Privacy statement for students | SeAMK

Privacy statement for students

Dear current or former student,

The present statement concerns degree students, exchange students, and students of Open University of Applied Sciences. It includes information on how your personal data are processed and what rights you have in relation to your own personal data.

According to the Act on Universities of Applied Sciences, the he mission of the universities of applied sciences is to provide higher education based on the requirements of working life and its development as well as on research, art and culture for professional expert tasks, and to support the student’s professional growth.

Moreover, their mission is to pursue RDI and artistic activities serving the education provided by them, fostering working life and regional development, and renewing regional economic structures.

When carrying out their mission, universities of applied sciences shall promote lifelong learning. These are statutory duties. Our aim is to meet our statutory duties and to achieve efficiency in the provision of services. Only the information necessary for the fulfilling the mission of SeAMK, the planning, implementation, follow-up and assessment of the operations, is registered by SeAMK’s different systems.

In order to carry out our educational mission, e.g. the arrangement of teaching and the collection and upkeep of study and degree information, as well as the provision of student services, we need to process different data allowing you to be recognized, or personal data. This makes you a Data Subject and us a Data Controller, or the actor controlling the processing of your personal data for this purpose.

Common terminology

Here’s a list of the most common GDPR terms:

  • Data Subject is a person (such as you and me) whose personal data is processed by a data controller (such as a company or service we use).
  • Data Controller is an organisation that collects data from EU residents. It determines the purposes, conditions and means of processing the personal data.
  • The entity that does the actual data processing is called a Data Processor — an example might be a cloud service provider.
  • Processing involves any operation performed on personal data, whether or not by automated means. This includes collection, use, recording, feeding it to machine learning algorithms (read how ML is affected by GDPR), and so on.

Data Controller

Seinäjoen Ammattikorkeakoulu Oy, Kampusranta 11 F, Frami F, 60320 SEINÄJOKI, tel. +358 (0)20 124 3000

Contact person in matters related to the register:

Administrative Manager Johanna Säilä-Jokinen
johanna.saila-jokinen(at)seamk.fi

Data Protection Officer

Data Protection Officer Jarmo Jaskari
tietosuojavastaava(at)seamk.fi

Seinäjoen Ammattikorkeakoulu Oy
Data Protection Officer
P.O. Box 412, Kampusranta 11, Frami F, 60320 Seinäjoki

Scope of the Privacy Statement

The present Privacy Statement concerns the personal data related to students and their studies processed by Seinäjoen Ammattikorkeakoulu Oy, hereafter referred to as SeAMK.

Aim of the processing of personal data and its legal grounds

The purpose of the use of student and study data is the upkeep of student data and students’ study and study attainment data, as well as the production of different study-related certificates and reports for SeAMK’s own operations and research, and data transfers to the authorities.

The student and study data are maintained so as to secure the student’s rights and interests. The processing of personal data is based on the legislation governing the universities of applied sciences.

Why do we process your personal data?

We process your personal data

  1. to implement and show your study entitlement, to arrange the teaching, as well as for study-related counselling and supervision,
  2. to manage and to compile statistics on your study attainments and degrees earned
  3. to develop our teaching
  4. to grant the physical security and information security of the study environment.

Moreover, we may use your data for

  1. scientific research
  2. study-related marketing communication and another specific purpose.

Our right to process your personal data as a student is based on

  • a statutory task (Universities of Applied Sciences Act L932/2014) (1, 2, 3)
  • a mission concerning the public interest and the use of public authority (3, 4, 5)
  • an agreement (4) or
  • a consent (6).

