Information to the data subject in accordance with the EU General Data Protection Regulation (2016/679) articles 13-14

1. Controller

Arcada University of Applied Sciences Ltd
Jan-Magnus Janssonin aukio 1
00560 Helsinki
Business ID: 2553871-2

2. The controller’s representative

Adminstrative and HR director Susanne Homén-Lindberg
Tel. 0294 282 609
E-mail address in the format

3. Contact person for the register

Payroll clerk Susanne Tuominen
Tel. 0294 282 605

HR specialist Maria Höglund
Tel. 0294 282 820

E-mail addresses in the format

4. Data protection officer

Data protection officer, legal counsel Anna Härmä
Tel. 0294 282 888
E-mail address

5. Purposes of processing personal data

The data is used to manage employment relationships during the employment’s entire life cycle as well as for payments of salaries and remunerations.

6. Legal basis for processing personal data

The legal basis for processing personal data is Arcada’s legal obligation and legitimate interests as an employer.

Data that belongs to special categories of personal data (according to the General Data Protection Regulation, article 9) are processed in the register. Data about the employee’s state of health is processed to ensure that Arcada fulfills its legal obligations as an employer, which includes providing occupational health care for the personnel and assessing the employees’ working ability and capacity. Information about memberships in labor unions is processed with the employee’s consent.

7. Categories of personal data and the duration of storage

  1. Basic data about the person (name, date of birth, social security number, contact information)
  2. Information about the employment, including the entire life cycle of the employment
  3. Information about salary payments (salaries, bank account number, information about the employment, distrains, personal salary additions, employee benefits, memberships in labor unions)
  4. Documentation in connection to yearly performance reviews
  5. Education, follow-up of competencies, CV
  6. Working hours, annual holidays and leaves, sick leaves and other absences and certifications regarding these
  7. Information on job measurement for salary levels
  8. Position profile and job description
  9. Information about work equipment (phone, computer, special tools)
  10. Written warnings, notices on termination of employment, employment certificates, information about intellectual property rights and other documentation in connection to the employment

The duration of storage of the data is:

Personnel register time of storage: permanent
Documents in connection to sidelines time of storage: validity + 10 years
Absence notification time of storage: 2 years
Annual holiday confirmation time of storage: 5 years
Annual holiday notification time of storage: 2 years
Decision/certificate on termination of employment time of storage: 50 years
Power of attorney, membership in labor union time of storage: 10 years
Documents regarding salaries and salary additions time of storage: 50 years
Time sheets time of storage: 10 years
Notes from yearly performance reviews time of storage: 10 years
Job measurements (forms and decisions) time of storage: 10 years
Personnel training time of storage: validity
List of attendees in personnel trainings time of storage: 2 years
Requests of leaves time of storage: validity
Employment certificate with annexes time of storage: 10 years
Position profiles and job description time of storage: 10 years

8. IT systems used when processing personal data

Personec W –personnel administration and payroll system
ASE and Apache Syncope – identity management systems
Trail – inventory system

Arbetstidsplan –time sheet processing system
Aditro Trip & Expense – travel administration system
Norlic –project follow-up system

9. Data sources

The data in the register is provided by:

  • The employee: Basic information, bank account number, further education, membership in labor unions. The basic information and bank account number is necessary in order for Arcada to fulfill its legal responsibilities as an employer and in order for an employment contract to be made with the employee
  • Recruitment register: CV, employment certificates, diplomas
  • HR unit: Employment contract, job measurement
  • The employee’s manager: Time sheet, yearly performance reviews, other matters regarding the employment and the employee’s performance
  • The tax authorities: Taxation information
  • Office of the Bankruptcy Ombudsman: Information about distrains
  • Labor unions: Power of attorney for deductions of labor union fees

10. Recipients of the personal data

Data may be transferred to:

Pension insurance companies
The Finnish Centre for Pensions
The Social Insurance Institution of Finland (KELA)
The Association of Finnish Independent Education Employers (AFIEE)
Labor unions
The Unemployment Insurance Fund (TVR)
The Tax Administration
Tax authorities abroad (for personnel residing abroad)
The Ministry of Education and Culture
Enforcement offices
Banks and auditors
Insurance companies
Occupational health care and other companies providing services relating to employees’ health.
The Civilian Service Centre
Telephone companies
Travel agencies and other companies providing services relating to business trips

11. Transfer of personal data outside the EU and the EEA and the basis for the transfer

Personal data is not regularly transferred outside the EU or the EEA without the data subject’s consent.

If suppliers or services which require personal data to be transferred outside the EU or the ETA are used, Arcada will make sure that the requirements for adequate level of protection are met or that appropriate safeguards are provided in accordance with the General Data Protection Regulation 44-50.

12. Principles for the protection of personal data

Material in electronic format is stored in IT systems and on computers protected from unauthorized use with security measures including firewalls and passwords. The systems have different user levels, and users are granted access to the data only to the extent the user’s work tasks require.

Material in paper format is stored in locked rooms with limited access and access control.

13. Automated decision-making

Automated decisions and profiling are not made based on personal data within the register.

14. The data subject’s rights

Information about the data subject's rights can be found here.