University of Turku processes personal data in order to fulfil its mission as set in the Universities Act (558/2009). It processes research data that may contain personal data. It processes personal data of students, staff members and stakeholders.
Alumni, client and stakeholder data may be processed on the basis of contract, consent, legitimate interest, public interest, or a legal obligation. Services provided for use within the University Community involve processing of personal data for performing work assignments, studying, and maintaining access management and information security. Provision of safe and well-maintained services is a necessity.
Categories and services
Categories and services that are for internal data only may be described in a separate document on the University Intranet.
- Research Data
- Student Data
- Human Resources Data
- Central Services
- Registry, Media Bank
- IT Services
- Identity and Access Management (UTU Account)
- Service Desk
- Communications (Exchange)
- Financial Services
- University Library
- Alumni, clients and stakeholders
- Communications Services
University services produce log data of their use. The logs are used for providing the service, maintaining and improving the service and for maintaining security, as set in the Information Society Code (917/2014).
The University adheres to the law governing data protection and to good professional practices. Everyone is responsible for data protection in performing their personal duties as set in the University Data Protection Policy.
Each service may have its own Privacy Notice where the appropriate direct contact information is provided. The contact point for general inquiries is the Registry at firstname.lastname@example.org, which processes and forwards the inquiries as needed.
The University Data Protection Officer can be reached via email@example.com. Data protection experts are available for the University's internal matters at the service address firstname.lastname@example.org.
Transfers of data, storing of data
Each individual Privacy Notice will describe specific information regarding transfers of data and storage times of data. The University uses subcontractors to produce many of its services. If data is processed in a third country, this will be stated in the specific Privacy Notice.
Personal data will be processed and stored for a period that is mandated by law, or needed to fulfill the purpose of processing. Such criteria will be described in individual Privacy Notices.
Personal data will mainly be processed in systems located within University premises. If personal data is to be processed outside of the European Economic Area, the data subject will be separately informed.
Rights of the data subject
The data subject always has the right of access to the personal data, right to rectification, right to erasure, right to restriction of processing and the right to object. The right to erasure may not apply to data that the University processes for purposes related to legal obligations, in the public interest or for which the University has some other obligation.
The data subject has the right to lodge a complaint with a supervisory authority.
All data concerning the data subject, when possible, will be given in a structured, commonly used and machine-readable format.
Technical and organisational security measures
Personal data is protected with measures that are part of the University's normal information security practices.
University data processing is based on user authorisations that depend on the user's status and tasks at the University, and additionally on separate authorisations given by individual data controllers.
University services and processes are protected from unauthorised access with good professional practices; they are designed to be sufficiently resilient, and their life cycle is managed.