Aalto Summer continuing education

Similar documents
PROCEDURE RIGHTS OF THE DATA SUBJECT PURSUANT TO THE ARTICLES 15 TO 23 OF THE REGULATION 679/2016

(1) General information

Privacy policy. 1.1 We are committed to safeguarding the privacy of our website visitors.

Address: PL 52 (Ketunpolku 1), Kajaani

Information about the Processing of Personal Data (Article 13, 14 GDPR)

Art. I Right to Access to Personal Data

closer look at Rights & remedies

Information leaflet about processing of personal data for Newsletter Recipients (hereinafter Data Subject)

Charter on personal data

Declaration on the protection of personal data in the company TAJMAC ZPS, a.s.

SKILLSTAR 2018 NONPROFIT KFT. DATA PROTECTION POLICY

Application for a visa for a long stay in Belgium This application form is free

REGULATION (EU) 2016/679 General Data Protection Regulation

Data Protection Policy. Malta Gaming Authority

PROJET DE LOI ENTITLED. The Data Protection (Bailiwick of Guernsey) Law, 2017 ARRANGEMENT OF SECTIONS PART I PRELIMINARY

Individual Rights (Data Privacy) Policy

16 March Purpose & Introduction

PRIVACY POLICY STATEMENT ON THE PROCESSING OF PERSONAL AND SENSITIVE DATA OF THE CUSTOMERS WITHIN THE MEANING OF ARTICLE 13 AND FF. OF REGULATION (EU)

Brussels, 29 November 2007 (Case ) 1. Procedure

Brussels, 3 May 2006 (Case ) 1. Procedure

DATA PROCESSING AGREEMENT. between [Customer] (the "Controller") and LINK Mobility (the "Processor")

9091/17 VH/np 1 DGD 2C

Factsheet on the Right to be

Selection procedure at the European Ombudsman's Secretariat

European Data Protection Supervisor Your personal information and the EU administration: What are your rights?

1. Processing of personal data legal basis, purpose and scope Legal basis fulfillment of statutory legal requirements

SUBSIDIARY LEGISLATION DATA PROTECTION (PROCESSING OF PERSONAL DATA IN THE POLICE SECTOR) REGULATIONS

Information on the Processing of Personal Data (GDPR)

NOTIFICATION FOR PRIOR CHECKING INFORMATION TO BE GIVEN(2)

COMP Article 1. Article 1 Subject matter and objectives

General Data Protection Regulation

Data Protection Declaration in accordance with the DSGVO

***I DRAFT REPORT. EN United in diversity EN 2012/0010(COD)

Adequacy Referential (updated)

A Legal Overview of the Data Protection Act By: Mrs D. Madhub Data Protection Commissioner

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April on the protection of natural persons

Processor Agreement SURF Model Agreement

Act CXII of on the Right of Informational Self-Determination and on Freedom of Information 1 CHAPTER I GENERAL PROVISIONS. 1.

The legal framework and guidance on data protection under the. Cross-border ehealth Information Services (CBeHIS) T6.2 JAseHN draft v.2 (20.10.

APPLICATION FORM SECONDED NATIONAL EXPERTS. 0 The application form must be completed in English and in electronic format;

Schools Subject Access Request Procedures

DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL. of 24 October 1995

The Act on Processing of Personal Data

5418/16 AV/NT/vm DGD 2

EUROPEAN PARLIAMENT COMMITTEE ON CIVIL LIBERTIES, JUSTICE AND HOME AFFAIRS

PERSONAL DATA PROCESSING AGREEMENT

Privacy Notice 1. CONTROLLER S NAME AND DATA

Port Glasgow St Andrew s Data Protection Policy

DATA PROCESSING AGREEMENT

The Ministry of Technology, Communication and Innovation and The Data Protection Office. Workshop On DATA PROTECTION ACT 2017

