Privacy notice for students
General Data Protection Regulation (EU) 2016/679, (GDPR), Articles 13 and 14
Dear current and former students,
This notice concerns degree students, exchange students, non-degree students who have a right to pursue single course(s) and Open University students. The notice contains information about how personal data on students is processed and the rights that students have to their own personal data.
In order to comply with our educational duties, such as arranging teaching, collecting and maintaining data on studies and degrees, and providing student services, we have to process various kinds of information by which an individual may be identified, ‘personal data’. In this context, the student is referred to as a ‘data subject’ and we are referred to as the ‘controller’, that is, the party that controls the processing of the personal data for the abovementioned purposes. We only process personal data that is necessary for complying with our duties. Therefore, we collect and handle personal data more regarding degree students than the other student groups.
25 May 2018
Controller, unit in charge:
A description of the university’s processing of personal data on students in order to comply with its statutory educational duties
A: Personal data collected directly from data subject
B: Personal data collected elsewhere than from the data subject
1. Contact details for the unit in charge:
Learning Services firstname.lastname@example.org
2. The data protection officer with contact details
Jari Söderström, Senior Legal Counsel, Aalto University
Postal address: P.O. Box 11000, FI-00076 AALTO
Street address: Otakaari 24, 02150 Espoo
Tel.: +358 (9) 47001 (exchange)
For questions concerning the university’s data protection policies, the present notice or other matters concerning the processing of personal data by the university, the student may contact the Aalto University data protection officer.
3. Purpose and legal grounds for the processing of personal data
The university processes personal data
- to organise teaching and to realise and attest the student’s right to study
- to manage and to report statistically on completed degrees and studies (study attainments)
- in order to develop teaching, and
- for the physical and information security of the learning environment as well as the safety of students and other members of the university community.
In addition, the university may process personal data
- for scientific research and
- for study-related marketing communications or other special purposes.
The university’s right to process personal data as a controller is based on the following
- the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1) point e)
- the processing is necessary for compliance with a legal obligation to which the controller is subject (General Data Protection Regulation, Article 6(1) point c)
- the consent given by the data subject and, in certain cases, when necessary for the performance of a contract (Article 6(1) points a and b).
The university has a right as controller to process special categories of personal data when
- the processing is necessary for reasons of substantial public interest (Article 9(2), point g).
- Universities Act (558/2009) and the decrees given under it
- the Government Decree on University Degrees (794/2004) as amended and any prior decrees concerning degrees in science and technology, business, and art and design
- the Act on National Study and Degree Registers (laki valtakunnallisista opinto- ja tutkintorekistereistä, 884/2017, chapter 5)
- the General Data Protection Regulation (EU) 2016/679 and its complementary national statutes
- the Act on the Openness of Government Activities (621/1999)
4. Purposes of legitimate interest pursued by the controller or by a third party (applies only to Case A; processing is based on point f of Article 6(1))
5. Special categories of personal data
Aalto University processes the special categories of personal data concerning students; the following data are necessary and are collected:
- individual-specific identifier data (name, personal identity number, birthdate, student number, national learner ID, username)
- background information (such as admissions information, gender, nationality and language information)
- contact details (e-mail address, telephone number, postal address)
Information regarding the student’s studies:
- Rights to study towards a degree or towards parts of a degree
- Degrees earned
- Enrolment for the academic year
- Memberships in the student union and its special status associations
- Study attainments (incl. theses, examination responses and other completed assign-ments used to assess study attainments) and their evaluation
- Thesis publication data
- Examination and course registrations and information on participation in teaching
- Information on video-monitored electronic exam sessions
- Plans of studies and other information pertaining to supervision and advising of studies
- Information on practical training
- Information on international student exchanges
- Information on tuition-fee liabilities
- Information on grants and scholarships
- Student feedback information
- Information necessary for the organisation of student services, including IT, facility and library services
Student study information that may contain special categories of personal data (sensitive data):
- Information relating to any individual study arrangements or support received for studies
- Information on extensions or reinstatement of the right to study
- Accounts of any aberrations in the student’s studies or activities in the university environment and their consequences
6. The recipients or categories of recipients of the personal data
At Aalto University, the data is processed only by Aalto employees or contracted individuals working on behalf of Aalto who need the data for their work duties. The information is protected from unauthorised handling. Access rights are in place to restrict unauthorised access to the student information systems. The personal data is processed mainly by Learning Services staff and teaching staff. In addition, personal data may be processed by Aalto’s campus- and security services, Learning Centre services, IT services, HR services and financial services.
