Data privacy notice - Access control and key management

The purpose of access control is to guarantee the legal protection and safety of the personnel, students, visitors and other stakeholders at the University of Oulu, to protect the property of the employer and employees, to prevent and investigate crime, and to safeguard legal claims and interests.

Data privacy notice

Data controller

University of Oulu
Pentti Kaiterankatu 1
P. O. Box 8000, 90014 OULU

Contact information of the responsible unit:
Security Manager Jukka-Pekka Matero
jukka-pekka.matero(at)oulu.fi

University Data Protection Officer: dpo(at)oulu.fi

A brief description of the processing of personal data

The purpose of access control is to guarantee the legal protection and safety of the personnel, students, visitors and other stakeholders at the University of Oulu, to protect the property of the employer and employees, to prevent and investigate crime, and to safeguard legal claims and interests. Personal data is used to identify persons so that access rights and keys that enable access to the university's premises can be granted in accordance with the right of access role created for each person. The access control system is used to allocate people's access rights to appropriate areas and to prevent unauthorised movement on university premises.

Purpose of processing personal data and legal basis for processing personal data

The purpose of the processing of personal data is access control (fixed-time control, doors, lifts). The access right programme defines the doors through which access is permitted and the time frame during which access rights are valid.

The processing of personal data is based on legislation concerning the University of Oulu (including the Universities Act and the Occupational Safety and Health Act) and the University's legitimate interests.  The purpose of access and key management is to prevent crimes and damages affecting the university's property in its public, teaching and equipment facilities, to investigate the liability for the damage caused, and to prevent and investigate other violations. The purpose of the control is also to maintain the safety and order of the premises, thus ensuring and increasing the safety of staff and students as well as persons visiting or working on the university's premises. Therefore, the legitimate interest is balanced for all parties.

Personal data to be processed and the retention period

The information needed for identifying the person and granting him or her the access role is recorded in the access control system. The information includes the following: name, personal identity code, job title, telephone number, e-mail address, validity of the employment relationship and name of supervisor. The data will be stored in the system for the duration of the employee's employment relationship. Data collected from access control will remain in the access control system for 374 days.

The information collected for key management is the name and phone number of the person. The data will be stored in the system for the duration of the employee's employment relationship.

Recipients or categories of recipients of personal data

The personal data of the access control system can only be viewed by university employees whose duties include establishing and maintaining access rights. If necessary, personal data may also be processed for installation and maintenance purposes by the representatives of the system service provider. Some processing takes place on the servers of the system provider.

Information may be disclosed to authorities (the police) to the extent deemed necessary if the information is or is suspected to be related to vandalism or a criminal offence.

Data transfers

Data are not transferred outside the EU and EEA or to an international organisation.

Principles of protection of personal data during processing

The systems in which personal data is collected are password-protected. Each person entitled to the processing of personal data has been given a unique password, the use of which can be monitored. Key control documents are stored in locked key cabinets in facilities protected by access control.

Data subject rights

You have the following rights as a data subject:

  • Right of access to your own data
  • Right to rectify incorrect information
  • Right to have data erased ("right to be forgotten")
  • Right to restriction of processing
  • Right to object to processing

Please note that the applicability and scope of your above-mentioned rights will be specified on a case-by-case basis in accordance with the EU General Data Protection Regulation and that you do not have the above-mentioned rights in all cases.

If you want to use the above-mentioned rights, please send a request to the University’s registry office: kirjaamo(at)oulu.fi, where you will get the necessary additional instructions.

Data subject’s right to lodge a complaint with a supervisory authority 

In addition to the rights mentioned above, you have the right to lodge a complaint about the processing of your personal data with the Office of the Data Protection Ombudsman acting as the supervisory authority. You can find the contact information and the opening hours of the Office of the Data Protection Ombudsman at the website of the Data Protection Ombudsman.