finnish Student Health Service
  • Ministry of Culture and Education
  • Internationalisation Services of the Finnish National Agency for Education
  • Student admissions registers
  • Study credit, degree and qualification disclosure service of the Finnish National Agency for Education
  • Social Insurance Institution of Finland Kela
  • National Supervisory Authority for Welfare and Health Valvira
  • Statistics Finland
  • Employment authority
  • The Education Fund
  • Immigration authority
  • Student Union of the University of Helsinki
  • Student nations of the University of Helsinki
  • Monitoring surveys conducted by Aarresaari, a network of career and recruitment services

In addition, the University of Helsinki can disclose students’ personal data

  • For scientific research purposes
  • For the purpose of meeting obligations set by the Act on the Openness of Government Activities (621/1999) or other legislation
  • To other Finnish institutions of higher education for the processing of study rights and transferring completed studies, for example, in teaching cooperation
  • To international institutions of higher education also outside the EU or the European Economic Area for the implementation of dual or joint degree education or for the transfer of completed studies
  • With the student’s consent, regarding contact details outside the University, for restricted purposes supporting studying and other specific purposes

The primary source of transferred data is the academic administration system Oodi and the Mobility Online mobility system. Student data to be permanently stored and the mobility periods of student exchange will be transferred to Virta, the national data warehouse for higher education.

Do we transfer your data outside the EU/European Economic Area? 

According to its data protection policy, the University will exercise particular care if personal data is to be transferred outside the EU or the European Economic Area to countries where data protection regulations do not conform to the EU’s General Data Protection Regulation.

The transfer of personal data outside the EU or the EEA must be carried out in compliance with the requirements of the GDPR.

Contact details for enquiries concerning the processing of data

specialneeds@helsinki.fi

Why do we process personal data?

Individual arrangements

We process your personal data to be able to provide a recommendation on individual arrangements and/or make individual arrangements related to teaching and examinations. The processing is based on the information you provide to the University (such as a doctor’s certificate and/or other statements from experts).

What are the legal grounds for the processing?

The processing of personal data is based on the performance of a task carried out in the public interest or in the exercise of official authority, compliance with a legal obligation and, in certain cases, on consent.

Relevant regulations:

  • Universities Act (558/2009) and the decrees issued pursuant to it
  • Non-Discrimination Act (1325/2004)

What data are processed?

Individual arrangements

First name, last name, personal identity code, gender, faculty, degree programme, year of starting current studies, student number, address, phone number, email address, any information given by the student when booking an appointment, information on registration for the academic year

In addition, we process the following data:

  • Description of the necessary arrangement and its justification
  • Attachments delivered by you, such as a copy of a doctor’s certificate, and their place of storage
  • Recommendations given by the expert panel on individual arrangements and by accessibility liaisons, their validity and their place of storage

Sources of personal data

  • The applicant
  • The student information system Sisu
  • The customer support request system Efecte

Storage periods

Storage periods are based on current legislation and the University of Helsinki’s archiving plan.

  • Expert statements and recommendations given to the student are stored no longer than the duration of the student’s studies, but data are deleted at six-month intervals. The data are stored in a paper archive.
  • E-mails coming to Efecte are kept in the system for two years after the case has been processed

To whom are your data disclosed?

Data related to individual arrangements are confidential and processed at the University only by those who need the data to plan and/or make individual arrangements.

Data can be disclosed with the student’s consent to officials with the statutory right to obtain data. In this case, the official must submit a written request, indicating the legislation on which the right to obtain data is based. Data may be disclosed without the consent of the student in cases with existing separate legislation on disclosing data or on the right to obtain data. Statistical data where an individual’s personal data are not identifiable can be forwarded and used, for example, in reports and presentations which discuss the nature and extent of individual arrangements.

Are data disclosed outside the EU?

Data regarding students who have been granted individual arrangements will not be transferred outside the European Union or the European Economic Area.

Contact information for data processing questions

p. 02941 24140, email: hakijapalvelut@helsinki.fi

Why do we process your personal data?

Personal data are processed in conjunction with the application procedure to the international master's degree programmes of the University and as part of completing the student admission process. The data file is used for the production of statistical data for the purposes of disseminating information about educational opportunities, as well as for planning, evaluating and developing education.

Documents attached to applications can be used also for training the Admissions Services staff in the application process. No documents are disclosed outside Admissions Services.

What personal data do we process?

Data pertaining to an applicant:

  • Applicant’s personal and contact details
  • Applicant’s education and other data relevant to the application process
  • Data related to the processing of the applicant’s application and their admission
  • Applicant’s consent to disclosure of their personal data for the purposes of communication and marketing pertaining to education
  • Documents attached by the applicant to the application
  • Applicant’s actions in the system

Data obtained from the applicant and study right register of Finnish higher education institutions (Studyinfo):

  • Applicant’s Studyinfo applicant number (learner ID)
  • Language, country, municipality, post office and basic education codes
  • Data related to University units/departments
  • Applicant’s personal and contact details

What is the lawful basis for processing?

Lawful basis for the processing of personal data:

  • Task carried out in the public interest and exercise of official authority vested in the controller

  • Compliance with a legal obligation to which the controller is subject

What are the sources for personal data?

Applicants use the system user interface to independently store their application data.

Data on higher education studies completed after 1995 by applicants with a Finnish personal identity code are transferred from the VIRTA student information system by automated means. Data are verified directly from the relevant controllers of data files who have given their permission. From the VIRTA database, personal data and data on study rights as well as on completed degrees and studies required for the admissions process are transferred via a technical interface.

Data provided by the applicants in their application or its attachments pertaining to international studies and degrees completed outside Finland can be verified from the awarding institution or from another relevant party

Retention times

Applications and their attachments submitted by the deadline are stored in the University of Helsinki archives for 10 years.

Do we disclose your personal data to third parties?

Applicants’ identification data and data pertaining to student admissions are transferred to the Studyinfo system. Data and documents are disclosed to experts who assess applications.

With the applicant’s consent, data pertaining to them can be transferred to other third parties.

Address details can be disclosed to be used for marketing purposes by the University of Helsinki only with the consent of the data subject.

If the applicant has employed an official education agency partner of the University of Helsinki in the application process, data pertaining to the processing of the application can be disclosed to that partner.

 

Do we transfer your data outside the EU/European Economic Area? 

Data on applicants are not regularly disclosed outside the European Union or the European Economic Area. However, the disclosure of data may be necessary, for example, for the verification of studies completed outside Finland when making decisions related to student admissions. We observe special care in conjunction with any disclosure of data. Data can be transferred to third parties outside the EU or EEA also with the express consent of the applicant.

Contact information for question about data processing 

opintopsykologi@helsinki.fianu.lehtinen@helsinki.fi 

Why do we process your personal data?

Data stored in the University of Helsinki counselling psychologists’ client data file are processed for the purpose of maintaining the counselling psychologists’ client relationships. In addition, contact details and anonymised statistical data stored in the data file will be used to monitor the quality of the counselling psychologists’ services and to develop them further.

What kind of personal data do we process?

The pieces of personal data collected from the student are first name, last name, personal identity code, gender, faculty, degree programme, first year of current studies, student number, address, phone number, email address, details provided by the student when booking an appointment, appointments made with counselling psychologists and cancellations, consultation records made by counselling psychologists on sessions as well as on related events and tasks, summaries, recommendations and statements. The IP address of the device used by the student is also collected during the booking of an appointment.

Counselling psychologists of the University of Helsinki maintain a client data file on individual consultations and comparable work, in addition to which they draw up consultation records on consultation sessions as well as related events and tasks. The counselling psychologists do this in their role as healthcare professionals, and in their work as psychologists they observe the following laws: the Act on Health Care Professionals (559/1994), the Act on the Status and Rights of Patients (785/1992) and the decree of the Ministry of Social Affairs and Health on patient records (298/2009). These records often contain information related to clients’ health.

