General instructions for secure processing of personal data

Data protection and data security are part of the daily tasks of every employee. These instructions contain the key issues related to the processing and data security of personal data. These instructions are meant to ease the application of the EU General Data Protection Regulation in connection to the processing of personal data. Remember to also familiarise yourself with Aalto University’s data protection policy, which defines the main principles, responsibilities and operating methods that are used in Aalto University in connection with the processing of personal data.
Aalto University Data Protection Policy

A quick guide to the data protection and data security of personal data processing activities:

  1. Check whether your work involves the processing of personal data and follow the instructions provided in this guide on the processing of personal data. Personal data is a wide-ranging concept. Any data that can be connected to a person or that can be used to identify a person either directly or indirectly is considered personal data (e.g. name, personal identification number, phone number, credit card number, photo, etc.).
  2. Remember that privacy protection is a fundamental right. Always be careful when processing personal data, regardless of whether the data is in digital, oral or printed form, and ensure that the data does not fall into the hands of any third parties. The university’s activities involve the processing of data that falls under different levels of data security. Be especially careful when processing secret personal data (e.g. sensitive data such as health data). The quick data classification guide (see the appendix below) will help you assess the level of data security required by the data you are processing and which IT services are required to achieve that level. For more detailed instructions on data classification, see the page Data protection practices in Aalto.
  3. Whenever possible, process the data in its original data processing system – Avoid transferring the personal data outside the original system, for example to an Excel spreadsheet, for no particular reason. Personal data should always be processed in its original data processing system because the system can also save a log of the processing that was done to the personal data. If it is necessary for you to process the personal data outside its original system, see special instruction 1 below.
  4. When you are about to initiate a project that involves the processing of personal data (e.g. a new service), plan the entire lifecycle of how the personal data will be processed (collection, utilisation, modifications, destruction) before you begin collecting any personal data, and remember to document the results of the planning process.
  5. Minimise personal data - Think very hard about what personal data you will need to collect and store (e.g. avoid the unnecessary processing of personal identification numbers).
  6. When you are about to start a new project (e.g. a research project) remember to inform the persons whose data will be collected before you begin collecting any personal data. The information that needs to be given to potential data subjects is described in detail in the relevant legislation. This is why we recommend using the right templates when informing data subjects in research projects and other activities.
  7. Process the personal data only in connection with its intended purpose - The processing of personal data must always be done for a predefined justification and purpose, and you can check the justifications that are in accordance with the EU General Data Protection Regulation.
  8. Destroy any unnecessary and expired personal data – Do not store personal data “just in case”. Remember to take into account the storage periods specified in the Information Management Plan for personal data as well.
  9. Store all personal data in a secure manner - Not on your desk but in a locked cabinet, on Aalto’s network drives with limited access, or in encrypted form on a laptop or external memory drive such as a memory stick. See our Top 10 data security tips for encryption. Do not give the personal data to just anyone - Personal data may be processed only by those whose work tasks involve the processing of personal data.
  10. Keep the personal data up-to-date - Only correct data can be considered useful data.
  11. Be careful when transferring personal data – Always check that the recipient is who they say they are. If you intend to send any confidential or secret personal data by email, remember to send the message as an encrypted email message or include the data as an encrypted attachment (do not send any passwords by email). If you plan to send any personal data outside Aalto University, remember that the transfer of personal data outside the EEA region includes special conditions; see special instruction 3. Remember to also ensure that you have the right to transfer the personal data (information on the transfer of personal data is included in the data protection notice or otherwise) and that you have agreed on the terms of how the personal data is to be processed with the recipient; see special instruction 4.
  12. If any damage or suspicious activity has occurred in connection to any personal data, notify [email protected] – Act quickly. The best way to fix an error or prevent a threat is to report it immediately. Time is of the essence when preventing any further damage.

Classification of information: basic instructions and services

Aalto University utilises a great number of information systems and digital services. This document provides a collection of basic instructions on the main systems and services used at Aalto. The aim is to help you choose appropriate places for processing and storing information. In most cases, the services offered by Aalto define the site for processing the information and the information is then processed there. In those cases, the employee or student does not need to check the classification instructions for the appropriate place to process and store the information. It suffices to simply follow the service’s own instructions.

Check here what IT services to use with classified data

Special instructions on the processing of personal data

Take note of these special instructions when processing personal data in the following situations:

Further information

Read more detailed instructions on how personal data is to be processed in the different functions of the university, how data is classified, how long data may be retained, and data security practices related to daily work. And remember: if you don’t know something, just ask! ([email protected]; [email protected]; legal and ITS services).


Records Management Plan TOS

Aalto University Records Management Plan (tiedonohjaussuunnitelma) TOS is a set of guidelines for the registration, handling, and retention of Aalto University's documents and comparable data. The Records Management Plan contains detailed information on the handling, registration, publicity and retention of the University's documents and data.


Aalto University Data Protection Policy

The purpose of this data protection policy is to define the main principles, responsibilities and procedures that will be followed when personal data is processed at the university.

Personal data

How to handle personal data in research?

Recognize whether you are processing personal data and follow these instructions to handle it correctly.

This service is provided by:

Legal Services
