Data privacy notice - Processing student's personal data at the University of Oulu
Data privacy notice
The lawful basis for data processing in the University of Oulu is typically to comply with legal obligations and to perform tasks in the pubic interest. In some cases, the lawful basis can be to fulfil contractual obligations with a data subject or legitimate interests of the data controller. Lawful basis can also be the data subject’s consent.
In the links below, you will find more detailed descriptions on processing personal data regarding different stakeholder categories e.g. purposes and legal basis for processing. You will also find descriptions of your rights regarding your personal data processed. Please note that persons participating in research projects will be separately informed on data processing during the research.
Data privacy notice for student councelling services are described separately.
Data controller and responsible unit:
University of Oulu
P.O. Box 8000
Pentti Kaiteran katu 1, Linnanmaa
90014 University of Oulu
Phone +358 294 48 0000
Unit in charge of the processing
The unit responsible for students’ personal information in the University of Oulu is Academic Affairs. Academic Affairs, Director Vesa-Matti Sarenius, email: study(at)oulu.fi
University Data Protection Officer: dpo(at)oulu.fi
Description of processing student's personal data at the university in order to organise statutory education.
Purpose of processing personal data and legal basis for processing personal data
Data processing in the University of Oulu is based on legislation. Your personal information is being processed to:
- maintain personal information and contact information,
- process applications and implement study rights,
- process enrollment for exams,
- organize teaching and exams,
- organize entrance examination and level exams,
- maintain study records and records of degrees,
- provide study counselling and guidance,
- provide records of studies and diplomas of completed degrees,
- process study rights, such as applying for extended study period or recognition of prior learning,
- generate statistics,
- develop teaching and selection of students,
- to protect the safety and information security of students and other members of the university
- library services registry
In addition, the university can process personal data for scientific or historical research purpose.
By the consent you have given, your personal data can be handed over to provide student card . Your personal data can also be used in recruitment processes concerning your studies or other special purposes.
University’s (data controller) right to process students’ personal data is based on:
- performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (The European Data Protection Regulation Art. 6.1 e)
- compliance with a legal obligation to which the controller is subject (The European Data Protection Regulation Art 6.1 c and the relevant Finnish rules: Universities Act 558/2009, Yliopistoasetus 115/1998 (Degree on Universities), Government Decree on University Degrees 794/2004, University of Oulu Education Regulations 2016)
- data subject's given consent to the processing of personal data or the performance of a contract to which the data subject is party (The European Data Protection Regulation Art. 6.1 a and b)
The university has the right to process special categories of personal data (sensitive personal data) when data processing is necessary for reasons of substantial public interest (The European Data Protection Regulation Art. 9.1 g) or the data subject has given explicit consent (The European Data Protection Regulation Art. 9.1 a).
The data is being processed and kept confidential as required by legislation (Act on the Openness of Government Activities 621/1999, data protection legislation).
Personal data to be processed
Students’ personal data and study records are processed by information systems or manually. The data will be complemented during the studies, for example by adding grades to study records.
The University of Oulu processes following data categories concerning students:
Personal information, background information and contact information:
- Personal information: name, social security number, date of birth, student number, national student number, username
- Background information: admission information, gender, nationality and language skills
- Contact information: email, phone number, address
Information concerning studies:
- Study rights to degree and non-degree studies
- Completed degrees
- Annual registration
- Membership of The Student Union of the University of Oulu (OYY)
- Study records and assessments
- Publishing information on thesis/dissertations
- Enrollment to exams and courses
- Information on participating in teaching and location of mobile device
- Electronic examination and video surveillance
- Personal study plans (PSP) and other information concerning study counselling
- Information concerning internship and international exchange studies
- Internship feedback from the employer
- Information concerning tuition fees for citizen on non EU/EEA member states
- Grants from foundations or from a research group/project fund
- Course feedback
- Information needed to provide services for students, including IT services.
Information on issues during studies that may contain processing of special categories of personal data:
- Information concerning special arrangements and support of studies
- Information concerning extended study period and reactivating study rights
- Problem situations and their consequences concerning studies or study environment
Recipients or categories of recipients of personal data
Personal data is being processed only by the personnel in the University of Oulu or other people assigned by the University of Oulu to fulfill their obligations.
