This Privacy Notice is based on the EU's General Data Protection Regulation (2016/679, “GDPR”), namely the obligation to inform the data subjects (GDPR Articles 12–14), the data controller's obligation to maintain a record of processing activities under its responsibility (GDPR Article 30), as well as the obligations set out in the Finnish Data Protection Act (1050/2018) supplementing the GDPR.
Additionally, this Privacy Notice has been prepared with the aim of making it accessible in accordance with the requirements of the EU's Web Accessibility Directive (Directive (EU) 2016/2102 of the European Parliament and of the Council on the accessibility of the websites and mobile applications of public sector bodies) and the Finnish Act on the Provision of Digital Services (306/2019) supplementing it.
The purpose of processing personal data in Metropolia's recruiting and human resources management register is to fulfil the employer’s statutory obligations, to carry out human resources management and the recruitment of employees, and to implement trainee/on-the-job learning programs.
The purpose of processing personal data in occupational health services is to manage, monitor, and provide support for employees' work ability through cooperation between the workplace and the occupational health service provider. The purpose is also to promote work ability, provide counseling and guidance, and monitor the employee's health as part of the statutory occupational health service, as well as to support work performance, provide rehabilitation counseling, and refer employees to rehabilitation.
Metropolia University of Applied Sciences' occupational health services are maintained and provided by Terveystalo Oy. Terveystalo Oy is an independent data controller for the processing of personal data related to occupational health services in order to carry out its tasks.
Processing based on public interest, the exercise of official authority, or legal obligation:
- Human resources management
- Occupational health services
- Recruitment (partially)
- Work-based learning traineeship
The legal obligation or exercise of official authority is based on, among others, the following laws and regulations:
- Occupational Health Care Act (1283/2001)
- EU General Data Protection Regulation (2016/679)
- Data Protection Act (1050/2018)
- Act on the Protection of Privacy in Working Life (759/2004)
Processing based on consent:
- Recruitment (partially)
- Surveys
The data subjects in Metropolia's recruiting and human resources management register include Metropolia staff and individuals applying through Metropolia's recruitment processes.
The following personal data is stored in Metropolia's human resources register:
Human Resources:
- Name
- Contact information
- Personal identification number
- Gender
- Educational background and professional skills
- Mother tongue
- Salary or compensation-related information
- Employment details
Recruitment:
- Name
- Contact information
- Personal identification number
- Educational background and professional skills
- Mother tongue and other language skills
- CV and job application
Occupational Health Care:
- Name
- Contact information
- Personal identification number
- Employment and organizational details
- Absence records
- Information about accidents
- Start and end dates of possible rehabilitation support decisions
- Other key events related to the handling of the case
Surveys:
- Area of expertise/unit
- Whether teaching is directed towards degree-awarding education (bachelor's/master's) or other types of education
- Respondent's role in the student's competence recognition process
Work-based learning period in Helpdesk phone support:
- Name
- Contact details
- Social security number
- Information on work performance
- Notes made to assess the study performance
- Work certificates
- Attendance records
- Information on the work-based learning period
Personal data is primarily obtained from the data subject themselves. Additionally, the data controller collects personal data generated during employment or contractual relationships based on applicable laws, including the Employment Contracts Act, the Act on Cooperation within Undertakings, the Occupational Safety and Health Act, the Occupational Health Care Act, and collective agreements. Public databases or the trainee’s own university may also serve as regular sources of personal data.
In matters related to occupational health, personal data may be obtained, as permitted by applicable law, from financial and payroll management, human resources, occupational health services, and employment pension insurance companies.
The following recipient groups receive personal data from Metropolia's recruiting and human resources register:
- Finnish Tax Administration
- Pension institutions
- Insurance companies
- Occupational health and well-being services
- Occupational safety authorities
- Municipal physician responsible for communicable diseases or the physician responsible for communicable diseases in the hospital district
- Statistics Finland
- Trade unions
- Social Insurance Institution of Finland (KELA)
- Employment and Economic Development Center (TE Office)
- Organizations arranging staff training
- Mobility project funders (European Commission or Finnish National Agency for Education) and the Erasmus+ National Agency (Finnish National Agency for Education)
- Universities or other organizations hosting educational or staff visits
- Finnish Institute of Occupational Health
- Ministry of Education and Culture
- Banks and other payroll/payment service providers
The HR department discloses personal data only to entities with a statutory right to access the information for purposes defined by law, where the disclosure is necessary for managing employment-related matters or employer operations, or where the individual has given their consent for the disclosure.
The personal data in the register is processed in various information systems and software. Access to the personal data in the register may be granted as necessary, for instance, through a technical interface for maintenance tasks or error correction. External system providers and service providers responsible for these tools may be considered recipients of personal data and regular recipients of disclosures.
Personal data in Metropolia's occupational health records may be disclosed to authorities with a statutory right to access the information, such as the Ministry of Social Affairs and Health and its designated expert agencies (National Institute for Health and Welfare, THL), under Section 20 of the Occupational Health Care Act.
Personal data contained in Metropolia's recruiting and human resources register is not, as a rule, transferred outside the EU or EEA or to international organizations.
However, personal data may be transferred outside the EU or EEA when necessary for implementing IT services essential for work or studies, based on a case-by-case assessment. The primary destination country for such transfers is the United States. It is also possible that countries like India, which is often used as the operational base for global ICT service providers' helpdesk or IT support functions, may serve as the destination for data transfers.
International transfers of personal data from this register to the United States and/or other non-EU/EEA countries are safeguarded under Chapter V of the EU General Data Protection Regulation (GDPR) using the protection measures specified in Article 46. This may include reliance on adequacy decisions or, in the absence of such decisions, the use of Standard Contractual Clauses (SCCs). SCCs are included in the data processing agreements or other contracts made with ICT service providers.
Only essential data is transferred, and all transfers are conducted in compliance with data protection laws and their limitations. The security and privacy of the transfer are always agreed upon separately.
The retention periods for personal data are based on applicable laws and vary depending on the nature and purpose of the data. Retention periods are determined by legislation such as the Act on the Protection of Privacy in Working Life (759/2004), the Occupational Safety and Health Act (738/2002), the Ministry of Social Affairs and Health’s Decree on Patient Documents (298/2009), and the decision of the National Archives regarding retention times for universities of applied sciences (AL/20757/07.01.01.03.02/2016). Some data is deleted when it is no longer needed and there is no legal obligation to retain it for a specified period.
Examples of retention periods include:
- Participants in recruitment processes: Data is retained for two years.
- Health records and other personal data in the occupational health register: These are retained as long as necessary for purposes based on legal processing. The need for retention is reviewed every five years.
- Health records managed by the occupational health partner Terveystalo: These are retained for 12 years after death, or, if the date of death is unknown, for 120 years from birth.
- Work-based learning in the Helpdesk phone service: Six months