Data Protection Policy of Seinäjoki University of Applied Sciences

This data protection policy was approved by the management team of Seinäjoki University of Applied Sciences as a Code of Conduct binding on SeAMK’s staff and students on 10 April 2018.

1.  General points

The Data protection policy of Seinäjoki University of Applied Sciences specifies what information security and data protection mean and how they are maintained. Data protection refers to protecting personal data and other confidential or sensitive data concerning a person.

Seinäjoki University of Applied Sciences is committed to complying with the EU General Data Protection Regulation (2016/679) and the requirements of the statutes and other norms related to it.

This policy applies to all personal data for which SeAMK is responsible and their processing, regardless of where or how they are processed and any other arrangements concerning them.

Seinäjoki University of Applied Sciences ensures that this data protection policy and legislation are complied with, that the policy remains up to date, and that it is reviewed whenever a need to change it arises.

2.  Descriptions

Seinäjoki University of Applied Sciences maintains a privacy policy required under the acts and decrees in force on data processing for which it is responsible.

For details of how the principles are implemented, see the privacy policies of different areas in the activities of Seinäjoki University of Applied Sciences.

3. Principles and implementation of personal data processing

Personal data must be processed in compliance with the following requirements:

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality

Among other things, these principles are implemented by ensuring that:

  1. There is always a legal ground for processing personal data
  2. The persons whose data are processed are informed sufficiently about the processing
  3. Processing is limited to the purpose for which the data were collected
  4. Data are processed in compliance with information security regulations
  5. The persons whose personal data are processed are given effective possibilities to exercise their rights, and their requests are responded to promptly
  6. The risks of personal data processing are assessed from the perspective of the person whose data are being processed, the risks are minimised, for example by pseudonymisation, and an impact assessment concerning the processing is carried out if the risks are high
  7. Personal data are only processed as necessary
  8. Data accuracy is ensured
  9. Data processing activities are documented
  10. Data processing practices are reviewed regularly
  11. The principle of data protection by design is followed.

Seinäjoki University of Applied Sciences must be able to demonstrate compliance with the above principles of personal data processing. Compliance with the principles is described in the annual data balance sheet.

In its capacity as an employer, Seinäjoki University of Applied Sciences must ensure that each employee understands the importance of these principles and follows them, and complies with the more detailed conditions of processing and protecting personal data belonging to special categories (sensitive data).

The data may only be used by persons who need them for their work and to the extent necessary for the performance of their duties. Data can only be disclosed with the consent of the data subject or pursuant to legislation.

4.  Data protection by design

Employees of Seinäjoki University of Applied Sciences responsible for specifying and designing new or significantly changed systems in which personal data are processed take into account the protection of personal data and the necessary impact assessments to be carried out.

A data protection impact assessment may also be required for a research, study or other project if processing poses risks to the data subjects.

An impact assessment relating to data protection in a research project is part of the research ethics assessment process.

5.  Responsibilities

Seinäjoki University of Applied Sciences monitors compliance with data protection legislation in its activities by means of internal control, audits, guidance and instruction. Seinäjoki University of Applied Sciences produces instructions for completing the necessary technical and organisational measures in its various activities.

The management of Seinäjoki University of Applied Sciences always carries the ultimate responsibility as the controller for the processing and lawfulness of personal data.

6.  Data subject’s rights

Seinäjoki University of Applied Sciences safeguards data subjects’ rights in compliance with the legislation and the General Data Protection Regulation. A data subject has the right to address a request for access to personal data concerning them to the controller, and the right to request rectification or erasure of such data or a restriction of processing, and to object to processing. The right to erasure does not extend to personal data which are processed by SeAMK to comply with a legal obligation or to carry out a task in the public interest, or which the university of applied sciences has some other obligation to retain.

The data subject has the right to lodge a complaint with a supervisory authority.

The data subject may have the right to transmit data from one system to another, should this right be applicable to the data in question.

7.  Actions

Seinäjoki University of Applied Sciences provides training on basic information security concepts and measures to all of its staff, as well as more in-depth training for those who need it.

Seinäjoki University of Applied Sciences has a Data Protection Officer. The Data Protection Officer answers any questions related to this Data protection policy, compliance with the General Data Protection Regulation and other legislation concerning personal data at SeAMK, and the processing of personal data at SeAMK. The Data Protection Officer is directly accountable only to the company’s senior management. The administrative substitute for the Data Protection Officer is the Director of Administration.

Enquiries concerning specific personal data files are responded to by the contact points indicated in the policies.

8.  Informing staff, data subjects and stakeholders

Information on this Data protection policy and any changes made to it is disseminated on the internal communication channels of Seinäjoki University of Applied Sciences. The policy will be updated as necessary. Internal guidelines on data protection will also be issued.

The Data protection policy of Seinäjoki University of Applied Sciences will be valid until further notice. It is a public document available on SeAMK’s external and internal websites.

Adoption of the Data protection policy

This Data protection policy was adopted by a decision of the President of Seinäjoki University of Applied Sciences on 18 June 2018.