Policy and guidance on the processing of personal data
Personal data are being processed in every educational institution, higher education institution and innovative digital education. This processing of personal data includes students, employees and interest groups data. This is especially the case at Metropolia University of Applied Sciences.
Processing of personal data takes place all the time at Metropolia’s Educational activities, RDI activities, in the processing of employee data and all collaborative projects and projects to which Metropolia has embarked. Due to the nature of personal data, the processing of it involves certain statutory obligations. These obligations are called controller obligations.
Therefore, the Privacy Policy of Metropolia has been established, which is approved by senior management and concerns data processing of Metropolia's own staff, students and third parties (including further education and business clients).
Metropolia's data security policy has also been updated in February 2019 and it reflects data protection policy. Both are in comply with the GDPR. Data Security and decisions on information systems reflect on data protection and vice versa.
Both “Metropolia’s data protection policy” and “data security policy” documents are in comply with statutory obligations, based on both EU and national law (such as General Data Protection Regulation “GDPR”, Act on the Protection of Privacy in Working Life, ePrivacy directive, Act on Openness of Government activities, EU’s directive on the accessibility of the websites and mobile applications of public sector bodies, national Act on the Provision of Digital Services and Act on Information Management in Public Administration).
Metropolia does also apply Finnish Institutions of Higher Education Code of Conduct which is accepted by Finnish Institutions of Higher Education and approved by the Finnish Data Protection Ombudsman’s office. First part of the Code of Conduct, which has been approved by the Data Protection Ombudsman’s office and already published, concerns data protection of study information administration.
Finnish Institutions of Higher Education are working on Code of Conduct for Study Data and Research Data Protection, which both will be ready by 2020-2021. When these are ready, Metropolia starts to apply them.
Legislation on personal data
Please note that English translations from Finnish laws are not official, only Finnish and Swedish versions are legally binding. English translations might not be up to date with the established law in Finnish and Swedish.
EU’s General Data Protection Regulation or GDPR for short has been applied in all EU/EEA member states from 25.5.2018.
Finnish Data Protection Act has been applied from 1.1.2019 and it repealed Personal Data Act. Data Protection Act complements EU’s General Data Protection Regulation.
The Finnish Office of the Data Protection Ombudsman is enacted to be the highest authority overseeing data protection laws in the Data Protection Act. This includes the right to impose an administrative fine on breach of data protection laws described in the GDPR Article 83. The Office of the Data Protection Ombudsman has the right to impose an administrative fine to a data controller or data processor up to 20 000 000 euros or four per cent of the annual global revenue of the preceding financial year (applies only to enterprises), whichever of these is greater.
Data Protection Ombudsman Anu Talus or other officials in the Office of the Data Protection Ombudsman has the right to carry out inspection visits while carrying out their job, and to ask data controller to present a record on processing activities pursuant to Article 30 of the GDPR.
Act on the Protection of Privacy in Working Life. The act covers key labor privacy issues by creating procedures for working life needs.
The translation of the name of the law is outdated in this case, Information Society Code. The law regulates the confidentiality of electronic communications, direct marketing and privacy.
Act on Openness of Government Activities determines, for example, which personal data can be released from the Authority and to whom.
Act on Information Management in Public Administration regulates and determines from 1.1.2020, for example, common data security requirements for the use of information systems throughout Finnish Public Administration. Risk management requirements are tightened, change management is required to document, log requirements for certain systems enter into force and transition to electronic case management and archiving is enshrined in the Act.
Act on the Provision of Digital Services (doesn’t have an English translation). The Act implements the EU Accessibility Directive in Finland. The Act on the Provision of Digital Services, which entered into force in Finland on 1 April 2019, obliges that, for example, all websites of public sector bodies in Finland and mobile apps to be accessible for blind people and other people who need accessibility.