Privacy Notice of Processing Personal Data of Students in Education

 

This privacy notice includes the following information:

 

Purpose of the Processing and Categories of Personal Data

1. Personal Data
2. Contact Information
3. Student Admission
4. Study Rights
5. Data on the students and trainees who have departed for an exchange
6. Data on the students who have applied for an exchange and on the students who have departed for an exchange
7. Data on the students and trainees who have arrived for an exchange
8. Credits
9. Degrees
10. Exam Registrations
11. Course Registrations
12. Personal Study Plan
13. Graduation
14. Open University
15. Teaching


Legal Basis for the Processing
Contact Information of the Controller
Possible Receivers or Receiver Groups of the Personal Data
The Source of the Personal Data
Publicity and Confidentiality
Rights
Principles for Protection of Personal Data

 

Purpose of the Processing and Categories of Personal Data

 

In order to offer and manage studies appropriately the staff at the University of Turku processes personal and study data of the degree and non-degree students. Personal, payment and study data of the Open University’s applicants and students are processed for the same purposes. The processing does not include supplementary studies. Part of the purpose of the processing is archiving of the data (e.g. archiving of the degrees and credits). Retention periods of the data are based on the Archives Act (831/94) 8 § and on the Decree on the Openness of Government Activities and on Good Practice in Information Management (1030/99) and to the Records Retention Schedule of the University of Turku.

Registered data is processed only by the staff whose work tasks include processing of the student information.The current study administration data system is called Opsu and the systems attached with it are Nettiopsu, Open University's Nettiopsu, Rekka, eHops, Väinö and Venla. You can access the privacy noticess of the other systems through the links found in this privacy notice. As part of the development of the study administration data system the staff also uses the student information when testing new operations. The staff apply for a permission to handle student information in the study administration data system with a specific application. Students process only their own information. Both students and staff log in to the study administration data system with the username permitted by the IT Services of the University of Turku.

The following information about degree and non-degree students is processed (retention periods in brackets):

1. Personal Data (permanent, unless otherwise stated)

  • student number
  • date of birth
  • Finnish ID number
  • last name
  • given name(s)
  • first name
  • sex
  • nationality
  • native language (Finnish/Swedish/other)
  • home municipality 1.1.
  • home municipality of the starting year of studies
  • first university registration date
  • yearly information of attendance/absence
  • temporary suspension of studies, ended 1.1.2013
  • Student Union membership
  • The Turku Student Newspaper payment (1 year)
  • previous education
  • release permission for personal data
  • information concerning student year group (Licentiate in Medicine and Licentiate in Dentistry) (1 year)

Student study information that contains sensitive data is not recorded to the study administration data system. However, information relating to any individual study arrangements or support received for studies, information on extensions or reinstatement of the right to study and accounts of any aberrations in the student’s studies or activities and their consequences may involve processing sensitive data. Data is stored as long as necessary, but no longer than 4 years.

Data System: Opsu/Nettiopsu.

2. Contact Information (academic year from last registration with university)

  • utu-email address: University of Turku may use e-mails for its own feedback queries
  • address
  • phone number (permanent)

Data System: Opsu/Nettiopsu.

3. Student Admission

4. Study rights (permanent, unless otherwise stated)

  • data on student’s target degree, faculty, degree programme, track and major subject, including starting date
  • obligation for tuition fee
  • end date of study right
  • status of study right (major or minor study right)
  • passive register: decision concerning the extension period for study right (until student has graduated)
  • demarcation of study time: decision concerning the extension period or additional time for study right (until student has graduated)
  • study rights of different subjects of non-degree students, including validity periods
  • forfeiting study right
  • information concerning criminal record check, which is demanded by SORA legislation
  • students and studies of Transnational Education (since 1 January 2017). Depending on status of the studies these are registered either as degree studies into Commissioned Education or non-degree studies into Transnational Education. Payment information is not registered to the study administration data system.
  • when education is paid, UTU Financial Services handles the payment. Educational affairs only handles the information about payment obligation, because it is a prerequisite for study right.

Data system: Opsu/Nettiopsu.

5. Data on the students and trainees who have departed for an exchange(permanent)

  • exchange country
  • exchange university
  • exchange program
  • exchange period (beginning and end date), duration and level of study
  • ISCED codes, subject area codes
  • exchange grants
  • domestic internships (years 2010-2017)

Data System: Opsu/Nettiopsu/Venla/Väinö.

