1. General information

This data protection policy is applicable to the processing of all personal data for which Arcada University of Applied Sciences Ltd (hereafter “ Arcada”) is responsible, regardless of by whom, where and by what means the personal data is processed.

The purpose of this policy is to ensure that personal data is processed in accordance with the EU General Data Protection Regulation and national data protection legislation, and that correct processing can be proved by documentation.

2. Personal data processed at Arcada

As a center for knowledge, education and research, large amounts of data is processed at Arcada. In teaching, research and administrative functions a significant part of this data concerns natural persons, which makes it personal data. As the controller of personal data, Arcada has committed to respecting the fundamental right to protection of privacy and personal data that everyone is entitled to.

The personal data processed at Arcada includes information about both persons studying and working at Arcada, and persons who in other ways are connected to or collaborate with Arcada, such as persons applying for study places, alumni, job applicants, persons participating in research as informants or respondents, and collaboration partners.

Within Arcada’s activities, there may occur a need to process sensitive personal data, such as information about a person’s state of health in connection to sick leaves or information about illnesses and functional disabilities in connection to special arrangements for education and examinations. In such cases, the data subject will be informed about the personal data belonging to this special category of personal data and, if required by legislation, Arcada will ask for specific consent from the data subject. For processing sensitive personal data in research, an ethical review is always required.

Information about data protection at Arcada can be found on https://www.arcada.fi/dataprotection . On the website, the processing of personal data of the different categories of data subjects is described in more detail in separate privacy notices. If personal data of a specific group of personnel or students is processed for other purposes than those mentioned in the privacy notices, the persons concerned will be informed either as a group or individually by the department or unit processing the data.

In addition to the information provided on Arcada’s public website, information and instructions regarding the processing of personal data is provided on intra.arcada.fi for the personnel, and on start.arcada.fi for the students.

3. Principles and processes for the processing of personal data

When processing personal data, the following principles are considered:

  1. Lawfulness, fairness and transparency

    There is always a legal basis for the processing of personal data. The data is processed in accordance with the data protection regulations and the data subjects are given sufficient information about the processing.
  2. Purpose limitation

    Personal data is collected for specific, expressly stated purposes and will not later be processed for purposes that are not in accordance with the original purposes.
  3. Data minimisation

    Only personal data necessary for the purpose will be collected and processed.
  4. Accuracy

    The personal data is correct and up to date. All reasonable measures are taken to ensure that incorrect personal data is deleted or corrected.
  5. Storage limitation

    Personal data will not be stored longer than what is necessary for the purpose. When personal data can be anonymised or pseudonymised, these measures will be taken as soon as it is possible considering the purpose of the processing.
  6. Integrity and confidentiality

    Personal data will be processed in a manner which ensures an appropriate level of security. The data is protected against unauthorized or unlawful processing and against accidental loss, destruction or damage by appropriate technical and organizational measures.

Data protection is considered during the entire life cycle of the personal data. The data protection officer is involved in the process already when services, processes and systems are planned.

The person or persons responsible for services, processes or systems shall make sure that the risks connected to the processing of personal data are assessed and that reasonable measures are taken to minimize the risks. If a certain kind of processing of personal data leads to high risks for the data subject, the data protection impacts are assessed in collaboration with the data protection officer.

4. Disclosure and transfer of personal data

Personal data is only disclosed on grounds stated in the privacy notices or in legislation, and only to recipients who, in accordance with legislation, are entitled to process the data.

Arcada strives to use operators and services which process personal data within the EU and the EEA both in its own activities and in services used by Arcada. As Arcada’s activities include international cooperation, in some cases there may be a need to cooperate with or buy services from universities, organizations and individuals who process personal data outside the EU and the EEA. In these cases, Arcada follows the requirements on adequate level of protection and appropriate safeguards stated in the EU Data Protection Regulation regarding transfers of personal data outside the EU or the EEA.

5. Responsibilites and organization

Arcada’s management is responsible for the legality and accuracy of the processing of personal data at Arcada, as well as for the organization and resourcing of the data protection activities at Arcada in a suitable manner.

Heads of departments and units are responsible for ensuring that the personnel within their department or unit attend seminars and other education on data protection and familiarize themselves with instructions given by Arcada. The heads of departments and units specify the roles of the employees in such a way that that employees who process personal data as a part of their work are aware of the obligations and responsibilities this entails.

The data protection officer supports the management in fulfilling the requirements set by the data protection legislation and reports regularly to the management. The data protection officer supervises and develops the data protection at Arcada, educates the personnel and advices the departments and units in questions relating to data protection. The data protection officer also acts as contact person for the data subjects and the supervisory authority.