The key statutes:

  • Universities of Applied Sciences Act (L932/2014) and the related Decrees
    • Universities of Applied Sciences Decree (A1129/2014)
  • Act on the National Registers of Education Records, Qualifications and Degrees L884/2017
  • General Data Protection Regulation (EU) 2016/679 and its complementary national statutes, Act on the Openness of Government Activities L621/1999
  • Degree Regulations of Seinäjoki University of Applied Sciences

Student data content

We process the following data groups concerning you:

  • Basic information: identifying information (name, identity number, student number, national student number) and your background and contact information
  • Study entitlements
  • Registrations for semesters
  • Membership of the Student Association (if necessary)
  • Study attainments (incl. theses, exam replies, and other assignments completed for the assessment of study attainments)
  • Earned degrees
  • Registrations for exams and courses, as well as the data related to attendance in classes
  • Data of the video supervision of attended electronic exams
  • Data on special arrangements
  • Personal curricula and other study and study counselling and support-related data
  • Feedback given by you
  • Traineeship-related data
  • Student exchange-related data
  • Scholarship-related data
  • Information on decisions related to deceitful action

Furthermore, data related to you may be processed by:

  • Services related to facilities, safety, and surveillance
  • Library services
  • IT services
  • Staff and economic services
  • Moodle learning environments
  • Student data system (Peppi, Perusrekisteri, Pakki, (Winha as a readable version only))
  • Career and employment follow-up surveys
  • Feedback surveys

Distantly supervised exams in exceptional situations (e.g. Covid-19)

  • The University of Applied Sciences supervises the exams to ensure the equal treatment of students. In distant supervision, the University of Applied Sciences can primarily use a live picture or login, activity and log data gathered by the information systems.
  • The University of Applied Sciences may check your identity for the exam.
  • Participation in distant supervision in a private place chosen by you is voluntary. When agreeing to distant supervision, you approve the conditions of supervision, such as having your camera turned on. You have the right to interrupt the supervision during the exam e.g.  because of an unexpected situation, but the interruption of the supervision may lead to the failing of your exam.
  • The data protection and security policy of the University of Applied Sciences is observed in the processing of personal data.
  • You will receive more specific information on the other details of the exam from your teacher.

Key stipulations concerning a remotely proctored exam

  • In accordance with the Universities of Applied Sciences Act, education, teaching and awarding Degrees are included in the statutory duties of a university of applied sciences.
  • The universities of applied sciences shall arrange their operations in such a way that a high international level is assured, among others, in education and teaching, observing the principles of ethics and good scientific practice.
  • Students’ knowledge can be assessed with a written or oral exam, or another demonstration of knowledge.
  • The basis for surveillance of examinations and the related processing of personal data is the performance of a statutory task (the General Data Protection Regulation, Article 6, points 1 c and 1e).
  • The proctor of the exam is under an obligation of confidentiality if they learn something about the examinee’s personal conditions while carrying out measures related to the processing of personal data (Privacy Protection Act 1050/2018 35§).
  • Submitted exams are confidential documents (Act on the Openness of Government Activities, Subsection 24.1, Paragraph 30).

Regular sources of information

  • Studyinfo.fi, the national applicant register maintained by the Finnish National Agency for Education
  • OILI, the national attendance registration register maintained by the Finnish National Agency for Education,
  • The data submitted by participants in application procedures outside Studyinfo.fi
  • Changes in contact information and permissions to transfer data updated by the student
  • User management system
  • Digital and Population Data Services Agency
  • Graduation system
  • The EXAM electronic exam software for higher education
  • The Peppi study planning system
  • E-forms of the Study Administration

Regular transfer of data

The transfer of data takes place through electronic data lines, as single paper printouts, and mailing lists.

Transfer of student data

 In cases stipulated by law, data is transferred from the student and study data system as follows:

  • Student, study attainment and degree completion data to Statistics Finland, which passes on the data to the he Finnish National Agency for Education and the Ministry of Education and Culture. (Statistics Act 280/2004).
  • Student and study attainment data to Kela (Act on Student Financial Aid 65/1994 41§).
  • To the Labour Authority, Kela or an unemployment fund for the assessment of entitlement to a labour market subsidy or daily unemployment allowance (Unemployment Allowances Act 1290/2002, Act on Labour Policy Training 1295/2002)
  • On request, to Kela for the assessment of social benefits (registration certificate, transcript of records, progress of studies)
  • On request, to the immigration and police authorities for the checking of a residence permit (notification of acceptance as a student, notification of reception of student place, registration certificate, and transcript of records)
  • For scientific research (Act on the Openness of Government Activities 621/1999 and Personal Data Act 523/1999). The applicant shall present the purpose of use of the data and other information necessary for the assessment of the preconditions for the transfer of data to the Data Controller. If necessary, an account of the implementation of the protection of data shall be provided.
  • To the municipality or another actor providing student health services, as stipulated in the Public Health Act (66/1972)
  • To CSC to VIRTA, and through VIRTA to the OILI Service. VIRTA is the study data service of the national information resource of the Finnish institutions of higher education.
  • The OILI enrolment and registration service for students (Tieteen tietotekniikan keskus Oy CSC)
  • Learner’s follow-up surveys (Ministry of Education and Culture, Tieteen tietotekniikan keskus Oy CSC)
  • The FIONA environment for remote access to research data (Statistics Finland)
  • The Tuudo service (Tieteen tietotekniikan keskus Oy CSC, Caleidon Oy)
  • Puro, search service for study attainment and degree data (Tieteen tietotekniikan keskus Oy CSC)
  • Koski, study attainments and study entitlement (Finnish National Agency for Education)
  • Emrex Service (Ministry of Education and Culture, Tieteen tietotekniikan keskus Oy CSC)
  • UAF, University Admissions Finland consortium, kansainvälisen haun palvelu (Tieteen tietotekniikan keskus Oy CSC)
  • To Valvira, the qualifications and degree data
  • Career follow-up for universities of applied sciences (Tieteen tietotekniikan keskus Oy CSC, Turku University f Applied Sciences and Seinäjoki University of Applied Sciences)
  • Through VIRTA, for use by the Finnish Student Health Services (FSHS) for the performance of its statutory tasks (Act on the FSHS 2021, 695/2019).

In addition, student data are transferred to/for

  • The user administration system of Seinäjoki University of Applied Sciences for the ceration of network ID’s and email accounts.
  • Use by Seinäjoki University of Sciences for the compilation of email lists (email address). Lists are not retransferred for any purpose other than they were originally compiled.  Emails are sent in such a way that the recipient cannot see to which other people the same email was sent.
  • The Intranet system of Seinäjoki University of Applied Sciences for the establishment of access rights and the sending of information to students.
  • The Voyager library database for the establishment of user IDs and borrowing rights.  The student has the right to forbid the transfer of their data to the library system while accepting a student place (form for acceptance of student place)
  • The Jobiili career and recruitment system of the universities of applied sciences
  • The admittance permit system of Seinäjoki University of Applied Sciences
  • The Jobiili practice placements system of the social and health care sector
  • The SAMO student association of Seinäjoki University of Applied Sciences for joining it as a member and for checking the attendance information.
  • If necessary, the student’s personal data are transferred to the traineeship workplace(s) in order to allow the implementation of traineeship included in the Degree, and possibly for the establishment of a user ID or an admittance permit.
  • In connection with graduation, the student’s information is transferred to the Seinäjoki University of Applied Sciences’ alumni register. The registrant may indicate his / her willingness to terminate his / her membership in the alumni network, in which case the stored data will be deleted. The processing of personal data in the Seinäjoki University of Applied Sciences’ alumni register is based on the legitimate interest of the registrar.
  • The preliminary information forms related to entrance examinations
  • The works statistics of workstations, used by the Information Management e.g. for the allocation of purchases

Irregular transfer of data

Through the student interface of the student and study data system, the student gives their approval to the use of their name and address data. The student can grant permission to the transfer of data for the following purposes:

Direct marketing

Although the student had granted permission for direct marketing, the transfer of data is never automatic but takes place case by case, at the discretion of and by the main user of the system. As a rule, data is not transferred.