STATOIL BINDING CORPORATE RULES - PUBLIC DOCUMENT

How we use Personal Information

Principles and Rules for Processing Personal Data

Fragomen Privacy Notice

Charities & Not-for-Profits Overview of Data Protection Law

Reports of Cases. JUDGMENT OF THE COURT (Second Chamber) 20 December 2017 *

Brussels, 16 May 2006 (Case ) 1. Procedure

Opinion on a notification for Prior Checking received from the Data Protection Officer of the European Ombudsman on verification of telephone bills

SIMON READHEAD Q.C. PRIVACY NOTICE

Law Enforcement processing (Part 3 of the DPA 2018)

Data Protection Bill [HL]

Article 1. Federal Data Protection Act (BDSG)

Name: Address: Phone no: Nature of Business:

General Rules on the Processing of Personal Data SCHEDULE 1 DATA TRANSFER AGREEMENT (Data Controller to Data Controller transfers)...

CENTRAL BANK OF BAHRAIN. Form 3: Application for Approved Person Status (Application for approved person status in the Kingdom of Bahrain)

CHAPTER [INSERT] DATA PROTECTION BILL Acts [insert] ARRANGEMENT OF SECTIONS PART I PART II

EUROPEAN COMMISSION DIRECTORATE-GENERAL JUSTICE

Mannofield Parish Church. Registered Scottish Charity No: SC (the Congregation ) Data Protection Policy

Data Protection Policy

SCHEDULE 1 DATA TRANSFER AGREEMENT (Data Controller to Data Controller transfers)... 16

An Bille um Chosaint Sonraí, 2018 Data Protection Bill 2018

Date recieved Recieved by (name) Authority (stamp) Personal ID / Udl.nr. Previous surnames / family names (if applicable)

DATA PROTECTION LAWS OF THE WORLD. Romania

DATA PROTECTION (JERSEY) LAW 2018

THE DATA PROTECTION BILL (No. XIX of 2017) Explanatory Memorandum

MERITOCRACY PRIVACY POLICY. Updated on March 27, 2017.

International Privacy Laws: Those New EU Data Protection Regulations Do Apply to You!

An Bille um Chosaint Sonraí, 2018 Data Protection Bill 2018

PRIVACY POLICY. 1. OVERVIEW MEGT is committed to protecting privacy and will manage personal information in an open and transparent way.

Central Bank of Bahrain. Form 3: Application for Approved Person Status (Application for approved person status in the Kingdom of Bahrain)

AmCham EU Proposed Amendments on the General Data Protection Regulation

EQUILOR BEFEKTETÉSI ZRT. S PRELIMINARY INFORMATION ON DATA PROTECTION

This unofficial translation is provided for information purposes only and has no legal force. Data Protection Act.

Privacy notice regarding the processing of personal data under the General Data Protection Regulation

EDPS - European Data Protection Supervisor CEPD - Contrôleur européen de la protection des données

DATA PROTECTION LAWS OF THE WORLD. Ireland

EUROPEAN PARLIAMENT Committee on the Internal Market and Consumer Protection

CENTRAL BANK OF BAHRAIN

EVIDENCE ON THE DATA PROTECTION BILL. For the House of Commons Public Bill Committee by Open Rights Group and Chris Pounder

The European Union General Data Protection Regulation (GDPR) Barmak Nassirian, Federal Director Thursday, February 22, 2018

Data Protection Bill [HL]

DECISION no. 52 of 31 st May 2012 on the processing of personal data using video surveillance means

Privacy Policy. This Privacy Policy sets out the Law Society's policies in relation to the management of Personal Information.

CENTRAL BANK OF BAHRAIN. Form 5: Application for Registration of Appointed Representative

CHAPTER I. Definitions

Once you have gathered all the information required please send to Key Travel s visa department

Privacy Regulations of the Coaching Monitor

European College of Business and Management Data Protection Policy

Data Protection Act 1998 Policy

PRIVACY STATEMENT (Everest Notariaat N.V.)