6. Data on the students who have applied for an exchange and on the students who have departed for an exchange (the year of application + 6 years, unless otherwise stated)

  • selected exchange destinations in the application
  • language proficiency
  • previous exchanges/internships abroad
  • Motivation Letter
  • preliminary and final Learning Agreement
  • nomination to exchange university
  • bank account information for the grant payment
  • acceptance or cancellation of the exchange place
  • Transcript of Records from the exchange university
  • Letter of Confirmation from the exchange university
  • exchange experiences form
  • student’s registration to the events organized by the International Office (1 academic year after attendance)
  • exchange application that is sent to the exchange university (after exchange)

Data System: Opsu/Nettiopsu/Venla/Väinö/the privacy notice of the Mobility Tool/Webropol.

7. Data on the students and trainees who have arrived for an exchange (permanent, unless otherwise stated)

  • home university
  • exchange period (beginning and end date), duration and level of study
  • exchange program
  • ISCED codes (subject area codes)
  • exchange grants paid by University of Turku
  • Transcript of Records from the home university (the year of application + 6 years)
  • Language Certificate (the year of application + 6 years)
  • Learning Agreement (the year of application + 6 years)

Data System: Opsu/Nettiopsu/Väinö.

8. Credits (permanent)

  • name and code
  • level
  • ECTS
  • date
  • grade
  • teacher
  • study module
  • transferred credits: educational institution and date
  • credits of TSE Exe from the year 2011 are archived the same as other credits
  • credits consisting of different parts are recorded separately until the whole credit has been completed

Data system: Opsu/Nettiopsu.

9. Degrees (permanent)

  • educational institution
  • degree
  • faculty
  • date of approval
  • degree programme
  • track
  • major subject
  • credits of degree in credits points or credit units
  • subjects taught by a subject teacher
  • educational institution, degree and date concerning degrees completed in another educational institution

Data system: Opsu/Nettiopsu.

10. Exam registration (3 full academic years from the exam)

  • registration to exam, optional exam books and possible special agreement
  • video surveillance of the electronic exams

Data system: Opsu/Nettiopsu/Tenttis/Exam.

11. Course registration (3 full academic year from the beginning of the course)

  • registration to course and information about selection to course
    on courses, where attendance is obligatory, teacher records attendances

Data system: Opsu/Nettiopsu/Webropol/Utuforms/the privacy notice of the Konsta system.

12. Personal Study Plan (10 years from the last approval)

  • Personal Study Plan
  • Tutor-groups
  • Study Modules

Data system: eHOPS.

13. Graduation

  • Degree application (until student has graduated)

Data System: Webropol.

14. Open University Studies

When you are a student in the Open University the following information about you is processed (retention periods in brackets):

  • Applicant’s and student’s personal information (permanent)
    • date of birth
    • Finnish ID number
    • last name
    • given name(s)
    • first name
    • sex
    • nationality
    • native language (Finnish/Swedish/other)
    • home municipality 1.1.
    • release permission for personal data
    • profession/education
    • payment method
    • background information which is used for educational planning and compiling statistics. Background information incl. information on previous and current education, purpose of the studies, and where the student found out about the education offered by the Open University.
    • student number
  • Contact information (academic year after the study right has ended)
    address
    • phone number
    • e-mail
    • Open University may use e-mails for its own feedback queries
  • Study Right (permanent)
    • information concerning student’s study right
    • validity time
    • payment information
  • Credits (permanent)
    • name and code
    • credits consisting of different parts are recorded separately until the
    • whole credit has been completed
    • type of studies
    • credits
    • date(s) of credit(s)
    • grade
    • teacher
    • study right connected to the credit
    • study module
    • transferred credits: educational institution and date

Data system: Rekka/Open University's Nettiopsu.

15. Teaching

Legal Basis for the Processing

The right of the University of Turku to process personal data is based on the necessity for compliance with a legal obligation to which the controller is subject, and on the necessity for reasons of substantial public interest. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In some cases, the right to process personal data can be based on the consent of the data subject or a contract. Organising education, managing educational affairs and planning teaching and learning require study administration data system:

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL, Article 6.1 a, b, c, and e and Article 9.1 g
Universities Act 558/2009
Government Decree on University Degrees 794/2004
Decree (767/2008)
Decree (568/2005)
Decree (275/2000)
Decree (678/1998)
Decree 316/2003
The University of Turku Regulation on Studies

Contact Information of the Controller

UNIVERSITY OF TURKU
University Services
Student Support Services
20014 University of Turku
disco@utu.fi
tel. +358 29 450 5000

