The purpose of this personal data policy is to define the main principles, responsibilities and procedures that will be followed when personal data is processed at the university.
Privacy notice for Aalto University communication and events
Updated 31.5.2022 (updates accepted by communication services)
Aalto University informs protection of personal data in several privacy notices. If you are our alumni, stakeholder or donor, please find more information on your privacy here:
We communicate mainly via our websites (aalto.fi). You find more information on processing your personal data as a user of our webpages here:
Why and on what basis does Aalto University process your personal data?
Aalto University and its units use personal data for:
- communication and distribution of newsletters,
- organising events and disseminating information about them,
- providing and developing of digital and other communication services,
- handling feedback,
- carrying out surveys, and
- drawing lotteries.
Aalto University processes personal data for the purposes of events, marketing, and printed and digital communication, including communication in social media as well as handling feedback and carrying out surveys. The purpose of the processing of personal data is to allow the Aalto community members to interact with both each other and with society at large. In addition, the university may process personal data in order to protect it, as well as to prevent and investigate its abuse as necessary.
Aalto University has a legitimate interest in communicating and marketing the activities of the university. The processing of personal data is based on consent when the data is used for targeted electronic direct marketing or for participation in and drawing of lotteries.
What personal data does Aalto University collect and process?
The personal data processed by the university may be divided into the following categories:
- Data given by the data subject when registering for an event, such as contact in-formation
- Data given by the data subject upon contacting Aalto University
- Personal data contained in photographs, recordings and videos, such as an identifiable person in a photograph taken at an event.
- Personal data contained in marketing and communication material
- Personal data collected for the purposes of security arrangements
- Personal data collected by other services
The personal data processed of those who have registered for events contains usually the following information:
- required contact details
- job title
- name and contact details of information source if different from participant
In order to participate in the lottery, the information requested at the time is collected on the form, but at least the contact information for reporting the lottery winnings.
The personal data processed may also contain the following data:
- role of the participant in the event
- for international events, the home country of the participant for statistical purposes
- amount of participation fee and payment details
- dietary restrictions, if food is served at the event, and information on special arrangements (no information on illnesses are collected)
- data related to organising side events and additional services
- data related to publishing
- data related to organising travel services
- data generated when the event is recorded (e.g. photos, videos, audio recordings)
- areas of interest specified by a training participant
- feedback on the training (collected anonymously)
In addition, we may collect data on the event participation history of an individual data subject.
How do we collect personal data?
As a rule, we collect data directly from the data subjects in connection with their registration for an event or another contact made by them. Personal data may be collected and updated using other personal data files of Aalto when a legal basis for it exists, as well as from the following:
- the Finnish Trade Register;
- online services and software applications of companies;
- authorities and companies providing services concerning personal data; and
- any publicly accessible online sources.
Personal data is also collected when using other services. For the purposes of security arrangements, the university may collect personal data from its own personal data files and those of its service providers and contract partners, when a legal basis for data collection exists.
To whom do we disclose personal data
A) Service providers and distribution of photographs and videos in social media
Aalto University collaborates with selected partners in personal data processing for purposes specified in this privacy notice, such as maintaining websites and organizing events.
We disclose personal data to our partners only to the extent necessary for them to offer services to Aalto for the purposes defined in this privacy notice.
In addition, Aalto University may share photographs and videos in social media services. The processing of personal data contained in these photographs is subject to the privacy notices of the services used. See, for instance, the following social media services:
- Facebook (https://www.facebook.com/)
- Instagram (https://www.instagram.com/)
- YouTube (https://policies.google.com/privacy)
- LinkedIn, Vimeo and Panopto
Information on dietary restrictions or personal special arrangements may be disclosed to a relevant service provider, and be disclosed primarily in a format that does not allow the information to be connected to an identifiable person.
B) To teachers and researchers
We may in some instances disclose personal data for scientific research or teaching. In such cases the data is processed in accordance with the requirements of the EU’s General Data Protection Regulation and of Finland’s legislation on data protection.
C) To third parties when required under law
We may disclose your personal data to third parties where access to or processing personal data is necessary:
- to comply with applicable legislation and/or court order, or
- to detect, prevent or otherwise address technical or security issues or malpractice.
D) Other recipients
Basic information and participation history of the data subject may be saved in the university’s common customer relationship management database. We may disclose to event participants a list of the names and organisations of everyone participating in the event. We will not publish the participant list on a public platform, such as the internet.
Rights of the data subject concerning personal data
Data subjects have the right to receive confirmation from the university on whether or not it is processing personal data that concerns them. Data subjects have the right to evaluate and gain access to their personal data, as well as request corrections to, removal of, transferring of, limiting and refusing the collection of their personal data. Requests can be made at https://datarequest.aalto.fi/en-US/.
Data subjects have the right to subject the lawfulness of the university’s actions for consideration by the Data Protection Ombudsman tietosuoja(at)om.fi.
