Privacy Notice for aalto.fi
Protecting your privacy and your personal data is of the utmost importance to us. Aalto is committed to complying with the requirements that data protection regulation places upon Aalto in the processing of your personal data.
The means and purposes of processing your personal data are described in further detail in this privacy notice.
This privacy notice is subject to change. Aalto will develop this website over the course of summer 2018, and in September 2018 the user experience will be improved by implementing user profile functionality. This privacy notice will be updated when these changes are implemented. You will always find the up-to-date version of this privacy notice on this website.
This Privacy Notice covers the following areas:
- Why does Aalto process personal data?
- What personal data does Aalto process?
- Sources of information
- Lawful basis for processing
- Transfers and disclosures of personal data
- International transfers of personal data
- Retention period
- Your rights
- Who is the controller and who can I contact?
1. Why does Aalto process personal data?
Aalto collects and processes certain personal data in order to
- enable you to use the website;
- maintain and develop the website;
- enhance or improve your experience of the website by collecting details of your visit through cookies and standard weblogs;
- enable communication and marketing
In addition, Aalto will also process personal data for the purposes of data security and to prevent and resolve possible misconduct.
2. What personal data does Aalto process?
Aalto will only process personal data that is necessary for the processing purposes defined in this privacy notice. The personal data that Aalto collects can be grouped into the following categories:
- Aalto Account data, such as login/user ID and password
- Identification information such as title, forename, surname
- Contact information: such as telephone number, email
- Newsletter user profile data: Opening of newsletter (date and time), contents, clicked links; IP address; browser type, browser version, device type
Aalto University Junior activity and the protection of children’s data
The mission of Aalto University Junior is to support Aalto University's activities for schools, children, youth, parents and teachers. The aim of junior activity is to promote the teaching and learning of natural sciences, mathematics, technology and arts at all levels and to support related activities for children and youth.
Personal data such as name and email address will be collected in conjunction with registration for events meant for this target group only with the explicit consent of the child’s parent or guardian.
To learn more about our site and the protection of children’s personal data, please contact our data protection officer.
3. Sources of information
Personal data is collected from the users themselves during their visits on our website or when they otherwise interact with Aalto. Information about Aalto Community members (employee and student information) is imported to our site from other Aalto data systems, such as Aalto University Active Directory, Aalto Current Research Information System (ACRIS) and Aalto People.
Personal data can, if necessary, be collected and updated from Aalto partners and companies or authorities providing services related to personal data, such as companies providing services related to the updating of contact details. This applies mainly to cases where the user has subscribed to our newsletter.
4. Lawful Basis for Processing
Public interest (students and researchers) or performance of contract (employees):
- Aalto Account data
- Identification information
- Contact information
Legitimate interest to maintain and develop website, to communicate and to market the university:
- Personal data processed for communication and marketing purposes
- Information collected through observing use of website
- Newsletter user profile data
- The processing of personal data for the purposes of data security and to prevent and resolve possible misconduct
5. Disclosures of personal data
Aalto disclosures personal data only to the extent necessary for the purposes personal data is processed:
I) Service providers
Aalto uses partners to maintain and provide the website and for processing purposes as specified in this privacy notice. We will transfer your personal data to these partners only to the extent that these partners need access to personal data in order to provide services to Aalto for the purposes defined in this privacy notice.
Aalto has taken appropriate measures to ensure that in these cases your personal data will only be processed for the purposes mentioned in this privacy notice and in accordance with applicable legislation.
II) Research use
In some situations, Aalto may disclose your personal data for the purposes of research. In these cases, all personal data is processed in accordance with the General Data Protection Regulation and national data protection legislation.
III) Statutory reasons
Aalto may disclose your personal data to third parties if access to personal data or other processing of personal data is required to i) fulfill statutory responsibilities or a court order; ii) detecting, preventing or handling misuses, security risks or technical issues.