What is the lawful basis for processing? 

For individual counselling, the basis for processing personal data is a legal obligation. As healthcare professionals, psychologists are obliged to observe the following legislation when providing consultation to individuals: the Act on Health Care Professionals (559/1994), the Act on the Status and Rights of Patients (785/1992) and the decree of the Ministry of Social Affairs and Health on patient records (298/2009). 

Consultation records related to group sessions outside individual counselling are based on students’ consent.

What are the sources for personal data?

From the data subject themself, the psychologist also makes records of counselling and related events and tasks, such as summaries, recommendations and statements.

Retention times

Data created in individual consultation sessions are stored in accordance with the laws concerning patient data. Booking data collected through the booking system are erased every academic year except the IP address which is stored for the time being. Details relevant to the counselling provided by the counselling psychologists, such as students’ personal data and other preliminary information provided by students, are transferred from the booking system (called Vihta, provided by Netorek Oy) associated with individual consultations to the Diarium booking system provided by Nordhealth Finland Oy.

Group consultation data that are not considered patient data are stored for four years. In the case of groups, data obtained through the booking system are erased, with the relevant information stored in the counselling psychologists’ digital archive.

Do we disclose your personal data to third parties?

The client’s data can be disclosed to the client at their request. Information can also be disclosed, with the consent of the client, to officials with the statutory right to obtain information. In this case, the official must submit a written request, indicating the legislation on which the right to obtain information is based. Information may be disclosed without the consent of the client in cases with existing separate legislation on disclosing information or on the right to obtain information.

Statistical data where an individual’s personal data are not identifiable can be forwarded and used, for example, in reports and presentations which discuss the nature and extent of students' psychological counselling. In addition, information on clients who have provided a written consent for research use can be used in scientific studies and publications in unidentifiable form.

Do we transfer your data outside the EU/European Economic Area? 

The data in the University of Helsinki counselling psychologists’ client data file will not be transferred outside the European Union or the European Economic Area. Connect platform which is used for remote appointments uses the US Twilio system. This platform does not store any information that identifies the student.

Contact details for enquiries concerning the processing of data 

tietosuoja@hy-norssit.fi  

Purpose of processing personal data 

The teacher training schools of the University of Helsinki need your personal data for the following purposes:  

BASIC EDUCATION  

  • Organisation of teaching  
  • Organisation of pupil admission  
  • Organisation of club activities  
  • Organisation of school health service 
  • Organisation of school meals  
  • Organisation of pupil welfare services (e.g., school social worker and psychologist services)  
  • Organisation of supervised practice teaching  
  • Provision of learning environments and other digital services  

GENERAL UPPER SECONDARY EDUCATION  

  • Organisation of teaching  
  • Organisation of student admission  
  • Organisation of club activities  
  • Organisation of student health service  
  • Organisation of school meals  
  • Organisation of student welfare services (e.g., school social worker and psychologist services)  
  • Organisation of the matriculation examination  
  • Organisation of supervised practice teaching  
  • Provision of learning environments and other digital services  

We store data pertaining to pupils’ and students’ school attendance, teaching arrangements and learning outcomes. The University of Helsinki teacher training schools are part of the University, and the schools conduct research with participation based on consent given by parents/carers and/or pupils and students.  

What data are being processed? 

BASIC EDUCATION  

  • Pupils’ basic and contact details (e.g., personal identity code, name, contact details, special diets, health data related to the organisation of teaching, Wilma credentials)  
  • Parents’ and carers’ names and contact details, data pertaining to custody, Wilma credentials  
  • Decisions pertaining to pupils (e.g., school transport, special needs education, permit applications and decisions)  
  • Data related to school attendance (e.g., school, class, year)  
  • Data related to pupils’ roles (e.g., mode of teaching, teaching in Finnish as a second language, language programme, religion and worldview studies) 
  • Pedagogical documents related to pupil support (general support, intensified support, special support)  
  • Data related to immigration (e.g., date of entry into Finland)  
  • Data related to certificates and assessment discussions as well as subject/course assessments  
  • Pupil-specific lesson entries (e.g., absences)  

  

GENERAL UPPER SECONDARY EDUCATION  

  • Students’ basic and contact details (e.g., personal identity code, name, contact details, special diets, health data related to the organisation of teaching, Wilma credentials)  
  • Parents’ and carers’ names and contact details, data pertaining to custody, Wilma credentials  
  • Decisions pertaining to students  
  • Data related to school attendance (e.g., school, class, year)  
  • Data related to students’ roles (e.g., mode of teaching, language programme, religion and worldview studies)  
  • Pedagogical documents related to student support  
  • Data related to certificates and subject/course assessments  
  • Student-specific lesson entries (e.g., absences)  

Data processed in special categories of personal data:  

  • Religious or philosophical beliefs  
  • Health data (e.g., allergies)  

What are the legal grounds for the processing? 

The processing of personal data is necessary to carry out the statutory duties of the controller of the data file. The teacher training schools are part of the University of Helsinki, and personal data can also be processed for the purposes of scientific research in the public interest. Pupils and students or their parents and carers are always asked to give their consent for participating in a study.  

Legislation pertaining to the operations of the teacher training schools: 

For basic education:  

  • Basic Education Act (628/1998) 
  • Basic Education Decree (852/1998) 
  • Comprehensive School Act (467/1983) 
  • Government Decree on the National Objectives for Education Referred to in the Basic Education Act and in the Distribution of Lesson Hours (1435/2001) 
  • Student Welfare Act (1287/2013) 
  • Act on the National Registers of Education Records, Qualifications and Degrees (884/2017)  

For general upper secondary education:  

  • Government decree on the application process for preparatory education after vocational education and training, general upper secondary education and basic education (294/2014) 
  • Act on General Upper Secondary Education (629/1998) 
  • Government Degree on General Upper Secondary Education (810/1998) 
  • Government Decree on the General National Objectives of General Upper Secondary Education and the Distribution of Lesson Hours (955/2002) 
  • Act on the Matriculation Examination (502/2019) 
  • Government Decree on the Matriculation Examination (915/2005) 
  • Student Welfare Act (1287/2013) 
  • Act on the National Registers of Education Records, Qualifications and Degrees (884/2017) 

Sources of personal data 

Personal data are collected from pupils and students themselves and their parents and carers. Other key sources of data include the following:  

  • Digital and Population Data Services Agency (previously Population Register Centre)  
  • KOSKI data repository  
  • Studyinfo service  
  • Matriculation Examination Board  
  • Pupils’ and students’ previous education institutions  

Storage periods 

We comply with the archiving plan of the University of Helsinki. Examples of stored data and storage periods:  

  • Education certificates and certificates of termination of studies are stored permanently.  
  • Data pertaining to pupils’ and students’ self-assessment and portfolios are stored for the duration of their compulsory education period.  
  • Lists and similar records pertaining to pupils’ and students’ schools and classes are stored for 50 years. 

To whom are your data disclosed? 

Regular disclosure of data includes  

  • Transcripts of record and study rights are stored in the KOSKI data repository (national registry and data transfer service for study rights and completed studies).  
  • Data related to the organisation of the matriculation examination are disclosed to the Finnish Matriculation Examination Board (e.g., registration data).  
  • Disclosure of data to the City of Helsinki for the organisation of school health service  
  • Pupils’ and students’ data can be disclosed to Statistics Finland, the Finnish Education Evaluation Centre (FINEEC), the Social Insurance Institution of Finland (Kela), the Finnish National Agency for Education or other authorities for organising, monitoring and compiling statistics on studies.  
  • Disclosure of data to another education provider in conjunction with transferring between education institutions  

Are data transferred outside the EU?  

We do not transfer or disclose personal data outside the EU. 

