This Privacy Notice is based on the EU's General Data Protection Regulation (2016/679, “GDPR”), namely the obligation to inform the data subjects (GDPR Articles 12–14), the data controller's obligation to maintain a record of processing activities under its responsibility (GDPR Article 30), as well as the obligations set out in the Finnish Data Protection Act (1050/2018) supplementing the GDPR.
Additionally, this Privacy Notice has been prepared with the aim of making it accessible in accordance with the requirements of the EU's Web Accessibility Directive (Directive (EU) 2016/2102 of the European Parliament and of the Council on the accessibility of the websites and mobile applications of public sector bodies) and the Finnish Act on the Provision of Digital Services (306/2019) supplementing it.
The purpose of processing personal data in Metropolia’s case management register is to support the execution of tasks related to legal and administrative services, financial management, and procurement services.
Legal and administrative services’ tasks include, but are not limited to, data protection officer duties, whistleblower reports, management, processing, storing and archiving of various documents, records, and contracts. Financial management’s responsibilities include, but are not limited to, processing and paying invoices and grants and billing for products and services.
Procurement services process personal data in connection with handling bids submitted for procurement notices and requests for proposals, managing procurement-related competitive tendering processes at Metropolia University of Applied Sciences and ensuring the transparency of procurement documents, access rights for stakeholders, and facilitating appeals processes.
Processing based on public interest or legal obligation
- Long-term and permanent retention
- Legal and archiving services (partially)
- Public procurement
- Financial management tasks
The legal obligation or the practice of public authority is based on the following laws and regulations, among others:
- Universities of Applied Sciences Act (932/2014)
- EU General Data Protection Regulation (2016/679)
- Act on Information Management in Public Administration (906/2019)
- Act on the Openness of Government Activities (621/1999)
- Archives Act (831/1994)
- Decision by the National Archives regarding permanent electronic retention for universities of applied sciences (AL/20757/07.01.01.03.02/2016)
Processing based on contract
- Execution of contracts in which the data subject is a party
- Implementation of pre-contractual measures at the request of the data subject
Processing based on consent
- Legal and archiving services (partially)
Data subjects in Metropolia’s case management register include Metropolia students, staff/employees, Metropolia alumni, customers, and other stakeholders (for example, contact persons of external partners and other organizations), as well as other external individuals in contact with legal and administrative services. For public procurement, data subjects include suppliers (natural persons) or natural persons acting on behalf of legal entities (contact persons) who participate as candidates or bidders in procurement procedures, as well as suppliers selected during competitive tendering (natural persons or natural persons acting on behalf of legal entities).
Types of personal data that may be collected:
Legal and archiving services
- Name
- Contact details
- Date of birth or social security number
- Organization and employment details, or educational details
Financial management
- Name
- Contact details
- Social security number or date of birth
- Gender
- Organization and employment details
- Billing and payment details
- Information about employee purchases, acquisitions, and travel reservations
- Network identifier
Procurement
- Name
- Contact details
- Organization details
- Professional qualification details
- Licenses and consents
- Information on winning bids
Archiving and contract management
- Name
- Contact details
- Social security number
- Student number
Long-term and permanent retention
- Name
- Contact details
- Social security number
- Organization details
- Professional qualification details
- Recruitment and employment details
- Student number
- Study and admissions data
- Membership in bodies, boards, committees, advisory boards, or leadership teams
- Feedback
- Participation in international cooperation
- Salary and remuneration details
- Relationship management (representation, visits, events, etc.)
- Photos and video recordings
The personal data has been obtained from the data subject themselves, public databases, authorities, as well as various stakeholders and associated organizations.
The data in this register is processed in various information systems and software, and access to the personal data contained in the register is granted as necessary, for example, through a technical interface during maintenance tasks or error correction. The external system providers and service providers behind these tools are considered recipients of personal data and regular recipients of disclosures.
Personal data contained in Metropolia's case management register is not, as a rule, transferred outside the EU or EEA or to international organizations.
