Skip to content

QUICK LINKS

STUDENT SERVICES

Privacy statement for staff

Article8.2.2021

Controller

Laurea University of Applied Sciences Ltd, Ratatie 22, 01300 Vantaa, Finland

What are the Purpose and legal basis for the processing of personal data?

The purpose of the processing of personal data is to carry out the tasks related to human resources management at Laurea.

  • Receiving the data required for payroll computation and payment of salaries and remunerations as well as forwarding these data to the relevant stakeholders
  • Planning, management and monitoring of matters related to human resources and employment and compilation of relevant statistics; systematic fulfilment of an employer’s statutory duties and obligations
  • Planning and monitoring of the personnel’s working hours
  • Management, monitoring and development of the personnel’s competence and well-being at work
  • Payment of remunerations to elected officials and systematic fulfilment of statutory duties and obligations.

In addition, we process personal data in the User Management System in order to implement a secure lifecycle and access management and to allow us to

  • staff network and email IDs
  • centralised electronic identification in the information systems of Laurea University of Applied Sciences
  • access rights to workspaces and other work-related systems on learning platforms and access tracking
  • authentication for academic network connections and third-party systems related to work tasks
  • two-factor authentication
  • creation of e-mail lists
  • access to the Laurea intranet system for information purposes
  • sending important information by SMS, if necessary

The lawfulness of the processing of personal data is based on the statutory tasks of universities of applied sciences as well as the agreement between the employer and employee pursuant to the following laws:

  • Universities of Applied Sciences Act 932/2014
  • Limited Liability Companies Act 624/2006
  • Employment Contracts Act 55/2001
  • Act on Information Management in Public Administration 906/2019

What personal data we process?

We process the following Information related to the employment relationship and payment:

  • Identification data (name, personal identification number, date of birth, home address and telephone numbers)
  • Employment relationship data (start and end dates of employment, job description, teachers’ working hour plans, organisation identifiers)
  • Payment-related information (bank account number, pay factors, trade union membership)
  • Information related to pay and payment (pay, posting of pay, tax, other deductions)
  • Attendance and absence information (working hours monitoring, absences, sick leave, other leave, annual holiday balance and other balances)
  • Years of experience information (information needed for calculations related to years of service and experience)
  • Information related to development discussions
  • Information related to access rights (user ID)

The retention period of the data is determined by the law and filing plan of Laurea University of Applied Sciences. List of personnel are stored permanently and documents related to the payment of salary, compensations and increments are stored for 50 years. Otherwise, the data will be retained for the period of validity or the necessary period of time, after which the data will be destroyed.

No automatic decision-making or profiling is carried out on the basis of personal data.

What are the sources of information?

  • Basic information provided on electronic forms by the supervisor or the person being recruited and information provided by a visiting lecturer on the agreement form
  • Employment and pay information provided by the supervisor/HR
  • Pay/remuneration transactions, interruptions of employment and holiday periods reported by an employee through the working hours monitoring system and interruption notification or holiday notification forms
  • Tax deduction card information in direct transfers from the tax authorities or provided by the employee

Information systems used in the processing of personal data

Personnel data are processed in the following systems

  • HR management system
  • User management
  • Education management and planning system
  • Project management system
  • Travel expense management system
  • Emergency message system
  • Access control system
  • Case management system

The suppliers who act as processors of the personal data are responsible for the technical protection and data security of the data stored in the register, in accordance with the agreements.

Where we send and transfer the data?

Personal data of the employees are sent to

  • Pension insurance companies (employment, pensionable earnings)
  • Kela (sickness allowance, other absences)
  • Banks and accounting (salary and remuneration payment information)
  • Contact details needed for well-being at work surveys and other personnel surveys
  • Occupational health services (contact details, attendance information, sick leave prescribed by a doctor other than an occupational health physician)
  • Insurance companies (insurance compensation, statistics)
  • The tax authorities (monitoring notice, annual notification, tax card requests)
  • Notifications to trade unions, unemployment funds, the Employment and Economic Development Office and the Education Fund at the employee’s request
  • Statistical data to Statistics Finland and the Ministry of Education and Culture.
  • 3 AMK Library customer database (contact details, attendance information)

On separate request

  • Notifications to trade unions, unemployment funds, the TE Office and the Education Fund
  • For scientific research (The applicant must then provide the controller with the purpose for which the data will be used and any other information necessary to clarify the conditions for disclosure. If necessary, an explanation of how the protection of the data is to be organised.)

