This Privacy Notice is based on the EU's General Data Protection Regulation (2016/679, “GDPR”), namely the obligation to inform the data subjects (GDPR Articles 12–14), the data controller's obligation to maintain a record of processing activities under its responsibility (GDPR Article 30), as well as the obligations set out in the Finnish Data Protection Act (1050/2018) supplementing the GDPR.
Additionally, this Privacy Notice has been prepared with the aim of making it accessible in accordance with the requirements of the EU's Web Accessibility Directive (Directive (EU) 2016/2102 of the European Parliament and of the Council on the accessibility of the websites and mobile applications of public sector bodies) and the Finnish Act on the Provision of Digital Services (306/2019) supplementing it.
The purpose of processing personal data in Metropolia University of Applied Sciences' student register is to implement and test the student admissions process at Metropolia, offer preparatory education for higher education, and conduct research and surveys related to entrance exams.
Processing based on consent
- Electronic supervision of entrance exams and preparatory education
- Research and surveys (partially)
Processing based on public interest, exercise of public authority, or legal obligation
- Joint application process and entrance exams
- Electronic suitability tests
- Preparatory studies for immigrants
- Research and surveys (partially)
The legal obligation is based on the following laws and regulations:
Universities of Applied Sciences Act (932/2014)
Act on Information Management in Public Administration (906/2019)
Act on National Study and Degree Registers (884/2017)
Government Decree on Joint Application to Higher Education Institutions (293/2014)
Government Decree on the Admission Procedure for Post-Secondary Education (294/2014)
Act on the Openness of Government Activities (621/1999)
EU General Data Protection Regulation (GDPR, 2016/679)
Data Protection Act (1050/2018)
The data subjects in Metropolia's student admissions register include applicants participating in entrance exams and their testing, applicants for preparatory studies for immigrants, individuals evaluating student academic records, applicants participating in electronic suitability tests, and respondents to research and surveys.
Types of personal data that may be collected:
Joint application process and entrance exams
Name
Contact details
Social security number and ID
Learner number
Application identifier
Details of entrance exams and pre-assignment tasks
Preparatory studies for immigrants
Name
Contact details
Social security number and alien identity code
Learner number
Nationality
Date of birth
Gender
Prior education
Language skills
Moodle username information
Application details
Permit information
Entrance exam details
Study performance details
Electronic suitability tests
Name
Contact details
Social security number
Learner number
Application identifier
Details of suitability tests
Research and surveys
Name
Contact details
Student ID
Date of birth
Gender
Language skills
Education details
School details
Personal data is primarily obtained directly from the data subject. Additionally, regular sources of data include:
- CSC - IT Center for Science Ltd.
- The national Studyinfo.fi service maintained by the Finnish National Agency for Education
- VIRTA - Finnish National Data Warehouse for Higher Education
The data controller transfers or discloses personal data for processing to the Finnish National Agency for Education and the Studyinfo.fi service.
The data is processed in various information systems and software, and access to personal data may be granted as necessary through technical interfaces for maintenance or error correction. External system providers and service providers operating these tools are considered recipients of personal data and regular recipients of disclosures.
The data controller transfers or discloses personal data for processing to the Finnish National Agency for Education and the Studyinfo.fi service.
The data is processed in various information systems and software, and access to personal data may be granted as necessary through technical interfaces for maintenance or error correction. External system providers and service providers operating these tools are considered recipients of personal data and regular recipients of disclosures.
The retention periods for personal data are based on law and vary depending on the nature and purpose of the data. Retention periods are determined by the Act on National Study and Degree Registers (884/2017), the Universities of Applied Sciences Act (932/2014), the Archives Act (831/1994), and the National Archives' decision on retention periods for universities of applied sciences (AL/20757/07.01.01.03.02/2016). Some data is deleted when no longer needed, and there is no legal obligation to retain it. Retention periods are calculated from the date the personal data was collected or from when the individual stopped using the service.
Examples of retentionpPeriods
Entrance exam and suitability test data: 1 year
Data in higher education applicant registers: 5 years
Applicant data for preparatory studies for immigrants: 5 years
Data related to accepting a place of study, learner numbers, enrollment records, degrees, and study performance, as well as other data stored in student and academic administration systems: Permanently
Research and survey data: For the duration of the research.