Privacy notice: Personal data register of entrance examination for Bachelor´s degree programmes in International Business and Logistics and European Business Administration

Personal data register of entrance examination for Bachelor´s degree programmes in International Business and Logistics and European Business Administration

Purpose of the processing of personal data:

The purpose of the personal data register of the entrance examination for Bachelor´s degree programmes in International Business and Logistics and European Business Administration of Metropolia University of Applied Sciences and the personal data it contains is to carry out selection of students for Bachelor´s degree programmes in International Business and Logistics and European Business Administration.

Legal basis for the processing of personal data:

The processing of the personal data contained in the personal data register of the entrance examination for Bachelor´s degree programmes in International Business and Logistics and European Business Administration of Metropolia University of Applied Sciences is based on:

• legal obligation to which the controllers are subject, in accordance with Universities of Applied Sciences Act (932/2014) and Act on the National Registers of Education Records, Qualifications and Degrees (884/2017).
• In addition, processing of the personal data is based on given explicit consent obtained from the data subject when the processing concerns special categories of the personal data such as biometric data (e.g. video material and voice in which persons are identifiable). These personal data are under the special protection in Article 9 of the EU’s General Data Protection Regulation.

The legal basis for the processing of personal data contained in the personal data register is not “legitimate interests”. Therefore, this section does not apply to register of the entrance examination for Bachelor´s degree programmes in International Business and Logistics and European Business Administration of Metropolia University of Applied Sciences.

The data subjects in the personal data register of the entrance examination for Bachelor´s degree programmes in International Business and Logistics and European Business Administration of Metropolia University of Applied Sciences are applicants participating in the entrance examination (e.g. students of Metropolia, employees of Metropolia).

The following personal data are stored in the entrance examination for Bachelor´s degree programmes in International Business and Logistics and European Business Administration of Metropolia University of Applied Sciences:

For each data category the register contains the following personal data:

1. DATA CONSERNING THE ENTRANCE EXAMINATION (APPLICANT’S BACKGROUND INFORMATION)

The application data is processed in the Studyinfo -service (Opintopolku.fi-palvelu), technically maintained by Finnish National Agency for Education's, before the entrance examination, during the entrance examination and after results of the examination have been confirmed. The following application data (background information) is collected:

• Basic data of the applicant: first names, nick name, last name, learned ID, identity number, email address and telephone number
• application identifier
• Information concerning date of the entrance examination

2. DATA CONCERNING IDENTIFICATION OF THE APPLICANT

• The applicant prepares to present his/her identification card during all steps of the application process (oral and visual interview on the web conferencing tool Zoom or Teams or by telephone).
• A passport, an identity card (Finnish or another EU country) or a Finnish driving license are acceptable proofs of the card holder’s identity. No other certificates will be accepted.

3. APPLICANT’S ANSWERS

• Preliminary assignments prior to the entrance examination will be returned via Moodle, email or E-form, depending on the Bachelor’s degree programme.
• Exam answers given in the entrance examination by E-form (are stored only on the server of Metropolia University of Applied Sciences).
• Logging data related to the entrance examination answers: the exact time the answer was saved (are stored only on the server of Metropolia University of Applied Sciences).
• Video interview (oral and visual interview on the web conferencing tool Zoom or Teams or by a telephone).The videos are recorded and stored in Metropolia network drive with access limited to staff members involved in the entrance examination / student selection process.

4. APPLICANT’S ENTRANCE EXAMINATION SCORE

The data processed at the end of the entrance examination and the data transmitted from Metropolia University of Applied Sciences to My -Studyinfo service (Opintopolku.fi-palvelu),is technically maintained by Finnish National Agency for Education:

• Applicant’s entrance examination score

Metropolia University of Applied Sciences stores the scores obtained from the data subjects (applicants) and these section-specific scores of the applicants’ entrance examination are transmitted to Studyinfo -service (Opintopolku.fi-palvelu).

The personal data is obtained from the Studyinfo -service (Opintopolku.fi-palvelu) regarding to participation in the entrance examination.

Applicants’ answers to the entrance examination are obtained from the data subjects themselves during the entrance examination.

Metropolia University of Applied Sciences stores the scores obtained from the data subjects (applicants).

Access to the personal data contained in the personal data register of the entrance examination for Bachelors´s degree in international Business and Logistics and European Business Administration of Metropolia will be given, where necessary, in the systems listed below. (For the purpose of repairing a technical fault, for example, access will be given with administrator rights to the system provider or to the maintenance personnel of a measurement device.) All system/equipment/software providers used (the companies behind them) can be deemed to be recipients of personal data and recipients of regular disclosures from the register.

