Learning Services, [email protected]

Anni Tuomela, Legal Counsel, Aalto University
Postal address: P.O. Box 11000, FI-00076 AALTO
Street address: Otakaari 24, 02150 Espoo
Tel.: +358 (9) 47001 (exchange)
[email protected]

For questions concerning the university’s data protection policies, the present notice or other matters concerning the processing of personal data by the university, the student may contact the Aalto University data protection officer.

The university processes personal data

• to organise teaching and to realise and attest the student’s right to study
• to manage and to report statistically on completed degrees and studies (study attain-ments)
• in order to develop teaching, and
• for the physical and information security of the learning environment as well as the safety of students and other members of the university community.
• in order to provide and develop digital and other services related to its duties. This includes for example library, career, email services and various video recording services as well as feedback related to services.
• to communicate with students who have completed or otherwise finished their studies so the university may offer them lifelong learning and alumni services and for assessing the effectiveness of university education

In addition, the university may process personal data

• for scientific research and
• for study-related marketing communications or other special purposes.

The university’s right to process personal data as a controller is based on the following

• the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1) point e)
• the processing is necessary for compliance with a legal obligation to which the controller is subject (General Data Protection Regulation, Article 6(1) point c)
• the consent given by the data subject and, in certain cases, when necessary for the performance of a contract (Article 6(1) points a and b).

The university has a right as controller to process special categories of personal data when

• the processing is necessary for reasons of substantial public interest (Article 9(2), point g).

Main statutes

• Universities Act (558/2009) and the decrees given under it
• the Government Decree on University Degrees (794/2004) as amended and any prior decrees concerning degrees in science and technology, business, and art and design
• the Act on National Study and Degree Registers (laki valtakunnallisista opinto- ja tutkintorekistereistä, 884/2017, chapter 5)
• the General Data Protection Regulation (EU) 2016/679 and its complementary national statutes
• the Act on the Openness of Government Activities (621/1999)
• the Act on Information Management in Public Administration (906/2019)

-

Aalto University processes following categories of personal data concerning students:

Individualising information:

• individual-specific identifier data (name, personal identity number, birthdate, student number, national learner ID, username)
• background information (such as admissions information, gender, nationality and language information)
• contact details (Aalto email address, other email address, telephone number, postal address)

Information regarding the student’s studies:

• Rights to study towards a degree or towards parts of a degree
• Degrees earned
• Enrolment for the academic year
• Memberships in the student union and its special status associations
• Study attainments (incl. theses, examination responses and other completed assignments used to assess study attainments) and their evaluation
• Thesis publication data
• Examination and course registrations and information on participation in teaching
• Information on video-monitored electronic exam sessions
• Plans of studies and other information pertaining to supervision and advising of studies
• Information on practical training
• Information on international student exchanges
• Information on tuition-fee liabilities
• Information on grants and scholarships
• Student feedback information, more information from Feedback and surveys web pages
• Information necessary for the organisation of student services, including IT, facility and library services
• Information on rectifications and appeals related to study processes
• Information on biologic exposures at work or in learning situations, in accordance with the provisions of occupational safety legislation and the public authorities

Special categories of data (sensitive data) concerning studies:

Special categories of data concerning students may be handled during processes involving:

• Individual study arrangements and study support
• Extensions of the right to study or readmission after forfeiture of the right to study
• Accounts and consequences of any aberrations in the student’s studies or activities in the university environment
• Tuition fee payments and related scholarship matters

At Aalto University, the data is processed only by Aalto employees or contracted individuals working on behalf of Aalto who need the data for their work duties. The information is protected from unauthorised handling. Access rights are in place to restrict unauthorised access to the stu-dent information systems. The personal data is processed mainly by Learning Services staff and teaching staff. In addition, personal data may be processed by other Aalto services, such as campus- and security services, Learning Centre services, IT services, HR services and financial services. Personal data of doctoral students are processed also in the data management system of the university’s research support services.

The Aalto University alumni data system stores contact details and degree information on students who have earned a degree (bachelor’s, master’s, licentiate or doctoral).

Aalto University may also use outside processors, such as system service providers that process personal data on behalf of Aalto on the basis of a commission contract.

