Information to the data subject in accordance with the EU General Data Protection Regulation (2016/679) articles 13-14

1. Controller

Arcada University of Applied Sciences Ltd
Jan-Magnus Janssonin aukio 1
00560 Helsinki
Business ID: 2553871-2

2. The controller’s representative

Head of IT Mikael Ekblom
Tel. 0294 282 867
E-mail address

3. Contact person for the register

Head of IT Mikael Ekblom
Tel. 0294 282 867
E-mail address

4. Data protection officer

Data protection officer, legal counsel Anna Härmä
Tel. 0294 282 888
E-mail address

5. Purposes of processing personal data

The data is used to create electronic identities within Arcada. The identities are used to give personnel and students access to the resources they need in order to perform their work and study-related tasks. People with other affiliations to Arcada can also be given electronic identities for limited purposes.

6. Legal basis for processing personal data

The processing of personal data is based on Arcada’s legitimate interest due to the data subject’s role as personnel or student at Arcada.

7. Categories of personal data and the duration of storage

  1. Basic data: Full name, social security number, start date, end date, username
  2. Additional data for personnel: Employment number, position, unit, cost center, personnel category
  3. Additional data for students: Student code, education code, degree programme, specialisation, language of degree programme

Additional data connected to the person and describing the person’s roles and authorities is created within the user administration register. The purpose of this data is to regulate access to data within Arcada and to enable the use of Arcada identity for logging in (over the HAKA federation) to services at other universities.

8. IT systems used when processing personal data

ASE – identity management system
Apache Syncope – identity management system
AAS (Arcada Account Services) – account service for administration of keys, activation of IT accounts and change of passwords
Tullbommen – system for issuing proofs of identity and consents for disclosure of personal data

9. Sources for the data

Data regarding the personnel is transferred from the personnel register and data regarding students is transferred from the student register. Data regarding other persons is provided by the persons themselves or by their contact persons at Arcada.

10. Receiver of the personal data

Basic identity data is transferred to catalogue services (functioning as encyclopedias for personal data) to enable logins to Arcada’s internal services and external cloud services.

Data is disclosed to create cloud identities in the following systems:

Aditro Trip & Expense – travel administration system (personnel)
Office 365 – Microsoft’s portal for productivity software
itslearning – online learning environment
IMS – quality monitoring system
Google for Education – Google’s programme portfolio for promotion of education (with consent)

Data is also disclosed to external systems with the data subject’s consent through the HAKA federation and the eduGAIN interfederation.

11. Transfer of personal data outside the EU and the EEA and the basis for the transfer

Personal data is not regularly transferred outside the EU or the EEA without the data subject’s consent.

If suppliers or services which require personal data to be transferred outside the EU or the EEA are used, Arcada will make sure that the requirements for an adequate level of protection are met or that appropriate safeguards are provided in accordance with Articles 44-50 of the General Data Protection Regulation.

12. Principles for the protection of personal data

Material in electronic format is stored in IT systems and on computers protected from unauthorized use with security measures including firewalls and passwords. The systems have different user levels, and users are granted access to the data only to the extent the user’s work tasks require.

Material in paper format is stored in locked rooms with limited access and access control.

13. Automated decision-making

Roles and authorities which provide access to resources are automatically given based on personnel’s personnel category and students’ right to study, degree programme and specialisation.

Other than the above mentioned, automated decisions and profiling are not made based on the personal data within the register.

14. The data subject’s rights

Information about the data subject's rights can be found here.