With respect to the systems used by the register of the entrance examination for Bachelors´s degree in international Business and Logistics and European Business Administration of Metropolia, personal data processing agreements in accordance with Article 28 of the GDPR will be concluded by the xx unit/department with the following cooperation partners:

Eduix Oy and E-form software

E-form is used for collecting entrance examination assignments.

Funet Miitti / NORDUnet, service provider CSC Oy and Zoom web conferencing tool

Zoom is a web conferencing tool (Funet Miitti / NORDUnet, service provider CSC Oy). Zoom web conferencing tool is used to identify applicants and / or conduct group discussions or interview assignments. The Center for Science Information Technology - IT Center for Science - CSC's Funet Miitti (Zoom) service is used at Universities of Applied Sciences. The service has been implemented jointly in co-operation with NORDUnet and is therefore not part of the publicly available Zoom service. In addition, the Zoom service provided by NORDUnet operates entirely in the EU, in server environments reserved for NORDUnet's own use. These servers are located in Denmark and Sweden. The services have also been agreed with NORDUnet and Zoom, taking into account the requirements of European data protection regulations (GDPR).

Microsoft Corporation (part of the O365-package) Microsoft Teams web conferencing tool

Microsoft Teams web conferencing tool is used when an applicant prepares to present his or her ID in all parts of the entrance examination or in connection with an interview.

Doodle Ltd. and Doodle

Doodle is web conferencing tool is used when an applicant prepares to present his or her ID in all parts of the entrance examination or in connection with an interview.

Telephone

During a telephone interview, notes made from audio and video material can be collected. In addition, applicants for certain entrance examinations must be prepared for the exam that the supervisor of the examination is allowed to contact the applicant during the entrance examination with the telephone number provided by the applicant on the application via the Studyinfo -service (Opintopolku.fi-palvelu).

Email system

Instructions about the entrance examination process (for example, invitations to interviews, if the data subject has given his/her express consent for this processing activity) are sent by email through Outlook Exchange email system or with a security mail solution procured by Metropolia. Although Metropolia has procured the email system as part of the Microsoft O365 service package, the system is operated on Metropolia’s own server.

Deltagon Group Oy and security mail (Deltagon’s sec@gw -security mail solution)

Deltagon's sec@gw security e-mail solution can be used to forward sensitive personal data and confidential documents to e-mail addresses outside Metropolia (when e-mail is sent to a non-“@ metropolia.fi” e-mail address, or back to Metropolia).

Finnish National Agency for Education and Studyinfo -service (Opintopolku.fi-palvelu)

Studyinfo -service (Opintopolku.fi-palvelu) maintained by the Finnish National Agency for Education, the preliminary assignments (pre-assignments) made via the E-form will be returned to StudyInfo -service (Opintopolku.fi-palvelu). Preliminary assignments are used in certain degree programmes.

In addition, the preliminary materials for group interviews of certain degree programmes are available on Studyinfo -service (Opintopolku.fi-palvelu). Metropolia University of Applied Sciences can be interpreted as the recipient of Studyinfo -service (Opintopolku.fi service) maintained by the Finnish National Agency for Education. The transfer is regulated by a transfer agreement (information service agreement) drawn up between Metropolia University of Applied Sciences and the Finnish National Agency for Education.

As a general rule, personal data contained in the personal data register of the xx activities / project of Metropolia will not be transferred outside the EU or EEA or to international organisations.

However, personal data contained in the personal data register may be transferred outside the EU or the EEA in order to provide IT services necessary for work or study, on a case-by-case basis. The destination country to which the personal data is transferred then, is mainly the United States. It is also possible that India is the destination country as global ICT service providers use often India as a host country for the international helpdesk service / ICT technical user support. International transfers of personal data from the Metropolia University of Applied Sciences' personal register to the United States and / or elsewhere outside the EU / EEA are primarily secured then by the safeguard provided for in Article 46 of Chapter V of the EU General Data Protection Regulation (GDPR), standard contractual clauses. The SCC (Standard Contractual Clauses) clauses will be included as part of the personal data processing agreement to be drawn up with the ICT service provider. Only the necessary data will be transferred and the transfer will be made in accordance with and within the limits set by data protection law. The security and data protection of the transfer are always agreed separately.

(-> If you use IT systems, softwares etc. provided by IT service provider registered in United States /outside the EU/EAA, it might be possible that the IT service provider uses servers for the data storage located in United States /outside the EU/EEA -> This might mean that personal data will be transferred to United States/ outside the EU/EEA as the storing of personal data is considered as processing of personal data according to the GDPR, and as storing personal data into the data storage servers located outside the EU/EEA, is considered as transferring personal data outside the EU/EEA according to the GDPR).