Research and Research Services

The mission of the University of Helsinki is to promote independent academic research and interact with the surrounding society. In fulfilling its mission, the University processes the personal data of researchers and specialists active in the University community.

Contact details in matters concerning the processing of your personal data 

You can contact the unit that served you about data processing related to the services. 

What is the purpose for processing personal data?

The University of Helsinki processes your personal data for purposes including the following:

  • We conclude an agreement with you on working in the University community. Such an agreement can be an employment contract, or a contract with a visiting scholar, docent or professor. Your contract connects you to a certain unit of the University. By concluding such a contract, you will gain University account credentials, and your personal data will be entered into data systems that support the University’s operations.
  • If you are in the process of acquiring competitive research funding, we will verify your eligibility, help you in drawing up the application and maintain information on your most important application targets. After funding decisions, we will process and monitor contracts related to your activities in our contract register, as well as your funding and its use in the financial administration system.
  • We will send you notifications on University events, practices and services.
  • When looking for literature to support your work, you can reserve material in the library system or request material by using an electronic form. You can publish in the University’s open publication channels, in which case we maintain your personal data in the role of both a publication channel user and author.
  • We maintain a register on data related to research and societal activity. These data have been primarily disclosed by you, but we can look for publications from external sources on your behalf. Part of such reporting is voluntary, while other parts constitute mandatory information retrieval regulated by the Ministry of Education and Culture.
  • In support of science communication, your personal data pertaining to research and societal activity are openly available through the Research Portal and the University’s website. You can create a website dedicated to your community.
  • When assessing and developing University operations, we may use your activity data as part of assessment material. Often, these datasets are only examined at the unit level.

In the case of the special responsibility area of the Helsinki University Central Hospital, we will process your publication data for the purposes of national publication data collection.

 

What data do we process?

We process information that describes your activities as a university researcher or expert, research resources and outputs, and societal interactions. Directly identifiable information includes personal identifiers in the university's information systems and international researcher identifiers. We also process your name, unit, discipline (subject) and contact information.

 

What is the legal basis for processing personal data?

Primarily, the basis for processing your personal data is legislation concerning the University of Helsinki, processing is necessary for the performance of a task carried out in the public interest: university's task is to promote free research and scientific and artistic culture. In certain special cases you have given your consent for the processing. 

 

From which sources we collect your personal data, what is the origin of the data?

Some of the personal data are collected from you.  

Certain details have been collected from other parties, including certain details pertaining to publications and social activity.

 

Retention times

We follow the archiving plan of the University of Helsinki. We retain information about our researchers permanently for archival purposes. Retention times are described in more detail in other data protection notices (e.g. Personnel administration)

 

To whom do we disclose your personal data? 

Information on research activities are public, excluding e.g. confidential research plans or information separately agreed with the funder.

 

Is personal data transferred outside the EU?

All data are normally stored within the European Economic Area (EEA).

The transfer of personal data outside the EU or the EEA must be carried out in compliance with the requirements of the GDPR, which means that we for example use EU Commission standard contractual clauses. We may also ask your consent, which may occur in conjunction with submitting a research funding application to a funding party located outside the EEA.

Communication and Community Relations

Contact details for enquiries concerning the processing of data

helsinkiunievents@helsinki.fi. If you wish to exercise your rights, please submit a written request to the contact person for the event.

Purpose of processing personal data

The personal data of participants are collected to help organise events and communicate information about them. We collect only personal data necessary for specific purposes.

Personal data are processed only for the following pre-determined purposes:

  • To organise an event and cater for special needs
  • To distribute information on an event
  • To send invoices relating to an event
  • To collect feedback on an event
  • To market similar events

What data are processed?

The data are collected from people registering for an event and include their name, common contact details and participation information. The data requested may vary according to the event, but we only collect necessary data. The data are collected directly in connection with registration through event-specific forms. Data provided by email or phone or in person can also be stored if they are relevant for the arrangements.

In addition, information related to payments and payment methods will be stored if a participation fee is charged.

Regular sources of data include event participants, our customer information system and invoice database, and public sources.

Photography at events

The University of Helsinki may use still and/or video photography at events. The photographs or videos may be published on the University’s website or social media accounts or in other publications related to the University. The material will not be used for commercial purposes.

What are the legal grounds for processing?

Personal data are processed in the legitimate interests of the controller and based on registration for an event.

Storage periods

Data associated with a specific event will be deleted once they are unnecessary for its organisation or follow-up. Contact details may be used after the event to send out information on upcoming events in the same field, after which the details collected may be stored anonymously for the purposes of statistics. Accounting material is stored as required under the Accounting Act.

To whom are your data disclosed?

We can also outsource the processing of personal data to a third party, such as an event organiser, in which case we will make contractual arrangements to ensure that personal data are processed in accordance with data protection legislation and otherwise appropriately. A third party may also be responsible for the event facilities, safety and security, or catering.

Are data disclosed outside the EU?

Personal data is not transferred outside the EU or the European Economic Area.

Contact information for questions related to data processing

alumni@helsinki.fi  

Purpose of processing personal data

The processing of the data of our graduates, exchange students and former and current staff members (alumni) is related to the mission of the University according to the Universities Act: Societal interaction.

We process the personal data of our alumni for the following purposes:

  • Recruitment of alumni
  • Maintenance of alumni community information to enable other activities
  • Management of alumni relationships, customer service and improving it
  • Production of alumni events
  • Communications (such as announcements of events, alumni newsletters)
  • Acknowledgement and rewarding volunteers
  • Planning alumni activities, i.e., developing customer-oriented activities, such as understanding the needs of alumni, improving the quality of operations and developing new services

What data are processed?

  • Alumni status, name and contact details
  • Language of communication
  • Student number and study information
  • Employment history and current job (if you have indicated them yourself)
  • Contact with alumni
  • Volunteering for the University (such as mentoring, or speaking at an event) and an estimate of the number of hours spent volunteering
  • Attendance at events aimed at University of Helsinki alumni
  • Any feedback or responses to customer satisfaction surveys
  • Self-declared interests of alumni with regard to alumni activities

What are the legal grounds for processing?

The processing of personal data is necessary for the performance of any task carried out in the public interest as referred to in the Universities Act (Section 2 of the Universities Act; Point 1e, Article 6 of the General Data Protection Regulation). Individuals join the alumni community of their own will.

Sources of personal data

The data of those who have given their consent are transferred from the student register to the alumni community. The alumni also provide personal data. (Address) information may be checked from public sources.

Storage periods

We retain the data of those who have joined the alumni community for the time being, i.e., the data will be deleted upon request or after we have been informed of the death of the person in question.

To whom are your data disclosed?

We do not disclose data to parties outside the University of Helsinki, excluding potential partners in the implementation of events or communication campaigns.

We use the following service providers for data processing:

  • Lyyti (event registrations)
  • Salesforce (maintenance of alumni data)
  • Fluido (Salesforce usage consulting)
  • MailChimp (sending newsletters)

Are data transferred outside the EU? 

We use MailChimp to send newsletters. The service provider is based in the United States and the data are also processed in the United States. MailChimp is committed to complying with the standard contractual clauses approved by the European Commission. More information is available on theMailChimp website.   

For personal data management, we use the customer relationship management system provided by Salesforce. The service provider is based in the United States and Salesforce also has subsidiaries in other countries outside the EU. In addition, Salesforce uses subcontractors that are also partly established outside the EU. These non-EU countries may not offer the same level of data protection as within the EU. As a safeguard, Salesforce offers what are known as binding corporate rules approved by supervisory authorities (meaning legally binding rules for the transfer of personal data to third countries within the group). For non-group subcontractors, standard contractual clauses approved by the European Commission are used as a safeguard. More information is available on the Salesforce website.  

