
Privacy notice for students
General Data Protection Regulation (EU) 2016/679 (GDPR), Articles 13 and 14

Dear current and former students,

This notice concerns degree students, exchange students, non-degree students who have a right to pursue single course(s) and Open University students. The notice contains information about how personal data on students is processed and the rights that students have to their own personal data.

In order to comply with our educational duties, such as arranging teaching, collecting and maintaining data on studies and degrees, and providing student services, we have to process various kinds of information by which an individual may be identified, ‘personal data’. In this context, the student is referred to as a ‘data subject’ and we are referred to as the ‘controller’, that is, the party that controls the processing of the personal data for the abovementioned purposes. We only process personal data that is necessary for complying with our duties. Therefore, we collect and handle more personal data on degree students than on the other student groups.


Student information


1 July 2020, contact details for controller updated, updates to items 3, 5, 6, 14
9 September 2019, contact details updated in items 2, 9, 10 and 11, updates to item 5
26 June 2019, updates to item 14
30 April 2019, updates to item 6
27 March 2019, updates to items 3 and 6 and the appendix
1 January 2019, updates to items 3, 6 and 7
25 May 2018, original document

Controller, unit in charge:

Aalto University
Aalto University Foundation
Postal address: P.O. Box 11000, FI-00076 AALTO
Street address: Otakaari 24, 02150 Espoo
Tel.: +358(9) 47001 (exchange)

Learning Services
Eija Zitting, Director, Learning Services

Short description

A description of the university’s processing of personal data on students in order to comply with its statutory educational duties

A: Personal data collected directly from data subject


B: Personal data collected elsewhere than from the data subject


1.    Contact details for the unit in charge:

Learning Services

2.    The data protection officer with contact details

Anni Tuomela, Legal Counsel, Aalto University
Postal address: P.O. Box 11000, FI-00076 AALTO
Street address: Otakaari 24, 02150 Espoo
Tel.: +358 (9) 47001 (exchange)

For questions concerning the university’s data protection policies, the present notice or other matters concerning the processing of personal data by the university, the student may contact the Aalto University data protection officer.

3.    Purpose and legal grounds for the processing of personal data

The university processes personal data

In addition, the university may process personal data

The university’s right to process personal data as a controller is based on the following

The university has a right as controller to process special categories of personal data when

Main statutes

4.    Purposes of legitimate interest pursued by the controller or by a third party (applies only to Case A; processing is based on point f of Article 6(1))


5.    Special categories of personal data

Aalto University processes the special categories of personal data concerning students; the following data are necessary and are collected:

Individualising information:

Information regarding the student’s studies:

Special categories of data (sensitive data) concerning studies:

Special categories of data concerning students may be handled during processes involving:

6.    The recipients or categories of recipients of the personal data

At Aalto University, the data is processed only by Aalto employees or contracted individuals working on behalf of Aalto who need the data for their work duties. The information is protected from unauthorised handling. Access rights are in place to restrict unauthorised access to the student information systems. The personal data is processed mainly by Learning Services staff and teaching staff. In addition, personal data may be processed by other Aalto services, such as campus and security services, Learning Centre services, IT services, HR services and financial services. Personal data of doctoral students are also processed in the data management system of the university’s research support services.

Starting from academic year 2019-2020, the necessary identifier data and contact details on new degree students are also transferred to the customer database of the Aalto University Learning Centre.

Aalto University may also use outside processors, such as system service providers that process personal data on behalf of Aalto on the basis of a commission contract.

Aalto University discloses personal data to parties outside the university or processes data for purposes other than the original only in situations where such disclosure or processing is permitted by law.

Aalto University may disclose such personal data on students as is necessary to the following recipients:

In addition, Aalto University may disclose personal data on students as follows:

The main sources of information that may be disclosed include the Oodi student information system and the MoveOn mobility system. Part of the permanently stored student information and information on mobility periods by the student are transferred to Virta, the National Data Warehouse for Higher Education.

7.    Planned transfers of personal data to third countries or international organisations

The data protection policy of the university is to exercise particular care when transferring personal data outside the EU and the EEA to countries that do not offer the data protection required by the European General Data Protection Regulation (GDPR). Transfers of personal data outside the EU and EEA are done in accordance with the requirements of the GDPR.

Personal data are transferred to institutions of higher education outside the EU and EEA area.

When processing personal data, Aalto University uses cloud services that may transfer personal data outside the EU and EEA area.

8.    Period for which personal data are stored / Criteria used to determine the period for which data are stored

The periods for which personal data saved in systems and manual material are stored are based on the law and the records management plan of Aalto University.

Permanent storage (under the Act on National Study and Degree Registers 884/2017, sections 25 and 27):

By decision of the National Archives of Finland, other personal data of the student may also be stored permanently.

Main types of personal data not stored permanently:

Periods for which data are stored may vary in individual cases and they may be revised.

9.    Right of access by the data subject, right to rectification, right to erasure, right to restrict processing and right to data portability (Articles 15, 16, 17, 18 and 20 of the General Data Protection Regulation)

Please note! Students wishing to access or rectify personal data only in a specific information system do not have to request access to all their data.
Many of the university’s systems allow students to access their own personal data with an Aalto University IT account. The student can obtain information on his or her saved study attainments by contacting a course staff person or other person specified (6 months). A list of the key systems and services where student personal data are processed is provided at the end of this document.

To make any information requests related to his or her rights as a data subject, the student may use the personal data portal

Right of students to access their data

Students have a right to know what personal data are being processed and what data concerning them have been saved.

Right of the student to rectification of data

Student right to erasure of data

Depending on the legal basis, the student may have a right to have their personal data erased from the register of the school. This right shall not apply to cases where data processing is necessary for compliance with a legal obligation or for a task carried out in the exercise of official authority vested in the school. The storage and erasure of data shall comply with the records management plans of the university and the data storage periods required by legislation.

Right to restrict processing

Right to data portability

10.    Right of the data subject to object to processing of personal data (General Data Protection Regulation, Article 21)

Right to object to processing of personal data

To make any information requests related to his or her rights as a data subject, the student may use the personal data portal

11.    The right of the data subject to withdraw consent

12.    The right of the data subject to lodge a complaint with a supervisory authority

13.    Is the provision of personal data a statutory or contractual requirement, or a requirement necessary to enter into a contract, and is the data subject obliged to provide the personal data? / What are the possible consequences of failure to provide such data

The student shall provide all personal data necessary for the process in question and is responsible for their accuracy. Providing personal data is often necessary for completing a process task.

14.    Origin of personal data other than from the data subject

Information concerning students is collected directly from the following sources:

Information may be observed, inferred or derived from the use of the IT services or systems provided for student use by the university or collected by the security and monitoring services used by the university (e.g. camera surveillance).

15.    Processing of personal data for automated decision-making, incl. profiling



List of the key information systems and services where student personal data are processed

Aalto University’s shared teaching and study administration systems where student personal data are processed:

Personal data are also processed otherwise than in the shared information systems, in some cases manually

Stored examinations as well as other study attainments
Aalto University school departments

Student files (Aalto University schools of technology – CHEM, ELEC, ENG and SCI): documents concerning the student’s study-related processes
Degree programme offices

Individual study arrangements
School contact persons for accessibility

In addition, personal data are processed as necessary in other shared Aalto University information systems and services, such as IT identity management.