Video surveillance
Privacy notice, recording video surveillance at Aalto University
Name of personal data file: Video surveillance in Aalto University
Updated: 15.8.2024
Controller: Aalto-korkeakoulusäätiö sr 2228357-4
Unit responsible: Security and Lobby Services
Person responsible: Head of Security Seija Piiponniemi-Lahti seija.piiponniemi-lahti(at)aalto.fi
Aalto University Data Protection Officer: Sirpa Syrjälä dpo(at)aalto.fi
Privacy notice as pdf: Privacy notice, Aalto-university digital camera surveillance
Video surveillance at Aalto University
The use of recording surveillance cameras is communicated via signs posted in Finnish, Swedish and English at the entrances of the monitored areas. These signs also inform the data subject how to access this privacy notice.
At Aalto University, personal data is processed in accordance with the requirements of the Act on the Openness of Government Activities (621/1999) and data protection legislation (EU Data Protection Regulation, national legislation).
What personal data is collected and processed while implementing video surveillance?
The university processes video surveillance recordings of individuals within the monitored areas and the timestamp produced by the surveillance camera.
When using surveillance camera footage to investigate violations and damages, personal identification information or access control data, for example, may be processed and combined. To aid in the investigation, information may also be received from authorities.
- Privacy notice for access control (Kulunhallinnan tietosuojailmoitus, in Finnish)
Surveillance cameras in university premises
Surveillance cameras are located in the following areas of the university:
- IT classrooms and equipment rooms,
- Electronically monitored exam rooms,
- Lobby areas,
- Building entrances, and
- The immediate proximity of the buildings.
Why and on what basis does Aalto University process your personal data?
Purpose and legal basis of surveillance
The purpose of video surveillance is to prevent and investigate criminal activity and vandalism of property in the university's public, teaching, and equipment facilities, to resolve questions of responsibility for damage caused, and to deter and investigate other violations. The purpose is also to maintain safety and order to ensure and increase the security of the staff, students, and other individuals visiting or working in the university premises.
As an employer, the university has the right to use the register data also in situations specified in sections 1-3 of the 2nd subsection of the Act on the Protection of Privacy in Working Life (759/2004), to provide evidence for terminating employment, to investigate harassment or improper conduct as defined in the Act on Equality between Women and Men (609/1986) or the Occupational Safety and Health Act (738/2002) and to demonstrate it, and to investigate a situation that has caused an occupational accident or a danger or threat as defined in the Occupational Safety and Health Act.
Legal basis for the processing of personal data
- Employees: Compliance with a legal obligation (Occupational Safety).
- Students: Compliance with a legal obligation. According to the Universities Act, students have the right to a safe study environment.
- Other individuals: Performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
How does Aalto University protect your personal data?
Ensuring data security is important to Aalto University. Aalto University uses appropriate technical, organizational, and administrative security procedures to protect all personal data from loss, misuse, unauthorized use, disclosure, alteration, and destruction.
The contents of the register are not public. Personal data is not collected directly from data subjects. The cameras in the university's recording surveillance system transmit footage of individuals within the range of the camera and a timestamp (date and time).
Live footage from surveillance: Only those employees of Aalto University or its security service providers who are responsible for monitoring the security of the premises, or system administrators responsible for installation and maintenance of the system, are allowed to view the live footage.
Viewing of surveillance recordings: Access to recordings is limited to the system administrator and his or her deputy, and to the employees of security services by separate arrangement. The person responsible for the register determines the access to the recording by other persons case-by-case.
Who can Aalto University disclose your personal data to?
Information may be disclosed to authorities (police) to the extent deemed relevant or suspected to be relevant to an act of vandalism or a crime that has occurred.
Transfer of personal data to third countries
Video surveillance data is processed in the university's own surveillance system and server.
The university's data protection policy is to exercise special care if personal data is transferred outside the EU and European Economic Area (EEA) to countries that do not provide data protection in accordance with the EU Data Protection Regulation. The transfer of personal data outside the EU and EEA is carried out in accordance with the requirements of the Data Protection Regulation using, for example, standard contractual clauses or other protective measures in accordance with the Data Protection Regulation.
How long will your personal data be stored?
Your personal data will be stored for as long as it is needed for the purpose for which it is processed, or as long as the law and regulations require.
The retention period for video recording is thirty (30) days from the collection of data, after which the data is automatically deleted. If an act of vandalism, a crime, or a violation is reported during the retention period, the recording will be kept for the time required to investigate the event. If the data is related or suspected to be related to a crime, act of vandalism, or violation that has occurred, it will be held for the time required to investigate the event.
The retention periods for the university's documents and the personal data contained therein are described in the university's information management plan (tiedonohjaussuunnitelma TOS).
Rights of the data subject
Under the Data Protection Regulation, you have the right to review and rectify your data. With certain exceptions, you also have the right to have your data deleted. If the processing of personal data is based on consent, you also have the right to withdraw your consent. You can find more detailed information about your rights in the list below.
Under the Data Protection Regulation, you normally have the right to find out what data about you has been stored in the personal data register. You have the right to request that inaccurate and incorrect personal data about you be rectified without undue delay. If the data to be corrected or deleted are in the possession of our partner, we will ask them to act accordingly.
Typically, there is no permission to review surveillance footage. Data subjects have limited access to their own information if it can be implemented without compromising the confidentiality of security arrangements and the privacy of other individuals. It is also required that the data subject provides additional information by which they can be unambiguously identified from the recording. Requests to exercise this right should be addressed by email to the person responsible for the register.
The data subject does not have the right to transfer data from one system to another as the processing is not based on consent or contract.
With certain exceptions, the Data Protection Regulation also gives you the right to have your data deleted, also known as the right to be forgotten. This right does not apply especially when the university's right to process personal data as a controller is based on a task carried out in public interest or the exercise of official authority or a legal obligation. You also have the right to withdraw your consent if the processing of personal data is based on consent. In this case you can request us to delete your data from our systems. If there is no other legal basis for the processing of personal data, we will delete the data.
If you dispute the accuracy of the data or the legality of the processing, or have objected to the processing of the data in accordance with your rights, you can request that the processing of personal data be restricted only to the storage of data. The processing of the data is then limited only to their storage until, for example, the accuracy of the data is confirmed. If you do not have the right to request the deletion of data, you can instead request that Aalto University restrict their processing to data storage only.
You always have the right to object to the processing of your personal data, for example, for marketing purposes.
Regarding surveillance, the data subject does not have the right to object to processing, as personal data processing is not based on the legitimate interests of the controller or third parties, the performance of a task of public interest or the exercise of official authority vested in the controller.
Exercising the rights of the data subject and the data protection officer
This section explains how to exercise the data subject's rights at Aalto University.
You can exercise the rights described above by submitting a request in accordance with the Data Protection Regulation through our personal data portal: Aalto University personal data portal.
If you have questions about the service or surveillance, or want to change your contact information or make other ordinary changes, please contact the service address/contact person:
- Security and Lobby services, [email protected]
- Head of Security Seija Piiponniemi-Lahti seija.piiponniemi-lahti(at)aalto.fi
If you have questions related to this privacy notice, please contact Aalto University's Data Protection Officer:
Data Protection Officer: Sirpa Syrjälä
Switchboard: 09 47001
Email: dpo(at)aalto.fi
If the data subject feels that his or her personal data has been processed against data protection legislation, they have the right to complain to the supervisory authority, the Data Protection Ombudsman. Read more: https://tietosuoja.fi/en/home
We are obligated to personally notify those data subjects whom a breach concerns. This right comes into force when the breach is likely to pose a significant risk to individual rights and freedoms, such as identity thefts, payment fraud or other criminal activity.
Aalto University has a cybersecurity team (email security(at)aalto.fi) for handling data security and data privacy deviation notifications concerning the university and assisting in resolving deviations, e.g., by investigating possible data breaches.
Processing of personal data is done meticulously and data security is appropriately maintained. Up-to-date technical solutions such as firewalls and encryption are in place.
As the data controller, Aalto University ensures that stored data, access rights, and other information critical for data security of personal data are handled confidentially and according to given instructions by only those individuals whose job description includes it.
We process your personal data in accordance with data protection regulation, respecting the rights and freedoms of the data subject. We ensure that data protection principles are followed at all stages of personal data processing.
Personal data is processed on paper, electronically, and in information systems that are administered by either Aalto University or its partners.
To process personal data, Aalto has chosen only service providers who follow good personal data processing practice with appropriate technical and organizational measures and meet the requirements of the data protection regulation and are capable of ensuring the implementation of your rights.