 

Contact information for questions about data processing

yhteiskuntasuhteet@helsinki.fi

Purpose of processing personal data

We process your personal data to understand the needs of current and prospective donors, enhance our customer service and other operations, develop new services and communicate about our activities. This enables the University to maximise its social impact.

For donations made, we process your data for the purposes of accounting, communications, official reporting and archiving.

What data are processed?

We process your name, contact details and other data which third parties may combine and use to identify you. Such data may include:

  • Donation amounts and targets by person
  • Other donation details (bank, payment method, information in the message field)
  • Date of birth or personal identify code of private donors supplying this information with their online donation or donating at least €850 per year
  • Communications with donors and collaboration partners
  • Information on degrees and education
  • Employment information
  • Interest in the University of Helsinki alumni activities
  • Other interests
  • First language and preferred language
  • Participation in University events
  • Any other details made public by the person in question

What are the legal grounds for processing?

Primarily, the basis for processing data is legislation applying to the University of Helsinki and, in certain special cases, consent given by you (e.g., for communications or newsletter subscriptions). 

The processing of donor data occurs in compliance with a legal obligation.

In addition, collaboration partner data are processed in the legitimate interests of the controller.

Sources of personal data

Some required personal details come from you. For increased customer insight, the University of Helsinki can search for information from public sources. The data sources we use include online search engine services, the Digital and Population Data Services Agency, the University of Helsinki student and alumni records, the University event management system, and contact detail providers.

Storage periods

We preserve information permanently on donations made. We store other data for the period necessary to establish or maintain University of Helsinki collaboration partnerships. 

To whom are your data disclosed?

As a rule, we do not disclose data outside the University of Helsinki, except when responding to data requests under the Act on Openness of Government Activities or submitting official reports (including reports to the Ministry of Education and Culture, the Tax Administration and the National Police Board of Finland). Data can also be published as part of University communications, as agreed with each donor.

We use the following service providers for data processing:

  • MailChimp (sending newsletters)
  • Salesforce (managing data)
  • Lyyti (receiving event registration details)

Are data transferred outside the EU? 

We use MailChimp to send newsletters. The service provider is based in the United States and the data are also processed in the United States. MailChimp is committed to complying with the standard contractual clauses approved by the European Commission. More information is available on the MailChimp website. 

For personal data management, we use the customer relationship management system provided by Salesforce. The service provider is based in the United States and Salesforce also has subsidiaries in other countries outside the EU. In addition, Salesforce uses subcontractors that are also partly established outside the EU. These non-EU countries may not offer the same level of data protection as within the EU. As a safeguard, Salesforce offers what are known as binding corporate rules approved by supervisory authorities (meaning legally binding rules for the transfer of personal data to third countries within the group). For non-group subcontractors, standard contractual clauses approved by the European Commission are used as a safeguard. More information is available on the Salesforce website.

Contact information for questions about data processing

tanja.remes@helsinki.fi

Why do we process personal data?

While performing activities related to the University’s advocacy and lobbying efforts, we process the data of decision-makers and the members of the University community who have participated in these efforts.

We process personal data to understand the needs of society, to look after the best interests of the University and develop our engagement with decision-makers, as well as to improve the quality of these operations and to communicate thereof. This enables the University to maximise its social impact.

In addition, we process your personal data for the purposes of official reporting (Finnish Transparency Register).

What are the legal grounds for processing?

The processing of personal data is necessary for the performance of any task carried out in the public interest as referred to in the Universities Act (Section 2 of the Universities Act; Point e, Paragraph 1, Article 6 of the General Data Protection Regulation) and for compliance with a legal obligation (Finnish Transparency Register).

What data are processed?

The University processes the following personal data related to decision-makers:

  • Contact details
  • Communications and meetings with decision-makers as well as the topics of communications
  • Employment information
  • First language and preferred language

We process the following data related to individuals participating in the University’s lobbying efforts

  • Name and job title
  • Communications and meetings with decision-makers as well as the topics of communications

Sources of personal data

Data are collected from the following sources:

  • Public sources
  • The individuals in question
  • Individuals who have participated in the University’s lobbying efforts

Storage periods

We store the data permanently or, at minimum, for the period necessary to establish or maintain University of Helsinki’s public affairs. 

To whom are your data disclosed?

We report our data to the Finnish Transparency Register: https://www.avoimuusrekisteri.fi/en

We use the following service providers for processing of personal data:

  • Salesforce (CRM system) 

Are data disclosed outside the EU?

For personal data management, we use the customer relationship management system provided by Salesforce. The service provider is based in the United States, and Salesforce also has subsidiaries in other countries outside the EU. In addition, Salesforce uses subcontractors that are also partly established outside the EU. These non-EU countries may not offer the same level of data protection as within the EU. As a safeguard, Salesforce offers what are known as binding corporate rules approved by supervisory authorities (meaning legally binding rules for the transfer of personal data to third countries within the group). For non-group subcontractors, standard contractual clauses approved by the European Commission are used as a safeguard. More information is available on the Salesforce website.

Center for information technology

The IT Centre is an independent institute of the University of Helsinki that provides IT services for the University community.

Contact details for inquiries about the processing of data

helpdesk@helsinki.fi 

Why do we process personal data?

To be able to provide IT services, we need to process various types of information that can be used to identify you. Such services include but are not limited to: login service, network connections, software, computers, storage facilities, email, Microsoft 365, Wiki, Unitube, Moodle, Examinarium facilities and consultation. See all our centralised services in the IT Centre's service catalogue.

The purposes of processing include:

  • Handling and resolution of customer service requests
  • Administration of usernames and email addresses for the University of Helsinki’s information systems
  • Electronic user identification
  • Management of user rights
  • Maintenance of work computers usability
  • Maintenance and development of telecommunications networks
  • Sharing of application installation files and licence keys (incl. managing the acceptance of terms and conditions of use)
  • Verification related to licence management
  • Allocation of costs to University units
  • Investigation of faults and misuse
  • Management of coordinators and administrators of information systems
  • Supplier management
  • Provision of information security

What are the legal grounds for processing?

The processing of personal data is necessary to enable the completion of the University’s duties under section 2 of the Universities Act (558/2009) and the implementation of agreements between you and the University (employment contract, right to study or other agreement). The processing of personal data is also necessary for compliance with our legal obligations (such as the obligation to provide a sufficient level of information security on the basis of data protection legislation and Act on Information Management in Public Administration). 

What data are processed?

To be able to provide IT services, the University needs to process personal data from which you can be identified directly or indirectly. Direct identifiers include the personal identity code and student number. The data processed depends on the service used.

Here are examples of the data processed by the University of Helsinki:

  • student contact details, usernames and student numbers
  • students’ target degrees, degree programmes, study tracks, major subjects and faculties
  • employee contact details, usernames and personal identity codes
  • employee unit details, start and end dates of employment, information on the organisational structure
  • names and contact details of supplier contact persons
  • information on work computers (i.e., laptop and desktop computers)
  • information on the use of applications installed via the works computers management system
  • persons using work computers
  • device and login data stored in the log files of the Eduroam and visitor networks
  • staff and student details related to the completion of the University of Helsinki IT Security Test
  • information on administrator roles in information systems

Further information on the processing of personal data can be found in the IT Centre’s privacy policies.

 

Sources of personal data

Some required personal details come from you. Examples:

  • your name
  • language of communication

Some personal data are connected to the identifiers the University of Helsinki has assigned you either directly or indirectly. Examples:

  • username
  • device-specific code for your workstation’s network interface card

Some personal data are related directly to your studies or work. Examples:

  • login time
  • IP address

Further information can be found in the IT Centre's privacy policies.

Storage periods

Data retention needs vary from system to system and according to the purpose for which the data are used. 

For more details, see the IT Centre's privacy policies.

 

To whom are your data disclosed?