You have the right to acquaint yourself with personal data on yourself that is in the possession of Aalto University.
You have the right to rectify inaccurate or incomplete data.
You have the right to request erasure of the personal data (‘the right to be forgotten’) in the following cases:
- You have the right to have a photograph of yourself erased from the Aalto University website.
- You object to the processing of your personal data when there is no legitimate grounds for the processing.
- The processing of the personal data is unlawful.
In many cases, Aalto University has a responsibility to retain personal data, e.g. for reasons of legal obligation.
If you contest the accuracy of the personal data or the lawfulness of the processing, or or if you have exercised your right to object to the processing, you may request that Aalto University restrict the processing of the personal data to storage only. The processing of the data is then confined to its storage only until, for example, the accuracy of the data is verified. If you do not have the right to request erasure of the data, you may request instead that Aalto University limit its processing to only that needed in order to retain the data.
You always have the right to object to the processing of the personal data when the processing is for marketing purposes, for example.
We have an obligation to communicate personally any security breach of personal data to those data subjects whom the breach concerns. The right enters into force if the breach is likely to result in a high risk to the rights and freedoms of the individual, e.g. in the form of identity theft, payment fraud or other criminal activity.
An information security team operates at Aalto (email security(at)aalto.fi) to process reported data protection and information security incidents concerning the university and to help resolve them, investigating whether data breaches have occurred.
You may exercise your rights by submitting a GDPR-compatible request via Aalto’s personal data portal:
Note, however, that if the matter concerns a change of contact information or other routine changes, you should contact: viestintä@aalto.fi.
If you have questions regarding this privacy notice, you may contact the Aalto University data protection officer:
Data protection officer: Anni Tuomela
Tel.: (exchange) 09 47 001
Email: [email protected]
If you, the data subject, consider the processing of your personal data to be an infringement of privacy protection legislation, you have the right to lodge a complaint with the data protection ombudsman (www.tietosuoja.fi), which is the supervisory authority.
Transfer of personal data to third countries
The data protection policy of the university is to exercise particular care when transferring personal data outside the EU and the EEA to countries that do not offer the data protection required by the European General Data Protection Regulation (GDPR). Transfers of personal data outside the EU and EEA are done in accordance with the requirements of the GDPR, using as a basis e.g. its reference to decisions made on the adequacy of the level of protection provided (Article 45), utilising standard agreement clauses and following other data protection measures in accordance with the GDPR.
Period for which personal data is retained
Personal data is retained for as long as is necessary in relation to the purposes for which it was collected and processed or for as long as is required by law or regulation or unless data subject ask for removal of data.
The contact information of event participants is used in recurring events as well as in the marketing of other similar events. Due to legal requirements, for chargeable events and billing transactions, the information must be retained for at least six (6) years from the end of that calendar year
The storage of data on Aalto University staff and students follows the applicable privacy notices as well as the university’s data management plan (TOS).
Images containing personal data are processed as other data, i.e. in accordance with the privacy notice on personal data.
Personal data collected for the allotment will be deleted once the allotment has been completed. The exact date of the allotment will be announced in connection with each individual allotment.
The personal data included in the marketing and communication material will be kept until the data subject requests their deletion.
Aalto University partners who received personal data related to an event are required to destroy that information after the conclusion of the event.
The personal data of event registrants are stored pseudonymised for statistical purposes.
Personal data and principles of privacy protection
Due diligence is observed in the processing of personal data and data security measures are followed as appropriate. Technical solutions such as firewalls and encryption are employed and they comply with current standards. The controller ensures that retained information, user permissions and other data critical for the security of personal data are processed according to instructions, confidentially and only by individuals whose job descriptions authorise the processing.
You are responsible for the information you supply or make available to Aalto University recipients, and you should ensure the accuracy of the given information.
Amendments to the privacy notice
Aalto University updates this notice as needed. Updated versions of this notice will show the date of the new version at the beginning of the document. If we make changes to content of this notice, we will take appropriate measures to keep you informed in a manner consistent with the significance of the change. We encourage you to check this notice often to be aware of how Aalto University protects your data.
Other privacy notices
Aalto University maintains several privacy notices. For example, if you have university username, become our donor or stakeholder, participate our courses, or visit our campus, please find information about the processing of your personal data in order to implement these services on the University Privacy Statements page.
Controller, register person-in-charge and contact information
The controller of personal data in communication, marketing and event activities is Aalto University.
The personal responsible for communications and events is the communications director.
Tel.: (exchange) 09 47 001
Email: [email protected]
A contact person and person responsible is designated for each event and newsletter. The contacts details are given in connection with each event announcement, invitation or newsletter.
Aalto University Data Protection Policy
General provisions concerning privacy and protection of personal data are included in Aalto University Data Protection Policy. Also Records Management Plan (TOS) regulates processing personal data. In addition, Aalto University has appointed Data Protection Officer ([email protected]).