Metropolia’s International Mobility Personal Data Register

This Privacy Notice is based on the EU’s General Data Protection Regulation (2016/679, “GDPR”), namely the obligation to inform the data subjects (GDPR Articles 12–14), the data controller’s obligation to maintain a record of processing activities under its responsibility (GDPR Article 30), as well as the obligations set out in the Finnish Data Protection Act (1050/2018) supplementing the GDPR.

Additionally, this Privacy Notice has been prepared with the aim of making it accessible in accordance with the requirements of the EU’s Web Accessibility Directive (Directive (EU) 2016/2102 of the European Parliament and of the Council on the accessibility of the websites and mobile applications of public sector bodies) and the Finnish Act on the Provision of Digital Services (306/2019) supplementing it.

Purpose of the processing of personal data:

Metropolia’s International Mobility Personal Data Register and the personal data it contains are processed for the following purposes:

Administration of the international mobility of students and staff at Metropolia University of Applied Sciences
Application for student, lecturer and staff exchanges and arranging the exchanges
Receiving and processing mobility applications from incoming or outgoing students and staff and the personal data they contain
Maintaining the data concerning the international partners and partnership agreements of Metropolia University of Applied Sciences
Processing personal data concerning student, lecturer and staff exchange for the purpose of implementing exchange and partnership agreements with international partner higher education institutions

Processing personal data is necessary for preparing for an exchange period as well as conducting the measures before and after an exchange and collecting the necessary statistics.

Lawful basis for the processing of personal data:

The processing of personal data contained in Metropolia’s International Mobility Personal Data Register is based on:

Agreements

The activities related to the international partner higher education institutions are based on concluded exchange and cooperation agreements, in which case the lawful basis is ‘performance of a contract’.

In addition, in the case of Metropolia’s lecturer and staff exchange, the processing of personal data is based on an employment contract and/or a contract concerning the exchange which is related to the employment relationship between the person participating in the exchange (the employee) and the employer company (Metropolia University of Applied Sciences Ltd).

Consent of the data subject

When a data subject provides their personal data to apply for a voluntary international student exchange, the processing of the personal data is based on the consent of the data subject.

Consent is also used as the lawful basis for the processing of special categories of personal data contained in the register, including the processing of sensitive personal data, such as biometric data (e.g. facial photo in which the person is identifiable), which are listed as data requiring special protection in Article 9 of the EU’s General Data Protection Regulation.

Legal obligation

The processing of personal data contained in Metropolia’s International Mobility Personal Data Register is, in certain respects, also based on a legal obligation. The applicable laws include the Universities of Applied Sciences Act (932/2014), and some of the data are collected in accordance with the Act on the National Registers of Education Records, Qualifications and Degrees (884/2017).

The data subjects in Metropolia’s International Mobility Personal Data Register are:

Students at Metropolia applying for an exchange or work placement abroad
Students from abroad applying for an exchange or work placement at Metropolia
Lecturers and/or other staff at Metropolia going abroad
Lecturers and/or other staff coming to Metropolia from abroad and
Contact persons of Metropolia’s international partner higher education institutions

Metropolia’s International Mobility Personal Data Register contains the following personal data:

Students at Metropolia applying for an exchange or work placement abroad

Mobility data: Type of mobility and exchange programme, details of the exchange location/work placement (and information on other potential places applied for), dates of the mobility period, studies to be completed at the receiving higher education institution or the duties in the work placement, the information presented by the student in their motivation letter and exchange report
Basic details of the student: name, date of birth, gender, native language, nationality, contact details, language skills
Information on the student’s studies
Information on the next of kin: name and contact details
Information on scholarships: account number, scholarship received by the student, information on possible additional funding, information on whether the work placement is paid work
Information on possible insurance policies
Details of possible contact persons for the work placement (name and contact details, previously gender was also asked)
Other information and documents possibly required for the mobility programme

Students from abroad applying for an exchange or work placement at Metropolia

Mobility data: Mobility type and exchange programme, mobility dates, information provided by the student in their motivation letter and exchange report
Basic details of the student: name, date of birth, gender, native language, nationality, contact details
Information about the student’s studies at Metropolia and the work duties in the work placement
Information on the student’s home higher education institution: information about their studies, details of the contact person (name and contact details)
Information on the next of kin: name and contact details
Faculty-specific additional information or documents that are important for the selection (e.g. CV, portfolio, extract from the criminal record, vaccination information)
Other information and documents possibly required for the mobility programme