At the University of Helsinki, data is processed only by those employees of the University or those individuals mandated by the University or working on behalf of the University who need the data in their duties. Access to the data systems is restricted by user accounts. 

The University of Helsinki may also use external parties to process personal data, such as businesses that provide system services and process personal data on behalf of the University of Helsinki on the basis of a mandate.

Personal data will only be disclosed outside the University of Helsinki or processed by the University in lawful situations.

 

Are data disclosed outside the EU?

In principle, personal data processed in the centralised services of the IT Centre will not be transferred outside the EU. If, exceptionally, personal data is transferred, it will only be transferred to countries that have been recognised by the European Commission as providing an adequate level of data protection. Alternatively, the transfer of data may be carried out using standard contractual clauses approved by the Commission.

 

Library, archive and Helsinki University Museum Flame

Contact details for enquiries concerning the processing of data

kirjasto@helsinki.finicola.nykopp@helsinki.fi

Purpose of processing personal data

The Helka libraries use a customer register to monitor library loans, including debt collection and communication relating to loan monitoring as well as statistics. Loan monitoring also includes handling cases of errors. The contact details may also be used to request feedback on the service provided.

What data are processed?

Types of customer data in the data file:

  • Name
  • Personal identity code
  • Home address
  • Email address
  • Phone number (not required)
  • Customer identifier
  • PIN code
  • Service language
  • University username and its expiry date, for University community members
  • Customer group (e.g., student, staff, international guest, external)
  • Statistical group (e.g., faculty)
  • Notes if necessary, e.g., agreed-upon replacement books, special services granted
  • Transaction data, e.g., loans and fees

What are the legal grounds for the processing?

The processing is based on an agreement between the customer and the library (loans) or customer consent (the customer discloses the information or indicates that they consent to information being transferred from the University’s backend systems). Based on our legitimate interest in our contractual relationship, we may also send you requests for feedback.  

Sources of personal data

New customers: Data is received directly from the customer or through an update from the University’s backend systems (see detailed description below).

Updating existing customer data: If the customer has outstanding obligations (loans which have not been returned or unpaid fees), erroneous contact details can be updated from University systems, data provided by a debt collection agency or data from the Digital and Population Data Services Agency. The grounds for the processing is the agreement between the library and the customer.

Data for members of the University community are updated from the University’s backend systems (consent given in conjunction with first login). When the customer logs in to the library customer interface for the first time using their University credentials and gives their consent for data transfer, the following data will be stored in the library system:

  • Username in the form username@helsinki.fi
  • First and last name
  • Personal identity code
  • Phone number
  • Email address
     

Within the next 24 hours, the following data are transferred from University systems (Oodi, Sisu, SAP):

  • Home address
  • Work address at the University
  • Indication of status as employee/student
  • Faculty
  • Service language (Finnish, Swedish or English)
  • Expiry date of username

All of these data are maintained in other University systems and cannot be altered in the library management system. Any changes made to the data are updated once a day in the library management system.

Storage periods

Once a year, the data of any customers without outstanding obligations or loans or reservations in the previous three years are removed from the system.

Customers whose data is updated from the University’s backend systems are removed from the data file one year after the expiration of their University username, unless they have by that time given notification of wishing to continue as a customer or if they have outstanding obligations (loans which have not been returned, unpaid fees).

To whom are your data disclosed?

Data are not disclosed outside systems required to provide library services.

Helka services are produced on the Alma (backend system) and Primo (customer interface) platforms, which are provided by a company called Ex Libris.

Data on loans that have not been returned and unpaid fees as well as related customer data can be transferred to a debt collection agency.

Data is disclosed to Finnish officials according to existing legislation.

Ex Libris privacy policy

Are data disclosed outside the EU? 

No data is transferred outside the EU or the European

Contact details in matters concerning the processing of your personal data 

Helsinki University Museum Flame, Observatory and Art Room: liekki@helsinki.fi

What is the purpose for processing personal data?

At the Helsinki University Museum, personal data are processed for the following purposes: 

Customers and collaboration partners 

  • Registering for and organising museum events (e.g., guided tours, public events, workshops, lectures, camps) 
  • Receiving and organising facility bookings 
  • Administering agreements on archive use 
  • Processing image requests 
  • Invoicing 
  • Organising competitions and prize drawings 
  • Distributing information on museum services and operations as well as other communication (e.g., posting Christmas cards) 
  • Receiving and drawing up feedback and opinion surveys 
  • Administering research permits 

Museum collections 

  • Administering museum collections (e.g., owners, photographers, persons appearing in the collections) 
  • Administering data on collection donors and lenders[LV1] [TJM2]  
  • Administering users of the collection maintenance system 

Museum staff 

  • Recruiting staff and on-demand employees, agreeing on work shifts and paying fees (fee-based employees, trainees) 

What data do we process?

Customers and collaboration partners 

  • Name 
  • Employer and title, if any 
  • Contact details, including phone, email and postal address 
  • Events: Information on allergies and special diets, and with regard to children, their ages and the contact details of guardians 

Museum collections 

Data relating to collections, including

  • Name 
  • Date of birth, date of death, other dates relating to the person’s lifespan 
  • Gender 
  • Photos, videos and other material related to the person 
  • Education, profession
  • Places of study, work and residence 
  • Names of family members, as well as their dates of birth and death 
  • Data belonging to special categories of personal data (e.g., person’s health, political opinions, religious or philosophical beliefs) 

Data on donors and lenders: 

  • Name 
  • Job title, degree, retiree 
  • Employer (if donation is made on behalf of the employer) 
  • Contact details, including phone, email and postal address 
  • Donor’s connection to the original owner of the donated material (e.g., family relation) 

User data in the collection management system: 

  • Name, username, employer, date of birth, and other data provided by the user 

Museum staff 

  • Name
  • Contact details, including phone and email 

What is the legal basis for processing personal data?

The processing of personal data relating to customers and collaboration partners is based on consent, a contractual relationship or legitimate interests.

In the case of collections, the processing of personal data is necessary for archiving purposes in the public interest. 

In the case of staff, the processing of personal data is based on consent or a contractual relationship.

From which sources we collect your personal data, what is the origin of the data?

Museum customers, collaboration partners or donors provide their data independently (e.g., by filling a form or by email). 

Data relating to the collections can be obtained from other archives, customers, collaboration partners or public sources. Donors provide information on the person whose property the donated material originally was. 

Retention times

Contact details relating to on-demand employees as well as events, prize drawings, feedback, communication, facility booking and invoicing are stored for as long as they are necessary for the planning and organisation of operations. 

Data relating to collections are stored permanently. 

To whom do we disclose your personal data? 

As a rule, data on customers and collaboration partners are not disclosed outside the Museum. Data can be disclosed to collaboration partners, for example, for the purpose of organising joint events.

Data relating to the collections and donor data are disclosed in accordance with the general practices of museum operations. With the consent of donors, their contact details can be disclosed for research use or to another party requesting further information.

The names and contact details (phone number) of on-demand employees can be disclosed to other on-demand employees. 

Is personal data transferred outside the EU?

As a rule, personal data are not disclosed outside the EU. Personal data may be disclosed outside the EU when using an external service provider, for example, for surveys or registration. In such cases, the applicable safeguards are implemented (e.g., standard contractual clauses approved by the European Commission).

Copies of material included in the collections and data relating to the collections can be disclosed outside the EU as well.

The National Library is a separate institution of the University of Helsinki. You can read more about the processing of personal data at the National Library on their own pages: Link to the National Library's privacy policy page.

HR Services

Contact details in matters concerning the processing of your personal data 

 rekrytointi@helsinki.fi, you can modify and erase data by yourself on our recruitment portal: https://jobs.helsinki.fi/

What is the purpose for processing personal data?

Processing of applications, assessment of aptitude, and communication related to appointee selection.

