Data privacy notice for applicants
This privacy notice applies to applicants to bachelor’s, master’s and doctoral education, and contains information about how your personal data is processed and the rights that you have to your own personal data.
‘Personal data’ refers to various kinds of information by which an individual may be identified and which we use to comply with our educational duties, of which student admissions is one. In this context, you, the applicant, are referred to as a ‘data subject’ and we are referred to as the ‘controller’, that is, the party that controls the processing of the personal data for the abovementioned purposes. We will only process data necessary for the execution of our duties.
Data privacy notice for applicants
General Data Protection Regulation (EU) (2016/679), Articles 13 and 14
30 November 2018
Controller, unit in charge:
Eija Zitting, Head of Learning Services
A description of the university’s processing of personal data on applicants in order to comply with its statutory student admissions duties
A: Personal data collected directly from data subject
B: Personal data collected elsewhere than from the data subject
Anni Tuomela, Legal Counsel, Aalto University
Postal address: P.O. Box 11000, FI-00076 AALTO
Street address: Otakaari 24, 02150 Espoo
Tel.: (09) 47001 (exchange) 09 47001
The university processes personal data
- to disseminate information about studies and student admissions
- to exercise duties related to student admissions.
In addition, the university may process personal data
- for scientific research and
- for marketing communications related to the education offered by the university or other special purposes.
The university’s right to process personal data as a controller is based
- on the necessity to perform a task carried out in the public interest or in the exercise of official authority (Article 6(1) point e)
- on the necessity to comply with a legal obligation (General Data Protection Regulation, Article 6(1) point c)
- on the consent given by the data subject and, in certain cases, when necessary for the performance of a contract (Article 6(1) points a and b).
The university has a right as controller to process special categories of personal data when
- the processing is necessary for reasons of substantial public interest (Article 9(2), point g).
- Universities Act (558/2009) and the decrees given under it
- the Government Decree on University Degrees (794/2004) as amended and any prior decrees concerning degrees in science and technology, business, and art and design
- the act on national study and degree registers (laki valtakunnallisista opinto- ja tutkintorekistereistä, 884/2017)
- the General Data Protection Regulation (EU) 2016/679 and its complementary national statutes
- the Act on the Openness of Government Activities (621/1999)
Aalto University processes the following personal data categories concerning applicants:
The following necessary information is collected of the applicants:
- individual-specific identifier data (name, personal identity number, application/applicant ID, copy of passport)
- background information (nationality, sex, mother tongue)
- contact details (e-mail address, telephone number, postal address)
- study options
- details on applying for education
- details pertinent to admissions criteria:
- details of the applicant’s education, degrees and work experience
- information on factors related to the applicant’s health that affect student admission (choice of yes/no)
- in the case of applicants to the School of Arts, Design and Architecture, the applicant’s consent on having their advance assignments or entrance examination assignments published
- information concerning admission results (entrance examination results and other information related to admission, e.g. admission score)
- information on the applicant accepting the offer of admission
- admissions guidance that can be connected to the applicant in the applicant information system
Applicant information that may contain special categories of personal data (sensitive data):
- information on special arrangements
- accounts of any aberrations in student admissions and their consequences
- interviews as part of the entrance examinations
At Aalto University, the personal data is processed only by employees or contracted individuals working on behalf of Aalto who need the data for their work duties. The information is protected from unauthorised handling. Access rights are in place to restrict unauthorised access to the applicant information systems. The personal data is processed mainly by Learning Services staff and the academic staff involved in student admissions. In addition, personal data may be processed by Aalto’s facility and security services, IT services and financial services.
Aalto University may use outside parties to process personal data, such as system service providers that process personal data on behalf of Aalto on the basis of a commission contract.
Aalto University discloses personal data to parties outside the university or processes data for purposes other than the original only in situations where such disclosure or processing is permitted by law.
Aalto University has joint controllership in matters related to the Studyinfo student admissions register with the Finnish National Agency for Education and other Finnish institutions of higher education (884/2017, section 18).
Shared controller role in joint admissions: Joint admissions for the field of business and the joint admissions for engineering and architecture (DIA)
Aalto University may disclose such personal data on applicants as is necessary to the following recipients:
- registers of higher education institutions in national and international joint programmes
- for the Ministry of Education and Culture’s KOTA database
- to the internationalisation services of the Finnish National Agency for Education
- via a technical connection to the Social Insurance Institution of Finland, Kela
- via a technical connection through the National Data Warehouse for Higher Education for the use of the National Supervisory Authority for Welfare and Health
- to employment authorities
- to the immigration authorities’ Register of Aliens
- Studyinfo maintained by the Finnish National Agency for Education
- employment and economic development offices (‘TE offices’) (enquiries)
In addition, Aalto University may disclose personal data on applicants as follows:
- for scientific research
- to comply with the Act on the Openness of Government Activities (621/1999) or with other legal obligations
- to other Finnish higher education institutions in the case of such data compiled by authorities that affects student admissions and rights to study
- to institutions of higher education abroad, including outside the EU and EEA countries
- with the applicant’s consent, contact information may be disclosed to parties outside the university for marketing communications or other special purposes
The data protection policy of the university is to exercise particular care when transferring personal data outside the EU and the EEA to countries that do not offer the data protection required by the European General Data Protection Regulation (GDPR). Transfers of personal data outside the EU and EEA are done in accordance with the requirements of the GDPR.
