Metropolia's guidelines concerning coronavirus

Read about the impact of coronavirus on Metropolia's operations.

Data protection at Metropolia’s acquisitions, system development, new educational digital innovations and projects.

When in Metropolia, such new projects including personal data, projects requiring the processing of personal data, system development are planned or a new tool (which processes personal data) in education is going to be introduced, employees and students are supposed to act according to the following guide:

  1. Please take a look at the “Tunnista DPIA” (only in Finnish at the moment)-site on Metropolia’s Intranet and check out the instructions there on the consideration of data protection and security requirements in development activities, in digitalisation of education, acquisitions, system development and projects.
  2. Please also take a look at the PowerPoint presentation on DPIA (Data Protection Impact Assesment described in the GDPR article 35) made by the Data Protection Officer. The national DPIA list made by the Finnish Office of the Data Protection Ombudsman is taken into account in the said presentation. The DPIA list is a list of  on the types of processing operations which require an assessment described in the GDPR article 35.
  3. If you notice or suspect that you might be in a situation which requires a DPIA, such as a new project, system acquisition etc., please fill out the DPIA form and conduct, if necessary, pre-consultation of the data subjects. If you are not sure whether you should fill the DPIA form, please call the Metropolia’s Data Protection Officer Tuulia Aarnio, tel. +358 40 8440690 and/or send email to tuulia.aarnio [at]; dpo [at] and ask for help on the matter.
  4. Filled Electronic DPIA Form will be automatically forwarded to Metropolia’s DPO.
    • if you haven’t been able to answer all the questions on the form, DPO might ask you supplementary questions and will fill the form with the sender.
    • there are spots on the form which require a statement by the DPO and possible by the Information Administration representative and by the enterprise architecture.
  5. DPO draws up a suggestion to the senior management on whether or not the DPIA can be approved. Senior management will either approve or disapprove the DPIA.

The management of data protection at Metropolia

There is a Data Protection Organisation at Metropolia - in-house data protection task force, which is lead by

Metropolia’s Data Protection Officet Tuulia Aarnio
tel. +358 40 844 0690
tuulia.aarnio [at]
dpo [at]

Task force inspects, comments and makes suggestions for improvement on privacy documents and guidelines related to GDPR tentatively sketched by the DPO.

DPO acts as specialist on GDPR and other data protection laws reporting to the senior management on data protection issues. DPO cannot make decisions or formation of policy on data protection because they have a role of advisor. Ultimately, the organization has responsibility for these issues.

DPO is required to monitor evolving national and EU legislation, educate and guide in GDPR and data protection matters, draw up documents required by GDPR and help organization to comply with data protection laws.

More info

You can ask more info from:

Data Protection Officer, Tuulia Aarnio
tel. +358 40 844 0690
tuulia.aarnio [at]
dpo [at]

Legal counsel, Timo Hynynen
timo.hynynen [at]

The Finnish Data Protection Ombudsman Anu Talus and other official at The Office of the Data Protection Ombudsman guide activities of controllers operating in Finland and processing of personal data.

At the EU-level activities are guided by European Data Protection Board (EDPB) which consist of national Offices for Data Protection Ombudsman.

Data protection guidelines and templates

You can find Metropolia’s internal data protection guidelines and templates from Metropolia’s intranet’s GDPR and data protection site. Metropolia’s user account is needed in order to access the said site.