Educational marketing

For purposes supporting studying, to associations and foundations, professional associations, and (basically) regional authorities for mailing such information that

  • is aimed at on promoting studies, professional skills, or employment
  • on improving study or work conditions
  • is aimed at promoting the student’s connections with their home area, or is for other purposes supporting studying, such as research, surveys, or polls

Publication of the graduation data

The student can grant permission to the publication of their graduation data. As a rule, that data is not transferred.

Internet

The student’s email address may be included in the email address search engine on the Intranet of the University of Applied Sciences. Then, it is possible to find the student’s email address at SeAMK’s internal website if you know their name.

If the student has obtained an official non-disclosure from a city administrative court, the data can be saved in the Student Administration’s register at the student’s request. The non-disclosure means the prohibition of transfer of the student’s all contact information.

SeAMK observes a good registration policy and requires that the actor applying for transfer of data have an appropriate connection with the target group whose data is requested. Based on the Personal Data Register Act, the data can only be used for the purpose for which it was transferred.  The user of name and address data shall mention from where the data was received.

Different kinds of group reports (participants in an implementation, student lists, students in a group, student’s progress, students by municipality, implementation diary, assessment of an implementation, assessment of a group) are interpreted as manual registers. For this, a report printed from the register is considered as transfer of data from a personal register.

Transfer of data outside the EU or the EEA

Student data will not be transferred outside the EU or the European Economic Area, with certain exceptions, Microsoft and Google.

In the event that a student activates a separate service, such as Google Apps for Education, the necessary information will be provided to these services. In such an exceptional case, the student will be asked for permission separately and approval of the terms of use will be required.

Personal information is transferred outside the European Union or the European Economic Area (Microsoft online) to provide access and support services. The transfer is based on the Microsoft Online Services Terms and Conditions, including the model contract clauses approved by the Commission (Appendix 3), which are available in the Microsoft Terms of Use at: http://www.microsoftvolumelicensing.com/Downloader.aspx?documenttype=OST&lang=English

Data protection

In the processing of data, it is always ensured that students’ privacy is not unnecessarily endangered, and that data are always stored in such a way that the conditions set by the law are fulfilled.

Manual data

Manua data is stored and protected in such a way that it cannot be seen by outsiders or be accidentally deleted, changed, disclosed, transferred, or otherwise inappropriately processed.

  • The staff members have the right to see only such student data that they need for their work
  • The Study Secretaries are in charge of the filing of archivable documents together with the person in charge of files. The filing plan defines the retention periods of documents
  • The copies of Degree Certificates are filed permanently
  • Documents containing personal data are disposed of by shredding or as confidential waste.

Electronically processed data

The Information Management of SeAMK maintains the servers. The equipment is stored in locked facilities with strictly regulated access. The web and servers are protected.

  • User rights are restricted by user group. The visibility of data and the right to update the system are defined by user role for the different user groups.
  • Data can only be accessed by someone with access rights to the system.
  • Access rights to the system are determined by a person’s duties or student status
  • Th staff members are bound by the confidentiality requirement included in the employment contract

Retention period of personal data

Personal data are retained for a period defined by legal statutes.

The Data Subject’s rights

The EU General Data Protection Regulation (2016/679) grants the Data Subject the following rights:

Right to withdraw consent

The data subject has the right to withdraw his or her consent at any time, if their consent has been requested. (Article 7)

Right of access to personal data

The privacy statements are on display on SeAMK’s website.

The student has the right to get an official registration certificate and transcript of records at the Student Office.

The Date Subject has the right to get the Data Controller’s confirmation on whether their personal data are processed. The Data Subject has the right to access the data related to them. The Data Subject can check their data for free once a year. If the person uses their right of inspection for the second time during the year, it may be subject to a fee. The right of inspection may be refused if the demands are evidently groundless or unreasonable and especially if they are made repeatedly. (Articles 12 and 15)

Right to rectification

The Data Subject has the right to demand the rectification of erroneous information in the register (Article 16). The request for rectification is submitted in writing.