The periods for which personal data saved in systems and manual material are stored are based on the law and the records management plan of Aalto University.
Permanent storage (under the Act on National Study and Degree Registers 884/2017, sections 25 and 27):
- admitted applicants: learner ID, ID number or a similar individual-specific identifier data;
- admitted applicants: data on the person’s rights to study in degree programmes and information on accepting the offer of admission
By decision of the National Archives of Finland, other personal data of the applicant may also be stored permanently.
Main types of personal data not stored permanently:
- entrance examination details and lists of scores for a minimum of 2 years, excluding the advance assignments and entrance examination assignments for the field of arts, design and architecture, which are stored for a minimum of 6 months.
- rejected applications for a minimum of 2 years
- accepted applications for a minimum of 5 years or until the graduation of the student
- Sensitive data are stored as long as necessary but for no more than 4 years.
- Admissions guidance in the applicant information system for a minimum of two years
Periods for which data are stored may vary in individual cases and they may be revised.
The applicant (data subject) may submit any requests related to his or her rights to access information as a data subject to: [email protected]
Right of data subjects to access their data
Data subjects have a right to know what personal data are being processed of them and what data concerning them have been stored. The data subject may submit an information request to the university. In such cases, the following procedure is to be followed:
- The university provides the information requested without undue delay. The person making the request must prove their identity upon request. The requested information or the additional information related to the request must be provided no later than one month after receiving the request. If the information request is complex and comprehensive, the deadline may be extended by two months.
- As a rule, the information shall be provided free of charge. For any further copies requested by the data subject, the university may charge a fee based on administrative costs. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the university may either charge a fee based on administrative costs or refuse to act on the request. The university shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
- If the university does not provide the information requested, the data subject will be provided with a written account of the matter. The written account will also include an explanation of the data subject’s rights to judicial remedies, for instance, the right to lodge a complaint with the supervisory authority.
Right of the data subject to rectification of data
- The data subject has a right to have any inaccurate or incomplete personal data concerning him or her rectified or completed without undue delay. In addition, the data subject has a right to demand that all personal data concerning him or her that is no longer necessary be erased.
- If the university does not accept the data subject’s request for rectifying his or her personal data, the data subject will be given a written account specifying the reasons for rejecting his or her request. The written account will also include an explanation of the data subject’s rights to judicial remedies, for instance, the possibility of lodging a complaint with the supervisory authority.
Right of the data subject to erasure of data
- Depending on the legal basis, the data subject may have a right to have their personal data erased from the register of the school. This right shall not apply to cases where data processing is necessary for compliance with a legal obligation or for a task carried out in the exercise of official authority vested in the school. The storage and erasure of data shall comply with the records management plans of the university and the data storage periods required by legislation.
Right to restrict processing
- In certain situations, data subjects may have the right to restrict the processing of their personal data until the legal basis for the data or their processing has been duly checked and rectified or completed.
Right to data portability
- The right to data portability means that the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the university, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the university. This right shall apply only to situations where the processing is carried out by automated means and is based on consent or contract.
- This right shall not apply to cases where data processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. As a result, this right shall not apply, as a general rule, to the personal data files of the university.
The applicant may submit any requests related to his or her rights to access information as a data subject to: [email protected]
Right to object to processing of personal data
- Applicants to the university shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on the performance of a task carried out in the public interest or in the exercise of official authority or the legitimate interest of the university. In such cases, the university shall no longer process the personal data unless the university demonstrates compelling legitimate grounds for the processing.
- Where personal data are processed for direct marketing purposes, the applicant shall have the right to object at any time, even without giving reasons for it, to processing of personal data concerning him or her for such marketing.
- In situations where the processing of personal data is based solely on consent, the applicant shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
- As a rule, the withdrawal of consent is communicated to the party to which the original consent was given. If this is impossible, the applicant may e-mail to: [email protected]
- The applicant shall have the right to lodge a complaint with a supervisory authority, if they consider that the processing of personal data relating to him or her infringes the General Data Protection Regulation (EU) 2016/679. In addition, the applicant has a right to use other administrative or judicial remedies. Additional information: https://tietosuoja.fi/en/home
- The applicant shall have the right to bring proceedings against the controller or the organisation processing the personal data before a court if the applicant considers that the processing of his or her personal data infringes the General Data Protection Regulation.
The applicant shall provide all personal data necessary for the process in question and is responsible for their accuracy. Providing personal data is often necessary for completing a process task.
Information concerning applicants is collected directly from the following sources:
- Studyinfo, register of completed studies (SURE) and the Population Information System (VTJ)
- international application and degree systems
- higher education institutions in Finland and abroad
- online payment and registration services
- reviewers of Aalto University applications and entrance examinations
- verification services for international standardised tests, e.g. English language tests
Information may be observed, inferred or derived from the use of the IT services or systems provided for applicant use by the university or collected by the security and monitoring services used by the university (e.g. camera surveillance).
List of the key systems and services used to process personal data of applicants:
Application and admission systems (DIAkone, Apply, Full Fabric, eAge, Salesforce service platform)
Personal data of applicants are also processed at Aalto schools otherwise than in the shared information systems, in some cases manually, in the form of:
records of completed entrance examinations
Aalto University Admission Services
individual examination arrangements
Aalto University Admission Services