Privacy notice: Processing of student personal data (HAMK)
Processing of student personal data
31.01.2022
Privacy notice: Processing of student personal data: joint informative document for data subjects (Articles 13 and 14 of the General Data Protection Regulation [2016/679]).
Purposes of processing personal data
Information on students, study rights, guidance and study attainments is maintained in the student register. The higher education institution processes the above-mentioned personal data in order to ensure the high quality of studies, guidance and teaching processes. With up-to-date data, it is ensured the implementation of the legal protection of students and the implementation of authority data collection.
The higher education institution processes student data in order to perform duties set for universities of applied sciences. The higher education institution must process student personal data in order to enable for the students to study, get guidance, complete studies and/or study for a degree and obtain a certificate of completed studies and a degree certificate.
Legal basis for processing
The basis for processing personal data contained in the register is public interest and law. Main legal instruments include the Finnish Universities of Applied Sciences Act 932/2014 and the Finnish Government Decree on Universities of Applied Sciences 1129/2014.
Personal data content and retention periods of the register
| Data category name | Retention period |
| student data | retained permanently |
| – first name, last name | retained permanently |
| – personal identity code | retained permanently |
| – learner’s national identifier (OID) | retained permanently |
| – passport number (exchange students) | retained permanently |
| contact details | retained permanently |
| data disclosure permissions | retained permanently |
| study data | retained permanently |
| information on presence | retained permanently |
| personal study plan | retained permanently |
| enrolment for an implementation | retained permanently |
| Thesis | retained permanently |
| completed credits with grades | retained permanently |
| material on which assessment is based | 1 years from the end of the implementation |
| surveillance data, exam aquariums (EXAM), see privacy notice: Camera surveillance | |
| international mobility | retained permanently |
| contact person details (applies to minors) | 1 year |
| documents related to student exchange | 6 years |
| degree students’ tuition fee data | 10 years |
| degree student grant data | 10 years |
| internships | 1 year |
| thesis placement | 5 years |
| health information related to special arrangements during studies | 2 months (handling time for requests for adjustment) |
| health information related to the application for extension to the right to study | 2 months (handling time for requests for adjustment) |
| information related to student financial aid | 6 years after the last day with a student status |
| statements of a student psychologist.and dyslexia tests | retained permanently |
| disciplinary information related to the student | 5 years |
| service requests made by students | 5 years |
| data on study events | 3 years |
| Personal files: Microsoft 365 (e-mails and OneDrive), P-drive and Google services | 3 months |
| Processing of personal data in Mentoring and Friendship Programme activities and other similar additional services for the student. The processed information is related to career, networking and free time. | 6 years |
Data subjects
Registered HAMK students
Regular sources of data
Data concerning those admitted students who have accepted study place is transferred from the Studyinfo applicant register. Population information system provides HAMK’s student register with regular address update.
If applying has been conducted in other ways than via Studyinfo, data concerning admitted applicants is transferred from the application form.
Student ID register provides HAMK’s student register with student IDs.
Incoming exchange students’ personal data and mobility data are transferred from the mobility system where the student has provided the information
Regular disclosures of data
Data is transferred to the national VIRTA study information service which is updated constantly for different authority needs.
Data is disclosed from the VIRTA service for the following recipients and purposes:
- the enrolment and registration service for students OILI (CSC – IT Center for Science Ltd)
- Learner’s follow-up surveys (the Finnish Ministry of Education and Culture, CSC – IT Center for Science Ltd)
- recognition of qualifications (National Supervisory Authority for Welfare and Health – Valvira)
- FIONA remote access service of research material (Statistics Finland)
- Tuudo service (CSC – IT Center for Science Ltd, Caleidon Oy)
- Koski, study attainments and rights of study (Finnish National Agency for Education)
- EMREX service (the Finnish Ministry of Education and Culture, CSC – IT Center for Science Ltd)
- UAF, University Admissions Finland consortium, application and pre-processing service (CSC – IT Center for Science Ltd)
- FSHS, Finnish Student Health Service
- The Employment Fund
If the student uses PIVO’s mobile student card or Kela’s meal support card, PIVO will check the student’s attendance information from Virta.
Data may be disclosed from the register for research purposes through research permit procedure.
HAMK may use external personal data processor (for example information system service providers) who are processing personal data according to agreements. The most important processors are Tieteen tietotekniikan keskus Ltd CSC, Microsoft and Eduix Ltd and Studyo Ltd/Netum Group Ltd.
Principles of data protection of the register
A Manual material
Original certificates are copied and stored in HAMK archives where they are retained permanently. Other printouts are disposed of in a secure manner at the end of the retention period. Material is kept in a locked space.
B Data processed through automated data processing
Data is stored in an information system or protected network drive. Users have personal user IDs for the system. Access is granted only to those persons who are entitled to access and use the data in the system or network drive in order to perform their duties.
The lawful processing of personal data is ensured by categorisation of data and with operating methods that are in compliance with the data handling rules concerning data set.
Automated decision-making
No automated decision-making is performed on the recorded data.
Transfer of data outside the EU or EEA
If it is necessary to transfer personal data outside EU or ETA area to the countries EU does not have determined adequate level of data protection, the transfer is done by using EU Standard Contractual Clauses. These contractual clauses are available from the data protection officer.
Rights of the data subject
The EU General Data Protection Regulation (2016/679) provides the data subject with the following rights:
Right to withdraw consent
The data subject shall have the right to withdraw his or her consent at any time. (Article 7)
Right of access by the data subject
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. The data subject shall have the right to access to the personal data concerning him or her. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the data controller may charge a fee or refuse to act on the request. (Article 12 and Article 15)
Right to rectification
The data subject shall have the right to obtain from the data controller the rectification of inaccurate personal data concerning him or her contained in the register (Article 16). A request for rectification shall be submitted in writing. Persons in an employment relationship (with HAMK or HAMI) are able to do rectification suggestions concerning their recorded working hours, which are then approved by their supervisor or salary administration personnel.
Right to erasure
The data subject shall have the right to request the erasure of personal data concerning him or her where one of the following grounds applies (Article 17):
- the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
- the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
- the data subject objects to the processing, and there are no overriding legitimate grounds for the processing (Article 21);
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
Right to restriction of processing
The data subject shall have the right to obtain restriction of processing where one of the following applies (Article 18):
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
Right to data portability
Where the processing is based on consent and carried out by automated means, the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a data controller, in a machine-readable format. (Article 20)
Requests to exercise these rights are to be submitted:
Häme University of Applied Sciences Ltd
Data protection officer
P.O. Box 230 (Visamäentie 35A)
FI-13101 Hämeenlinna, Finland
email: tietosuojavastaava@hamk.fi . You can also send the message via secured e-mail https://www.securedmail.eu/ .
Right to lodge a complaint
The data subject shall have the right to lodge a complaint with the Office of the Data Protection Ombudsman.