However, personal data may be transferred outside the EU or EEA when necessary for implementing IT services essential for work or studies, based on a case-by-case assessment. The primary destination country for such transfers is the United States. It is also possible that countries like India, which is often used as the operational base for global ICT service providers' helpdesk or IT support functions, may serve as the destination for data transfers.
International transfers of personal data from this register to the United States and/or other non-EU/EEA countries are safeguarded under Chapter V of the EU General Data Protection Regulation (GDPR) using the protection measures specified in Article 46. This may include reliance on adequacy decisions or, in the absence of such decisions, the use of Standard Contractual Clauses (SCCs). SCCs are included in the data processing agreements or other contracts made with ICT service providers.
Only essential data is transferred, and all transfers are conducted in compliance with data protection laws and their limitations. The security and privacy of the transfer are always agreed upon separately.
Metropolia University of Applied Sciences’ ICT service provider is not permitted to transfer or disclose personal data outside the EU/EEA or process data outside the EU/EEA without the prior explicit written consent of the data controller.
If such a transfer is approved by the data controller, it must be preceded by a documented Transfer Impact Assessment (TIA). In cases where the data controller has approved the transfer, the agreement regarding the data transfer must include the EU Commission’s approved Standard Contractual Clauses (SCCs). Additionally, the data controller must assess and monitor the level of data protection in the destination country. Transfers may also be carried out using other procedures explicitly approved in writing by the data controller.
Personal data contained in the register may also be transferred outside the EU/EEA in connection with and to facilitate international mobility, travel, and collaboration, as well as in cases where personnel participate in international activities.
The retention period for personal data is based on law and varies depending on the nature and purpose of the data. Retention periods are determined by, among others, the Act on Information Management in Public Administration (906/2019), the Data Protection Act (1050/2018), the Universities of Applied Sciences Act (932/2014), the Archives Act (831/1994), and the National Archives’ decision on retention periods for universities of applied sciences (AL/20757/07.01.01.03.02/2016). Some data is deleted when it is no longer needed and there is no legal obligation to retain it for a specified period. Retention periods are calculated either from the date the personal data was collected or from the date the individual ceases to use the service.
Examples of Retention Periods:
- Purchase ledgers, sales ledgers, receipts, and payment lists: Six years
- Contracts, minutes, presentations, annexes, statements, agendas, memos, bids collected in the procurement register, procurement proposals, procurement decisions, contracts and related personal data, financial statements, annual reports, balance sheets, accounting, account lists, and lists of accounting records and materials: 10 years
- Core documents, such as:
  - Diary entries
  - Key preparatory documents
  - Group guidelines for subsidiaries
  - Management systems, rules, strategies, programs, and annual reports
  - Documents related to foundation and fund management
  - Board meeting and decision-making documents
  - Quality management descriptions and manuals
  - Statistical data covering the entire university of applied sciences
  - Personnel guidance and planning documents
  - Cooperation meeting minutes with annexes
  - Payroll, compensations, and reimbursement documents
  - Budgets or similar documents
  - Key marketing brochures and press releases
  - Real estate registers, deeds, donations, and related contracts
  - Documents on property ownership and management, such as water, land, and forestry assets
  - Educational planning and guidance documents
  - Admission criteria and information on main, supplementary, and special applications
  - Appeals on study performance evaluations, thesis statements, and feedback
  - Student self-assessments and grade proposals
  - Data entered in student and study administration systems, such as student rights, registrations, degrees, and performance data
  - Data transferred to the VIRTA study information database
  - Business collaboration documents and consortium documents: Permanently
Regulations considered for retention periods:
- EU General Data Protection Regulation ("GDPR," 2016/679)
- Data Protection Act (1050/2018)
- Universities of Applied Sciences Act (932/2014)
- National Archives’ decision on retention periods for universities of applied sciences (AL/20757/07.01.01.03.02/2016)
- Act on the Protection of Privacy in Working Life (759/2004)