Aalto University discloses personal data to parties outside the university or processes data for purposes other than the original only in situations where such disclosure or processing is permitted by law.

Aalto University may disclose directly, or through the National Data Warehouse for Higher Education (VIRTA), such personal data on students as is necessary to the following recipients. The disclosures may occur using a technical interface in compliance with the requirements laid down in legislation.

• Aalto University Student Union (AYY)
• the Finnish Student Health Service
• the Ministry of Education and Culture’s KOTA database
• the Finnish National Agency for Education
• the student admissions register
• national services such as Koski, Oili, ARVO, Puro, EMREX
• the Social Insurance Institution of Finland, Kela
• the National Supervisory Authority for Welfare and Health
• Statistics Finland for statistics and the FIONA research data service
• the employment authorities
• immigration authorities
• the Aarresaari network, for career monitoring surveys
• the Finnish Social Science Data Archive, in the case of data concerning the Finnish Bachelor’s Graduate Survey
• Information on dissertation authors to the Asteri database of the National Library of Fin-land

In addition, Aalto University may disclose personal data on students as follows:

• for scientific research
• to comply with the Act on the Openness of Government Activities (621/1999) or with other legal obligations
• to other Finnish institutions of higher education in order to process a right to study or to transfer information on completed studies as a part of cooperation in teaching, for example
• to institutions of higher education abroad, for the implementation of double and joint degrees and other cooperation in education such as for transferring information about completed studies
• with the student’s consent, contact information may be disclosed to parties outside the university for marketing communications or other special purposes

The main sources of information that may be disclosed include the Sisu student information system and the MoveOn mobility system. Part of the permanently stored student information and information on mobility periods by the student are transferred to Virta, the National Data Ware-house for Higher Education.

The data protection policy of the university is to exercise particular care when transferring personal data outside the EU and the EEA to countries that do not offer the data protection required by the European General Data Protection Regulation (GDPR). Transfers of personal data outside the EU and EEA are done in accordance with the requirements of the GDPR.

Personal data are transferred to institutions of higher education outside the EU and EEA area according to the Student Exchange Program Data Protection Statements (incoming students and outgoing students). 

When processing personal data, Aalto University uses cloud services that may transfer personal data outside the EU and EEA area.

The periods for which personal data saved in systems and manual material are stored are based on the law and the records management plan of Aalto University.

Permanent storage (under the Act on National Study and Degree Registers 884/2017, sections 25 and 27):

• learner ID, ID number or a similar individual-specific identifier data;
• data on the degrees and professional specialisation programmes completed by the student, as well as on all study attainments and their grades
• data on the persons rights to study in degree programmes or professional specialisation programmes and information on accepting an offer of admission and enrolment as a student in degree programmes or professional specialisation programmes.

By decision of the National Archives of Finland, other personal data of the student may also be stored permanently.

Main types of personal data not stored permanently:

• Course and examination registration data are stored for a minimum of 2 years
• Saved study attainments are stored for a minimum of 6 months
• Any personal data related to study processes other than those stored permanently are stored until the graduation of the student or alternatively for a minimum of 5 years.
• Sensitive data are stored as long as necessary but for no more than 4 years.

Periods for which data are stored may vary in individual cases and they may be revised.

Please note! Students wishing to access or rectify personal data only in a specific information system do not have to request access to all their data.
Many of the university’s systems allow students to access their own personal data with an Aalto University IT account. The student can obtain information on his or her saved study attainments by contacting a course staff person or other person specified (6 months). A list of the key systems and services where student personal data are processed is provided at the end of this document.

To make any information requests related to his or her rights as a data subject, the student may use the personal data portal https://datarequest.aalto.fi/en-US/

Right of students to access their data

Students have a right to know what personal data are being processed and what data concerning them have been saved.

• The student may make an information request to the university. In such cases, the following procedure is to be followed:
• The university provides the information requested without undue delay. The person making the request must verify his/her identity as necessary. The requested information or the additional information related to the request must be provided no later than one month after receiving the request. If the information request is complex and comprehensive, the deadline may be extended by two months.
• As a rule, the information shall be provided free of charge. For any further copies requested by the student, the university may charge a fee based on administrative costs. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the university may either charge a fee based on administrative costs or refuse to act on the request. The university shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
• If the university does not provide the information requested, the student will be provided with a written account of the matter. The written account will also include an explanation of the student’s rights to judicial remedies, for instance, the right to lodge a complaint with the supervisory authority.

