FITech Network University Data Protection Notice

This notice describes the processing of personal data of applicants and students applying for separate study rights at FITech Network University. The notice provides the information required by the EU General Data Protection Regulation (Articles 13 and 14).

Data Controller and Contact Information

Data protection is based on a joint controller agreement between the following universities.

FITech Network member universities:

Aalto University, Aalto University Foundation sr
Business ID: 2228357-4
P.O. Box 11000, FI-00076 Aalto
Switchboard: +358 9 47001

LUT University
Business ID: 0245904-2
P.O.Box 20, FI-53851 Lappeenranta
Switchboard: +358 29 446 2111

Tampere University, The University of Tampere Foundation sr
Business ID: 2844561-8
Kalevantie 4, FI-33014 Tampere University
Switchboard: +358 (0) 294 52 11

University of Eastern Finland
Business ID: 2285733-9
Joensuu Campus: P.O. Box 111, FI-80101 Joensuu
Kuopio Campus: P.O. Box 1627, FI-70211 Kuopio
Switchboard: +358 (0)294 45 1111

University of Jyväskylä
Business ID: 0245894-7
P.O. Box 35, FI-40014 University of Jyväskylä
Switchboard: +358 (0)14 260 1211

University of Oulu
Business ID: 0245895-5
P.O. BOX 8000, FI-90014 University of Oulu
Switchboard: +358 294 480 000

University of Turku
Business ID: 0245896-3
FI-20014 Turun yliopisto
Switchboard: +358 29 450 5000

University of Vaasa
Business ID: 0209599-8
P.O. Box 700, FI-65101 Vaasa
Switchboard: +358 29 449 8000

Åbo Akademi University
Business ID: 0246312-1
Domkyrkotorget 3, FI-20500 Åbo
Switchboard: +358 2 215 31

Project-specific universities:

University of Helsinki
Business ID: 0313471-7
P.O. Box 4, FI-00014 University of Helsinki
Switchboard: +358 (0) 2941 911

Contact person: FITech Chief Operative Officer, info(at)fitech.io

Data protection officers

Aalto University: dpo(at)aalto.fi
LUT University: tietosuoja(at)lut.fi
Tampere University: dpo(at)tuni.fi
University of Eastern Finland: tietosuoja(at)uef.fi
University of Helsinki: tietosuoja(at)helsinki.fi
University of Jyväskylä: tietosuoja(at)jyu.fi
University of Oulu: dpo(at)oulu.fi
University of Turku: dpo(at)utu.fi
University of Vaasa: tietosuojavastaava(at)uwasa.fi
Åbo Akademi University: dataskydd(at)abo.fi

Purpose of Processing Personal Data and Legal Basis for Processing Personal Data

Purpose of personal data processing

  • Organisation of the processes of applying for studies, selecting students, and teaching
  • Communication with applicants and students
  • Pseudonymised reporting to authorities
  • Reporting data related to applications to education to the funding body
  • Making statistics and reporting on completed studies to the funding body
  • Creation, management, and awarding of digital badges at the student’s request
  • Marketing of future education possibilities to those who have given their consent when applying for education
  • Development of operations (e.g., processing and utilisation of statistics, surveys, and feedback for the development of operations, such as teaching and processes) and
  • Organisation of events.

Legal basis of data processing

  • Public interest or the exercise of public authority vested in the controller (related to development objectives in accordance with the principle of minimisation of personal data and the organisation of training services and communication).
  • Consent of the data subject (related to the marketing of education).
  • The controller’s legal obligation.
  • Controller’s legitimate interests.

Key Legislation

  • Universities Act 558/2009 and decrees issued under it
  • Decree 794/20024 (Valtioneuvoston asetus yliopistojen tutkinnoista 794/2004)
  • Act on the National Registers of Education Records, Qualifications and Degrees 884/2017
  • General Data Protection Regulation (EU) 2016/679 and supplementary national legislation
  • Act on the Openness of Government Activities 621/1999
  • Act 621/1999 (Laki julkisen hallinnon tiedonhallinnasta 621/1999)
  • Act 682/2021 (Laki Jatkuvan oppimisen ja työllisyyden palvelukeskuksesta 682/2021

The Roles of Data Controllers in Data Processing

Aalto University as the coordinator of the FITech Network University

  • Organises applications for FITech studies in an electronic system (Studyinfo)
  • Advises applicants
  • Communicates with applicants and students
  • Compiles study credits from universities for statistics and reporting
  • Creates course-specific digital badges in the service and awards broader milestone badges
  • Collects and analyses feedback
  • Carries out marketing activities and
  • Organises events.

All universities

  • Report completed studies to Aalto University for statistical and reporting purposes for their own courses and
  • Award digital badges upon adult students’ application.