Right to erasure

The Data Subject has the right to demand the erasure of their personal data if one of the following grounds applies (Article 17):

  • The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
  • the Data Subject withdraws consent on which the processing is based, and there is no other legal ground for the processing
  • The Data subject objects to the processing and there are no overriding legitimate grounds for the processing (Article 21)
  • The personal data have been unlawfully processed
  • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject

Right to restriction of processing

The Data Subject has the right to obtain from the controller restriction of processing where one of the following applies (Article 18):

  • The accuracy of the personal data is contested by the Data Subject, for a period enabling the controller to verify the accuracy of the personal data
  • The processing is unlawful, and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead
  • The Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims
  • The Data Subject has objected to processing pursuant to Article 21pending the verification whether the legitimate grounds of the controller override those of the Data Subject.

Right to data portability

The Data Subject has the right to receive the personal data concerning them, which they have provided to a controller, in a machine-readable format if the processing is based on consent and the processing is carried out by automated means. (Article 20)

Requests for the use of the above rights are addressed to:

Seinäjoen Ammattikorkeakoulu Oy
Data Protection Officer
P.O. Box 412 (Kampusranta 11)
60101 Seinäjoki

Rectification of errors

The Controller shall, without unnecessary delay, spontaneously or at the Data Subject’s demand rectify, erase or complete personal data that are erroneous from the perspective of processing, unnecessary, insufficient or outdated.

Having detected an error, the person in charge of register-related matters shall immediately rectify the error or notify a person with the sufficient rights to do it. The Data Subject has the right to demand the rectification of the data, and the data is rectified without unnecessary delay. If the rectification is refused, a written refusal certificate is provided. The Data Subject has the right to submit the matter to be resolved by the Data Protection Ombudsman, address Tietosuoja-valtuutetun toimisto, PL 315, 00181 Helsinki. The Data Protection Ombudsman may issue the Data Controller an order to rectify the data.

The demand for rectification is submitted in writing or orally to the person in charge of register-related matters and, if necessary, the Data Subject’s identity is verified.

For other cases, a demand for rectification is addressed to:

Seinäjoen Ammattikorkeakoulu Oy
Data Protection Officer
P.O. Box 412 (Kampusranta 11)
60101 Seinäjoki

Other rights related to the processing of personal data

Checking of identity

Unless the person requesting data is not known from before or their identity cannot be verified in other ways, they shall always prove their identity before the transfer of data.

Identity can be proved with an official identification including a photo, such as driving licence, passport, identity card issued by the police authority, and the Kela card.

Prohibition of transfer of address data

The Data Subject has the right to prohibit the transfer of their personal data from the population information system and related documents

  • for direct marketing, telemarketing and other direct marketing, as well as market research and opinion polls (Personal Data Act 30 §)
  • as an address service (Population Information Act 25 § 5)
  • for a register (Personal Data Act 30)
  • for genealogy (Personal Data Act 30).

The prohibition of the transfer of the above data is applied for from the Population Register Centre or a city administrative court. After the prohibition has come into effect, the Population Register Centre no longer transfers data as an address service to the University of Applied Sciences. A Data Subject not willing to give their address data is responsible of the inconvenience and damage caused by the impossibility of reaching them.

Non-disclosure

If a person has reasonable grounds for suspecting their security or that of their of family is under threat, the city administrative court can at their request rule that their domicile or address information shall not be transferred from the population information system to other actors than the authorities. The city administrative court requires a written, justified request from the applicant of a non-disclosure, or at least a visit to the office. For the first time, the non-disclosure order may be valid for five years maximum. It can be prolonged for two years at a time. If a person has a non-disclosure, their address is in many cases not transferred even to the authorities. The authorities that receive the person’s contact data to their systems, are also informed of the non-disclosure.

A person with a non-disclosure shall notify the person in charge of register-related matters.

Restraining order

A restraining order means that, in order to protect the person’s life, health, freedom or piece someone else can be prohibited to contact them. A restraining order can be applied for by anyone who with good reason feels threatened or disturbed by someone else. A restraining order is applied for from the police or directly from the local court.

A person who has been granted a restraining order shall, when necessary, notify the person in charge of register-related matters.