Aalto University

IT Services Privacy Notice

This privacy notice describes the Aalto University policy on the personal data collected and processed by the Aalto University IT Services (ITS) in connection with the services it produces and the processes it executes.
Someone working on a laptop typing.

This privacy notice was updated 10.1.2022

Updated versions of this notice will show the date of the new version at the beginning of the document. If we make changes to content of this notice, we will take appropriate measures to keep you informed in a manner consistent with the significance of the change.

Why and on what basis does Aalto University process your personal data as a provider of information technology services?

Aalto ITS processes personal data on the basis of its role as a provider of information technology services in all systems produced and administered by Aalto ITS. Some of the services are produced by contracted partners and subcontractors. Aalto ITS holds responsibility for any such services in the same way as it does for the services it produces itself.

In order to provide it services, we process personal data

  • in customer relationship management
  • customer and user identification
  • order processing and service delivery
  • service and product quality control
  • customer service and
  • repairing malfunctions and disruptions and processing complaints.

We process personal data also when communicating with customers, such as when sending notifications on our services and contacting our clients in matters related to our services.

Personal data and transactional data are processed to detect technical errors and faults and in order to ensure the information security of all our services, information systems and communication networks and to test them. We process transactional data to technically develop our communication service, such as to optimise the operations of our communication networks. In addition, we can prepare statistics for the purposes of service development or other analysis. 

The Aalto data warehouse, which is a reporting and integration service offered by Aalto to its units, also processes personal data. The data warehouse is also used for reporting to the authorities.

Aalto ITS uses advanced analysing, machine learning and artificial intelligence tools which process personal data, for instance, to improve cyber security and ensure the integrity of data.

The Aalto information system portfolio is very broad-based, and Aalto has a information system map, which is regularly updated. It describes the key features of the information systems in the portfolio, such as purpose, owner, administrator and possible contractor.

-> Read more

On what basis does Aalto University process your personal data

Personal data processing to provide IT services is often connected to the main tasks of the university, complying with legal obligations such as financial obligations and the provision of services – we need IT services for work, studying, advocacy and communication, financial management and the implementation and use of university services. The processing basis for each user group are:

  • The processing of employees' personal data is based on the performance of a contract, a legitimate interest, compliance with legal obligations or explicit consent. Further information on the processing of employees' personal data is available in

-> privacy notice for employees.

  • For students, the university's right to process personal data as a controller is based on compliance with a legal obligation, a task carried out in the public interest or in the exercise of official authority vested in the controller. In certain cases, processing is based on contract or consent. You can read more about the processing of the personal information of students in

-> Privacy notice for students

  • Regarding the personal data processing of stakeholders, visitors and alumni more information is available in the privacy notice of communication services and

-> Aalto University privacy notice for partnership services

  • In the case of non-Aalto University users accessing a system or operating enviroment the processing basis may also be a contract or consent.

IT services also handle tasks related to the information security and management of workstations of services and information systems, for example to ensure security and to protect the availability, authenticity, integrity and confidentiality of personal data. In accordance with the General Data Protection Regulation, the processing of personal data in order to prevent security breaches is based on a legitimate interest. The management of information systems, ensuring information security and organizing the disclosure of data through technical interfaces are also based on the fulfillment of a legal obligation (Act on Information Management in Public

The personal data processing in developement and management our services and associated quality control as also understanding the needs and wishes of our customers regarding the features or contents of our services are based on our legal obligations and legitimate interests.

Aalto University may provide process or service specific information about the personal data processing.

The legal processing bases of mobile applications are described in the privacy policies of these applications. In the electronic working environment the user has a chance to allow the information content he or she produces to be used by others and get information about his or her networks and friends.

