Data privacy notice regarding the employees, payment recipients and contractual external persons of the University of Oulu from 1 June 2020

The purposes for processing data of the personnel of the University of Oulu are: to pay salaries, fees, grants and travel or other expenses, to plan, maintain, monitor and keep statistics of personnel, salaries and employment related matters, to manage the legal obligations of the employer, and to implement human resources customer services.

Data privacy notice

Data controller

University of Oulu
Pentti Kaiterankatu 1
P. O. Box 8000, 90014 OULU

Unit in charge of the processing
University of Oulu, Human Resources Services
The contact persons for the personnel register of the University of Oulu are:
Human Resources Director Jarmo Okkonen jarmo.okkonen(at)oulu.fi and
Human Resources Specialist Tero Vedenjuoksu, tero.vedenjuoksu(at)oulu.fi

University Data Protection Officer: dpo(at)oulu.fi

Purpose of processing personal data and legal basis for processing personal data

The purposes for processing data of the personnel of the University of Oulu are: to pay salaries, fees, grants and travel or other expenses, to plan, maintain, monitor and keep statistics of personnel, salaries and employment related matters, to manage the legal obligations of the employer, and to implement human resources customer services. In addition, the data processing purposes include the employer’s voluntary tasks related to, among other things, personnel’s international mobility, competence development, and workplace well-being. A further purpose is to register contractual external persons (hereinafter "Externals") who have a close affiliation to the University based on a contract or decision. Externals are, for example, emeriti, grant researchers, visiting researchers, unpaid interns, affiliation agreement parties and those who receive docentship from the University of Oulu.

The personnel, payment recipient and Externals data collected includes i.e. the following:

  • basic personal information such as name, date of birth, personal identity code, contact details, person ID number, contract number, organizational data, nationality, contact language and their changes
  • data concerning employment / External contract and changes thereof
  • data concerning payments
  • data concerning holidays and other absences
  • data concerning evaluations related to salary system
  • data concerning development discussions
  • data concerning education and training, degrees, badges of honour, honorary titles
  • data concerning secondary occupations, engagements, significant external managerial duties, positions of trust or expert duties
  • data concerning telework
  • secondment agreement data, working abroad data, work permit data
  • data based on early support model
  • data concerning travel administration
  • data concerning work plans
  • data concerning working time allocation and cost accounting
  • data concerning working time monitoring and access control
  • data concerning facility management
  • answers to the leaving feedback questionnaire

The legal basis for data processing:

According to the EU General Data Protection Regulation Article 6: 1. c) processing is necessary to comply with the legal obligation of the controller

According to the EU General Data Protection Regulation Article 6: 1. b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

According to the EU General Data Protection Regulation Article 6: 1. f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Legitimate interest exists when there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is in the service of the controller.

According to the EU General Data Protection Regulation Article 6: 1. a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes. Exceptionally, the basis for data processing can be the data subject’s consent, in the case of voluntary recreational events or other similar activities that are not directly related to employee’s work or to employer’s obligations.

According to the EU General Data Protection Regulation Article 6: 1. d) processing is necessary in order to protect the vital interests of the data subject or of another natural person. Vital interest can occur as an exceptional basis for data processing, if e.g. the employee is injured in the work premises and his/her data is transferred to healthcare personnel.

The implementation of statistical analysis is based on the EU General Data Protection Regulation (EU 679/2016) Article 6 Section 1.e) and on the National Data Protection Act (4 §).

Origin of personal data (if the data is not received from the registered person):

Personnel and payment/grant recipient data is collected directly from the following sources:

  • University Academic Affairs
  • Superior or other representative of the employer
  • Execution authority
  • Tax authority
  • The Population Register Centre
  • Orcid organization

Personnel and payment/grant recipient data can also be observed or derived from the University IT services or equipment, or collected from the control and supervision services (e.g. surveillance cameras and the work log collected by the salary system evaluation and development discussion system on the views and operations on the forms).

The HR system (Mepco) collects a view log as follows: browsing the employee list, viewing employment information and using the Search functionality each save data into the database. The form control log shows the changed sender and the changed recipient of a form. HR system forms show a book image on the top row in all phases, behind which one can view the log of the participants in the process up to the time of viewing the log.

Recipients or categories of recipients of personal data

Your personal data may only be processed by persons whose work requires it. Access to your personal data is protected with usernames and passwords together with user roles within a secure IT network and telecommunications. Paper records and printouts are stored in locked spaces and cabinets.

Personal data is transferred within the university to

  • travel administration
  • work plans
  • working time allocation and cost accounting
  • working time monitoring and access control
  • user and identity management
  • data storage, from where information is further distributed to operational and financial planning, budgeting, project planning, identity management, access management and teacher information to students' study systems.
  • library data systems
  • internal phone directory (including photo)
  • financial services bookkeeping and planning and follow-up of operations
  • facility management
  • staff ID card printing services
  • European Commission’s Mobility Tool reporting
  • facility services requests
  • shop stewards as required by the General Collective Agreement

The personnel of the University of Oulu have been given instructions on personal data processing, and they are trained to understand and prevent risks that concern personal data.

