Aalto University

Aalto University privacy notice for partnership services

This privacy notice provides information to Aalto University alumni, donors and stakeholders about the processing of their personal data in CRM-system as part of the services of the Aalto University Advancement and Corporate Engagement (ADCO).

General provisions concerning privacy and protection of personal data are included in Aalto University Data Protection Policy. Also Records Management Plan (TOS) regulates processing personal data. In addition, Aalto University has appointed Data Protection Officer ([email protected]).

At Aalto, our operations take place in compliance with the Act on the Openness of Government Activities (621/1999). Pursuant to the principle of openness set out in the act, information in the possession of a university is public unless otherwise provided by law. Compliance with the act may obligate the university to disclose personal data to third parties.

Read our Policy

Read our plan

If you have been invited to attend our event, you will find more information about the processing of personal data necessary for organizing of events from this privacy notice:

Privacy notice for Aalto University communication and events

Why and on what basis does Aalto University process your personal data?

A purpose of the processing of personal data is to better understand the needs of Aalto University’s internal and external customers, alumni and partners, as well as to improve the quality of our operations, the selection of new services, and the targeting and depth of our customer services. An additional goal is to further Aalto University’s societal impact as well as the university’s relationship management and engagement with individuals and with industry.

The university may also process personal data for data protection purposes and to prevent and investigate data breaches or misuse.

Services for alumni and partnerships process personal data for three purposes, the legal grounds for which are as follows:

Alumni activities are voluntary and the related personal data is use to help administer alumni memberships, relations, activities and communications, as well as for Aalto University alumni operations and service marketing purposes. The data may also be used to generate statistical information for Aalto University’s use. The processing of personal data is based on the legitimate interest of the controller.

Stakeholder lists include individuals whom, due to their position or professional duties, Aalto may wish to contact as experts, mentors, partners, visiting lecturers, research subjects, or for other roles in Aalto University activities or those billed by Aalto University, such as tuition fees or those billing Aalto University. Personal data collected for partnership activities may be used for communications about the work of Aalto or of a part of Aalto as well as in other stakeholder communications. The processing of personal data is based on the legitimate interest of the controller and for personal data related to billing, on the controller’s legal obligations.

Personal data on donors is collected in connection with their donations. The personal data is used in communications for donors, for example, in donor newsletters and in invitations to stakeholder events. Donor information may be published and remain online permanently (e.g. donor names may be on a webpage) if the donor granted consent for this when making a donation. The processing of personal data is based on the legitimate interest of the controller and, as for receipts and permanently stored data, on the controller’s legal obligations.

If personal data collected in the context of alumni or partnership activities is used for direct marketing for commercial purposes, this practice is based on the legitimate interest. In such cases, we follow the legal provisions on electronic services and electronic direct marketing.

What personal data does Aalto University collect and process?

The personal data processed by the university may be divided into the following categories:

Identification data:

name and contact details
date of birth, gender and nationality (alumni)
personal identification number (private donors)

Links to social media pages of the data subject. Link to theses, published with consent of the author.
Information relating to alumni activities, degrees and theses, published with consent of the author
Information relating to donations.
Information relating to billing.
- bank account
Information relating to marketing impact

How do we collect personal data?

Data on alumni activities is transferred from the Aalto University student information system by consent of the data subject or received from the data subjects as they register.

With respect to other services, the data is for the most part collected from the data subjects themselves through their registrations or through other contact with them.

Personal data may be collected and updated using other personal data files of Aalto when a legal basis for it exists, as well as from the following: the Finnish Trade Register; online services and software applications of companies; authorities and companies providing services concerning personal data; and any publically accessible online sources.

To whom do we disclose personal data?

Aalto University uses external service providers, who may process personal data as part of their services. The service providers are considered data processors to the extent that they process personal data and do so in accordance with the aims defined by Aalto University.

As a part of the university’s societal impact work, we engage in broad collaboration with various businesses and public organisations, and we participate in activities of ecosystems that share the goals of the university and are in line with the university’s interests. The university requires of its partners trustworthiness and a code of conduct, and responsibility for protecting personal data is arranged according to the GDPR for each collaborative relationship.

In order to measure and direct the impact of our work, we need to follow the scale and, if possible, relevance of our networks and collaborations. This requires transparency as well as effective utilisation of both human and technical resources. We may disclose needed personal data to these collaborative partners on a case-by-case basis.