What personal data does Aalto University collect and process

The personal data processed by the university may be divided into the following categories:

Identification data,such as:

  • name
  • personal identification number
  • date of birth
  • contact details, e.g. work phone number
  • employee number (staff)
  • student number (student)
  • national learner ID (student)
  • title
  • biometric identifiers (such as fingerprints)

Username and password

Access rights

Device information, such as

  • information of centrally administrated workstations
  • software and device information of centrally managed smartphones

Information collected by customer services:

  • name and related identification and other technical information
  • contact details
  • username
  • location on campus
  • information related to the service request
  • employee number (staff)
  • unit (staff)
  • supervisor (staff)
  • student number (student)
  • school (student)

In the electronic working environment, when there are two or more parties to the communication and/or users of the electronic team working environment, the following personal data are processed:

  • name
  • job title
  • organisational unit
  • username
  • email address
  • telephone number
  • in addition, the user has a chance to give optional information in the service, e.g. photo

Data collected in connection with the printing service:

  • name
  • email
  • username
  • printer ID
  • time stamp
  • card ID when using secure print

Data collected in connection with the use of IT systems generally may contain at least some of the following information:

  • time stamp
  • username
  • communication

In the electronic working environment, the contents of the message and any attached files (whether they be text, images, sound, video or other electronic communication) are primarily considered confidential data and are thus only processed in exceptional circumstances specified by law.

Aalto Univesristy also logs the use of it systems to ensure information security.

How we collect personal data

Identity management and user identification data are obtained from the basic registers for Aalto University students and staff.

Data on staff are collected also from e-service requests and from use of Aalto’s network printer service.

Data on staff is also obtained from the detected or inferred use of services and systems owned or administered by Aalto, when staff use Aalto office, computer or telephone devices and programs, including electronic communications, email and internet applications.

To whom do we disclose personal data

Personal data is processed only by those Aalto University employees or those contracted individuals working on behalf of Aalto University who have a right to process the data.

We may disclose your personal data to third parties where access to or processing personal data is necessary:

  • to comply with applicable legislation and/or court order. E.g. as an employer Aalto University has legal obligations to disclose personal data of the staff among others to authorities, banks and occupational health care.
  • to detect, prevent or otherwise address technical or security issues or malpractice.

More information about the information disclosures is available in other privacy notitces.

Transfer of personal data to third countries

The data protection policy of the university is to exercise particular care if transferring personal data outside the EU and European Economic Area (EEA) to countries that do not offer the level of data protection required by the European General Data Protection Regulation (GDPR). Transfers of personal data outside the EU and EEA are also done in accordance with the requirements of the GDPR.

As general rule our processing of the personal data of employees occurs only within the EU or EEA. In exceptional cases of, for instance, international assignments or the use of certain services, your personal data may need to be transferred outside the EU or EEA. In certain cases the personal data of students may be transfered outside of EEA to higher eduction institutions.  In such cases, we see to ensuring a level of personal data protection adequate to conform with the level required by legislation, such as in the standard agreement clauses approved by the European Commission.

How long is personal data is stored?

The periods for which personal data may be retained in systems is based on law and on the records management plan (TOS) of Aalto University.

Rights of the data subject concerning personal data

Controller and the personal data protection principles

Controller, person responsible and contact details

The controller is Aalto University.

The register person-in-charge is Christa Winqvist.     

Tel. (exchange): 09 47 001

Email: servicedesk(at)aalto.fi

The Aalto University communications director is responsible for university-level communications and marketing.

Your responsibility

You are responsible for the information you supply or make available to Aalto University recipients, and you must ensure the accuracy of the information.

Personal data and principles of privacy protection

Due diligence is observed in the processing of personal data and data security measures are followed as appropriate. Technical solutions such as firewalls and encryption are employed and they comply with current standards. The controller ensures that stored information, user permissions and other data critical for the security of personal data are processed according to instructions, confidentially and only by individuals whose job descriptions authorise the processing.

Other privacy notices:

People in Dipoli Building

Privacy notices

Aalto University's privacy notices

  • Published:
  • Updated: