Data privacy notice regarding the employees and payment recipients of the University of Oulu



Data controller

The University of Oulu is the data controller and Human Resources Services is the unit in charge.


Contact details of the unit in charge

The contact persons for the personnel register of the University of Oulu are: HR Director Jarmo Okkonen, jarmo.okkonen(at)oulu.fi, and HR Specialist Tanja Mikkonen, tanja.mikkonen(at)oulu.fi.


Contact details of the Data Protection Officer

dpo(at)oulu.fi


For what purposes is your personal data used, and what is the legal basis for data processing?

The purposes for processing data of the personnel of the University of Oulu are: to pay salaries, fees, grants and travel or other expenses, to plan, maintain, monitor and keep statistics on personnel, salaries and employment-related matters, to manage the legal obligations of the employer, and to implement human resources customer services. In addition, the data processing purposes include the employer’s voluntary tasks related to, among other things, personnel’s international mobility, competence development, and workplace well-being.

The personnel and payment recipient data collected includes i.e. the following:

  • basic personal information such as name, date of birth, personal identity code, contact details, person ID number, organizational data, nationality 
  • data concerning employment
  • data concerning payments
  • data concerning holidays and other absences
  • data concerning evaluations related to salary system
  • data concerning development discussions
  • data concerning education and training
  • data concerning secondary occupations, engagements, significant external managerial duties, positions of trust or expert duties
  • data concerning telework
  • data based on early support model
  • data concerning travel administration
  • data concerning work plans
  • data concerning working time allocation and cost accounting
  • data concerning working time monitoring and access control
  • data concerning facility management
  • answers to the leaving feedback questionnaire

The legal basis for data processing:

According to the EU General Data Protection Regulation Article 6: 1. c) processing is necessary to comply with the legal obligation of the controller

According to the EU General Data Protection Regulation Article 6: 1. b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

According to the EU General Data Protection Regulation Article 6: 1. f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Legitimate interest exists when there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is in the service of the controller.

According to the EU General Data Protection Regulation Article 6: 1. a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes. Exceptionally, the basis for data processing can be the data subject’s consent, in the case of voluntary recreational events or other similar activities that are not directly related to the employee’s work or to the employer’s obligations.

According to the EU General Data Protection Regulation Article 6: 1. d) processing is necessary in order to protect the vital interests of the data subject or of another natural person. Vital interest can occur as an exceptional basis for data processing, if e.g. the employee is injured on the work premises and his/her data is transferred to healthcare personnel.

The implementation of statistical analysis is based on the EU General Data Protection Regulation (EU 679/2016) Article 6 Section 1.e) and on the National Data Protection Act (4 §).

Origin of personal data (if the data is not received from the registered person):

Personnel and payment/grant recipient data is collected directly from the following sources:

  • University Academic Affairs
  • Superior or other representative of the employer
  • Execution authority
  • Tax authority
  • The Population Register Centre
  • Orcid organization

Personnel and payment/grant recipient data can also be observed or derived from the University IT Services or equipment, or collected from the control and supervision services (e.g. surveillance cameras and the work log collected by the salary system evaluation and development discussion system on the views and operations on the forms).

Who has access to your personal data?

Your personal data may only be processed by persons whose work requires it. Access to your personal data is protected with usernames and passwords together with user roles within a secure IT network and telecommunications. Paper records and printouts are stored in locked spaces and cabinets.

Personal data is transferred within the university to

  • travel administration
  • work plans
  • working time allocation and cost accounting
  • working time monitoring and access control
  • user and identity management
  • data storage, from where information is further distributed to operational and financial planning, budgeting, project planning, identity management and access management, and teacher information to students' study systems
  • library data systems
  • internal phone directory (including photo)
  • financial services bookkeeping and planning and follow-up of operations
  • facility management
  • staff ID card printing services
  • European Commission’s Mobility Tool reporting
  • facility services requests
  • shop stewards as required by the General Collective Agreement

The personnel of the University of Oulu have been given instructions on personal data processing, and they are trained to understand and prevent risks that concern personal data.

The data controller is legally responsible for data processing also when it has outsourced the data processing to a third party data processor as defined by the EU General Data Protection Regulation. The University of Oulu has outsourced its payroll management to Certia Oy. In addition, the service providers Solenovo Oy and Flexim Security Oy have access to data that is used in work planning, working time monitoring, and access control systems for technical maintenance purposes.