Possible Receivers or Receiver Groups of the Personal Data

Inside University of Turku

  • Data Warehouse of University of Turku
  • Data system of the library of University of Turku (name and address information of the new students daily and name and address information of other students daily if they have changed)
  • User Account Register of University of Turku, idm.utu.fi (access control daily)
  • Search tool of intranet.utu.fi
  • Aino - electronic form for applying grants and scholarships administrated by the University of Turku (information of applicants)
  • The privacy notice of the UGIS system (University of Turku Graduate School Information System)
  • UTUGradu (The Electronic Thesis Process)

Outside University of Turku

  • The national data warehouse of higher education was developed for the centralized storage and use of study rights, enrolments, qualifications and study attainments. Student register data collected in this warehouse is shared via a secured channel through a user interface for use in the student admission register and common student admission services (Act 884/2017 1 a).
  • The institute of higher education shares student information via an electronic user connection with the national data warehouse for higher education for use in the student admission register (Act 884/2017 5 §).
  • The Ministry of Education and Culture produces data materials from student information sourced from the national data warehouse for higher education, as required in the assessment, development and compilation of statistics and other follow-up and steering of education and research (Act 884/2017 10 §).
  • An institute of higher education shares technical records of student data with the National Supervisory Authority for Welfare and Health (Valvira) via an electronic user connection through the national data warehouse for higher education (Act and Decree on Health Care Professionals, Act 559/1994, Decree 564/1994).
  • An institute of higher education shares technical records of student data directly with Statistics Finland (Statistics Act 280/2004 15 §) as well as through the national data warehouse for higher education.
    An institute of higher education may use the data warehouse in its own operations and when sharing data with authorities and other institutes of higher education (Act 884/2017 1 a).
  • University of Turku shares technical records of student data with the Finnish Student Health Service (FSHS) via an electronic user connection through the national data warehouse.
  • University of Turku may share technical records of student data with the national LUMA-research via an electronic user connection through the national data warehouse.
  • University of Turku may share technical records of student data via an electronic user connection through the national data warehouse for the purposes of monitoring, compiling statistics, and research.
  • HAKA – user authentication system.
  • Vipunen – Education Statistics Finland.
  • University of Turku shares technical records of student data with the Social Insurance Institution (KELA) via an electronic user connection through the national data warehouse (Act 65/1994 41§).
  • The Finnish Student Health Service (FSHS) (Primary Health Care Act 66/1972).
  • Finnish National Agency for Education (information concerning student mobility via an electronic user connection through the national data warehouse).
  • The staff of the Student Union of the University of Turku (TYY) (lists of voters for Student Union elections, addresses of subscribers of The Turku Student Newspaper), the privacy notice of the TYY.
  • Information about the members of the Student Union of the University of Turku for student card applications to Oy Frank AB.
  • Scientific research (Act on the Openness of Government Activities 621/1999 ja Personal Data Act 523/1999). Research plan and responsible director of the research must be announced in the application.
  • With the student’s permission, the University of Turku gives the student’s name and address information for limited purposes which aim at supporting studies.
  • Åbo Akademi (credits based on JOO-agreement four times a year).
    Other Finnish universities and universities of applied sciences in the Turku area (credits based on JOO-agreement once a year).
  • Other Finnish universities, universities of applied sciences and affiliate educational institutes in different network and co-operation studies.
  • JOOPAS Application System (personal data and study rights of degree students).
  • Via Puro, service for transferring credits, student can gather credits from the national warehouse and deliver them electronically to their home university. 
    Data is not shared to third countries i.e. countries outside EUja European Economic Area.

The Source of the Personal Data

  • Data of degree and post-graduate students who have confirmed their study place from the student via the national studyinfo.fi service.
  • Data of arriving exchange student’s registrations with the university from the student via Väinö exchange application data system.
  • Data concerning departing exchange students’ exchange university, language proficiency, previous exchanges, exchange grants, motivation letter, study plan, exchange period, bank account information and confirmation of exchange place from student and exchange agreements from Väinö exchange application data system.
  • Data of non-degree student’s registrations with the university from the student.
  • Data of Open University students from Popular Register Centre and from the student.
  • Student Union fees from banks daily.
  • Data of student’s attendances and non-attendances on the basis of the student’s registration with the University. Registrations with the University of new students from Oili enrolment and registration service and from banks via payment information. Registrations with the University of other students from the student via study administration data system.
  • Data concerning study rights and degrees from faculties.
  • Data concerning credits from faculties, departments, subjects and teachers.
  • Changes concerning personal data from student.
  • E-mail addresses of degree and non-degree students from User Account Register of University of Turku, idm.utu.fi.
  • E-mail addresses of Open University students from the student.
  • Exam registration from student via study administration data system.
  • Course registration from student via study administration data system.
  • Changes in contact and home municipality data and release permission for personal data from the student via study administration data system.
  • Data concerning personal study plan from the student and supervisor.
  • JOO-studies from Åbo Akademi University five times a year.