Aalto University may also use outside processors, such as system service providers that process personal data on behalf of Aalto on the basis of a commission contract.
Aalto University discloses personal data to parties outside the university or processes data for purposes other than the original only in situations where such disclosure or processing is permitted by law.
Aalto University may disclose such personal data on students as is necessary to the following recipients:
- Aalto University Student Union (AYY)
- Finnish Student Health Service
- the Ministry of Education and Culture’s KOTA database
- Finnish National Agency for Education
- via a technical interface through the National Data Warehouse for Higher Education for the use of the student admissions register
- via a technical interface to the Social Insurance Institution of Finland, Kela
- via a technical interface to the National Data Warehouse for Higher Education for the use of the National Supervisory Authority for Welfare and Health
- as a technical record via the National Data Warehouse for Higher Education to Statistics Finland
- the employment authorities
- immigration authorities
In addition, Aalto University may disclose personal data on students as follows:
- for scientific research
- to comply with the Act on the Openness of Government Activities (621/1999) or with other legal obligations
- to other Finnish institutions of higher education in order to process a right to study or to transfer information on completed studies as a part of cooperation in teaching, for example
- to institutions of higher education abroad, including outside the EU and EEA area, for the implementation of double and joint degrees or for transferring information about completed studies
- with the student’s consent, contact information may be disclosed to parties outside the university for marketing communications or other special purposes
The main sources of information that may be disclosed include the Oodi student information system and the MoveOn mobility system. Part of the permanently stored student information and information on mobility periods by the student are transferred to Virta, the National Data Ware-house for Higher Education.
7. Planned transfers of personal data to third countries or international organisations
The data protection policy of the university is to exercise particular care when transferring per-sonal data outside the EU and the EEA to countries that do not offer the data protection required by the European General Data Protection Regulation (GDPR). Transfers of personal data outside the EU and EEA are done in accordance with the requirements of the GDPR.
8. Period for which personal data are stored / Criteria used to determine the period for which data are stored
The periods for which personal data saved in systems and manual material are stored are based on the law and the records management plan of Aalto University.
Permanent storage (under the Act on National Study and Degree Registers 884/2017, sections 25 and 27):
- learner ID, ID number or a similar individual-specific identifier data;
- data on the degrees and professional specialisation programmes completed by the student, as well as on all study attainments and their grades
- data on the persons rights to study in degree programmes or professional specialisation programmes and information on accepting an offer of admission and enrolment as a student in degree programmes or professional specialisation programmes.
By decision of the National Archives of Finland, other personal data of the student may also be stored permanently.
Main types of personal data not stored permanently:
- Course and examination registration data are stored for a minimum of 2 years
- Saved study attainments are stored for a minimum of 6 months
- Any personal data related to study processes other than those stored permanently are stored until the graduation of the student or alternatively for a minimum of 5 years.
- Sensitive data are stored as long as necessary but for no more than 4 years.
Periods for which data are stored may vary in individual cases and they may be revised.
9. Right of access by the data subject, right to rectification, right to erasure, right to restrict processing and right to data portability (Articles 15,16,17,18 and 20 of the General Data Protection Regulation)
Please note! Students wishing to access or rectify personal data only in a specific information system do not have to request access to all their data.
Many of the university’s systems allow students to access their own personal data with an Aalto University IT account. The student can obtain information on his or her saved study attainments by contacting a course staff person or other person specified (6 months). A list of the key systems and services where student personal data are processed is provided at the end of this document.
To make any information requests related to his or her rights as a data subject, the student may send an e-mail to: email@example.com
Right of students to access their data
Students have a right to know what personal data are being processed and what data concerning them have been saved.
- The student may make an information request to the university. In such cases, the following procedure is to be followed:
- The university provides the information requested without undue delay. The person making the request must verify his/her identity as necessary. The requested information or the additional information related to the request must be provided no later than one month after receiving the request. If the information request is complex and comprehensive, the deadline may be extended by two months.
- As a rule, the information shall be provided free of charge. For any further copies requested by the student, the university may charge a fee based on administrative costs. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the university may either charge a fee based on administrative costs or refuse to act on the request. The university shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
- If the university does not provide the information requested, the student will be provided with a written account of the matter. The written account will also include an explanation of the student’s rights to judicial remedies, for instance, the right to lodge a complaint with the supervisory authority.