Lecturers and/or other staff at Metropolia going abroad

Mobility data: Mobility type and possible exchange programme, mobility dates and location, other possible details of the exchange, estimate of travel costs, possible information on funding (e.g. cost centre).
Basic details of the person undertaking the mobility period: name, date of birth, gender, nationality, contact details
Information on the employment relationship of the person undertaking the mobility period: field of study, degree programme, department, email of their supervisor
Other information and documents possibly required for the mobility programme

Lecturers and/or other staff coming to Metropolia from abroad

Mobility data: Type of mobility period and possible exchange programme, mobility dates, email address of the contact person at Metropolia, faculty and degree programme or support service at Metropolia, other possible details of the exchange
Basic details of the person undertaking the mobility period: name, date of birth, gender, nationality
Details of the sending organisation
Other information and documents possibly required for the mobility programme

Contact persons of Metropolia’s international partner higher education institutions

Basic details: name, contact details
Details of the home higher education institution and work duties/role

Partner agreements

The international exchange cooperation agreements concluded with the partner higher education institutions are applicable to international exchanges. In these agreements, the following personal data are stored on the persons specified in the agreements:

names of the contact persons and signatories of the agreements
job titles and organisation of the contact persons and signatories of the agreements
contact details of the contact persons specified in the agreements
date and place of signing of the agreements

With respect to student exchange, the personal data the applicant has provided on the exchange application may be processed with their consent in correspondence with the partners.

METKA Student Union

International Relations and METKA have agreed on the arrangement of tutoring for incoming exchange students. The personal data of incoming exchange students may be processed when tutoring for these students is arranged and managed and in communications between various parties.

Hoas – The Foundation for Student Housing in the Helsinki Region

Under an agreement between Metropolia and Hoas, Hoas has reserved a quota of furnished rooms for Metropolia’s incoming exchange students. International Relations annually provides Hoas with a list of incoming exchange students to whom Hoas may offer rooms from the Metropolia quota.

Access to the personal data contained in Metropolia’s International Mobility Personal Data Register will be given, where necessary, in the systems listed below (using administrator rights; for example, when a technical fault needs to be repaired, access is given to the system provider or to the maintenance personnel of a measurement device). The provider of the MobilityOnline system always has access through administrator rights to the personal data contained in the system. All system/equipment/software providers used (the companies behind them) can be deemed to be recipients of personal data and recipients of regular disclosures from the register.

With respect to the systems used by Metropolia’s International Mobility Personal Data Register, personal data processing agreements in accordance with Article 28 of the GDPR have been concluded with the following cooperation partners:

SOP Hilmbauer & Mauberger GmbH & Co KG and MobilityOnline international mobility management system

The MobilityOnline system is used for managing student mobility and incoming staff mobility and for storing data concerning them. MobilityOnline is the primary tool used by International Relations. There is an interface between MobilityOnline and the student desktop in OMA. Students from the partner higher education institutions can apply for student exchange at Metropolia through MobilityOnline. The student number of the incoming exchange students is transmitted through an interface from Metropolia’s education data system to the MobilityOnline system.

Eduix Ltd. and Metropolia’s education data system (OMA/Peppi system)

Students leaving on a student exchange fill in their application in the MobilityOnline system. The mobility data on outgoing student exchanges are transferred to Metropolia’s education data system (OMA/Peppi). In the case of an incoming student exchange, the data necessary for recording the student and the mobility period that are to be added to statistics are transferred from the MobilityOnline system to Metropolia’s education data system.

Mobility Tool system

The following data are uploaded to the European Commission’s Mobility Tool system for the reporting required by the European Commission:

Basic details of the person undertaking the mobility period (name, date of birth, gender, contact details)
In the case of students, the education data (student number)
Data on the mobility period (details of the exchange location/work placement, dates of the mobility period)

OLS system

For the purpose of sending the language test required by the Erasmus Programme, the following data on students leaving on an exchange/for a work placement are uploaded to the OLS system of the European Commission:

Basic details of the student (name, contact details, date of birth, nationality, gender)
The student’s education data (student number, application number from MobilityOnline)
Data on the student mobility period (details of the exchange location, dates of the mobility period)

Systems possibly used by the partner higher education institutions

Upon the student’s consent, the following data on the student are disclosed to the nomination system of the partner higher education institution: name, contact details, education data.