Right of the student to rectification of data

• The student has a right to have any inaccurate or incomplete personal data concerning him or her rectified or completed without undue delay. In addition, the student has a right to demand that all personal data concerning him or her that is no longer necessary be erased.
• If the university does not accept the student’s request for rectifying his or her personal data, the student will be given a written account specifying the reasons for rejecting his or her request. The written account will also include an explanation of the student’s rights to judicial remedies, for instance, the possibility of lodging a complaint with the supervisory authority.

Student right to erasure of data

• Depending on the legal basis, the student may have a right to have their personal data erased from the register of the school. This right shall not apply to cases where data processing is necessary for compliance with a legal obligation or for a task carried out in the exercise of official authority vested in the school. The storage and erasure of data shall comply with the records management plans of the university and the data storage periods required by legislation.

Right to restrict processing

• In certain situations, students may have the right to restrict the processing of their personal data until the legal basis for the data or their processing has been duly checked and rectified or completed.

Right to data portability

• The right to data portability means that the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the university, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the university. This right shall apply only to situations where the processing is carried out by automated means and is based on consent or on a contract.
• This right shall not apply to cases where data processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. As a result, this right shall not apply, as a general rule, to the personal data files of the university.

Right to object to processing of personal data

To make any information requests related to his or her rights as a data subject, the student may use the personal data portal https://datarequest.aalto.fi/en-US/

• The student shall have the right to object, on grounds relating to his or her particular situ-ation, at any time to processing of personal data concerning him or her which is based on the performance of a task carried out in the public interest or in the exercise of official authority or the legitimate interest of the university. In such cases, the university shall no longer process the personal data unless the university demonstrates compelling legitimate grounds for the processing.
• Where personal data are processed for direct marketing purposes, the student shall have the right to object at any time to processing of personal data concerning him or her for such marketing.

• In situations where the processing of the personal data is based solely on consent, the student shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
• As a rule, the withdrawal of consent is communicated to the party to which the original consent was given. If this is impossible, the student may use the personal data portal https://datarequest.aalto.fi/en-US/
•  

• The student shall have the right to lodge a complaint with a supervisory authority, if they consider that the processing of personal data relating to him or her infringes the General Data Protection Regulation (EU) 2016/679. In addition, the student has a right to use other administrative or judicial remedies.
• The student shall have the right to bring proceedings against the controller or the organisation processing the personal data before a court if the student considers that the processing of his or her personal data infringes the General Data Protection Regulation.

The student shall provide all personal data necessary for the process in question and is responsible for their accuracy. Providing personal data is often necessary for completing a process task.

Information concerning students is collected directly from the following sources:

• national student application systems or those of the higher education institution
• international student application systems
• Finnish or foreign higher education institutions
• online payment and registration services
• university staff
• the Population Information System, if necessary; data subjects primarily update their contact information themselves

Information may be observed, inferred or derived from the use of the IT services or systems provided for student use by the university or collected by the security and monitoring services used by the university (e.g. camera surveillance).

No

List of the key information systems and services where student personal data are processed

Aalto University’s shared teaching and study administration systems where student personal data are processed:

• Enrolment management for degree-students (Oili)
• Student register (SISU)
• Service platform (Salesforce)
• Course information management (MyCourses)
• Management of informational and electronic processes for international student mobility (MoveOn)
• Electronic services for students (eAge and Nintex)
• Similarity check for written assignments (Turnitin)
• Electronic examinations (EXAM)
• Course feedback system (KPJ)
• Media service for recording teaching and presentations (Panopto)
• The Open University customer register and course registration system (AIMO)
• Education Management Information Service Arvo

Personal data are also processed otherwise than in the shared information systems, in some cases manually

Stored examinations as well as other study attainments
Aalto University school departments

Student files (Aalto University schools of technology – CHEM, ELEC, ENG and SCI): documents concerning the student’s study-related processes
Degree programme offices

Individual study arrangements
School contact persons for accessibility

Study psychologists’ documents for individual counselling
Learning Services study psychologists

In addition, personal data are processed as necessary in other Aalto University shared information systems and services, such as the data warehouse, IT user administration (including the identity manager (IDM) system), the electronic document and records management system (SAHA), the Learning Centre’s customer database (Aalto-Primo) as well as the research information system (ACRIS) and the alumni system (CRM).