If that is the case, you need to specify to which third countries outside the EU or EEA you are transferring personal data (list of countries/mapping of countries).

When mapping transfers, do not forget to also take into account onward transfers, for instance whether your processors outside the EEA transfer the personal data you entrusted to them to a sub-processor in another third country or in the same third country. In other words, you must know where the personal data you exported may be located or processed by the importers (map of destinations).

Keep in mind that remote access from a third country (for example in support situations) and/or storage in a cloud situated outside the EEA, is also considered to be a transfer. More specifically, if you are using an international cloud infrastructure you must assess if your data will be transferred to third countries and where, unless the cloud provider clearly states in its contract that the data will not be processed at all in third countries.

As a next step, you must identify the transfer tools (safeguards) you are relying on amongst those described in the Chapter V of the GDPR (Articles 45 - 49).

Article 46 of the Chapter V of the GDPR lists standard contractual clauses (SCCs) as a transfer tool containing “appropriate safeguards” for the data transfer.

Whatever GDPR transfer tool you choose, you must ensure that, overall, the transferred personal data will have the benefit of an essentially equivalent level of protection. “An essentially equivalent level of protection” means that the transferred personal data is afforded a level of protection in the third country that is essentially equivalent to that are guaranteed in the EEA where strict data protection legislation prevails.

It might be useful to contact Data Protection Officer of Metropolia UAS (dpo [at] metropolia.fi (dpo[at]metropolia[dot]fi); tietosuojavastaava [at] metropolia.fi (tietosuojavastaava[at]metropolia[dot]fi)) in a case considering international personal data transfers outside the EU or EEA.

The personal data collected for and processed within the personal data register of entrance examination for Bachelors´s degree in international Business and Logistics and European Business Administration of Metropolia are, as a general rule, stored in the register for a year from the date of the student selection decision.

The personal data in the register of applicants for higher education institutions is kept for five years, starting from the decision of student admission. Data concerning the right to study and National learner ID is kept forever. (Act on the National Registers of Education Records, Qualifications and Degrees 884/2017).

The following regulations have been also observed when determining the retention times:

• EU General Data Protection Regulation (“GDPR”, 2016/679)
• Data Protection Act (1050/2018)
• Universities of Applied Sciences Act (932/2014)
• Decision of the National Archives of Finland on retention times – order given to universities of applied sciences concerning the permanent storage of data in electronic format (AL/20757/07.01.01.03.02/2016)

If the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw their consent for processing at any time without the withdrawal of consent affecting the lawfulness of processing based on consent before its withdrawal.

The withdrawal of consent for the processing of personal data collected by Metropolia (withdrawal request) can be submitted to one of the three above-mentioned offices of Metropolia’s Student and Admission Services (or in the case of a member of staff, to the Human Resources Management unit), where the data subject must prove their identity when submitting the request.

Information on whether the provision of personal data for processing in the personal data register of entrance examination for Bachelors´s degree in international Business and Logistics and European Business Administration of Metropolia University of Applied Sciences is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data. An account has been given for each register regarding how the personal data was obtained.The personal data has been obtained from the data subjects themselves regarding the application to higher education and participation in the entrance examination.

The personal data has also been obtained from Studyinfo -service (Opintopolku.fi-palvelu), maintained by the Finnish National Agency for Education, regarding the application to higher education and participation in the entrance examination.

Applying to the University of Applied Sciences as a student is arranged in such a way that when the applicant starts to fill in personal data of herself/himself through the Studyinfo -service (Opintopolku.fi-palvelu), the applicant will be informed in this connection that the personal data will be processed by the Finnish National Agency for Education and Metropolia University of Applied Sciences.

The personal data register of entrance examination for Bachelors´s degree in international Business and Logistics and European Business Administration of Metropolia University of Applied Sciences and the data contained in it will not be used in automated decision-making or profiling.

Person responsible for the content of the register:

Name: Suvi Moll
Position: Head of degree programme in International Business and Logistics and European Business Administration
Address: Metropolia Ammattikorkeakoulu Oy, PO Box 4000, FI-00079 METROPOLIA
E-mail: suvi.moll [at] metropolia.fi (suvi[dot]moll[at]metropolia[dot]fi)

Contact details of the contact person for the register:

Name: Suvi Moll
Position: Head of degree programme in International Business and Logistics and European Business Administration
Address: Metropolia Ammattikorkeakoulu Oy, PO Box 4000, FI-00079 METROPOLIA
E-mail: suvi.moll [at] metropolia.fi (suvi[dot]moll[at]metropolia[dot]fi)

Contact details in questions concerning the purpose of the register:

suvi.moll [at] metropolia.fi (suvi[dot]moll[at]metropolia[dot]fi)