The data is protected from unauthorized processing. Access to information systems is restricted by licenses. Personal information is mainly being processed by the personnel in Academic Affairs unit and teachers. In addition, data can be processed in security services, IT services, human resources, finance & accounting, facility services and communications services.
The University of Oulu may also use other data processors (e.g. information system providers), which will process data on behalf of the University of Oulu under a Data Processing Agreement.
The University of Oulu will transfer personal information outside the university or process information outside its original use only by lawful basis.
The University of Oulu transfers necessary personal data of students to:
- Student Union of the University of Oulu OYY
- Finnish Student Health Service FSHS
- By electric means to International education services of Finnish National Agency for Education
- By electric means to student admission register (via national VIRTA information service)
- By electric means to KELA - The Social Insurance Institution of Finland
- By electric means to Valvira - National Supervisory Authority for Welfare and Health (via national VIRTA information service)
- Statistics Finland, as a technical document from national VIRTA information service
- Ministry of Education and Culture through national information service, which produces statistics from student information, evaluates and develops education and research, monitors and steers operations
- Employment and Economic Development Services (TE Services)
- By electric means to Finnish Immigration Services MIGRI
- Student Housing Foundation PSOAS
- Teaching Hospitals and Healthcare Centers
- Admission services for International Master Programmes, for checking applications, attachments and contacting persons selected to these programmes also from non EU/EEA memeber states.
In addition, the University of Oulu may transfer student’s personal information:
- for scientific research purposes
- to comply with Act on the Openness of Government Activities (Julkisuuslaki 621/1999) or other legislation
- to other Finnish universities or polytechnics to process study rights and study records
- to foreign universities or polytechnics (also non EU/EEA member states) to implement exchange studies, joint or double degree education or to transfer study records.
- with student’s consent; contact information (address) to authorities, associations, foundations and organizations for sharing information that aims to advance studies or improve study circumstances
- the source of transferred information is mainly Peppi (information system). Permanently stored study information and information concerning exchange periods are transferred to national information service VIRTA.
Transfers of personal data to third countries or international organizations
If the personal data needs to be transferred outside of EU/EEA member states and the transfer would not be under Commission adequacy decision, such transfer will only be conducted in accordance with the rules of Chapter V of the GDPR.
Retention time of personal data
Retention time of personal data handled by electronic means and in writing is based on legislations and guidelines of the University of Oulu. When legislation and guidelines do not determine the retention time, data will be preserved for as long it is needed for the information in question.
Student’s rights to his/her personal information
As a student you can check your information and change contact information in Peppi system.
Student as a data subject has the following rights:
- Where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
- Right to access own personal information
- Right to have inaccurate information rectified (remember to update your contact information)
- In some occasion right to have information removed (“right to be forgotten”)
- In some occasion right to restriction or objecting of data processing
- In some occasion right to have data transferred between systems in machine-readable format, if the processing of data is based on consent and performed automatically.
- Please note that the rights mentioned above will be considered case by case in accordance with the European Data Protection Regulation. Also note that in all occations you do not have the rights mentioned above.
How can you exercise your rights?
If you have questions concerning your rights, you can contact the data protection officer or faculty’s contact person.
If you wish to exercise your rights mentioned above, please send your request to: kirjaamo(at)oulu.fi. You will get a reply with necessary instructions.
Right of appeal to the supervisory authority
In addition to the rights mentioned above, you have the right to file a complaint about the processing of your personal data with the Office of the Data Protection Ombudsman as the supervisory authority. The contact details and opening hours can be found on the website of the Data Protection Ombudsman.
Is providing personal data required by law or contract and is data subject obligated to provide personal data? / What happens if personal data is not provided?
The student is expected to provide information needed for the provision of university education and may in certain situations be based on the lawful obligation of University. The student is responsible for the validity of the information. Providing personal information is often mandatory to handle issues and processes.
The origin of personal data (when it is not provided by the data subject)
Information concerning students is collected from the following sources:
- National or university’s own admission systems
- International admission systems
- Other Finnish or international university or polytechnic
- Enrollment and payment services
- University’s personnel
- Trainees’ employers
- Information can also be retained from IT services and appliances provided to students, or it may be retained from surveillance data collected by the university (such as video surveillance).
Processing personal data in automated decision-making, including profiling
General description of the technical and organisational protection measures
The University as the Data Controller uses appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against damage or loss.