Data Protection, personal data (EU General Data Protection Regulation)

The EU General Data Protection Regulation (GDPR) has applied in all EU member states since 25 May 2018.

The GDPR is applicable legislation as such and it applies to all processing of personal data.

The Data Protection Regulation is supplemented and clarified by Finnish national law (Data Protection Act, 1050/2018, in force since 1 January 2019, text in Finnish).

Aalto University Data Protection Policy

The President of Aalto University adopted the university's Data Protection Policy on 23 May 2018.

The purpose of the personal data policy is to define the main principles, responsibilities and procedures that will be followed when personal data is processed at the university. In addition, to further ensure the protection of data at the university, there are codes of conduct and other forms of instruction in place that, combined with this data policy, form a cohesive whole.

The aim of this data policy is to ensure the university’s compliance with the requirements set by the EU General Data Protection Regulation (GDPR), national data protection legislation and other legislation that relates to the processing of personal data. In addition, the aim of this policy is to ensure that this compliance can be demonstrated with documentation.



General instructions for handling personal data

Aalto University's instructions list the main points of data protection and data security when handling personal data. The instructions are written to help process personal data in compliance with the EU General Data Protection Regulation.

For detailed instructions from EU bodies, check these links:

General instructions for secure processing of personal data

These instructions contain the key issues related to the processing and data security of personal data.


Impact assessment (DPIA)

In accordance with the Data Protection Regulation, a Data Protection Impact Assessment (DPIA) must be carried out for all university research projects, services, processes and systems in which the processing of personal data is likely to result in a high risk to the persons whose personal data is processed. Here you will find instructions for assessing the need for an impact assessment and for carrying it out:


Ethical review of research and DPIA

Information on when and how to prepare a DPIA in research as an appendix to a research ethics statement request

For personnel – highlights and support for your work

Detailed data protection guidance

Here are links to detailed guidance for data protection in the processes of teaching, learning, research and HR.

Teaching and learning

Processing of personal data - Research

Research is a basic task of the university. Every research project defines its personal data processing needs separately and informs its research subjects of these processing activities.

How to handle personal data in research?

Recognize whether you are processing personal data and follow these instructions to handle it correctly.

Personal data


Processing of personal data - Staff

The reasons why and situations where we process your personal data

Security of IT services and applications on the web

There are many free IT services available to anyone using a web browser, often referred to as cloud services. These are intended for consumers, and the level of data protection and security in these services doesn't always meet the requirements for Aalto University's data. Therefore, use only approved systems with an Aalto University account for any handling of personal data.

To learn more about the security aspects of some popular cloud services, visit these sites:

Privacy notices

A privacy notice (GDPR Articles 13 and 14) is the information given to the data subject, including but not limited to the legal basis for processing, the purpose of processing, what information is being gathered and the data subject’s rights. The earlier descriptions of personal data files have been replaced by privacy notices.

Aalto privacy notice templates (requires login):

Technical and organisational security measures

The university’s personal data is protected as part of its regular data security maintenance activities.

The university’s data processing is based on access rights that depend on the individual’s role and position in the university, and, when necessary, on the access rights granted by the party responsible for each register. The validity of all access rights is checked daily.

The university’s IT systems and services are protected from unauthorised access in accordance with the standard practices of the field, their operability has been secured to an adequate degree, and their lifecycle is managed.

Rights of the data subject

The data subject has the right to request access to the personal data pertaining to them from the data controller and to request the correction or removal of said data. This right of removal does not extend to personal data that the university processes on the basis of a statutory task, its benefit to the general public, or personal data that is subject to some other preservation obligation by the university. The data subject has, in some specific cases, the right to demand the restriction of the processing of personal data and to object to the processing.

The controller, e.g. Aalto University, must facilitate the exercise of the rights of the data subject. To this end, the university has introduced a personal data portal. Requests under the GDPR concerning the processing of personal data can be submitted through the portal.

Aalto University personal data portal

Please note that the regular service addresses for different services will still be used primarily for contact information changes and other routine changes.

For more information on the rights of data subjects, see the website of the Data Protection Ombudsman.

The data subject also has the right to submit a complaint to the supervisory authority. The supervisory authority in Finland is the Data Protection Ombudsman (P.O. Box 800, 00521 Helsinki, 6700, tietosuoja(at)


Data protection officer

The university’s data protection officer is responsible for providing information and guidance on matters related to personal data, supervising the observance of this data policy and data protection legislation in the university and reporting any deviations from them to the university leadership. The data protection officer functions as the contact person for the university in matters relating to the relevant supervisory authority, the Data Protection Ombudsman.

Contact details: Legal Counsel Anni Tuomela, [email protected] 

This service is provided by:

IT Services