Transcription:

1 Aalto University Privacy Notice for Aalto Summer Students General Data Protection Regulation (EU) 2016/679, (GDPR), Articles 13 and 14 Dear Aalto Summer Students, This notice concerns Aalto Summer continuing education students who have a right to pursue single course(s). The notice contains information about how personal data on students is processed and the rights that students have to their own personal data. In order to comply with our tasks, such as arranging teaching, collecting and maintaining data on studies, and providing student services, we have to process various kinds of information by which an individual may be identified, that is personal data. In this context, the student is referred to as a data subject and we are referred to as the controller, that is, the party that controls the processing of the personal data for the abovementioned purposes. We only process personal data that is necessary for complying with our tasks. Therefore, we collect and handle personal data in accordance with the particular needs of student groups. Name of register: Aalto Summer continuing education Date: 3 July 2018 Controller, unit in charge: Aalto University Aalto University Foundation Postal address: P.O. Box 11000, FI-00076 AALTO Street address: Otakaari 24, 02150 Espoo Tel.: +358(9) 47001 (exchange) Learning Services Eija Zitting, Head of Learning Services Person in charge, contact person and contact details Person in charge: Ms Johanna Söderholm, Chief, Programme Management Services Contact person: Ms Mervi Rantanen, Aalto Summer Project Manager, Learning Services, Contact details: summer @aalto.fi University s data protection officer, contact details Mr Jari Söderström, Senior Legal Counsel, Aalto University Postal address: P.O. Box 11000, FI-00076 AALTO Street address: Otakaari 24, 02150 Espoo Tel: +358 (9) 47001 (exchange) Email: dpo@aalto.fi You may contact the Aalto University s data protection officer for questions concerning the university s data protection policies, this present notice or other matters concerning the processing of personal data by the university.

2 Purpose and legal grounds for the processing of personal data Personal data is processed for the organization of Aalto Summer courses. Personal data is processed also for statistical purposes. The university s right to process personal data as a controller is mainly based on the following: Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract: processing applications, admission to courses, arranging teaching, registration of credits, collecting feed-back and taking care of invoicing. Compliance with a legal obligation to which the controller is subject: Some of the course credits may have to be reported to National Data Warehouse for Higher Education (VIRTA). The university has a right as controller to process special categories of personal data when the processing is necessary for reasons of substantial public interest or is based on an explicit consent (Article 9(2), point a or g). A: Personal data collected directly from the data subject Yes B: Personal data collected elsewhere than from the data subject Yes Source of personal data: Aalto University staff and IT-systems - Data regarding admission for courses and programmes - Data regarding study assessment and attainment for courses and programmes - Aalto ID and username Categories of personal data in the register Aalto Summer processes categories of personal data concerning students outside Aalto University who are applying and participating Aalto Summer courses Individualising information: Name Date of birth Nationality Contact details: Postal address, e-mail address, telephone number (Skype ID) Passport information Information regarding student s application: Contact person Home university Position at home university Educational background Work experience Curriculum Vitae (CV) English language skills Name of embassy Invoicing information

3 Letter of motivation Special needs Accommodation requirements Information regarding completed studies: Completed courses and programmes with marking Additional: Aalto ID and username Student study information that may contain special categories of personal data (sensitive data): Information given by the data subject relating to special needs 0BThe recipients or categories of recipients of the personal data At Aalto University, the data is processed only by Aalto employees or contracted individuals working on behalf of Aalto who need the data for their work duties. The information is protected from unauthorised handling. Access rights are in place to restrict unauthorised access to the student information systems. The personal data is processed mainly by Learning Services staff and teaching staff. In addition, personal data may be processed by Aalto s campus- and security services, Learning Centre services, IT services, and financial services. Aalto University may disclose personal data on students as follows: for scientific research to comply with the Act on the Openness of Government Activities (621/1999) or with other legal obligations with the student s consent, contact information may be disclosed to parties outside the university for marketing communications or other special purposes Continuing education data is transferred to Virta, the National Data Warehouse for Higher Education.

