This Privacy Notice is based on the EU's General Data Protection Regulation (2016/679, “GDPR”), namely the obligation to inform the data subjects (GDPR Articles 12–14), the data controller's obligation to maintain a record of processing activities under its responsibility (GDPR Article 30), as well as the obligations set out in the Finnish Data Protection Act (1050/2018) supplementing the GDPR.
Additionally, this Privacy Notice has been prepared with the aim of making it accessible in accordance with the requirements of the EU's Web Accessibility Directive (Directive (EU) 2016/2102 of the European Parliament and of the Council on the accessibility of the websites and mobile applications of public sector bodies) and the Finnish Act on the Provision of Digital Services (306/2019) supplementing it.
The purpose of processing personal data in Metropolia University of Applied Sciences’ business premises services and campus properties register is to ensure the safety of individuals visiting Metropolia’s campus facilities, promote a comfortable study and work environment, protect property, prevent and investigate potential hazards, manage postal services, handle parking permits and electronic keys, and facilitate space rentals.
Additionally, the purpose is to support Metropolia’s collaboration with various partners, enhance activities that benefit higher education, promote working life and regional development, maintain visitor records, implement smart building services on campuses, collect information on property use for users, administrators, and owners of campus properties, and maintain and develop Metropolia’s campus environment.
Processing based on consent
- Visitor register
- Smart campus activities (Empathic Building services)
Processing based on public interest or legal obligation
- Security services
- Preparing contingency plans
- Collaboration with industries, businesses, and other educational institutions in Finland and abroad
The legal obligation or the exercise of public authority is based on the following laws and regulations:
- Universities of Applied Sciences Act (932/2014)
- EU General Data Protection Regulation (GDPR, 2016/679)
- Emergency Powers Act (1552/2011)
The data subjects in Metropolia’s business premises services and campus properties register include Metropolia’s staff, students, service providers, customers and visitors at Metropolia campuses, representatives of corporate partners and stakeholders, and external visitors to Metropolia as well as tenants renting facilities.
Types of personal data that may be collected
Facilities
- Name
- Contact details
- Organizational details
- ID document
- Parking permit details
- Key issuance details
- Device borrowing details
- Space rental details
- Incoming and outgoing mail event details
- Maintenance request details
- Business ID
Smart campus activities
- Name
- Contact details
- Identifying information
- Organizational details
- Social media details
- Consent information
Visitors
- Name
- Contact details
- Organizational details
- Purpose of visit
Security services
- Name
- Social security number or employee number
- Photo (staff)
- Employment or study rights information
- Organizational details
- Access badge details
- Access data
- Individual movements and images in video recordings
- Details of alarm events and security reports
Personal data is primarily obtained directly from the data subject. Additionally, regular sources of data include user management systems maintained by Metropolia’s IT administration, the Requeste service request system, the OMA intranet, Metropolia network drives (Z-drive), access control system reader devices, time tracking systems, digital recordings from surveillance cameras, burglar alarm systems and staff pre-notifications, if applicable.
Personal data in the register is processed in various information systems and software, with access granted as needed, e.g., through technical interfaces for maintenance or error correction tasks. External system providers and service providers managing these tools are considered recipients of personal data and regular recipients of disclosures.
Personal data contained in this register is not, as a rule, transferred outside the EU or EEA or to international organizations.
However, personal data may be transferred outside the EU or EEA when necessary for implementing IT services essential for work or studies, based on a case-by-case assessment. The primary destination country for such transfers is the United States. It is also possible that countries like India, which is often used as the operational base for global ICT service providers' helpdesk or IT support functions, may serve as the destination for data transfers.
International transfers of personal data from this register to the United States and/or other non-EU/EEA countries are safeguarded under Chapter V of the EU General Data Protection Regulation (GDPR) using the protection measures specified in Article 46. This may include reliance on adequacy decisions or, in the absence of such decisions, the use of Standard Contractual Clauses (SCCs). SCCs are included in the data processing agreements or other contracts made with ICT service providers.
Only essential data is transferred, and all transfers are conducted in compliance with data protection laws and their limitations. The security and privacy of the transfer are always agreed upon separately.
The retention periods for personal data are based on law and vary depending on the nature and purpose of the data. Personal data is retained only as long as necessary and in the scope required for the purpose of processing. Additionally, personal data may be retained based on legal, regulatory, or contractual obligations. The necessity of data retention is regularly evaluated.
The retention periods are determined by the GDPR (2016/679), Data Protection Act (1050/2018), Universities of Applied Sciences Act (932/2014), Act on the Protection of Privacy in Working Life (759/2004), the National Archives’ decision on retention periods for universities of applied sciences (AL/20757/07.01.01.03.02/2016), and Metropolia’s records management plan. Retention periods are calculated either from the date the personal data was collected or when the individual ceased using the service.
Examples of retention periods
- Facilities: 1 year
- Smart campus activities: 1 year
- Security services: 1 year
- Camera surveillance: 1 month