Publicity and Confidentiality

Student data in the institute of higher education register are public information as per the Act on Openness of Government Activities (621/1999), which is to be made publicly available on request. Public documents are made publicly available on request pursuant to said Act (Sections 13 and 16) and the Personal Data Act (523/1999). Confidential or sensitive data is not registered in the study administration data system.

Rights

Below you can find your rights in legal language. This is because the issue is highly regulated. However, educational affairs at the university aim at reducing bureaucracy and to avoid unnecessary legalization of matters. We at the educational affairs think that most of the problems are solved by discussing about them. Thus, before taking official and legal actions we encourage you to contact Student Center Disco (disco@utu.fi). Despite this, you naturally have the right to use all the below mentioned legal remedies if you so wish.


If you wish to access or rectify personal data only in a specific information system you do not have to request access to all their data. Many of the university’s systems allow students to access their own personal data with an University of Turku IT account. To make any information requests related to your rights as a data subject, you may send an e-mail to: kirjaamo@utu.fi

The Right to access your data

  • You have a right to know what personal data are being processed and what data concerning you have been saved.
  • You may make an information request to the university. In such cases, the following procedure is to be followed:

The university provides the information requested without undue delay. The person making the request must verify his/her identity as necessary. The requested information or the additional information related to the request must be provided no later than one month after receiving the request. If the information request is complex and comprehensive, the deadline may be extended by two months.

As a rule, the information shall be provided free of charge. For any further copies requested by you, the university may charge a fee based on administrative costs. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the university may either charge a fee based on administrative costs or refuse to act on the request. The university shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

If the university does not provide the information requested, you will be provided with a written account of the matter. The written account will also include an explanation of your rights to judicial remedies, for instance, the right to lodge a complaint with the supervisory authority.

 

The Right to rectification of data

  • You have a right to have any inaccurate or incomplete personal data concerning you rectified or completed without undue delay. In addition, you have a right to demand that all personal data concerning you that is no longer necessary be erased.
  • If the university does not accept your request for rectifying your personal data, you will be given a written account specifying the reasons for rejecting your request. The written account will also include an explanation of the your rights to judicial remedies, for instance, the possibility of lodging a complaint with the supervisory authority.

The Right to erasure of data

  • Depending on the legal basis, you may have a right to have your personal data erased from the register of the school. This right shall not apply to cases where data processing is necessary for compliance with a legal obligation or for a task carried out in the exercise of official authority vested in the school. The storage and erasure of data shall comply with the records management plans of the university and the data storage periods required by legislation.

Right to restrict processing

  • In certain situations, you may have the right to restrict the processing of their personal data until the legal basis for the data or their processing has been duly checked and rectified or completed.

Right to data portability

  • The right to data portability means that the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the university, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the university. This right shall apply only to situations where the processing is carried out by automated means and is based on consent or on a contract.
  • This right shall not apply to cases where data processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. As a result, this right shall not apply, as a general rule, to the personal data files of the university.

The Right to object to processing of personal data

  • You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on the performance of a task carried out in the public interest or in the exercise of official authority or the legitimate interest of the university. In such cases, the university shall no longer process the personal data unless the university demonstrates compelling legitimate grounds for the processing.
  • Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing.

The right to withdraw consent

  • In situations where the processing of the personal data is based solely on consent, you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
  • As a rule, the withdrawal of consent is communicated to the party to which the original consent was given. If this is impossible, you may e-mail to: kirjaamo@utu.fi
  • The right to lodge a complaint with a supervisory authority
    You have the right to lodge a complaint with a supervisory authority, if you consider that the processing of personal data relating to you infringes the General Data Protection Regulation (EU) 2016/679. In addition, you have a right to use other administrative or judicial remedies. Further information www.tietosuoja.fi. You can contact the Data Protection Officer at the University of Turku by sending email to dpo@utu.fi.
  • You have the right to bring proceedings against the controller or the organisation processing the personal data before a court if you consider that the processing of your personal data infringes the General Data Protection Regulation.

    Principles for Protection of Personal Data
 
Principles for protection of personal data are described in a separate web-page: http://www.utu.fi/en/unit/university-services/it-services/information_security/Pages/Data-Security-Description.aspx
Keywords:
Tags:

20014 Turun yliopisto, Finland
Tel. +358 29 450 5000

People search

Follow us: 
Facebook   Twitter   Instagram   Youtube   LinkedIn
© University of Turku