This privacy notice is based on the obligation to inform data subjects under the EU General Data Protection Regulation (2016/679, "GDPR") (GDPR Articles 12-14), on the controller's obligation under GDPR Article 30 to maintain a record of the processing activities under its responsibility, and on the obligations of the national Data Protection Act (1050/2018), which supplements the GDPR.
In addition, this privacy notice has been drafted with the aim of making it accessible, based on the requirements of the EU's so-called Accessibility Directive and the national Act on the Provision of Digital Services that supplements it (Directive (2016/2102) of the European Parliament and of the Council on the accessibility of the websites and mobile applications of public sector bodies; Act on the Provision of Digital Services (306/2019)).
The purpose of processing personal data in Metropolia's business operations communications and publishing register is to manage registrations for various events and training sessions, conduct communications, marketing, and information dissemination about Metropolia's activities and services, organize participatory workshops and other interactive activities, implement high-quality activities in sustainable development work, manage publishing and publication activities, fundraising, and maintain alumni relations (e.g., alumni events, mentoring, labor market activities, and fundraising).
Personal data may also be processed in a manner that is considered marketing when we contact people who have participated in events and training organised by Metropolia to offer further training or events that may be of interest to them, and when we contact potential partners based on their workstation.
Processing based on consent
- Sustainable development network activities
- Alumni activities (partially)
- Newsletters and marketing activities
- Publishing activities (partially)
- Participatory activities (partially)
Processing based on the controller's legitimate interest
- Alumni activities (partially)
- Fundraising and donation activities (partially)
- Direct marketing and other customer communications and information
- Sales of Metropolia's educational services
Processing based on public interest, exercise of public authority, or legal obligation
- Fundraising and donation activities (partially)
- Participatory activities (partially)
- Educational activities conducted by Metropolia
The legal obligation is based on the following laws or regulations:
- Universities of Applied Sciences Act (932/2014)
- Act on National Study and Degree Registers (884/2017)
Processing based on contract
- Activities related to customer relationships and partnerships
- Podcast activities (partially)
- Educational activities conducted by Metropolia
The data subjects in Metropolia's communications and publishing register include Metropolia staff and students, stakeholders using Metropolia's communication services, subscribers to Metropolia newsletters, individuals participating in the creation of publications, alumni, representatives of legal entities donating to Metropolia, private individuals making donations to Metropolia, and potential representatives of external stakeholders connected to the network.
Types of personal data that may be collected:
Publishing activities
- Name
- Contact details
- Organizational and employment details
- Information about publications
- Photo, video, and audio recordings
- Descriptions of authors
Event management
- Name
- Contact details
- Educational background
- Job title/work role
- Company/organization details
- Dietary preferences
- Consent for direct marketing
- Educational details of participants in tailored training, coaching, or other services
- Customer relationship details with Metropolia
Communication and marketing services
- Name
- Contact details
- Employment-related information, such as job title, photo, social media details, and other employee data (for employees)
- Degree details (for students)
- Resource reservations
- Organizational details
- Some data on the data subject's online behavior
- Photos and videos from events
- Audio recordings from podcasts
- Blog posts
Fundraising and donation activities
- Donor’s name (company/entity/private individual)
- Donor’s contact details
- Business ID/social security number
- Details of the company’s representative
- Donation details
- Donor’s bank account information
- Consent details
Alumni activities
- Name
- Date of birth
- Contact details
- Degree and graduation details
Sustainable development network
- Contact details
- Background information
- Recordings of events
Metrospektiivi
- Name
- Contact details
- Organizational details
- Introduction text
- Audio and video recordings
- Photo
Personal data is primarily obtained directly from the data subject. Data may also be sourced from the human resources system, student register and collaboration partners or publicly available sources of information such as corporate websites.
Access to personal data in this register is granted to authorities in situations required by law. The data is processed in various information systems and software, and access may be granted as necessary, e.g., through a technical interface during maintenance or error correction. External system providers and service providers operating these tools are considered recipients of personal data and regular recipients of disclosures.
Personal data may be transferred to service providers/partners as needed and for purposes defined by Metropolia. During activities, events, or training sessions organized by Metropolia, photos and videos may be taken and shared on social media platforms. With the explicit consent of the data subject, personal data may be used for the controller's information dissemination and/or other communications. Personal data may also be disclosed to the Ministry of Education and Culture for evaluating matching fund eligibility. Donation details may be disclosed to the Ministry of Education and Culture, the tax authority, and/or the police board in compliance with laws and guidelines.
Personal data contained in this register is not, as a rule, transferred outside the EU or EEA or to international organizations.
However, personal data may be transferred outside the EU or EEA when necessary for implementing IT services essential for work or studies, based on a case-by-case assessment. The primary destination country for such transfers is the United States. It is also possible that countries like India, which is often used as the operational base for global ICT service providers' helpdesk or IT support functions, may serve as the destination for data transfers.
International transfers of personal data from this register to the United States and/or other non-EU/EEA countries are safeguarded under Chapter V of the EU General Data Protection Regulation (GDPR) using the protection measures specified in Article 46. This may include reliance on adequacy decisions or, in the absence of such decisions, the use of Standard Contractual Clauses (SCCs). SCCs are included in the data processing agreements or other contracts made with ICT service providers.
Only essential data is transferred, and all transfers are conducted in compliance with data protection laws and their limitations. The security and privacy of the transfer are always agreed upon separately.
Personal data collected in the register is retained only as long as necessary and to the extent required for the purposes of processing. Data is removed as needed on an annual basis.
Examples of retention periods
- Alumni data: For the duration of the alumni relationship and two years thereafter.
- Donation data: Retained for 10 years to comply with accounting obligations.
- Publishing activities: Retained as long as the publications remain publicly available.
- Permanently: Credit-bearing study records.
- Event management: For the duration of the customer relationship and two years thereafter.
- Other customer data for marketing and communications, including personal data of potential customers and partners: Two years from the last contact.
Regulations considered for retention periods:
- Act on National Study and Degree Registers
- Accounting Act (1336/1997)