Data Protection, personal data (EU General Data Protection Regulation)
The GDPR is applicable legislation as such and it applies to all processing of personal data.
- EU General Data Protection Regulation
- EU Commission: Rules for the protection of personal data inside and outside the EU.
The Data Protection Regulation is supplemented and clarified by Finnish national law (Data Protection Act, 1050/2018, into force on 1 January 2019, text in Finnish).
Aalto University Data Protection Policy
The President of Aalto University has adopted on 23 May 2018 the university´s Data Protection Policy.
The purpose of the personal data policy is to define the main principles, responsibilities and procedures that will be followed when personal data is processed at the university. In addition, to further ensure the protection of data at the university, there are codes of conduct and other forms of instruction in place that, combined with this data policy, form a cohesive whole.
The aim of this data policy is to ensure the university’s compliance to the demands set by the EU General Data Protection Regulation (GDPR), national data protection legislation and other legislation that relates to the processing of personal data. In addition, the aim of this policy is to ensure that this compliancy is demonstrable with documentation.
The purpose of this personal data policy is to define the main principles, responsibilities and procedures that will be followed when personal data is processed at the university.
General instructions for handling personal data
Instructions of the Aalto University list the main points for the data protection and data security when handling personal data. Instructions are written to help process personal data in compliance with the EU general data protection regulation.
For detailed instructions from EU bodies, check these links:
- European Commission: Rules for the protection of personal data inside and outside the EU.
- European Union Agency for Fundamental Rights: Handbook on European data protection law - 2018 edition
Vaikutustenarviointi (Data Protection Impact Assessment, DPIA) on tehtävä tietosuoja-asetuksen mukaisesti kaikista sellaisista yliopiston tutkimushankkeista, palveluista, prosesseista ja järjestelmistä, joissa tehtävä henkilötietojen käsittely aiheuttaa todennäköisesti korkean riskin niille henkilöille, joiden henkilötietoja käsitellään. Täältä löydät ohjeita vaikutustenarvioinnin tarpeen arviointiin ja sen toteuttamiseen:
Tietosuojan toteuttamiseen liittyviä muita ohjeita
Detailed data protection guidance
Here are links to detailed guidance for data protection in the processes of teaching, learning, research and HR.
Teaching and learning
- How to handle personal data in research?
- Data management guidelines (Finnish Social Sciences Data Archive)
- Open science and use of images: Photographs as personal information
Research is a basic task of the university. Every research project define its personal data processing needs separately and informs its research subjects of these processing activities.
Recognize whether you are processing personal data and follow these instructions to handle it correctly.
Security of IT services and applications on the web
There are many free IT services available for anyone using a web browser, often referred as cloud services. These are intended for consumers, and the level of data protection and security in these services doesn't always meet the requirements for Aalto University's data. Therefore, use only approved systems with Aalto University account for any handling of personal data.
To learn more about the security aspects of some popular cloud services, visit these sites:
Privacy notice (GDPR Article 13 and 14) is the information given to the data subject, including but not limited to the legal basis for processing, the purpose of processing, what information is being gathered and the data subject’s rights. Earlier descriptions of personal data file are replaced by privacy notices.
Aalto privacy notice templates (requires login):
Technical and organisational security measures
The university’s personal data is protected as part of its regular data security maintenance activities.
The university’s data processing is based on access rights that depend on the individual’s role and position in the university, and, when necessary, on the access rights granted by the party responsible for each register. The validity of all access rights is checked daily.
The university’s IT systems and services are protected from unauthorised access in accordance with the standard practices of the field, their operability has been secured to an adequate degree, and their lifecycle is managed.
Rights of the data subject
The data subject has the right to request access to the personal data pertaining to them from the data controller and to request the correction or removal of said data. This right of removal does not extend to personal data that the university processes on the basis of a statutory task, its benefit to the general public, or personal data that is subject to some other preservation obligation by the university. The data subject has, in some specific cases, the right to demand the restriction of the processing of personal data and to resist the processing.
The controller, e.g. Aalto University, must facilitate the exercise of the rights of the data subject. To this end, the university has introduced a personal data portal. Requests under the GDPR concerning the processing of personal data can be submitted through the portal.
Please note, that regular service addresses for different services will still be used primarily for contact information changes and other routine changes.
For more information on the rights of data subjects, see the website of the Data Protection Ombudsman.
The data subject also has the right to submit a complaint to the supervisory authority. The supervisory authority in Finland is the Data Protection Ombudsman (P.O. Box 800, 00521 Helsinki, 6700, tietosuoja(at)om.fi).
Data protection officer
The university’s data protection officer is responsible for providing information and guidance on matters related to personal data, supervising the observation of this data policy and data protection legislation in the university and reporting any deviations thereof to the university leadership. The data protection officer functions as the contact person for the university in matters relating to the relevant supervisory authority, the Data protection ombudsman.
Contact details: Legal Counsel Anni Tuomela, [email protected]