Privacy statement for SeAMK's marketing and communications

Purpose of the processing of personal data

The data subjects are informed about the activities of Seinäjoki University of Applied Sciences: education, research, services, events or other similar matters based on the data subject’s consent and interests.

Legal basis for the data processing 

The legal basis for the processing is the purposes of processing personal data and the consent of the data subject.

Data subjects

Persons who have requested additional information about the operations of Seinäjoki University of Applied Sciences: training, research, services, events or other similar matters.

What personal data do we collect about you?

If you apply to us to study or you are a former student or you are our customer or partner or otherwise in contact with us, we will process your contact information, for example. In addition, we process information that is generated when you use our services, such as network traces, cookies and communication traces. Where applicable, information on contact persons and users as well as their duties in the companies is also collected from our corporate customers.

We process the following personal data about you:
  • Basic information: identifying information (name, address, telephone number, e-mail address)

In addition, we may process the following personal data:

  • Person’s job title, place of work and organisation

As a rule, processed telephone numbers and addresses of data subjects are contact information of person’s employer. If the contact information is obtained from the person themselves, it can also be a home phone number and home address.

How do we collect your personal data?

Personal data is collected directly from data subjects based on their consent.

How do we process your personal data?

Your personal data is processed in the systems for the purposes for which the data was collected. As a rule, an online service is used to process personal data. Personal data is processed exclusively by employees of the university or university’s partners who have the right to process personal data. Access and reading rights to information systems are always determined and granted to the extent required by the job task only to those persons who need the information in question in order to carry out the task assigned to them. The data is stored with due regard to security requirements.
We use personally obtained information related to special needs only for that specific purpose (e.g. accessibility), and we take special care in handling it.

To whom do we disclose your personal data?

Personal data is not disclosed to third parties.
Seinäjoki University of Applied Sciences may use external workforce (e.g. companies providing IT services) who process personal data in accordance with the signed agreements.

How long do we keep your personal data?

Personal data will be kept for as long as the need to use it exists. See the table below for details.
Name of the data group Retention period
Name and contact information Retained until the person withdraws his/her consent, the contact information ceases to exist or the declared object of interest ceases to operate (e.g. the project ends)
Objects of interest Retained until the person withdraws his/her consent, the contact information ceases to exist or the declared object of interest ceases to operate (e.g. the project ends)
Employer information / Role related information Retained until the person withdraws his/her consent, the contact information ceases to exist or the declared object of interest ceases to operate (e.g. the project ends)

How do we protect your personal data?

When processing personal data, we always make sure that your privacy is not unduly compromised and that the data is always stored in a way that complies with the law.

Manual material

  • Stored and protected in such a way that they cannot be seen by outsiders and cannot be accidentally destroyed, altered, transferred, moved or otherwise illegally handled.
  • Employees have the right to see only such information about the students that he or she needs in order to do his or her job.
  • Employees are responsible for archiving the documents that needs to be archived together with the archivist. The archiving plan defines the retention times and life cycles of documents.
  • Documents containing personal data are disposed of by shredding or as data protection waste.

Electronically processed data

  • The maintenance of the server equipment is the responsibility of SeAMK’s Information Management. The devices are located in locked spaces with strictly restricted access. The network and servers are properly protected.
  • Access rights are limited by user groups. The visibility of the information and the right to update the system is determined by the access roles for different user groups.
  • The data can only be accessed by those who have access to the system.
  • Access to the system is determined by the person’s job duties or study status.
  • The staff is bound by the obligation of confidentiality defined in the employment contract.
  • The Data Subject’s Rights

    The EU General Data Protection Regulation (2016/679) grants the Data Subject the following rights:

    Right to access the data (Article 15)

    The General Data Protection Regulation grants you the right to obtain a copy of personal data concerning you. No specific format has been laid down for making this request. If necessary, we may ask you for more information to enable us to confirm your identity.

    If you submit your request concerning this right electronically, we will provide the data in a commonly used electronic format. While such requests are fulfilled free of charge in principle, under certain conditions we may charge you for the administrative costs of fulfilling the request, or refuse it.

    The General Data Protection Regulation sets the time limit of one month for responding to your request. Where necessary, this period may be extended by a maximum of two months, taking into account the complexity and number of the requests.

    Right to rectification (Article 16)

    The Data Subject has the right to demand the rectification of erroneous information in the register. The request for rectification is submitted in writing.

    Right to withdraw consent (Article 17)

    The data subject has the right to withdraw his or her consent at any time, if their consent has been requested.

    Right to erasure (Article 17)

    The Data Subject has the right to demand the erasure of their personal data if one of the following grounds applies:

    • The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
    • the Data Subject withdraws consent on which the processing is based, and there is no other legal ground for the processing
    • The Data subject objects to the processing and there are no overriding legitimate grounds for the processing (Article 21)
    • The personal data have been unlawfully processed
    • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject

    Right to restriction of processing (Article 18)

    The Data Subject has the right to obtain from the controller restriction of processing where one of the following applies):

    • The accuracy of the personal data is contested by the Data Subject, for a period enabling the controller to verify the accuracy of the personal data
    • The processing is unlawful, and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead
    • The Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims
    • The Data Subject has objected to processing pursuant to Article 21 pending the verification whether the legitimate grounds of the controller override those of the Data Subject.

    Right to data portability (Article 20)

    The Data Subject has the right to receive the personal data concerning them, which they have provided to a controller, in a machine-readable format if the processing is based on consent and the processing is carried out by automated means.

    Requests for the use of the above rights are addressed to:

    Seinäjoen Ammattikorkeakoulu Oy
    Data Protection Officer
    P.O. Box 412 (Kampusranta 11)
    60101 Seinäjoki

    Rectification of errors

    The Controller shall, without unnecessary delay, spontaneously or at the Data Subject’s demand rectify, erase or complete personal data that are erroneous from the perspective of processing, unnecessary, insufficient or outdated.

    Having detected an error, the person in charge of register-related matters shall immediately rectify the error or notify a person with the sufficient rights to do it. The Data Subject has the right to demand the rectification of the data, and the data is rectified without unnecessary delay. If the rectification is refused, a written refusal certificate is provided. The Data Subject has the right to submit the matter to be resolved by the Data Protection Ombudsman, address Tietosuoja-valtuutetun toimisto, PL 315, 00181 Helsinki. The Data Protection Ombudsman may issue the Data Controller an order to rectify the data.

    The demand for rectification is submitted in writing or orally to the person in charge of register-related matters and, if necessary, the Data Subject’s identity is verified.

    For other cases, a demand for rectification is addressed to:

    Seinäjoen Ammattikorkeakoulu Oy
    Data Protection Officer
    P.O. Box 412 (Kampusranta 11)
    60101 Seinäjoki

    Other rights related to the processing of personal data

    Checking of identity

    Unless the person requesting data is not known from before or their identity cannot be verified in other ways, they shall always prove their identity before the transfer of data.

    Identity can be proved with an official identification including a photo, such as driving licence, passport, identity card issued by the police authority, and the Kela card.

    Prohibition of transfer of address data

    The Data Subject has the right to prohibit the transfer of their personal data from the population information system and related documents

    • for direct marketing, telemarketing and other direct marketing, as well as market research and opinion polls (Personal Data Act 30 §)
    • as an address service (Population Information Act 25 § 5)
    • for a register (Personal Data Act 30)
    • for genealogy (Personal Data Act 30).

    The prohibition of the transfer of the above data is applied for from the Population Register Centre or a city administrative court. After the prohibition has come into effect, the Population Register Centre no longer transfers data as an address service to the University of Applied Sciences. A Data Subject not willing to give their address data is responsible of the inconvenience and damage caused by the impossibility of reaching them.

    Non-disclosure

    If a person has reasonable grounds for suspecting their security or that of their of family is under threat, the city administrative court can at their request rule that their domicile or address information shall not be transferred from the population information system to other actors than the authorities. The city administrative court requires a written, justified request from the applicant of a non-disclosure, or at least a visit to the office. For the first time, the non-disclosure order may be valid for five years maximum. It can be prolonged for two years at a time. If a person has a non-disclosure, their address is in many cases not transferred even to the authorities. The authorities that receive the person’s contact data to their systems, are also informed of the non-disclosure.

    A person with a non-disclosure shall notify the person in charge of register-related matters.

    Restraining order

    A restraining order means that, in order to protect the person’s life, health, freedom or piece someone else can be prohibited to contact them. A restraining order can be applied for by anyone who with good reason feels threatened or disturbed by someone else. A restraining order is applied for from the police or directly from the local court.

    A person who has been granted a restraining order shall, when necessary, notify the person in charge of register-related matters.


Controller

Seinäjoki University of Applied Sciences
Kampusranta 11 F, Frami F, 60320 SEINÄJOKI
tel. +358 20 124 3000

Contact persons in matters relating to the data file

Outi Kemppainen, Marketing and Communications Manager, Seinäjoki University of Applied Sciences
outi.kemppainen(at)seamk.fi

Data Protection Officer

Jarmo Jaskari, Data Protection Officer, Seinäjoki University of Applied Sciences
tel. +358 40 868 0680
jarmo.jaskari(at)seamk.fi

Postal address:
Seinäjoki University of Applied Sciences
Data Protection Officer, P.O. Box 412, Kampusranta 11, Frami E, 60320 SEINÄJOKI

Main Acts

  • University of Applied Sciences Act 932/2014 and regulations issued pursuant to it
    • Government Decree on the Universities of Applied Sciences 1129/2014
  • General Data Protection Regulation (EU) 2016/679 and supplementing national regulations, Act on the Publicity of Authorities’ Activities 621/1999