Finnish National Agency for Education, European Union and other parties funding mobility

Data on international mobility is disclosed to the Finnish National Agency for Education, the European Union and other potential funders of mobility programmes in order to enable monitoring of the activities.

Eduix Ltd. and E-lomake (E-form) software

E-lomake is used for collecting registrations in the following cases:

International business trip applications by Metropolia’s staff: Members of staff can announce their intention to leave on an international business trip.
International weeks organised at Metropolia: Persons working with partner institutions announce their intention to participate in an international week.
Tutoring of incoming exchange students: incoming exchange students announce that they would like to have a tutor student for their exchange period at Metropolia.

Visma Enterprise Ltd. and M2 travel management system

The M2 travel management system is used to manage affairs related to the travel of Metropolia’s lecturers/other staff. It is used to create travel itineraries, applications for advance travel payments, travel invoices, invoices for costs and driving logs. The old paper forms are no longer in use.

Google LLC and Google Suite for Education cloud service

The students and course lecturers have the opportunity to widely use the digital tools enabled by the Google Suite for Education cloud service when completing their studies or implementing courses. The end user is requested specifically for permission and consent to use the cloud service tools procured by Metropolia for its students and staff, as well as asked to accept the terms and conditions separately.

Microsoft Corporation and Microsoft for Education cloud service (Office 365 service package)

The students and course lecturers have the opportunity to widely use the digital tools enabled by the Microsoft for Education cloud service (Office 365 service package) when completing their studies or implementing courses. The end user is requested specifically for permission and consent to use the cloud service tools procured by Metropolia for its students and staff, as well as asked to accept the terms and conditions separately.

Tuudo Ltd. and the TUUDO service and TUUDO mobile app

TUUDO (www.tuudoapp.fi) is a mobile app developed by the Finnish company Tuudo Oy. It allows students to view their course performance, register for courses and manage their personal schedules. METKA, the Student Union of Metropolia University of Applied Sciences, has concluded an agreement with Metropolia University of Applied Sciences under which Metropolia will provide the technical maintenance for METKA’s membership register. Metropolia University of Applied Sciences and the METKA Student Union have agreed on allowing the TUUDO service and TUUDO mobile app to search data directly from the Student and Education Data Register of Metropolia University of Applied Sciences through a technical interface. Students can utilise the data that can be retrieved through this connection when using the TUUDO service and TUUDO mobile app.

The TUUDO mobile app offers the students a digital member ID from METKA, with which they can use METKA’s membership benefits and services. The use of the TUUDO service by students to view their personal data is based on voluntary registration by the students for membership of the METKA Student Union.

CSC – IT Center for Science Ltd. and the VIRTA database

Certain statutory student and education data are transmitted using VIRTA data transfer, which is administered by CSC – IT Center for Science Ltd., at regular frequencies to the national VIRTA database, and from there they are forwarded through VIRTA to the OILI system, which is used for enrolment as present or absent. VIRTA is the national database for higher education institutions.

Data disclosed for the purpose of scientific research (Act on the Openness of Government Activities, 621/1999, and Data Protection Act, 1050/2018)

The International Relations unit of Metropolia University of Applied Sciences discloses data from the International Mobility Data Register for the purpose of scientific research, whenever necessary. The requester must inform the data controller of the purpose of processing the data and all other details necessary for evaluating whether the data may be disclosed. If necessary, a statement must be provided on how data protection will be arranged.

Opintopolku.fi service portal

Data on applicants and student selection data from the national Opintopolku.fi service maintained by the Finnish National Agency for Education.

Hoas – The Foundation for Student Housing in the Helsinki Region

Social Insurance Institution of Finland (Kela)

Upon request, the following data are disclosed to the Social Insurance Institution of Finland for confirming the mobility of students leaving for an exchange/work placement: mobility dates and mobility location.

Metropolia’s METKA Student Union

International Relations and METKA have agreed on the arrangement of tutoring for incoming exchange students. The personal data of incoming exchange students (name, contact details, mobility data) may be processed when tutoring for these students is arranged and managed and in communications between various parties.