We also wish to promote equality in our recruitment as well as ensure smooth integration into Finnish society for employees arriving from abroad. 

Personal data will also be processed for statistical purposes and, in the case of professor recruitment, the personal data of the top applicanrs will be stored permanently for archiving purposes in the public interests. 

What data do we process?

  • Applicant’s personal data (name, gender, date of birth, nationality)
  • Applicant’s address and contact details (street address, country, locality, postcode, email and phone)
  • Applicant’s internet addresses (e.g., applicant’s LinkedIn profile)
  • Applicant’s educational background
  • Applicant’s prior work experience
  • Applicant’s language skills, IT skills and other skills relevant to the position
  • Applicant’s employment preferences
  • Attachments related to the application (e.g., CV, list of publications)

Other details the applicant considers relevant to the position

Certain data are required for related processes and communication. The rest, provided voluntarily by the applicant, help us assess the applicant’s aptitude for the position in question.

For external assessors involved in University of Helsinki recruitment processes, names and email addresses are stored in the system.

What is the legal basis for processing personal data?

The applicant submits his/her personal data and application voluntarily. The legal basis for processing the data are the following:

  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (GDPR art 6.b)
  • processing is necessary for compliance with a legal obligation (GDPR art. 6.c)
  • processing is necessary for the performance of a task carried out in the public interest (GDPR art. 6.e, national Data Protection Act 4 §)
  • legitimate interests pursued by the controller: legal protection (GDPR art. 6.f) 

From which sources we collect your personal data, what is the origin of the data?

Data are collected from the data subject.

In the case of persons employed by the University of Helsinki, their name, date of birth and contact details are transferred to the recruitment system from the University of Helsinki’s SAP HR human resources information system.

In certain recruitment processes, data are also collected with the applicant’s consent from separate external assessors in, for example, aptitude assessments or, in professor recruitment, external academic assessments. 

Retention times

We will retain position-specific application data for approximately two years from the date of the recruitment decision, after which the applicant's direct identification data and application attachments will be deleted, with the exception of the selected candidates and top applicants for the assistant professor and professor positions, which are permanently stored for archiving purposes. The applicants' general information, e.g., date of birth, gender, nationality, graduation date and degree data, will be permanently retained and used in reporting only.

To whom do we disclose your personal data? 

In the case of recruitment processes including an aptitude assessment or another assessment by experts, personal data can be disclosed to the assessors involved in the process. In such cases, data can be processed by the assessors within or outside the European Union.

As an institution under public law, all recruitments made by the University are public. This means that, when requesting data from applicants, the Act on the Openness of Government Activities (621/1999) requires the University to disclose application documents and any data pertaining to the recruitment process.


Is personal data transferred outside the EU?

The data contained in the data file are stored within the European Union, and they are not transferred outside the EU or the European Economic Area. As an exception, personal data can be processed by external assessors outside the EU in conjunction with assessments associated with recruitment. When disclosing data outside the EU, we employ the protective measures required by law, such as the standard contractual clauses provided by the European Commission.

Contact information for question about data processing 

 HR lawyer: tuuli.siren-niskanen@helsinki.fi 

Why do we process your personal data?

The University of Helsinki processes your personal data to carry out activities related to human resources administration and employment affairs, as well as to fulfil its duties and obligations as an employer. The University of Helsinki utilises the data included in the data file when performing duties concerning data subjects required by legislation, collective agreements and separate decisions and regulations. Such duties include:

  • Human resources planning and staff cost budgeting
  • External and internal recruitment
  • Internal communication
  • Orientation, management of tools and facilities
  • Monitoring and allocation of working hours, work plans for employees observing the annual workload scheme
  • Management of employment data
  • Determination of salary and assessment of personal work performance
  • Payment of salaries, fees and grants
  • Skills development and training
  • Conduct of development discussions
  • Organisation of occupational healthcare and promotion of workplace wellbeing
  • Occupational safety duties (equality, work-related accidents)
  • Rewarding of employees (badges of merit, etc.)
  • Management of work-related travel and international assignments, travel invoicing
  • Completion of tasks related to the termination of employment
  • Statistics and reporting
  • Storage of professorship applicants’ data for research purposes

What kind of personal data do we process?

Data subjects employed by the University of Helsinki

  • Personal data: name, employee number, date of birth, personal identity code, gender, nationality, workstation address, work email, work phone
  • Education, badges of merit and medals
  • Employment and salary details, taxation details, banking details
  • Assessment of job requirements and personal job performance
  • Monitoring of working hours and absences
  • Details used in the identity management and access restrictions of systems

Fee and grant recipients, researchers, docents, visiting professors and professors emeriti

  • Personal data: name, employee number, date of birth, personal identity code, gender, nationality, workstation address, email
  • Education
  • Fee criteria and salary details, taxation details, banking details
  • Details used in the identity management and access restrictions of the system

Persons performing non-military service and agency contract workers

  • Personal data: name, employee number, date of birth, personal identity code, gender, work unit
  • Monitoring of working hours and absences
  • Details used in the identity management and access restrictions of the system

External parties attending training

  • Personal data: name, employee number, date of birth, personal identity code, gender, nationality, workplace address, email, phone
  • Education
  • Details used in the identity management and access restrictions of the system

Sensitive personal data: Health data and trade union membership data are processed in the HR systems.

What is the lawful basis for processing?

Data subjects employed by the University of Helsinki:

  • performance of a contract to which the data subject is party
  • compliance with a legal obligation to which the controller is subject
    • Legislation on which the processing is based: Employment Contracts Act (55/2001), Occupational Safety and Health Act (738/2002), Collective agreement
  • task carried out in the public interest/exercise of official authority vested in the controller:  Scientific or historical research purposes or statistical purposes
  • for the purposes of the legitimate interests pursued by the controller or by a third party: reporting required by funders, skills assessment
  • consent given by the data subject

Data subjects not employed by the University of Helsinki, such as grant-funded researchers, docents and fee recipients:

  • compliance with a legal obligation to which the controller is subject
  • performance of a contract to which the data subject is party
  • consent given by the data subject

What are the sources for personal data?

Personal data originate from the following sources:

  • Data subject
  • Authorities and insurance companies
  • Decisions related to human resources administration
  • Academic administration information systems (such as Oodi)
  • University of Helsinki identity management system and staff role register 

Retention times

The storage periods are based on the Archives Act (831/1994) and other relevant legislation, as well as the University of Helsinki's guidelines and archiving plan. Personal data are only stored for as long as they are needed. Most common storage periods: Employees’ employment contract data are stored for at least 10 years after the termination of employment and payroll data for 50 years. However, working hour monitoring data are only stored for two years. In the case of applicants to professorships for whom assessor statements have been requested, application documents are stored permanently for scientific research purposes.

Do we disclose your personal data to third parties?

Data may be disclosed to other university units when needed. At the university, personal data can be collected and processed by those whose job duties require it, eg supervisors and HR personnel, IT Center.

Data is also disclosed to authorities, employer and employee organisations, insurance companies, banks, subcontracted companies and consultants within the limits set by valid legislation and to the extent required by the provision of services, f.ex. Kela, providers of occupational health and travel agency services and the Finnish Education Employers association. 

Do we transfer your data outside the EU/European Economic Area? 

Data will only be transferred outside the EU or the EEA in cases where legislation, tax treaties or social security agreements stipulate that employer obligations pertaining to the employee are to be implemented outside the EU or the EEA.

Finance and payment traffic

Contact details for enquiries about the processing of data

jere.reinikainen@helsinki.fi

 

Why do we process personal data?

