Privacy statement for staff
The employees’ personal data are processed in compliance with the Act on the Protection of Privacy in Working Life (759/2004). Under this Act, the employer may only process personal data that are necessary for the employee’s employment relationship and related to:
- exercise of the rights of the parties to the employment relationship or fulfilment of their obligations; or
- benefits offered by the employer to employees, or
- reasons due to the special nature of the tasks.
No exception may be made to the requirement of necessity, not even by the employee’s consent. Consequently, there are restrictions on the personal data concerning an employee the employer is allowed to process.
The Act on the Protection of Privacy in Working Life contains specific provisions on the processing of health data and personal credit data (sections 5 and 5a).
The Act also has provisions on using technical aids to supervise employees, the employer’s right to open an employee’s personal work e-mail messages, and on the circumstances in which the employer may investigate an employee’s credit information or drug abuse.
The EU General Data Protection Regulation (2016/679 EU) contains general provisions on data protection which, in addition to this special Act, also apply to working life.
The co-operation legislation (Act on Co-operation in Undertakings and the Act on Co-operation in State Agencies and Institutions) contains provisions on the basis of which data collected both at the beginning and in the course of an employment relationship are within the scope of the co-operation procedure.
When processing personal data, we always comply with the basic principles defined in the General Data Protection Regulation:
- personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
- personal data shall be collected for specified, explicit and legitimate purposes and not processed further in a manner that is incompatible with those purposes (‘purpose limitation’)
- personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
- personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
- personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’)
- personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
For what purposes do we collect your personal data?
We process your personal data based on legislation, a contract, legitimate interest and your consent in order to perform the employer’s various duties and statutory and voluntary tasks. In addition to managing your employment relationship, we need your personal data for a number of other reasons, including for the authorities to handle taxation and social security contributions, for HR administration and organisational development, for customers, etc.
The legislation only allows the employer to process personal data that are directly necessary for the employee’s employment relationship and that are related to the exercise of the rights of the parties to the employment relationship or fulfilment of their obligations, or for benefits offered by the employer to the employees, or for reasons due to the special nature of the duties.
Data necessary for exercising the employer’s and employee’s rights and fulfilling their obligations include data related to the performance of tasks, the selection of an employee, working conditions and compliance with collective agreement provisions.
Data related to benefits provided by the employer may concern, for example, tickets to a swimming pool or discounts offered by the employer and their use.
Data based on the special nature of the tasks may, for example, apply to the family circumstances of an employee posted abroad as the employer makes arrangements for their children’s education.
We collect personal data from former and current employees as well as from persons participating in a recruitment process.
The purposes for which employees’ personal data are processed include but are not limited to:
Legal bases: legal obligations, a contract, a legitimate interest, consent.
- Tasks related to the processing and payment of salaries, fees and grants, and statistical purposes
- Working time monitoring and allocation of working hours (allocation of salary costs to projects).
- Assessing the demands of work
- Tasks related to the processing and payment of expenses and reimbursements, and statistical purposes
- Administration of travel and the expenses and reimbursements related to it
- Administration of benefits offered by the higher education institution
- Administration of participation in development programmes
- Administration of staff training
- Administration of work carried out by the staff abroad and in international tasks
- Management of shortcomings and claims raised by employees
- Management of the co-operation procedure
- Obligations under employment contracts
- Organising elections at SeAMK
- Administration of the employee dismissal process
- HR reporting and planning of HR matters
- Management of SeAMK’s and the staff’s communications
- Management of staff numbers and facilities
- Management of information technology and communication systems, such as the company’s e-mail system and corporate directory
- Ensuring the staff’s physical safety and information security
- Logs, scans, CCTV monitoring and access control
- Management of audits and similar matters and processes
- Production of data for stakeholders (including the Tax Administration, auditors, pension insurance companies, Social Insurance Institution, trade unions, Ministry of Education and Culture, Academy of Finland)
Which data do we collect?
Our file contains personal data on persons in an employment relationship with the higher education institution, including salary earners, fee recipients, persons in a position of trust and grant recipients.
Personal data refer to any type of entries describing a person, their characteristics or their living conditions that can be identified as relating to them or their family. In order for information to be considered personal data as referred to in legislation, it must be stored manually, mechanically or electronically. Consequently, for example, hand-written notes made by the employer in a job interview, information stored in a computer memory, data recorded by an access control device, and data generated on telephone use are considered personal data. Information which exists exclusively in oral form is not personal data unless it is based on data stored in or disclosed from a file.
The following are some of the personal data we collect on you:
- Identification and authentication data, including name and personal identity code
- Contact details, including address, e-mail address and phone number
- Data needed for HR administration
- Necessary health data
- Personal credit data (in specific tasks)
- Data required to fulfil statutory obligations
- Data on IT service and system use
- Data collected by the monitoring and administration systems
The data we store in the personal data file include the following:
- The person’s basic data (including name, date of birth, personal identity code, contact details)
- Data on the employment relationship
- Payment data (including account number, salary determinants, trade union membership)
- Payment data for salaries and fees
- Data on performance appraisal discussions
- Data on training
- Working time monitoring data
- Working time allocation data
- Data on product and service deployment
- Data on product and service use; for example, we collect data on service use and browsing on our website and in mobile services
- Logging, scanning
- Access control data
- CCTV monitoring data
How do we collect your personal data?
Primarily, we collect your personal data directly from you, either orally or in writing. The data may be collected by us, or this task may be assigned to our partners.
The data may also be acquired by observing the use of our services and systems or derived from it as you use the office equipment, computers, telephones and software offered to you by SeAMK, including electronic communication, e-mail and Internet applications.
The data may also be collected by our management and supervision services.
Additionally, we obtain data from registers kept by the authorities, the credit data and customer default register, and other reliable registers.
The employer must primarily obtain personal data from the employee themselves as this is the best way for the employee to know what data are collected on them. If the employer collects information from other sources, they must obtain the employee’s consent.
Consent is not required when an authority discloses information to the employer to enable the employer to perform a task laid down in legislation or when the employer acquires personal credit data or criminal record data to determine if the employee is trustworthy. The employee’s credit data may be needed in tasks where the employee carries direct financial responsibility for the employer’s assets or where special trust is required in the employment relationship for other reasons.
The Criminal Records Act and Decree, on the other hand, contain provisions on the purposes for which and the parties to whom criminal records data can be disclosed. In some workplaces, knowing that the employees are trustworthy is particularly important. They may include airports, nuclear power plants, teleoperator centres, certain IT service companies, production and research institutions, and authorities. The Act on Background Checks, which lays down the criteria for such reports, applies to these tasks. Where the employer acquires data in order to determine if the employee is trustworthy they must, before acquiring the data, inform the employee of their intention to acquire this data. This obligation to inform the employee applies not only to personal credit data and criminal record data but also other data obtained to determine if the employee is trustworthy, which the employer collects by the employee’s consent from other sources.
The employer must inform the employee of the data collected from other sources and their content before the data are used to make decisions about the employee.
How do we process your personal data?
We process your personal data in compliance with the General Data Protection Regulation and in a manner that respects your rights and freedoms. We ensure that the principles of data protection are observed at all stages of processing.
Your data are only processed by those employees of the higher education institution or its partners who have the right to do so. We have ensured our staff’s awareness and competence related to information security by means of continuous training and up-to-date instructions.
Your personal data may be processed in several different information systems administrated by either the higher education institution or its partners.
We have concluded GDPR-compliant contracts with our partners. Under these contracts, we have received sufficient guarantees from the processors to ensure that they will process personal data in compliance with the GDPR requirements.
We have implemented appropriate technical and organisational measures in connection with the processing of personal data to comply with the data protection principles. Technical and organisational measures refer to such security measures as staff training, instructions and regulations issued to staff, non-disclosure agreements, monitoring of the facilities, self-monitoring as a means of access control, information system security, data encryption, data anonymisation, data pseudonymisation, audits, remote access, technical restrictions, audit and control systems, a data balance sheet process, and the introduction of codes of conduct and certification.
To whom do we disclose your personal data?
SeAMK outsources certain data processing services to its partners. We only select as partners processors who follow good personal data processing practices based on appropriate technical and organisational measures, meet the requirements of the General Data Protection Regulation, and are able to ensure that your rights are realised.
We have concluded written contracts with all of our partners specifying the object, purpose and duration of processing and designating the persons who process personal data.
In addition, personal data are disclosed in connection with the following: notifications to pension insurance companies, annual reporting to the Tax Administration, direct transfer of tax cards with the Tax Administration, reports on membership fees to trade unions, statistical data provided to the Ministry, other statutory transfers, salary payment data to banks and accounting, and transmission of data to other parties to manage employee benefits (including occupational health care services, TE Office).
As a rule, we process the data within the EU and EEA.
Do we transfer your data to non-EU or EEA countries?
As a rule, we process your personal data within the EU and EEA. In some exceptional cases, we may need to transfer your personal data to countries outside the EU or the EEA in connection with international postings or the use of some services. In that case, we ensure that your personal data have an adequate level of protection as required by legislation, for example by using standard contractual clauses approved by the European Commission.
How long do we retain your personal data?
The retention periods of personal data are determined in compliance with the legislation and the higher education institution’s information management plan. In keeping with the data protection principles, we do not store outdated or unnecessary data on our employees.
The retention periods of data are determined in SeAMK’s information management plan.
Your right to access the data
The General Data Protection Regulation grants you the right to obtain a copy of personal data concerning you. No specific format has been laid down for making this request. If necessary, we may ask you for more information to enable us to confirm your identity.
If you submit your request concerning this right electronically, we will provide the data in a commonly used electronic format. While such requests are fulfilled free of charge in principle, under certain conditions we may charge you for the administrative costs of fulfilling the request, or refuse it.
The General Data Protection Regulation sets the time limit of one month for responding to your request. Where necessary, this period may be extended by a maximum of two months, taking into account the complexity and number of the requests.
Your right to rectify the data and be forgotten
With certain exceptions, the General Data Protection Regulation gives you the right to rectify and erase your data; the latter is also referred to as the right to be forgotten.
You also have the right to withdraw the consent on which the processing is based. To do so, you can ask us to erase the data concerning you in our systems. If there are no other legal grounds for processing your personal data, we will erase them.
If one of our partners is in possession of your data which you wish to rectify or erase, we will ask them to comply with your request.
Your right to data portability
Under the GDPR, you have the right to transmit your data from one system to another. In practice, you have the right to obtain the personal data concerning you in a commonly used, machine-readable form and to transmit them to another controller. A precondition for this right is that the processing is based on consent or a contract and carried out by automated means.
Your right to object to processing, automated decision-making and profiling
On grounds relating to your particular personal situation, you have the right to object to processing of personal data concerning you at any time. This right does not apply to public sector files maintained on statutory grounds.
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
Your right to having a personal data breach communicated to you
We have a duty to personally communicate a personal data breach to data subjects whose data have been breached. This right applies if the breach is likely to result in a high risk to the rights and freedoms of natural persons, for example in the form of identity theft, payment fraud or other criminal activity.
Whom can I contact?
Requests for rectification and access should be addressed to: firstname.lastname@example.org
You can contact SeAMK’s Data Protection Officer in case of any problems or whenever you need advice:
Seinäjoki University of Applied Sciences
Data Protection Officer
P.O. Box 412 (Kampusranta 11)