The data controller is legally responsible for data processing also when it has outsourced the data processing to a third party data processor as defined by the EU General Data Protection Regulation. The University of Oulu has outsourced its payroll management to Certia Oy. In addition, the service providers Solenovo Oy and Flexim Security Oy have access to data that is used in work planning, working time monitoring, and access control systems for technical maintenance purposes.

Transfer of personal data

The University of Oulu transfers your data only to such parties that have a legal basis for obtaining the data for purposes defined by law, or to whom the transfer is necessary in order to carry out tasks related to employment or employer obligations, or to whom the data transfer is based on consent given by the data subject.

Personal data is transferred outside the University of Oulu to the following parties:

  • employee pension insurance company
  • indemnity insurance company
  • tax authorities
  • trade unions
  • banks
  • occupational healthcare
  • Social Insurance Institution (KELA)
  • Public Employment Services
  • travel agency
  • Finnish Immigration Service
  • consulting agencies providing expert services for employer obligations in Finland and in target country
  • Confederation of Finnish Industries (EK) / Association of Finnish Independent Education Employers
  • Statistics Finland
  • Ministry of Education and Culture
  • funding agencies
  • auditors
  • public authorities
  • mobility funding agencies and Erasmus+ program’s national office (European Commission or Finnish National Agency for Education)
  • receiving university or other organization that is the destination of research or other visit
  • parties organizing staff trainings
  • property maintenance service provider
  • Orcid organization for the use of international researcher ID
  • Grant recipient information to the Farmers' Social Insurance Institution (Mela)
  • international or Finnish organizations that administer and grant accreditations and audit universities
  • Finnish State Calendar on directors and professors (a person can prohibit publication of the birth year in the Calendar by sending an email to HR@oulu.fi)
  • Sportpass information to Cardu
  • Telephone account information to Elisa
  • User data required for the use of O365 services to Microsoft
  • Name, title, unit, work email and work phone number to electronic directories of the University, e.g. external web pages
  • Scientific research
  • Electronic calendar information on the level Meeting/Absent/Busy to telephone switchboard and ring-service attached to phone subscriptions and to the staff and students of the Oulu University of Applied Sciences to provide consolidated group services.
  • Oulun yliopisto tutkii database (SoleCRIS).

In addition, information is transferred for scientific or historical research purposes or statistical purposes based on separate transfer requests.

Data transfers

Data is transferred outside the EU/EEA only in situations where employer obligations must be handled outside of Finland according to Finland’s or the target country’s tax legislation, the tax contract between Finland and the target country, the EU’s or the target country’s pension and social insurance legislation, or according to the social insurance contract between Finland and the target country, or in situations where the employee has applied for travel funding to a country outside this region. If your personal data is transferred outside the EU/EEA, this can take place only under the circumstances and conditions defined by the EU’s General Data Protection Regulation.

Data storage time

Your personal data will be processed for the required duration in order to carry out employment related tasks and/or employer obligations. The archiving of data is implemented according to the retention schedule of the University of Oulu information control plan.

Some of the data is archived at the University’s registry office and some data at the electronic archiving system with identifying information.

Data related to working time allocation is maintained according to the retention time defined by financial management, and electronic data and documents related to the Aliens Act are maintained according to the Aliens Act. Erasmus+ staff mobility forms must be retained for five years as required by the funding agency. The travel funding application forms for the University's own internal use are retained for two years.

Data subject rights

You have the following rights as a data subject:

  • Right to access your data
  • Right to have inaccurate data corrected (make sure to keep your contact information up to date)
  • In certain situations, the right to have data erased ("right to be forgotten")
  • In certain situations, the right to restriction of processing
  • In certain situations, the right to object to processing
  • In certain situations, the right to have data transferred from one system to another if the processing is based on consent or agreement and is performed automatically.

Please note that the applicability and scope of your above-mentioned rights will be specified on a case-by-case basis in accordance with the EU General Data Protection Regulation, depending on e.g. the grounds for processing the data, and that you do not have the above-mentioned rights in all cases.

If you have any questions about your rights, you can communicate with the University's Data Privacy Officer or the contact person of the responsible unit.

If you want to use the above-mentioned rights, please send a request to the University’s registry office: kirjaamo(at)oulu.fi, where you will get the necessary additional instructions.

Right of appeal to the supervisory authority

In addition to the rights mentioned above, you have the right to file a complaint about the processing of your personal data with the Office of the Data Protection Ombudsman as the supervisory authority. The contact details and opening hours can be found on the website of the Data Protection Ombudsman.

General description of the technical and organisational protection measures

The University as the Data Controller uses appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against damage or loss.