Privacy notice for staff
Data controller
Laurea University of Applied Sciences Ltd, Ratatie 22, 01300 Vantaa
- Contact person for the data controller: President, CEO Jouni Koski, jouni.koski@laurea.fi
- Person responsible for the personnel register: HR Director Tiina Päivärinne, tiina.paivarinne@laurea.fi
- Data Protection Officer: Marjo Valjakka, tietosuoja@laurea.fi
Why do we process personal data?
Personal data are processed for Laurea University of Applied Sciences’ personnel administration tasks, which include:
- Payment of salaries and fees and receiving and transmitting payroll-related information to various stakeholders
- Planning, managing, monitoring and statistics of personnel and employment matters, as well as systematic fulfillment of the employer’s statutory duties and obligations
- Planning and monitoring of staff working hours
- Management, monitoring and development of staff competence and occupational well-being
- Ensuring staff safety
In addition, we process personal data in the user management system to enable secure lifecycle and access management and to allow:
- staff network and email accounts
- centralised electronic identification in Laurea University of Applied Sciences’ information systems
- access rights to learning platform workspaces and other work-related systems, and monitoring of access rights
- identification in inter-university network connections and in third-party systems related to work tasks
- two-factor authentication
- creation of email lists
- creation of access rights to Laurea’s intranet system for communication purposes
- sending important notices via text message when necessary
The lawfulness of personal data processing is based on the statutory duties of the university of applied sciences and on the employment contract between the employer and the employee. In other cases, separate consent is requested for the processing of personal data.
The processing of personal data is particularly governed by the following legislation:
- University of Applied Sciences Act 932/2014
- Limited Liability Companies Act 624/2006
- Employment Contracts Act 55/2011
- Act on the Management of Government Information 906/2019
What personal data do we process?
We process the following information related to employment relationships and payroll:
- Identification data (name, personal identity number and date of birth, home address and telephone numbers)
- Employment relationship data (start and end dates of the employment relationship, position, teachers’ working time schedules, organizational identifiers)
- Payroll-related information (bank account number, salary factors, trade union membership)
- Salary and payroll-related information (salary, payroll accounting, taxation, other deductions)
- Presence and absence records (working time monitoring, absence periods, sick leaves, other leave periods, annual leave balances, etc.)
- Years-of-experience data (information required for calculation of years of service and experience)
- Information related to development discussions
- Staff training and staff event information (participation details)
How long do we store personal data?
Retention periods are determined by legal requirements, decisions of the National Archives and Laurea University of Applied Sciences’ records management plan.
The staff directory is stored permanently. Information related to salary and fee payments is retained for 50 years. Other information is retained for the duration of validity and/or the necessary period, after which the data are destroyed.
No automated decision-making or profiling is carried out with regard to personal data.
Where do we obtain personal data?
Laurea University of Applied Sciences receives staff information from the following sources:
- Basic information provided on electronic forms by the supervisor or person being recruited, and information provided by a visiting lecturer on the agreement form.
- Employment and payroll data reported by the supervisor/HR.
- Salary/fee events and employment interruptions and employee leave periods reported on the employee’s timesheets, interruption and leave notification forms
- Information provided by staff themselves, e.g. related to staff events and surveys.
- Tax card information via direct transfer from the tax authority or provided by the employee themselves.
To whom are personal data disclosed and transferred?
Staff information is disclosed to:
- Pension insurance companies (employment relationships, pension earnings)
- Kela (sickness allowances, other absences)
- Banks and accounting (payment information for salaries and fees)
- Contact details required for occupational well-being and other staff surveys
- Occupational health care (contact details, presence records, and sick leaves not prescribed by occupational health care)
- Insurance companies (claims, statistical data)
- Tax authorities (control notifications, annual reports, requests for tax cards)
- To the 3AMK libraries’ customer database
- Statistical data to Statistics Finland and the Ministry of Education and Culture
Upon separate request:
- Notifications to trade unions, unemployment funds, the Employment and Economic Development Office (TE Office) and the Education Fund
- For scientific research (The requester must then present to the data controller the purpose of use of the data and other matters necessary to clarify the conditions for disclosure. If necessary, a description of how data protection will be organised must be provided.)
Processing of personal data has also been outsourced to Sarastia Ltd, which processes personal data on behalf of Laurea and uses the data for salary payments and statutory notifications.
Personal data are generally not transferred outside the EU or EEA. If such transfers occur, one of the following conditions must be met:
- The European Commission has decided that the level of data protection in that country is adequate
- Appropriate safeguards have been implemented by using the European Commission’s approved standard contractual clauses or by ensuring that the data-processing company has binding corporate rules in place
- The transfer is based on the individual’s consent
In which systems do we process personal data?
Staff information is processed in the following systems:
- HR system
- User management
- Student administration system
- Project management system
- Travel and expense management system
- Case management system
- Emergency messaging system
- Access control system
- Event management system
System providers acting as processors are responsible, under contract, for the technical protection and information security of the personal data.
How do we protect personal data?
The processing of personal data follows Laurea University of Applied Sciences’ information security and data protection guidelines. Systems containing personal data are accessed via a communications network. Usage is restricted by network measures and user rights. Traffic to the system over public networks is always encrypted. Server environment maintenance is outsourced under written contracts. The server hardware is located in the service provider’s secure data centre appropriate for its purpose.
Rights of the data subject
Right of access
A current staff member has the possibility to review their own data in the personnel information systems they use.
Former employees of Laurea have the right to inspect their personal data free of charge once a year. The inspection request must be made in person or in writing (signed or otherwise reliably authenticated). The request should be addressed to the Data Protection Officer. If the requester is not previously known or their identity cannot otherwise be verified, they must prove their identity with an official identity document before the data are released.
Rectification
A staff member can correct their contact details themselves via the personnel administration system and notify HR of changes.
The data controller must, without undue delay, on its own initiative or at the request of the data subject, rectify, erase or complete a personal data item in the register that is incorrect, unnecessary, incomplete or outdated with respect to the purpose of processing. If a request to correct data is refused, a written refusal certificate will be provided. The data subject has the right to bring the matter before the Data Protection Ombudsman. The Data Protection Ombudsman may issue an order to the data controller to correct the data.
Right to erasure, restriction of processing, and objection to processing and automated individual decision-making
The data subject’s right to erasure does not apply to personal data based on tasks prescribed by law. The data subject has the right to delete personal data processed on the basis of consent.
In certain situations, the data subject has the right to obtain restriction of the active processing of their personal data. This right exists, for example, when the data subject disputes the accuracy of their personal data. The data may still be stored but may not otherwise be processed without the data subject’s consent.
Furthermore, the data subject has the right not to be subject to a decision based solely on automated processing, including profiling, if it has legal effects concerning them or similarly significantly affects them. However, an exception may be made if the individual has given explicit consent or if the processing is necessary for entering into or performance of a contract between the data controller and the data subject.
The contact person for matters related to the data subject’s rights is the Data Protection Officer.
The data subject has the right to file a complaint with the supervisory authority.
Office of the Data Protection Ombudsman
Visiting address: Lintulahdenkuja 4, 00530 Helsinki
Postal address: P.O. Box 800, 00531 Helsinki
Switchboard: +358 29 566 6700
Registry: +358 29 566 6768
Email: tietosuoja@om.fi