Various group reports printed out of the Student and Education Data Register

International Relations discloses mobility data to selected persons in the degree programmes to support decisions on mobility and the organisation of teaching. Various group reports printed out of systems are deemed manual registers. For this reason, the disclosure of a report printed out from the register is treated as a disclosure of data from the personal data register.

The personal data contained in Metropolia’s International Mobility Register may be transferred outside the EU or EEA in connection with and to conduct international student selections and exchange as well as in situations where a student participates in international RDI (research, development and innovation) activities. The personal data contained in Metropolia’s International Mobility Personal Data Register may be transferred outside the EU or EEA in connection with and to conduct international lecturer or staff exchange as well as in situations where a lecturer/member of staff participates in international RDI activities.

In addition, in order to provide IT services that are necessary for completing studies, the personal data contained in Metropolia’s Student and Education Data Register may be transferred outside the EU or EEA. Only the necessary data are transferred and the transfer is carried out in accordance with data protection legislation and within the restrictions placed by it. A separate agreement is always concluded on data security during the transfer.

In addition, an exception is made in situations where a student/trainee/lecturer/member of staff independently activates a separate service, such as Google Suite for Education or the Microsoft Office 365 service. In such cases, the necessary data required by the service are disclosed to the service. In such exceptional cases, however, the student will be separately requested to give consent to the service and asked to accept its terms and conditions.

In general, personal data contained in the data register of Metropolia University of Applied Sciences may be transferred outside the EU or the EEA in order to provide IT services necessary for work or study, on a case-by-case basis. The destination country to which the personal data is transferred then, is mainly the United States. It is also possible that India is the destination country as global ICT service providers use often India as a host country for the international helpdesk service / ICT technical user support.

The ICT service provider of Metropolia UAS may not transfer or grant access to personal data or process personal data of Metropolia UAS outside the EU or the EEA without prior consultation and prior written consent received from Metropolia UAS.

In the case of written consent has been received from the data controller (Metropolia UAS) for the personal data transfer outside the EU or the EEA, a documented TIA ((Data) Transfer Impact Assessment) must be conducted and approved by the data controller. Before personal data can be transferred outside the EU or the EEA, the data exporter (Metropolia UAS) of personal data must ensure that an adequate level of data protection is guaranteed for the personal data to be transferred. If the basis for the transfer does not guarantee adequate protection in itself, it can be supplemented in certain cases with different kinds of technical, organisational or agreement-based additional safeguards.

The controllers and processors of personal data that are transferring the data must check on a case-by-case basis if the legislation of the third country guarantees a level of protection for the personal data to be transferred that is essentially equivalent to that of the EU and of the EEA. The assessment must take account of the case-by-case conditions of the transfer, the legislation of the third country in question and the applicable basis for the transfer. The data exporter (Metropolia UAS) is responsible for drawing up a concrete assessment. The assessment must also be documented carefully.

In the case of written consent received from the data controller /data exporter (Metropolia UAS) for the personal data transfer outside the EU or the EEA, the contract bounding the data transfer must include Standard Contractual Clauses (SCC) adopted by the EU Commission. In addition, the data controller /data exporter (Metropolia UAS) must assess and follow-up on a regular basis the level of data protection in the destination country. The data controller /data exporter (Metropolia UAS) may negotiate with the ICT service provider whether some additional safeguards - like technical, organizational or agreement-based additional safeguards - might be used when transferring data from the EU or the EEA outside the EU or the EEA. The data transfer might be conducted also by using an other data controller’s written approved mechanism.

The SCC (Standard Contractual Clauses) clauses will be included as part of the personal data processing agreement to be drawn up with the ICT service provider. Only the necessary data will be transferred and the transfer will be made in accordance with and within the limits set by data protection law. The security and data protection of the transfer are always agreed separately.

The personal data collected and processed in Metropolia’s International Mobility Personal Data Register are retained in the register as follows:

Study performance that results in credit points is stored permanently. It is stored in Metropolia’s OMA/Peppi data system (forming a part of Metropolia’s student register) and also transferred to the national VIRTA database through VIRTA data transfer for permanent storage. All study performance that results in credit points is governed by sections 25 and 27 of the Act on the National Registers of Education Records, Qualifications and Degrees. The transcripts of records for the studies completed by the students in the partner higher education institutions are also stored in the MobilityOnline system.

