Populus travel administration system’s privacy statement | SeAMK

Populus travel administration system's privacy statement

Articles 13 and 14 of the EU General Data Protection Regulation

Data Protection Act (1050/2018)

Articles 13 and 14 of the Combined Data Subject Information Document (EU Data Protection Regulation 2016/679)

1. Controller

Seinäjoki University of Applied Sciences
Kampusranta 11, Frami F
FI-60320 Seinäjoki, Finland
+358 20 124 3000

2. Controller’s representative

Director of Administration

2a. Official responsible for the personal data file

Director of Administration

2b. Contact persons in matters relating to the data file

Mirka Ketola, HR Secretary, Payroll Administration (System Administrator)
Seinäjoki University of Applied Sciences
tel.  +358 40 8302411

Leena Myllyaho, HR Secretary, Payroll Administration (System Administrator)
Seinäjoki University of Applied Sciences
tel. +358 40 8302414

Teija Rintamäki, HR Secretary
Seinäjoki University of Applied Sciences
tel. +358 40 830 3989

2c. Contact details of the Data Protection Officer

Jarmo Jaskari, Data Protection Officer, Seinäjoki University of Applied Sciences
tel. +358 40 868 0680

3. Name of the data file

ePopulus travel administration system.

4. Purpose of processing personal data/data file use

Producing travel plans, travel advance applications, travel claims and expense claims related to all domestic and foreign travel in the company, and their approval, rejection or transfer to the author for corrections. Travel interruptions are transmitted to Pegasus core system for personnel and payroll administration.

The data are transferred from ePopulus to Basware payment transaction software for payment and to ProEconomica system for cost accounting.

5. Purpose of maintaining the data file

The use of the file is based on legislation applicable to a limited liability company. The relevant statutes and regulations are listed in the section on regular disclosures of data, monitoring, and the following list:

  • Personal Data Act 523/1999 (general prerequisites referred to in section 8)
  • Annex 2 to the collective agreement of Avaintyönantajat AVAINTA union

5a. Data content of the file

The file contains data concerning employees who have an employment relationship with the company.

The following data from the HR and payroll administration system (Pegasos) are imported directly to the file:

  • A person’s basic data (including name, date of birth, personal identity code, contact details)
  • Data on the employment
  • Payment details (bank account number)

Data saved in the file

  • accumulation of kilometres during the current year
  • travel details (purpose, itinerary, days)
  • accounting identifiers (including cost centre)
  • amount to be paid
  • official performing factual verification
  • approver
  • approval date
  • interruption data by transaction type

Data retention periods are determined based on the company’s filing plan.

5b. Information systems using the data file

  • Pegasos

6. Regular sources of data

  • Recipients of travel costs and expenses
  • Approvers

7. Regular disclosure of data

  • Travel plan interruption data are transferred to Pegasos twice a month
  • Annual reports to the Tax Administration

8. Transfer of data outside the EU or the EEA

No data stored in the file is transferred outside the EU or the EEA.

9. Principles of data file protection

A.      Manual material

Manual material is stored in locked cabinets.

B.      Computer-processed data

The information systems in which the personal data file is maintained are managed following the company’s information security rules and guidelines. The information systems and their interfaces are protected technically by such means as a firewall, and the system data are backed up regularly.

Access right groups are used to restrict access to the information systems, ensuring that each user can only access the data they need in their tasks.

The system can only be accessed via a secure network connection.  A personal username and password are required to access the system. Access rights are withdrawn when a person no longer performs relevant tasks.

Sections 21 and 40 of the Universities of Applied Sciences Act contain provisions on confidentiality of information. Further provisions are contained in section 24 of the Act on the Openness of Government Activities. Particular attention is paid to the security of confidential and sensitive data referred to in section 11 of the Personal Data Act.