6. International transfers of personal data
The server on which the Aalto website is operated is located in the European Economic Area (EEA). We strive to carry out all services related to our website using operators and services located within the EU or the EEA. In some cases, however, services related to the use of our website may also be carried out by operators and on servers located in third countries. In such cases, your personal data may also be transferred outside the EU or EEA in accordance with applicable legislation. In regards to transfers of personal data to countries where local data protection legislation does not provide an adequate level of data protection, transfers are protected utilizing appropriate safeguards, such as standard contractual clauses approved by the European Commission, a competent supervisory authority, or binding corporate rules. To learn more about the appropriate safeguards we use, please contact us by using the contact information provided below.
7. Retention period
Personal data will be retained for the period of validity of the legal basis for processing and for as long as necessary for the processing purposes mentioned in this privacy notice.
For example, after the termination of your employment we will delete employee contact information from our website. The information of other users is retained for as long as Aalto´s legitimate interests can reasonably be deemed valid. We determine the validity of our legitimate interest by, for example, your use of our online services as well as the communication between us. Generally, personal data of other users will be retained for a period of one year from their last login or other use of our website, after which the personal data will be deleted.
8. Your rights
The General Data Protection Regulation grants the data subject a number of rights with which the data subject can govern the processing of their personal data. The data subject may use the following rights in relation to Aalto insofar as Aalto acts as the controller for the data subject’s personal data:
Right of access and right to rectification
You have the right to receive confirmation on whether we process personal data relating to you and the right to access any such personal data. Aalto may ask you to specify your request where necessary, for example with regard to the details of the provision of information.
In addition, you have the right to request the rectification of incorrect personal data relating to you, or to supplement incomplete personal data that Aalto is processing.
Right to data erasure
You have the right to request erasure of your personal data from our data systems. Aalto will comply with your request, provided that there is no legitimate reason to retain the data, such as a statutory obligation to continue processing the personal data. Personal data may not be deleted instantly from backup copies and other such data systems, but will be deleted through regular database retention practices.
Right to object
You also have the right to object to the processing of your personal data if your personal data is processed for other purposes than the fulfillment of legal responsibilities or the provision of services. You may object to the processing of your personal data for purposes of direct marketing, even if the basis for such processing is consent given by you in the past. Objecting to the processing of your personal data may lead to limitation of the usage of the Aalto website. You have the right to prohibit direct marketing by following the instructions contained in all of our marketing messages.
Right to restriction of processing
If you contest the correctness of the data which we have registered about you or the lawfulness of processing, or if you have objected to the processing of the data in accordance with your right to object, you may request us to restrict the processing of these data to only storage. The processing will only be restricted to storage, until the correctness of the data can be established, or until it is assured that our legitimate interests override your interests.
If you are not entitled to erasure of the data which we have registered about you, you may instead request that we restrict the processing of these data to only storage. If the processing of the data which we have registered about you is solely necessary to assert a legal claim, you may also demand that other processing of these data be restricted to storage. We may process your data for other purposes if this is necessary to assert a legal claim or if you have granted your consent to this.
Right to data portability
You have the right to receive your personal data from us in a structured, commonly used format so that you may transfer your personal data to another controller, provided that the processing of your personal data is based on consent or a contract between you and Aalto.
9. Who is the controller and who can I contact?
You can use your rights by contacting Aalto's data protection officer at [email protected] The extent of your rights is subject to the legal basis for processing, and exercising your rights requires identification.
Aalto-korkeakoulusäätiö sr, which functions as Aalto University
Mailing address: PO BOX 11000, FI-00076 AALTO
Phone number: +358 (9) 47001
Visiting address: Otakaari 24, 02150 Espoo
Data protection officer:
Contact information: [email protected]
Right to lodge a complaint
If the processing of your personal data is in breach of applicable legislation, you have the right to lodge a complaint with the national supervisory authority. You can lodge the complaint with a competent supervisory authority. In Finland, this is the Data Protection Ombudsman, and the complaint must be lodged in accordance with instructions provided by the Office of the Data Protection Ombudsman. Please see https://tietosuoja.fi/en/home for more information.