Transfer of personal data to third countries

A data protection policy of the university is that particular care is to be taken when transferring personal data outside the EU and the EEA to countries that do not offer the data protection required by the European General Data Protection Regulation (GDPR). Transfers of personal data outside the EU and EEA are done in accordance with the requirements of the GDPR, using as a basis e.g. its reference to decisions made on the adequacy of the level of protection provided (Article 45), utilising standard agreement clauses and following other data protection measures in accordance with the GDPR.

Period for which personal data is stored

Personal data is stored for as long as is necessary in relation to the purposes for which it was collected and processed or for as long as is required by law or regulation. The storage of data on Aalto University staff and students follows the applicable privacy notices as well as the university’s data management plan. Any data concerning the contractual employment relationship of Aalto staff will be erased at the termination of the employment relationship. Any data concerning partnership activities will be erased at the termination of the partnership. Data on donations will be stored for a minimum of six years after the last instalment.

Rights of the data subject concerning personal data

Under the GDPR, you have the right to review your information and rectify any inaccurate or erroneous personal data. In addition, with certain exceptions, you have the right to erase your data. If he processing of personal data is based on your consent, you also have the right to withdraw your consent. You find more information on your rights listed below.

According to the GDPR, you have a right to know what information on yourself is stored in the personal data file. You have the right to request that any inaccurate or erroneous data on yourself be rectified without undue delay. If data you wish have rectified or erased is maintained by an Aalto partner, we will request that the partner take the appropriate measures.

Barring certain exceptions, the GDPR guarantees your right to have your erased, or as it is termed, your right to be forgotten. However, this right does not obtain in cases where the university’s right as the controller to process personal data is based on the university’s obligation to perform tasks carried out in the public interest or in the exercise of official authority. If the processing of personal data is based on your consent, you may also withdraw your consent. In that case, you may submit a request to us to erase data concerning yourself from our system. If there is no other legal grounds for processing your data, we will erase it.

If you contest the accuracy of the personal data or the lawfulness of the processing, or or if you have exercised your right to object to the processing, you may request that the processing of the personal data be restricted to storage only. The processing of the data is then confined to its storage only until, for example, the accuracy of the data is verified. If you do not have the right to request erasure of the data, you may request instead that Aalto University limit its processing to only that needed in order to store the data.

You always have the right to object to the processing of your personal data when the processing is for marketing purposes.

You may exercise your rights by submitting a GDPR-compatible request via Aalto’s personal data portal:

Aalto University personal data portal Note, however, that if the matter concerns a change of contact information or other routine changes, you should contact: servicedesk(at)aalto.fi.

If you have questions regarding this privacy notice, you may contact the Aalto University data protection officer:
Data protection officer: Anni Tuomela
Tel.: (exchange) 09 47 001
Email: [email protected]

If you, the data subject, consider the processing of your personal data to be an infringement of privacy protection legislation, you have the right to lodge a complaint with the data protection ombudsman (www.tietosuoja.fi), which is the supervisory authority.

We have an obligation to communicate personally any security breach of personal data to those data subjects whom the breach concerns. The right enters into force if the breach is likely to result in a high risk to the rights and freedoms of the individual, e.g. in the form of identity theft, payment fraud or other criminal activity.

An information security team operates at Aalto (email security(at)aalto.fi) to process reported data protection and information security incidents concerning the university and to help resolve them, investigating whether data breaches have occurred.

Your responsibility

You are responsible for the information you supply or make available to Aalto University recipients, and you must ensure the accuracy of the information.

Amendments to the privacy notice

Aalto University updates this notice as needed. Updated versions of this notice will show the date of the new version at the beginning of the document. If we make changes to content of this notice, we will take appropriate measures to keep you informed in a manner consistent with the significance of the change. We encourage you to check this notice often to be aware of how Aalto University protects your data.

Other privacy notices

Aalto University maintains several privacy notices. For example, if you have university username, attend university events, or visit our campus, please find information about the processing of your personal data in order to implement these services on the University Privacy Statements page.

Privacy notices

Aalto University's privacy notices

Read other privacy notices (events, IT-services etc)

Controller, register person-in-charge and contact information

The controller of personal data in partnership activities is Aalto University.

The register person-in-charge is Ville Krannila.
Tel.: (exchange) 09 47 001
Email: crm-support(at)aalto.fi

Published: 25.11.2020
Updated: 20.4.2021