Transfer of personal data

The University of Oulu transfers your data only to such parties that have a legal basis for obtaining the data for purposes defined by law, or to whom the transfer is necessary in order to carry out tasks related to employment or employer obligations, or to whom the data transfer is based on consent given by the data subject.

Personal data is transferred outside the University of Oulu to the following parties:

  • employee pension insurance company
  • indemnity insurance company
  • tax authorities
  • trade unions
  • banks
  • occupational healthcare
  • Social Insurance Institution (KELA)
  • Public Employment Services
  • travel agency
  • Finnish Immigration Service
  • consulting agencies providing expert services for employer obligations in Finland and in the target country
  • Confederation of Finnish Industries (EK) / Association of Finnish Independent Education Employers
  • Statistics Finland
  • Ministry of Education and Culture
  • funding agencies
  • auditors
  • public authorities
  • mobility funding agencies and Erasmus+ program’s national office (European Commission or Finnish National Agency for Education)
  • receiving university or other organization that is the destination of research or other visit
  • parties organizing staff trainings
  • property maintenance service provider
  • Orcid organization for the use of international researcher ID
  • Grant recipient information to the Farmers' Social Insurance Institution (Mela)
  • International or Finnish organizations that administer and grant accreditations and audit universities
  • Finnish State Calendar, on directors and professors (a person can prohibit publication of the birth year in the Calendar by sending an email to HR@oulu.fi)
  • Sportpass information to Cardu
  • Telephone account information to Elisa
  • User data required for the use of O365 services to Microsoft
  • Name, title, unit, work email and work phone number to electronic directories of the University, e.g. external web pages
  • Scientific research

In addition, information is transferred for scientific or historical research purposes or statistical purposes based on separate transfer requests.


Is your personal data being transferred outside the EU/EEA?

Data is transferred outside the EU/EEA only in situations where employer obligations must be handled outside of Finland according to Finland’s or the target country’s tax legislation, a tax contract between Finland and the target country, the EU’s or the target country’s pension and social insurance legislation, or a social insurance contract between Finland and the target country, or in situations where the employee has applied for travel funding to a country outside this region. In case your personal data is transferred outside the EU/EEA, this can take place only under the circumstances and conditions defined by the EU’s General Data Protection Regulation.


How long will your personal data be processed, and will the data be archived?

Your personal data will be processed for the duration required to carry out employment-related tasks and/or employer obligations. The archiving of data is implemented according to the retention schedule of the University of Oulu:

https://notio.oulu.fi/fi/ohjeet/Documents/OYams_total.pdf#search=Arkistonmuodostussuunnitelma

Some of the data is archived at the University’s registry office and some in the electronic archiving system with identifying information.

Data related to working time allocation is maintained according to the retention time defined by financial management, and electronic data and documents related to the Aliens Act are maintained according to the Aliens Act. Erasmus+ staff mobility forms must be retained for five years as required by the funding agency. The travel funding application forms for the University's own internal use are retained for two years.


What rights do you have as a data subject?

You have the following rights as a data subject:

  • Right to access your data
  • Right to have inaccurate data corrected (make sure to keep your contact information up to date)
  • In certain situations, the right to have data erased ("right to be forgotten")
  • In certain situations, the right to restriction of processing
  • In certain situations, the right to object to processing
  • In certain situations, the right to have data transferred from one system to another if the processing is based on consent or agreement and is performed automatically

Please note that the applicability and scope of your rights will be specified on a case-by-case basis in accordance with the EU General Data Protection Regulation. Depending on e.g. the grounds for processing the data, you do not have the above-mentioned rights in all cases.


How can you exercise your rights?

If you have any questions about your rights, you can communicate with the University's Data Privacy Officer or the contact person of the responsible unit.

If you want to use the above-mentioned rights, please send a request to the University’s registry office: kirjaamo(at)oulu.fi, where you will get the necessary additional instructions.


Right to appeal to the supervisory authority

In addition to the rights mentioned above, you have the right to file a complaint about the processing of your personal data with the Office of the Data Protection Ombudsman as the supervisory authority. The contact details and opening hours can be found on the website of the Data Protection Ombudsman.


General description of the technical and organizational protection measures

The University as a Data Controller uses appropriate technical and organizational measures to protect personal data from unauthorized or unlawful processing, as well as from damage to or loss of personal data.

Last updated: 23.8.2019