Skip to content

Privacy statement for student recruitment marketing

Data controller

Laurea University of Applied Sciences Ltd, Ratatie 22, 01300 Vantaa, Finland

  • Controller’s contact person: President, CEO Jouni Koski,
  • Person responsible for the marketing register: Marketing Manager Sanni Tanskanen
  • Contact details of the data protection officer: Marjo Valjakka,

Purpose and legal basis for the processing of personal data

The purpose of the processing of personal data is to provide up-to-date information and to target marketing to those interested in Laurea's education and marketing authorisation. The processing of personal data is based on separate consent.

Personal data categories to be processed

  • First and last name
  • Email address
  • Mobile phone number

Personal data is stored for two years.

A person may prohibit the use of their data for marketing purposes, in which case the person's data will be deleted.

Regular sources of information

Contact information is collected on the Laurea website on the education subpages using contact information forms, in competitions and prize draws organised by Laurea, and in Laurea's campus visits and events.

Statutory disclosure and transfer of data

The data is intended for Laurea's internal use and will not be disclosed to third parties unless the parties have requested permission in advance.

Personal data is collected to a separately defined email address, from where personal data is transferred at least once a week to the Postiviidakko system, through which marketing communications are sent to members of the register. Once the data has been transferred, the personal data will be deleted from the email immediately.

Contact information is not provided to parties outside Laurea. Personal data are not transferred outside the EU or ETA area.

The principles how the register is secured

Personal data is only available to Laurea staff members who need it to perform their duties. The data security and protection instructions of Laurea University of Applied Sciences apply to the management of the register.

The use is restricted by means related to the network and access rights. In a public network, data transfers into the system are always encrypted. Maintenance of the server environment has been outsourced with written agreements. The server equipment is located in the service provider’s secure data centre that is suitable for the purpose.

The rights of data subjects

The rights of data subjects are determined in accordance with Articles 15–22 of the EU’s General Data Protection Regulation:

Right of access

Data subjects may request access to the data concerning themselves. The request is made in writing to the person responsible for the register. The request must specify the data it concerns.


Data subjects may request the person in charge of the register to rectify their data.

Withdrawal of consent and erasure of data that are based on the subject’s consent

A data subject may withdraw their consent to the processing of personal data and prohibit the use of their personal data by Laurea University of Applied Sciences for marketing and communication purposes. The request can be made to the person responsible for the register.

Restriction of processing

The data subject has the right to restrict the processing if

  • the data subject disputes the accuracy of the personal data, in which case the processing is restricted for a period during which the controller can verify their accuracy.
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead
  • the controller no longer needs the personal data for the purposes of the processing but the data subject needs them for the establishment, exercise or defence of legal claims.

Transferring data from one system to another

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a machine-readable format if the processing is based on consent and the processing is carried out by automated means.

The data protection officer is the contact person in matters related to the data subject’s rights. Data subjects have the right to file a complaint with the data protection authority.