Universities act as independent data controllers for the following activities

  • Processing applications for their university’s own courses in an electronic system (Studyinfo)
  • Granting study rights and issuing separate study rights in their own information systems (Peppi, Sisu)
  • Communicating with students on their own courses
  • Registering study achievements in their own information systems (Peppi, Sisu)
  • Collecting feedback on their own teaching and
  • Making statutory reports to national data repositories.

Processing and Disclosure of Data

The data will only be processed by employees of the FITech network universities or persons acting on behalf of and on the instructions of the universities who need it for their work. The applicant’s application will only be processed by the universities to which the applicant has applied with the application in question.

Universities may also use external personal data processors, such as companies providing system services, which process personal data on behalf of the university, based on a commission agreement.

Universities will only disclose personal data outside the university or process it for purposes other than its original purpose in situations permitted by law.

Universities may disclose personal data to the funder of an education project, such as the Ministry of Education and Culture and the Service Center for Continuing Education and Employment (SECLE), in accordance with the law.

Data Content of the Register

Basic information:

  • Name, student ID number (OID), age/date of birth, gender, nationality, native language, personal identification number, municipality of residence, user ID, IP address

Contact information:

  • Home address (address details subject to a security ban will not be disclosed), email address, phone number

Student information:

  • Details of the student’s right to study at their home university and details of their right to study at the target university
  • Information on studies for which the student has submitted a registration request and related course registration information
  • Student number

Other:

  • Is the applicant employed, unemployed, or other (outside the labor force)?

Information on completion of courses:

  • Information on course completion by the student, insofar as they have applied for a digital performance mark from the service used by FITech.

Regular Sources of Information

  • Applicants and students themselves
  • Studyinfo
  • FITech universities’ study information systems (Peppi, Sisu)
  • Aalto University’s customer and registration systems, such as Webropol, Aalto University’s Zoom environment (located in the EU), Salesforce
  • Email lists Dynamics (Aalto), Salesforce case management (Aalto)
  • Continuing Education and Employment Service Center (SECLE) case management system

Regular Disclosure of Data and Transfer of Data Outside the EU or EEA

The data protection policy of the universities is to exercise particular caution when transferring personal data outside the EU and the European Economic Area (EEA) to countries that do not offer data protection in accordance with the EU Data Protection Regulation. The transfer of personal data outside the EU and the EEA is carried out in accordance with the requirements of the General Data Protection Regulation. Currently, no data is transferred outside the EU and the EEA.

Principles of Register Protection

Electronic

  • User ID
  • Password
  • Two-factor authentication
  • Access control
  • Logging

Physical access control

Retention Period and Criteria for Determining Personal Data

  • Applicants’ and students’ data is stored in accordance with the Act on the National Registers of Education Records, Qualifications and Degrees, and the supplementary decisions of universities. The principles are described in the universities’ privacy notices.
  • Personal data collected for marketing purposes is stored until the data subject requests its deletion.
  • Personal data collected for the purpose of organising events is deleted after the event.
  • Personal data collected in connection with surveys and feedback is stored in pseudonymised form for statistical purposes.

Use of personal data for automated decision-making, including profiling

Personal data is not used for automated decision-making.

Rights of the Data Subject

The right to obtain information on the processing of personal data

  • The data subject has the right to know what personal data is being processed about them or to obtain confirmation that no data concerning them is being processed.

The right to rectification

  • Data subjects have the right to demand the rectification of inaccurate personal data concerning them and to have incomplete personal data completed without undue delay. In addition, the data subject has the right to request that unnecessary personal data concerning them be deleted.

Right to erasure (right to be forgotten)

  • Depending on the legal basis for data processing, the data subject may have the right to have their personal data removed from the registers of higher education institutions. This right does not apply, for example, in cases where the processing of personal data is necessary for compliance with a legal obligation or for the exercise of public authority vested in the higher education institution.

Right to restriction of processing

  • In certain situations, the data subject may have the right to request the restriction of the processing of personal data until the legal basis for the data or its processing has been properly verified, corrected, or supplemented.

Right to object

  • Based on their personal, specific situation, data subjects have the right to object at any time to the processing of their personal data when the legal basis for the processing is the performance of a task carried out in the public interest, the exercise of official authority, or the legitimate interests of the university. In such a case, the data may only be further processed if there is a compelling and legitimate reason for the processing that can be demonstrated.
  • The data subject has the right to object to the processing of their personal data for direct marketing purposes at any time without giving any specific reason.

Right to lodge a complaint with a supervisory authority

  • The data subject has the right to lodge a complaint with a supervisory authority if they consider that the processing of their personal data violates the EU General Data Protection Regulation (EU 2016/679) or other data protection legislation.

When the basis for data processing is consent, the data subject may submit requests concerning their rights to info(at)fitech.io.

In matters concerning FITech studies, the data subject may contact the data protection officer of the university where they are studying or the data protection officer of Aalto University.