The Sisu student information system contains the master data of Aalto University’s student register. Students’ personal data (both identifying data and other student and study data) is maintained in the Sisu student information system. Staff master data is maintained in registers intended for employment relationship matters. The personal data of staff members is transferred to Sisu from Aalto University’s human resource information system, if this is necessary due to the nature of their work.

At Aalto University, both students and staff use the Sisu student information system. Students use Sisu to register for courses and examinations. Students can also view their study attainments and update their contact information on Sisu. The staff use Sisu as a student information system and for teaching. As a student information system, Sisu is used for the processing and editing of student data and for the registration of study attainments and study modules. As a teaching information system, it used for the processing and editing of degree requirements and available courses.

Personal data on students and staff as well as student study data are transferred from Sisu to e.g. the following centralised Aalto University information systems:

• The curriculum design tools Curriculum Planner and ASIO
• The identity management system IDM
• MyCourses learning environment 
•  Exam – an electronic examination system 
• The Open University registration system AIMO
• The course feedback system KPJ
• The workflow systems Nintex and eAge
• The service platform Salesforce
• The alumni system CRM
• MoveON, an international mobility system 
• Data warehouse, the reporting tools QlickView (Qlik) and PowerBI and SSRS (Microsoft)
• The survey and events management tool Webropol
• The learning environment A+

In addition, Aalto University’s Management Information Services uses data from Sisu to produce statistics, reports and analyses.

Learning Services, [email protected]

Students, staff

Changes to students’ identifying data

• Changes to identifying data (name, personal identity code)
• Changes to background information (gender, nationality, languages)
• Changes to contact details (secondary email address, telephone number, postal address, In Case of Emergency (ICE) information)

Changes to data on students and on student studies

• Enrolment for the academic year
• Student union membership 
• Special status associations’ membership data to the 2022–2023 academic year
• Registration for exams and courses
• Changes to information on student tuition-fee liabilities 

Students identifying data

• Student identifying data (name, personal identity code, date of birth, national learner ID) retrieved from the national student admissions register maintained by the Finnish National Agency for Education
• Background information (e.g. admissions information, gender, nationality and languages) retrieved from the national student admissions register maintained by the Finnish National Agency for Education
• Contact details (secondary email address, telephone number, postal address) retrieved from the national student admissions register maintained by the Finnish National Agency for Education
• Aalto.fi email address retrieved from Aalto University’s identity management system
• Identifying data on incoming international exchange students, including background information and contact details retrieved from Aalto University’s international mobility management system
• Open University student identification data from the Suomi.fi service
• Based on the identifying data, a student’s information will be connected to their possible role as a staff member or student at Aalto University. 

Student and student study data

Data retrieved from the national student admissions register maintained by the Finnish National Agency for Education (the Act on the National Registers of Education Records, Qualifications and Degrees, 884/2017)

• Rights to study towards a degree
• Enrolment data for academic terms is retrieved from the national student admissions register or the OILI service

Data retrieved from other higher education institutions through the study path for cross-institutional studies 

• Identifying data on students from other Finnish higher education institutions and their registrations for parts of a degree at Aalto University 
• Aalto University student registrations and completed studies at other Finnish higher education institutions 

Data retrieved from Aalto University’s services

• Data on the study rights of incoming international exchange students is retrieved from the international mobility management system
• Rights to study towards parts of a degree (non-degree studies) are retrieved from the unit responsible for the studies
• Data concerning student rights to study through the Open University, including payment information 
• Other rights to study are retrieved from the unit responsible for the studies
• Data on degrees completed at other higher education institutions, insofar as the data is relevant to the student’s right to study at Aalto University
• For transfer students, data on earlier academic-term enrolments and the period of validity of a transferred right to study are retrieved from the student’s previous university 
• Data on membership in the student union from e-banking services or the OILI service 
• Data on study attainments, their evaluation and on degrees completed at Aalto University are retrieved from the unit responsible for the studies or the degree 
• Study plans and other information pertaining to the supervision and advising of studies are retrieved from the unit responsible for the student 
• Information on work placements (i.e. internships or practical training) is retrieved from the unit responsible for the student 
• Information on tuition fee liability and scholarships or grants is retrieved from the unit responsible for the student 