4 1BPlanned transfers of personal data to third countries or international organisations The controller does not, as a rule, transfer information from this register outside the European Union (EU) or European Economic Area (EEA). The data protection policy of the university is to exercise particular care when transferring personal data outside the EU and the EEA to countries that do not offer the data protection required by the European General Data Protection Regulation (GDPR). Transfers of personal data outside the EU and EEA are done in accordance with the requirements of the GDPR. 2BCriteria used to determine the period for which data are stored and periods for which personal data are stored The periods for which personal data saved in systems and manual material are stored, are based on the law and the records management plan of Aalto University. Applications: rejected 2 years; accepted 6 years Information on education: study attainments and their grades: minimum of 50 years Information on accounting: accounting information must be kept for a minimum of 6 years from the end of each accounting period.

5 Rights of the data subject To make any information requests related to his or her rights as a data subject, the student may send an e-mail to: summer@aalto.fi Right of students to access their data Students have a right to know what personal data are being processed and what data concerning them have been saved. The student may make an information request to the university. In such cases, the following procedure is to be followed: The university provides the information requested without undue delay. The person making the request must verify his/her identity as necessary. The requested information or the additional information related to the request must be provided no later than one month after receiving the request. If the information request is complex and comprehensive, the deadline may be extended by two months. As a rule, the information shall be provided free of charge. For any further copies requested by the student, the university may charge a fee based on administrative costs. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the university may either charge a fee based on administrative costs or refuse to act on the request. The university shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request. If the university does not provide the information requested, the student will be provided with a written account of the matter. The written account will also include an explanation of the student s rights to judicial remedies, for instance, the right to lodge a complaint with the supervisory authority. Right of the student to rectification of data The student has a right to have any inaccurate or incomplete personal data concerning him or her rectified or completed without undue delay. In addition, the student has a right to demand that all personal data concerning him or her that is no longer necessary be erased. If the university does not accept the student s request for rectifying his or her personal data, the student will be given a written account specifying the reasons for rejecting his or her request. The written account will also include an explanation of the student s rights to judicial remedies, for instance, the possibility of lodging a complaint with the supervisory authority. Student right to erasure of data Depending on the legal basis, the student may have a right to have their personal data erased from the register of the school. This right shall not apply to cases where data processing is necessary for compliance with a legal obligation or for a task carried out in the exercise of official authority vested in the school. The storage and erasure of data shall comply with the records management plans of the university and the data storage periods required by legislation.

6 Right to restrict processing In certain situations, students may have the right to restrict the processing of their personal data until the legal basis for the data or their processing has been duly checked and rectified or completed. This right shall not apply to cases where data processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. As a result, this right shall not apply, as a general rule, to the personal data files of the university. Right to data portability The right to data portability means that the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the university, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the university. This right shall apply only to situations where the processing is carried out by automated means and is based on consent or on a contract. Right to object to processing of personal data The student shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on the performance of a task carried out in the public interest or in the exercise of official authority or the legitimate interest of the university. In such cases, the university shall no longer process the personal data unless the university demonstrates compelling legitimate grounds for the processing. The right of the data subject to withdraw consent In situations where the processing of the personal data is based solely on consent, the student shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. As a rule, the withdrawal of consent is communicated to the party to which the original consent was given. If this is impossible, the student may e-mail to: dpo@aalto.fi The right of the data subject to lodge a complaint with a supervisory authority The student shall have the right to lodge a complaint with a supervisory authority, if they consider that the processing of personal data relating to him or her infringes the General Data Protection Regulation (EU) 2016/679. In addition, the student has a right to use other administrative or judicial remedies. The student shall have the right to bring proceedings against the controller or the organisation processing the personal data before

a court if the student considers that the processing of his or her personal data infringes the General Data Protection Regulation. 7

2024 © lawsdocbox.com Privacy Policy | Terms of Service | Feedback