The data protection officer’s contact information can be found on the website https://www.arcada.fi/en/dataprotection

The data protection team consists of the data protection officer and representatives from functions with a key role in relation to data protection. The team monitors the data protection activities at Arcada, drafts and discusses instructions and guidelines before they are presented to the management for approval and, when necessary, gives its views on practices and development projects.

The data protection team is appointed by the rector for a term of two years. The team members act as substitutes for the data protection officer in the order stated in the rector’s decision in situations where the data protection officer is prevented and the situation requires immediate action.

The data protection contact persons contribute to the correct processing of personal data by advising on data protection within their own area of responsibility and by monitoring the processing of personal data. The contact persons report regularly to the data protection officer. The contact persons are appointed by the rector.

The personnel have an obligation to obtain basic knowledge of data protection and data security by attending seminars and familiarizing themselves with the instructions given by Arcada. The personnel should be familiar with the provisions and risks relating to the processing of personal data within their own field of responsibility and be able to process personal data in a correct and lawful manner.

The students should familiarize themselves with and follow the instructions on data protection and data security given by Arcada. Students wishing to process personal data within the framework of their studies, for example in a project or as a part of their degree thesis, should discuss the need with the lecturer responsible for the course in question. If students wish to process sensitive personal data, an approval from the lecturer responsible for the course as well as an ethical review is required.

Other persons processing personal data on behalf of Arcada should follow the instructions on the processing of personal data given by Arcada.

6. Processing of personal data in research

Researchers should follow good scientific practice and the approved principles of research ethics also when processing personal data in their research. Researchers should be familiar with and follow the provisions of ethical review as stated in the legislation, national recommendations, and instructions given by Arcada. If sensitive personal data is processed, an ethical review is always required before the research is conducted.

The researcher responsible for the research project is responsible for ensuring that personal data is processed in accordance with the data protection regulations during the entire lifecycle of the research. The researcher responsible for the project should ensure that the researchers and other staff processing personal data within the project have sufficient knowledge of data protection prior to commencing the processing. The researcher responsible for the research is also responsible for assessing the data protection risks and for ensuring that reasonable measures are taken to minimize the risks.

Researchers should give the persons participating in research as informants or respondents transparent information about the research, for which purposes and how personal data is processed, and about the rights of the participants. More detailed information should be given in the privacy notice, which is given to the participants when the data is collected. The privacy notice should also be sent to Arcada’s data protection officer.

7. Ensuring data protection and handling problem situations

Arcada educates the personnel on the basics of data protection, and education on data protection is also included in the introduction program for new employees. In addition, specific education and instructions are provided to the different functions at Arcada according to the needs of the function in question.

Everyone processing personal data is bound by a duty of confidentiality, either by law or by separate agreement.

Arcada supervises the data protection, carries out data protection checks, and monitors the use of IT-systems through user administration, log keeping and other documented processes.

The execution of data protection is ensured by the data protection officer’s regular reporting to the management.

Arcada takes action to improve identified weaknesses and to solve problem situations. Incorrect processing of personal data will be pointed out, and necessary action can be taken by the head of department or unit, or the data protection officer.

The data protection officer reports personal data protection breaches to the supervisory authority within the statutory timeframes. If the breach is likely to result in a high risk to the rights and freedoms of the data subject, and it is motivated in order to take correcting measures of protection or to reduce the damage, breaches are also reported to the data subjects concerned.

8. The data subject’s rights

The data subject has the right, with some limitations depending on the grounds for the processing, to:

  1. receive information on the processing of personal data
  2. obtain access to the personal data regarding him or her
  3. request the rectification of incorrect data
  4. request the erasure of personal data
  5. impose restrictions on the processing of personal data
  6. object to the processing of personal data
  7. transfer his or her personal data to another controller
  8. object to being subject to a decision based on automated processing

In addition, the data subject has the right to lodge a complaint with the Office of the Data Protection Ombudsman.

Information about the processing of personal data within the different categories of data subjects and the grounds for processing is documented in separate privacy notices on https://www.arcada.fi/en/dataprotection . The website also contains information about how the data subjects can exercise their other rights.

9. Approval and alteration of the data protection policy

This data protection policy has been approved by the board of Arcada University of Applied Sciences Ltd on the 11th of April 2018 and will be applicable from the 25th of May 2018. The data protection policy is valid until further notice.

The policy is an official document and is available on Arcada’s external website https://www.arcada.fi/en/dataprotection.