Data on continuing-education students

• Identifying data (name, personal identity code, date of birth, student number) is retrieved from the unit responsible for continuing education
• Background information (e.g. admissions information, gender, nationality and languages) are retrieved from the unit responsible for continuing education
• Contact details (email address, telephone number, postal address) are retrieved from the unit responsible for continuing education
• Rights to study are retrieved from the unit responsible for continuing education
• Based on the identifying data, information on continuing education students is connected to their possible role as staff members or students at Aalto University.  

Data on staff and employment relationships

• Identifying data (name, personal identity code) is retrieved from Aalto University’s human resource information system
• Information about a contractual employment relationship currently in force (period of validity, job title, contract number) is retrieved from Aalto University’s human resource information system
• Information about teaching events and teachers is retrieved from the curriculum design and facility-booking systems
• Based on the identifying data, a staff member’s information will be connected to their possible role as a student or as a continuing education student at Aalto University

Data concerning other individuals

• Name and email address of payers of Open University right-to-study fees 

Aalto University discloses personal data to parties outside the university or processes data for purposes other than the original purpose only in situations where such disclosure or processing is permitted by law.

Aalto University may disclose students’ personal data contained in the Sisu student information system, insofar as necessary, to the following recipients:

• Aalto University Student Union (AYY) (Universities Act, 558/2009)

Data disclosed through the cross-institutional studies study path: 

• Registrations of students from other Finnish higher education institutions and their completed studies at Aalto University
• Identifying data on Aalto University students and their registrations for parts of a degree at other Finnish higher education institutions 

The personal data of Aalto University students and data on students and studies are disclosed to the following parties through the VIRTA higher education achievement register of the National Data Warehouse for Higher Education and through the KOSKI data warehouse (KOSKI-tietovaranto, in Finnish and Swedish only at https://opintopolku.fi/konfo/fi/sivu/koski-palvelun-tietosuojaseloste ): 

• Finnish Student Health Service (FSHS) (the act on student health care at higher education institutions, (laki korkeakouluopiskelijoiden opiskeluterveydenhuollosta, 695/2019))
• The KOTA database of the Ministry of Education and Culture
• The internationalisation services of the Finnish National Agency for Education
• The student admissions register (Act on the National Registers of Education Records, Qualifications and Degrees, 884/2017, section 20)
• The Social Insurance Institution of Finland, Kela (Act on Financial Aid for Students, 65/1994, sections 41b and 43)
• National Supervisory Authority for Welfare and Health, Valvira (Act (559/1994) and Decree (564/1994) on Health Care Professionals)
• Statistics Finland (Statistics Act, 280/2004, section 15)
• Employment authorities (Unemployment Security Act (1290/2002), Act on Public Employment and Business Service (916/2012))
• Immigration authorities (the act on the processing of personal data in the field of immigration administration, laki henkilötietojen käsittelystä maahanmuuttohallinnossa, 615/2020, section 13)
• Other integrated services (the Puro service for transferring credits, the Koski database)
• To other parties on separate commission and to other authorised parties

In addition, Aalto University may disclose students’ personal data stored on Sisu as follows:

• For scientific research
• In order to comply with the Act on the Openness of Government Activities (621/1999) or with other legal obligations
• To other Finnish institutions of higher education in order to process a right to study or to transfer information on completed studies as a part of cooperation in teaching, for example
• To institutions of higher education abroad for the implementation of double and joint degrees, or for other cooperation in education, such as for transferring information about completed studies
• With the student’s consent, contact information may be disclosed to parties outside the university for marketing communications or other special purposes

Personal data of staff that is stored on Sisu and related to the implementation of teaching may be disclosed by Aalto University as follows: 

• For the development and piloting of the Digivisio 2030 project (Opin.fi)

See the privacy notice for students for more information on the processing of students’ personal data. To learn more about the processing of employees’ personal data, see the privacy notice for employees. The privacy notices for students and employees contain information on the processing of personal data and on the data subjects’ rights to their personal data.