IT Services Privacy Notice
This privacy notice was updated 10.1.2022
Updated versions of this notice will show the date of the new version at the beginning of the document. If we make changes to the content of this notice, we will take appropriate measures to keep you informed in a manner consistent with the significance of the change.
Why and on what basis does Aalto University process your personal data as a provider of information technology services?
Aalto ITS processes personal data on the basis of its role as a provider of information technology services in all systems produced and administered by Aalto ITS. Some of the services are produced by contracted partners and subcontractors. Aalto ITS holds responsibility for any such services in the same way as it does for the services it produces itself.
In order to provide IT services, we process personal data
- in customer relationship management
- customer and user identification
- order processing and service delivery
- service and product quality control
- customer service and
- repairing malfunctions and disruptions and processing complaints.
We process personal data also when communicating with customers, such as when sending notifications on our services and contacting our clients in matters related to our services.
Personal data and transactional data are processed to detect technical errors and faults and in order to ensure the information security of all our services, information systems and communication networks and to test them. We process transactional data to technically develop our communication service, such as to optimise the operations of our communication networks. In addition, we can prepare statistics for the purposes of service development or other analysis.
The Aalto data warehouse, which is a reporting and integration service offered by Aalto to its units, also processes personal data. The data warehouse is also used for reporting to the authorities.
Aalto ITS uses advanced analysing, machine learning and artificial intelligence tools which process personal data, for instance, to improve cyber security and ensure the integrity of data.
Personal data processed in IT Services:
- when managing centralised identity information, such as usernames and access rights and in the management of information system resources such as networks, applications, services and network drives.
- to monitor the use of systems and prepare statistics on the use, as well as to perform various tasks related to electronic approvals, electronic signatures or workflows.
- in connection with the management system of workstations, which is used to keep the workstations usable and their information secure. Usually, a workstation means a personal computer, which may be a desktop or laptop computer or other IT device (e.g. smartphone).
- in the electronic working environment (O365), which is designed to provide electronic communication services to the Aalto University staff and students, as well as to any subcontractors and performers of commissioned work for whom an Aalto University IT account has been created
- in connection with printing, printing management and user-based invoicing on the basis of the cost-pool code of the user
- in order to develop and manage our services and the related processes and associated quality control, for instance: analysing the supply processes and related complaints in order to streamline the processes and to find a better and faster way of serving our customers
- to understand the needs and wishes of our customers regarding the features or contents of our services
- for information security purposes related to the use of services, e.g. when looking at successful or failed login to services that require registration
- when taking care of service requests and investigating problems with IT services and information security incidents
- to identify and prevent fraud and misuse of services
The Aalto information system portfolio is very broad-based, and Aalto has an information system map, which is regularly updated. It describes the key features of the information systems in the portfolio, such as purpose, owner, administrator and possible contractor.
On what basis does Aalto University process your personal data
Personal data processing to provide IT services is often connected to the main tasks of the university, complying with legal obligations such as financial obligations and the provision of services – we need IT services for work, studying, advocacy and communication, financial management and the implementation and use of university services. The processing bases for each user group are:
- The processing of employees' personal data is based on the performance of a contract, a legitimate interest, compliance with legal obligations or explicit consent. Further information on the processing of employees' personal data is available in the privacy notice for employees.
- For students, the university's right to process personal data as a controller is based on compliance with a legal obligation, a task carried out in the public interest or in the exercise of official authority vested in the controller. In certain cases, processing is based on contract or consent. You can read more about the processing of the personal information of students in the Privacy notice for students.
- Regarding the personal data processing of stakeholders, visitors and alumni, more information is available in the privacy notice of communication services and the Aalto University privacy notice for partnership services.
- In the case of non-Aalto University users accessing a system or operating environment, the processing basis may also be a contract or consent.
IT services also handle tasks related to the information security and management of workstations of services and information systems, for example to ensure security and to protect the availability, authenticity, integrity and confidentiality of personal data. In accordance with the General Data Protection Regulation, the processing of personal data in order to prevent security breaches is based on a legitimate interest. The management of information systems, ensuring information security and organizing the disclosure of data through technical interfaces are also based on the fulfillment of a legal obligation (Act on Information Management in Public
The processing of personal data in the development and management of our services and the associated quality control, as well as in understanding the needs and wishes of our customers regarding the features or contents of our services, is based on our legal obligations and legitimate interests.
Aalto University may provide process- or service-specific information about the personal data processing.
The legal processing bases of mobile applications are described in the privacy policies of these applications. In the electronic working environment the user has a chance to allow the information content he or she produces to be used by others and get information about his or her networks and friends.
What personal data does Aalto University collect and process
The personal data processed by the university may be divided into the following categories:
Identification data, such as:
- personal identification number
- date of birth
- contact details, e.g. work phone number
- employee number (staff)
- student number (student)
- national learner ID (student)
- biometric identifiers (such as fingerprints)
Username and password
Device information, such as
- information of centrally administrated workstations
- software and device information of centrally managed smartphones
Information collected by customer services:
- name and related identification and other technical information
- contact details
- location on campus
- information related to the service request
- employee number (staff)
- unit (staff)
- supervisor (staff)
- student number (student)
- school (student)
In the electronic working environment, when there are two or more parties to the communication and/or users of the electronic team working environment, the following personal data are processed:
- job title
- organisational unit
- email address
- telephone number
- in addition, the user has a chance to give optional information in the service, e.g. photo
Data collected in connection with the printing service:
- printer ID
- time stamp
- card ID when using secure print
Data collected in connection with the use of IT systems generally may contain at least some of the following information:
- time stamp
In the electronic working environment, the contents of the message and any attached files (whether they be text, images, sound, video or other electronic communication) are primarily considered confidential data and are thus only processed in exceptional circumstances specified by law.