The University’s Financial Services processes personal data for the following purposes:

  • Managing purchase invoices (verification and approval)
  • Managing sales invoices (confirmation of accuracy)
  • Receiving online payments
  • Sending reminders for the purpose of invoice management
  • Managing travel requests and travel expense reports
  • Managing external funding (e.g., Academy of Finland)
  • Allocating working hours (allocating hours to the correct projects and profit centres)
  • Reporting (internally and to funders)
  • Accounting

Our partner in travel management is CWT. For further information on how CWT processes personal data, please click here: CWT global privacy policy and notice.

 

What are the legal grounds for processing?

The processing of personal data is necessary to fulfil obligations arising from legislation (management of sales and purchase invoices, including reminders; accounting). In addition, the processing of personal data may be necessary to implement a contract or an agreement to which you are a party (travel management, management of external funding, and allocation of working hours).

 

What data are processed?

The following personal data of employees are processed:

  • Name, contact details, job position or title, unit, WBS code, banking details
  • If necessary, year of birth, nationality, gender, highest level on the career path hierarchy for researchers, and personal identity code

The following personal data of non-employees are processed:

  • Name, contact details, job title, organisation, banking details

 

Sources of personal data

Personal data are collected from individuals themselves and, in the case of employees, from HR management systems.

 

Storage periods

Data are stored in accordance with accounting legislation and other obligations, such as funder requirements.

 

To whom are your data disclosed?

We disclose data to the Finnish Tax Administration, auditors and funders.

 

Are data disclosed outside the EU?

Data are processed within the EU and are not, as a rule, disclosed outside the EU. However, if you travel to a country outside the EU, your personal data will be disclosed if necessary to arrange the trip. Data may also be disclosed to funders outside the EU if you are involved in a project that receives funding from outside the EU. 

Administrative services

Contact details for inquiries about the processing of data

whistleblowing@helsinki.fi 

Why do we process personal data?

Personal data are processed to investigate and process notifications received through the whistleblower channel. 

What are the legal grounds for processing?

The University of Helsinki has a statutory responsibility to process notifications related to possible misconduct or illegal activities received through the whistleblower channel.

To the degree that special categories of personal data (such as health, religious beliefs, political opinions) need to be processed, the processing is necessary for the establishment, exercise or defence of legal claims, or reasons of substantial public interest based on legislation on whistleblower channels.

Legislation related to whistleblower protection:

  • The act on the protection of persons who report breaches of Union and national law (1171/2022)
  • Act on whistleblower protection (1771/2022)

What data are processed?

For the whistleblower: Name and contact information (if the whistleblower has enclosed/provided them). Whistleblowers can submit their notifications either using their own name or anonymously.

Object of the notification: Information related to illegal or unethical activities given in the notification or that have surfaced while investigating the notification.

Notification data irrelevant to investigating the notification will not be processed.

Sources of personal data

The data is received from notifications submitted through the whistleblower channel and from individuals participating in the investigation of the notification, as well as other parties necessary for the investigation of the notification.

Storage periods

As a rule, data received through the whistleblower channel will be stored for five (5) years at maximum.

Data can be stored for longer if it is necessary for the implementation of rights and obligations provided for in legislation or necessary for the establishment, exercise or defence of legal claims.

To whom are your data disclosed?

Data are processed among a predetermined processing group at the University of Helsinki. Information on suspected misconduct is disclosed to the specialist group handling the matter as well as the director of administration and the rector.

Depending on the case, data may be disclosed outside the University, if handling the matter requires contacting authorities, for example, reporting criminal activities with the police.

Are data disclosed outside the EU?

Data are not disclosed outside the EU.

Contact information for questions concerning the processing of personal data

lakipalvelut-yleishallinto@helsinki.fi, tel. 0294140855

Why do we process your personal data?

The purpose of processing your personal data is election of members for the administrative bodies of the University of Helsinki.

What is the lawful basis for processing data?

The lawful basis for processing is that the processing is necessary to comply with a legal obligation. We process sensitive data if the data subject has manifestly made the data public.

The Universities Act, chapter 3 prescribes on the administrative bodies of the university and electing members for them. The regulations and electoral regulations for the University of Helsinki, decreed on the basis of the Universities Act, sections 13, 15, 27, 28 and 29, give more detailed instructions on elections. In addition the University organizes elections on the basis of the Act on Occupational Safety and Health Enforcement and Cooperation on Occupational Safety and Health at Workplaces.

What kind of personal data do we process?

 

The University of Helsinki processes the following data:

  • name
  • e-mail address (for uniquely identifying the person)
  • data on staff group, duties, employment contract or agreement on research
  • registration of University Services staff member in the on-site campus services as a staff member entitled to vote and eligible for election in the elections of the faculty councils
  • candidature or acting as a nominator
  • data on a person’s right to vote and eligibility for election in the electoral roll
  • data on appeals concerning the electoral roll
  • decisions on appeals concerning the electoral roll
  • presentations of candidates
  • data on number of votes for a candidate

The following sensitive data may be processed, as candidates may make this data public in their presentations should they so wish:

  • political opinions
  • trade union membership

The list is not exhaustive, even other data will be processed if processing is necessary for organizing elections. 

What are the sources for personal data?

The persons themselves:

  • registration of University Services staff member in the on-site campus services as a staff member entitled to vote and eligible for election in the elections of the faculty councils
  • candidature or acting as a nominator
  • data on appeals concerning the electoral roll
  • presentations of candidates

The University staff data system

  • name
  • e-mail address (for uniquely identifying the person)
  • data on staff group, duties, employment contract or agreement on research

Electoral roll

  • data on a person’s right to vote and eligibility for election

Minutes of the University Elections Committee

  • decisions on appeals concerning the electoral roll

The University elections data system Vakka

  • data on number of votes for a candidate

Retention times

Retention times for data are determined in the University Archiving plan (AMS). The archives institution orders which data or documents are retained permanently. In accordance with an order of the archives institution the University Archiving plan determines that elections documents are retained permanently.

Do we disclose your personal data to third parties?

Data on members elected to administrative bodies (name, staff group) is published on the University external webpages. Results of elections (name, staff group, number of votes) and data on members elected to administrative bodies is published on the University internal webpages. Publishing of the data is based on

  • the legal obligation of the University to publicise its activities, as well as the rights and obligations of private individuals and corporations in matters falling within its field of competence
  • the legal obligation of the University to organize its administration by administrative bodies

Contact details for inquiries about the processing of data

pekka.launonen@helsinki.fi

Why do we process personal data?

The University of Helsinki is responsible for publishing Finland’s Official Government Directory and has the right, under the Universities Act, to obtain the information required for this purpose from government authorities. The Official Government Directory provides an overview of the structure of Finnish public administration and the individuals exercising public power or otherwise making decisions relevant to the public.

The directory has been published as a book since 1811. It is used as a reference work in the public and private sectors in Finland and abroad. Editing the directory requires taking into account its role in announcing foreign honours and decorations. 

What are the legal grounds for processing?

The legal grounds for processing personal data are compliance with a legal obligation and performance of a task in the public interest (Universities Act 558/2009, section 73; Data Protection Act 1050/2018, section 4).  

What personal data are published in the Official Government Directory?

The directory contains information on the senior public officials of government agencies and institutes and on contractually employed staff holding senior positions. For private companies and organisations, only senior management is presented.

Your following personal data are published in the directory:

  • First and last name
  • Professional title
  • Title of nobility
  • Academic degrees and titles
  • Honorary titles and decorations
  • Year of birth
  • First year in current position
  • Leave of absence, if any, lasting six months or more

Sources of personal data

Data are collected from government agencies and institutes, municipalities, and key associations. Individuals updating information on their organisations submit the relevant personal data to the Official Government Directory via its online service once a year.

Storage periods

The data are published in print and electronically on the Official Government Directory website. They are updated annually for the latest version of the directory.  

To whom are your data disclosed?

Alma Talent collects data annually for the Official Government Directory. If necessary, Alma Talent can disclose data for the layout of the book to the company responsible for it.