The processing of personal data is also outsourced to Sarastia Oy, which processes personal data on behalf of Laurea and uses the data for payment of salaries and statutory notifications.

Normally, personal data are not transferred outside the EU or ETA area. If such data transfers are made, one of the following conditions must apply:

  • The EU Commission has determined that the data protection level in the country in question is adequate.
  • Adequate security measures have been taken by applying model contract clauses approved by the EU Commission or by ensuring that the company processing the data has binding corporate rules in place.
  • The person has given consent for the transfer of his/her data.

Principles of register protection

The data security and protection instructions of Laurea  apply to the management of the register. The HR data systems are used through a telecommunications network. The use is restricted by means related to the network and access rights. In a public network, data transfers into the system are always encrypted. Maintenance of the server environment has been outsourced with written agreements. The server equipment are located in the service providers' secure data centre that are suitable for the purpose.

Your rights as a data subject

The rights of data subjects are determined in accordance with Articles 15–22 of the EU’s General Data Protection Regulation:

You have the right to access your personal data 

If you are currently a member of staff at Laurea, you have an opportunity to check your personal information in HR systems.

If you worked at Laurea in the past, you have the right to check personal data regarding yourself. You can do it free of charge once per year. 

If you intend to make a request to access your personal data, you should do it either in person or in writing. If you do it in writing, the document must be signed or otherwise reliably verified. You should direct your request to the Data Protection Officer. 

Your identity will be checked before granting access to your personal data. Official identification card with a photograph can verify your identity. A request sent from Laurea’s email system can be considered adequate proof of identification.

Your right of access should be provided without delay.

You have the right to rectification of your personal data

If you are a member of staff, you may correct your contact details via HR systems or contact HR and ask them to make the change. 

Laurea must erase or complete personal data in the register that is incorrect, unnecessary, incomplete or outdated regarding the purpose of the data processing. The data controller must do so without undue delay. Once the request was received, the data controller has a month to address it and not later than that. 

Data controller must immediately correct the error in personal data once they found it.

You have the right to demand rectification of data

If the controller happens to refuse your demand to rectify personal data, you will receive a certificate of refusal. You have the right to contact the Data Protection Ombudsman regarding your matter. The Data Protection Ombudsman may issue an order to Laurea to rectify the data.

You have the right to erasure of personal data

Your right to the erasure of your personal data, as stated in Article 17 of the General Data Protection Regulation does not apply to personal data processed in compliance with a legal obligation. 

You have the right to erase personal data based on consent.

You have the right to restriction of processing 

There are certain cases when you have the right to restrict the active processing of your personal data. For instance, this right applies to situations where you argue against the accuracy of your personal data. 

Your personal data may still be stored but not in any way processed if you didn’t give the consent.

You have the right to restriction of processing

There are certain cases when you have the right to restrict the active processing of your personal data. For instance, this right applies to situations where you argue against the accuracy of your personal data. 

Your personal data may still be stored but not in any way processed if you didn’t give the consent.

You have the right to object to automated individual decision-making

You have the right to object to the processing of personal data for purposes such as direct marketing, scientific, historical, or statistical research. 

If you use your right to object, Laurea as the controller may no longer process your personal data for the purpose in question. 

Your right to object does not apply to statutory data processing.

You have the right not to be subject to a decision based only on automated processing, including profiling. Profiling produces legal effects concerning you or significantly affects you. However, it does not apply if the decision is based on your explicit consent. Or it is necessary for entering into a contract between you and a data controller. 

If you have questions about your rights as a data subject, you may contact the data protection officer.

You have the right to file a complaint with the data protection authority.