This Privacy Notice is based on the EU's General Data Protection Regulation (2016/679, “GDPR”), namely the obligation to inform the data subjects (GDPR Articles 12–14), the data controller's obligation to maintain a record of processing activities under its responsibility (GDPR Article 30), as well as the obligations set out in the Finnish Data Protection Act (1050/2018) supplementing the GDPR.
Additionally, this Privacy Notice has been prepared with the aim of making it accessible in accordance with the requirements of the EU's Web Accessibility Directive (Directive (EU) 2016/2102 of the European Parliament and of the Council on the accessibility of the websites and mobile applications of public sector bodies) and the Finnish Act on the Provision of Digital Services (306/2019) supplementing it.
The purpose of processing personal data in Metropolia University of Applied Sciences’ information systems and tools register includes providing high-quality tools and services for students, staff, and stakeholders, conducting internal audits, reporting, and communication, implementing IT services, assisting Metropolia’s end-users with queries related to IT systems, software, tools, or IT services, and managing service requests submitted by students and staff concerning IT, facilities, security, and library and information services.
Processing based on consent
- Secure email (Turvaposti)
- Use of the service request system (partially)
Processing based on public interest, exercise of public authority, or legal obligation
- Use of the service request system (partially)
- IT management tasks
- Use of IT services
- Use of library services (partially)
The legal obligation is based on the following laws and regulations:
- Universities of Applied Sciences Act (932/2014)
- Act on Information Management in Public Administration (906/2019)
Processing based on contract
- Use of library services (partially)
The data subjects in Metropolia’s information systems and tools register include Metropolia staff and students, the student union, and all other individuals who hold a Metropolia user account, as well as users of library and information services and associated systems (e.g., administrators, users).
Types of personal data that may be collected:
Library and information services
- Name
- Contact details
- Date of birth
- Customer group
- Degree information (for students)
IT management and IT services
- Name
- Contact details
- Social security number
- Username and user role
- Employment information
- Organizational information
- Feedback
Requeste service system
- Name
- Contact details
- Social security number
- User information
- Employment information
- Organizational information
- Language preferences
- Study and degree information (for students)
- Service request details (e.g., workstation information, location, and IP address)
- Feedback
Secure email (Turvaposti)
- Name
- Contact details
- User information
- Social security number
- IP address
- Location information
- Log data
Internal audits
- Name
- Contact details
- Organizational information
Personal data is primarily obtained from the data subject. Additionally, data is collected from other Metropolia registers, LDAP directories, and other user data management directories.
Service requests are routed within the system to recipients based on the service address used to make contact. Only individuals whose job duties require the use of the register have access to service requests. Each service address has its own group of handlers within the system, who process service requests in their respective queues.
Personal data on this register is processed in various information systems and software. Access to personal data may be granted as necessary, e.g., through technical interfaces during maintenance or troubleshooting tasks. External system providers and service providers managing these tools are considered recipients of personal data and regular recipients of disclosures.
Personal data contained in this register is not, as a rule, transferred outside the EU or EEA or to international organizations.
However, personal data may be transferred outside the EU or EEA when necessary for implementing IT services essential for work or studies, based on a case-by-case assessment. The primary destination country for such transfers is the United States. It is also possible that countries like India, which is often used as the operational base for global ICT service providers' helpdesk or IT support functions, may serve as the destination for data transfers.
International transfers of personal data from this register to the United States and/or other non-EU/EEA countries are safeguarded under Chapter V of the EU General Data Protection Regulation (GDPR) using the protection measures specified in Article 46. This may include reliance on adequacy decisions or, in the absence of such decisions, the use of Standard Contractual Clauses (SCCs). SCCs are included in the data processing agreements or other contracts made with ICT service providers.
Only essential data is transferred, and all transfers are conducted in compliance with data protection laws and their limitations. The security and privacy of the transfer are always agreed upon separately.
The retention period for personal data is based on law and varies depending on the nature and purpose of the data. Personal data is retained only as long as necessary for the purpose of processing, as determined by applicable laws, regulations, or contractual obligations. The necessity of retention is regularly assessed.
Retention periods are based on the GDPR (2016/679), the Data Protection Act (1050/2018), the Universities of Applied Sciences Act (932/2014), the Archives Act (831/1994), and the National Archives’ decision on retention periods for universities of applied sciences (AL/20757/07.01.01.03.02/2016). Retention periods are calculated from the date the personal data was collected or when the individual ceases using the service.
Examples of Retention Periods:
- Library operational plans and reports: Permanently
- Requeste service request matters: From one year to several years, depending on the nature and content of the service request
- Self-assessment survey data: For the duration of self-assessment processing