Are data disclosed outside the EU?

In producing the publication, personal data are not transferred outside the EU or EEA. 

 

Facilities and security

Contact details for enquiries about the processing of data

turvallisuusvalvomo@helsinki.fi

Purpose of processing personal data

The University of Helsinki uses access control and closed-circuit television (CCTV) to protect its assets, prevent criminal activity and misconduct, investigate criminal activity and misconduct that has already occurred, and provide a safe, secure and peaceful environment for staff and students.

The University’s access control systems collect and store data about the opening of doors with access control tags that are registered in the systems. This prevents and minimises unauthorised access to University premises, enables appropriate access and accessibility to authorised individuals, and helps maintain safe, secure and comfortable facilities for work, study and research.

What data are processed?

  • Name
  • Date of birth
  • Job title
  • Phone number
  • Number of office or location of building
  • Date of application for and issue of keys and access control tags
  • Log data for access control tags issued
  • Identifying data for keys returned and date of return
  • Digital video recordings in which persons captured on camera can be identified

What are the legal grounds for processing personal data?

The processing of personal data is based on legislation concerning the University of Helsinki and on legitimate interests. The University of Helsinki is obliged by law to provide its students with a safe learning environment (Universities Act, 559/2009, section 41a) and its staff with a safe working environment (Occupational Safety and Health Act, 738/2002).

Sources of personal data

For access control, the personal data of staff are derived from the University’s HR Services or from key application forms completed by the staff or their supervisors. Student data are obtained from the Sisu student information system. For CCTV, data are derived from the digital images recorded by cameras that are installed in the University’s premises or their immediate vicinity.  

Storage periods

For access control, personal data are deleted at the earliest when the relevant individual has returned the keys that have provided them with access to University facilities. Access control data (log data) are stored in the relevant systems for an average of approximately one year. 

CCTV recordings are stored depending on the capacity of the systems. Well-grounded suspicions of criminal activity or misconduct may lead to the storage of data for a longer period. 

To whom are your data disclosed?

Data are not disclosed regularly to parties outside the University of Helsinki or University of Helsinki Property Services Ltd.

Data from the systems can be disclosed to the authorities, for example, for the purpose of criminal investigations.

Are data disclosed outside the EU? 

We store all data within the European Economic Area (EEA). 

 

Contact information for question about data processing

Teaching facilities: tilavaraus@helsinki.fi 

Ceremonial and other bookable event facilities:

helsinkiunivenues@helsinki.fi 

 

Why do we process your personal data?

Data needed to organise events are collected from event organisers and processed for the following purposes:

  • Accepting the facility booking
  • Organising event services and catering for special needs 
  • Communicating on relevant services and activities, as well as on other matters, such as the collection of feedback 
  • Invoicing for the facility booking and services 
  • Collecting customer data for statistical purposes 

 

What is the lawful basis for processing?

The legal ground for the processing is the contractual relationship. The personal data are needed for us to book the agreed facility for the desired purpose and to provide other services related to the booking.

 

What kind of personal data do we process?

The data requested may vary according to the event, but we only collect necessary data. The data to be processed include

  • Name  
  • Details on the employer or other organisational information (booking organisation), if any  
  • Contact details, including phone, email and postal address 
  • Invoicing information 

 

Photography and filming in rented facilities

Upon agreement, still and/or video photography is permitted in events held at University of Helsinki facilities. Upon separate agreement, the photographs or videos may be published on the University’s website or social media accounts or in other publications related to the University. The material will not be used for commercial purposes.

 

What are the sources for personal data?

The data are collected directly from the individual or event organiser in conjunction with a written enquiry concerning the event facility. Data provided by email or phone or in person can also be stored if they are relevant for the arrangements. The booker of the facility will provide the details of the person responsible for the event arrangements, for example, in the booking form or by email.  

 

Retention times

Contact details relating to facility booking, events and invoicing are stored for as long as they are necessary for the planning and organisation of operations. 

Accounting material is stored as required under the Accounting Act. 

 

Do we disclose your personal data to third parties?

We can outsource the processing of personal data to a third party, such as a provider of event services, in which case we will make contractual arrangements to ensure that personal data are processed in accordance with data protection legislation and otherwise appropriately. A third party may also be responsible for the event facilities, safety and security, or catering. 

 

Do we transfer your data outside the EU/European Economic Area? 

As a rule, the data of bookers of facilities at the University of Helsinki are processed in the EU.

According to its data protection policy, the University will exercise particular care if personal data are to be transferred outside the EU or the European Economic Area (EEA) to countries where data protection regulations do not conform to the EU’s General Data Protection Regulation. 

If personal data are transferred outside the EU or the EEA, and the European Commission has not deemed the level of data protection in the target country to be sufficient, data protection will be ensured under the relevant legislation using the standard contractual clauses approved by the European Commission.

Your Rights

You can make a request for information about your personal data to tietosuoja@helsinki.fi

As for the exercise of other rights, practices vary depending on the context in which your data are processed and you can deal directly with the unit processing your data or, in certain cases, for example, delete, add or edit your data yourself. In case of doubt, you can contact the above address.

If the processing of personal data is based on your consent, you have the right to withdraw your consent. Withdrawal of consent shall not affect the lawfulness of the processing carried out on the basis of the consent prior to its withdrawal. 

You have the right to know whether your personal data is being processed and what data is processed. You may also request us to give you a copy of your personal data. 

If there are inaccuracies or the personal data processed about you are incomplete you have the right to request us to rectify or complete your personal data. 

You have the right to request the deletion of your personal data in the following cases:

a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed

b) You withdraw your consent on which the processing was based and there is no other legal ground for the processing

c) You object for the processing and there are no overriding legitimate grounds for the processing

d) The personal data have been unlawfully processed

e) The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject

 

You do not have the right to erasure, if the processing is necessary:

a) For compliance with a legal obligation which requires processing by law

b) For the performance of a task carried out in the public interest or in the exercise of official authority

c) For archiving purposes in the public interest, scientific of historical research purposes or statistical purposes if the erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing

d) For the establishment, exercise or defense of legal claims

You have the right to restrict the processing of your personal data. This means that we retain your information but do not process it in any other way. 

You have this right in the following cases: 

a) The accuracy of the personal data is contested by you. Then the processing will be restricted until the accuracy of the data is verified.

b) The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead

c) The university no longer need the data for the purposes of the processing, but you need the data for the establishment, exercise or defense of legal claims

d) You have objected to processing that is based on legitimate interest. Then the processing will be restricted for the time it is verified whether the legitimate ground for the controller override those of the data subject

When the processing is done by automatically means and the processing is based on your consent or a contract between you and the University, you have the right to have your data that you have provided, in a structured, commonly used and machine-readable format and have the right to transmit this data to another controller. 

When it is technically feasible, you have the right to have the data transmitted directly to the other controller.

You have the right to object for the processing of your personal data. Then we shall no longer process the data unless we demonstrate compelling legitimate grounds for the processing which overrides the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims. University can also continue to process your personal data if it is necessary for the performance of a task carried out in the public interest.

You have the right to lodge a complaint with the Data Protection Ombudsman’s Office if you think your personal data has been processed in violation of applicable data protection laws.

 

Contact details:

www.tietosuoja.fi 

Office of the Data Protection Ombudsman

Visiting address: Ratapihantie 9, 6th floor, 00520 Helsinki

Postal address: PL 800, 00521 Helsinki

Switchboard: 029 56 66700

E-mail: tietosuoja@om.fi

Data requests under the Act on the Openness of Government Activities

Do you want information about documents or data held by the university? You can submit a request for information to the university in accordance with the Act on the Openness of Government Activities. Please refer to the description of document publicity and make a request for information according to the guidelines. 

Link to the document disclosure statement