Aalto University also logs the use of IT systems to ensure information security.
How we collect personal data
Identity management and user identification data are obtained from the basic registers for Aalto University students and staff.
Data on staff are collected also from e-service requests and from use of Aalto’s network printer service.
Data on staff is also obtained from the detected or inferred use of services and systems owned or administered by Aalto, when staff use Aalto office, computer or telephone devices and programs, including electronic communications, email and internet applications.
To whom do we disclose personal data
Personal data is processed only by those Aalto University employees or those contracted individuals working on behalf of Aalto University who have a right to process the data.
We may disclose your personal data to third parties where access to or processing personal data is necessary:
- to comply with applicable legislation and/or court order. E.g. as an employer Aalto University has legal obligations to disclose personal data of the staff among others to authorities, banks and occupational health care.
- to detect, prevent or otherwise address technical or security issues or malpractice.
More information about the information disclosures is available in other privacy notices.
Transfer of personal data to third countries
The data protection policy of the university is to exercise particular care if transferring personal data outside the EU and European Economic Area (EEA) to countries that do not offer the level of data protection required by the European General Data Protection Regulation (GDPR). Transfers of personal data outside the EU and EEA are also done in accordance with the requirements of the GDPR.
As a general rule, our processing of the personal data of employees occurs only within the EU or EEA. In exceptional cases of, for instance, international assignments or the use of certain services, your personal data may need to be transferred outside the EU or EEA. In certain cases the personal data of students may be transferred outside of the EEA to higher education institutions. In such cases, we ensure a level of personal data protection adequate to conform with the level required by legislation, such as in the standard agreement clauses approved by the European Commission.
How long is personal data stored?
The periods for which personal data may be retained in systems are based on law and on the records management plan (TOS) of Aalto University.
Rights of the data subject concerning personal data
According to the GDPR, you have a right to know what information on yourself is stored in the personal data file.
You have the right to request that any inaccurate or erroneous data on yourself be rectified without undue delay. If data you wish to have rectified or erased is maintained by an Aalto partner, we will request that the partner take the appropriate measures.
Barring certain exceptions, the GDPR guarantees your right to have your data erased, or as it is termed, your right to be forgotten. However, this right does not obtain in cases where the university’s right as the controller to process personal data is based on the university’s obligation to perform tasks carried out in the public interest or in the exercise of official authority.
If the processing of personal data is based on your consent, you may also withdraw your consent. In that case you may submit a request to us to erase data concerning yourself from our system. If there are no other legal grounds for processing your data, we will delete it.
If you contest the accuracy of the personal data or the lawfulness of the processing, or if you have exercised your right to object to the processing, you may request that the processing of the personal data be restricted to storage only. The processing of the data is then confined to its storage only until, for example, the accuracy of the data is verified.
If you do not have the right to request erasure of the data, you may request instead that Aalto University limit its processing to only that needed in order to store the data.
You always have the right to object to the processing of your personal data when the processing is e.g. for marketing purposes.
You may exercise your rights by submitting a GDPR-compatible request via Aalto’s personal data portal: Aalto University personal data portal
Note, however, that if the matter concerns a change of contact information or other routine changes, you should contact: servicedesk(at)aalto.fi.
If you have questions regarding this privacy notice, you may contact the Aalto University data protection officer:
Data protection officer: Anni Tuomela
Tel.: (exchange) 09 47 001
Email: [email protected]
If you, the data subject, consider the processing of your personal data to be an infringement of privacy protection legislation, you have the right to lodge a complaint with the data protection ombudsman (www.tietosuoja.fi), which is the supervisory authority.
We have an obligation to communicate personally any security breach of personal data to those data subjects whom the breach concerns. The right enters into force if the breach may likely result in a high risk to the rights and freedoms of the individual, e.g. in the form of identity theft, payment fraud or other criminal activity.
An information security team operates at Aalto (email security(at)aalto.fi) to process reported data protection and information security incidents concerning the university and to help resolve them, investigating whether data breaches have occurred.
Controller and the personal data protection principles
Controller, person responsible and contact details
The controller is Aalto University.
The register person-in-charge is Christa Winqvist.
Tel. (exchange): 09 47 001
The Aalto University communications director is responsible for university-level communications and marketing.
You are responsible for the information you supply or make available to Aalto University recipients, and you must ensure the accuracy of the information.
Personal data and principles of privacy protection
Due diligence is observed in the processing of personal data and data security measures are followed as appropriate. Technical solutions such as firewalls and encryption are employed and they comply with current standards. The controller ensures that stored information, user permissions and other data critical for the security of personal data are processed according to instructions, confidentially and only by individuals whose job descriptions authorise the processing.