Right of the student to rectification of data
- The student has a right to have any inaccurate or incomplete personal data concerning him or her rectified or completed without undue delay. In addition, the student has a right to demand that all personal data concerning him or her that is no longer necessary be erased.
- If the university does not accept the student’s request for rectifying his or her personal data, the student will be given a written account specifying the reasons for rejecting his or her request. The written account will also include an explanation of the student’s rights to judicial remedies, for instance, the possibility of lodging a complaint with the supervisory authority.
Student right to erasure of data
Depending on the legal basis, the student may have a right to have their personal data erased from the register of the school. This right shall not apply to cases where data processing is necessary for compliance with a legal obligation or for a task carried out in the exercise of official authority vested in the school. The storage and erasure of data shall comply with the records management plans of the university and the data storage periods required by legislation.
Right to restrict processing
- In certain situations, students may have the right to restrict the processing of their per-sonal data until the legal basis for the data or their processing has been duly checked and rectified or completed.
Right to data portability
- The right to data portability means that the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the university, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the university. This right shall apply only to situations where the processing is carried out by automated means and is based on consent or on a contract.
- This right shall not apply to cases where data processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. As a result, this right shall not apply, as a general rule, to the personal data files of the university.
10. Right of the data subject to object to processing of personal data (General Data Protec-tion Regulation, Article 21
Right to object to processing of personal data
To make any information requests related to his or her rights as a data subject, the student may send an e-mail to: firstname.lastname@example.org
- The student shall have the right to object, on grounds relating to his or her particular situ-ation, at any time to processing of personal data concerning him or her which is based on the performance of a task carried out in the public interest or in the exercise of official authority or the legitimate interest of the university. In such cases, the university shall no longer process the personal data unless the university demonstrates compelling legitimate grounds for the processing.
- Where personal data are processed for direct marketing purposes, the student shall have the right to object at any time to processing of personal data concerning him or her for such marketing.
11. The right of the data subject to withdraw consent
- In situations where the processing of the personal data is based solely on consent, the student shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
- As a rule, the withdrawal of consent is communicated to the party to which the original consent was given. If this is impossible, the student may e-mail to: email@example.com
12. The right of the data subject to lodge a complaint with a supervisory authority
- The student shall have the right to lodge a complaint with a supervisory authority, if they consider that the processing of personal data relating to him or her infringes the General Data Protection Regulation (EU) 2016/679. In addition, the student has a right to use oth-er administrative or judicial remedies. Further information www.tietosuoja.fi
- The student shall have the right to bring proceedings against the controller or the organi-sation processing the personal data before a court if the student considers that the pro-cessing of his or her personal data infringes the General Data Protection Regulation.
13. Is the provision of personal data a statutory or contractual requirement, or a requirement necessary to enter into a contract, and is the data subject obliged to provide the personal data? / What are the possible consequences of failure to provide such data
The student shall provide all personal data necessary for the process in question and is respon-sible for their accuracy. Providing personal data is often necessary for completing a process task.
14. Origin of personal data other than from the data subject
Information concerning students is collected directly from the following sources:
- national student application systems or those of the higher education institution
- international student application systems
- Finnish or foreign higher education institutions
- online payment and registration services
- university staff
Information may be observed, inferred or derived from the use of the IT services or systems provided for student use by the university or collected by the security and monitoring services used by the university (e.g. camera surveillance).
15. Processing of personal data for automated decision-making, incl. profiling
List of the key information systems and services where student personal data are processed
Aalto University’s shared teaching and study administration systems where student personal data are processed:
- Student register (the Oodi student information system)
- Enrolment management for new degree-students (Oili)
- Personal study plan (on SISU)
- Course information management (MyCourses)
- Management of informational and electronic processes for international student mobility (MoveOn)
- Electronic services for students (eAge and Nintex)
- Similarity check for written assignments (Turnitin)
- Electronic examinations (EXAM)
- Course feedback system
- Media service for recording teaching and presentations (Panopto)
- Online booking and scheduling (Vihta)
- The Open University customer register and course registration system (AIMO)
Personal data are also processed otherwise than in the shared information systems, in some cases manually
Stored examinations as well as other study attainments
Aalto University school departments
Student files (Aalto University schools of technology – CHEM, ELEC, ENG and SCI): documents concerning the student’s study-related processes
Degree programme offices
Individual study arrangements
School contact persons for accessibility
In addition, personal data are processed as necessary in other Aalto University’s shared infor-mation systems and services such as IT identity management.