Information on a person’s right to study concerning education leading to a degree and specialisation education as well as information on the acceptance of a study place and enrolment for education leading to a degree and specialisation education (course performance for which credit points are earned is governed by the Act on the National Registers of Education Records, Qualifications and Degrees, 884/2017).

Special data related to the arrangement of student selections (including health data):

Data concerning state of health are such data that a person applying to become a student at the university of applied sciences has personally wished to be considered in the arrangements for the student selection. They are stored for a maximum of four years and erased from the register no later than four years after they were recorded (processing of sensitive personal data, section 40 of the Universities of Applied Sciences Act, 932/2014).

Data concerning the state of health of the employees (lecturers and other staff)

Data concerning state of health are such data that a person applying for an exchange has personally wished to be considered in the arrangements for the selection. They are stored for as long as their purpose is valid, after which they are immediately erased. The lawful basis and purpose of the processing are evaluated at least every five years (section 5 of the Act on the Protection of Privacy in Working Life, 759/2004).

Written course performance (e.g. exam answers written on paper): In accordance with the Universities of Applied Sciences Act, Metropolia University of Applied Sciences stores written course performance (e.g. exam answers written on paper) for six months after the results have been published. After this period, the lecturers and the assessors of the performance will shred the paper versions of the performance and/or dispose of them in designated data-secure bins.

Participation data related to lecturer and staff exchange and student exchange as well as mobility statistics are stored permanently.

Data on the payment of international scholarships are stored for 10 years.

Other data contained in the Student and Education Data Register:

Other data in Metropolia’s Student and Education Data Register and their retention are governed by the order issued by the National Archives to the universities of applied sciences: Order concerning the permanent retention of data exclusively in a digital format in the data systems of universities of applied sciences (in Finnish: Ammattikorkeakoulujen tietojärjestelmien tietojen pysyvä säilytys yksinomaan sähköisessä muodossa).

However, the data controller evaluates the retention times at regular intervals and complies with the guidelines and orders of the National Archives, among others.

The following regulations have been observed when determining the retention times:

EU General Data Protection Regulation (“GDPR”, 2016/679)
Data Protection Act (1050/2018)
Universities of Applied Sciences Act (932/2014)
Decision of the National Archives of Finland on retention times – order given to universities of applied sciences concerning the permanent retention of data in a digital format (AL/20757/07.01.01.03.02/2016)

The data subjects have the right to receive confirmation from the data controller of whether their personal data are being processed. Furthermore, the data subjects have the right of access to their personal data and the right to inspect their personal data stored in the register and to receive copies of them. Under the GDPR, the data controller must respond to requests by the data subjects to exercise their rights within one month of receiving such a request.

A. Right of access to personal data

The data subjects have the right to check whether their personal data are stored in the personal data register. A data subject may submit a request for information by delivering the data subjects’ information request form, which can be found on Metropolia’s public website and/or Metropolia’s intranet, to one of the three offices of Metropolia’s Student and Admission Services. The form must be filled in carefully, printed and signed personally by the data subject. If the data subject is a member of staff, they can deliver the request form to Metropolia’s Human Resources Management unit. When submitting the request, the data subject must prove their identity in a reliable manner (for example by presenting an official personal identity document or driving licence to the Metropolia employee receiving the request).

The visiting addresses of the offices of Metropolia’s Student and Admission Services are:

Metropolia’s Myllypuro campus

Myllypurontie 1, 00920 Helsinki, Finland

Metropolia’s Arabia campus

Hämeentie 135 D, 00560 Helsinki, Finland

Metropolia’s Myyrmäki campus

Leiritie 1, 01600 Vantaa, Finland

The visiting address of Metropolia’s Human Resources Management unit is:

Metropolia’s Myllypuro campus (Buildings C and D, 5th floor)

Myllypurontie 1, 00920 Helsinki, Finland

All information requests will be forwarded from the offices of Metropolia’s Student and Admission Services and/or the Human Resources Management unit to Metropolia’s Data Protection Officer (email: tuulia.aarnio [at] metropolia.fi (tuulia[dot]aarnio[at]metropolia[dot]fi), tietosuojavastaava [at] metropolia.fi (tietosuojavastaava[at]metropolia[dot]fi)).

Metropolia’s Data Protection Officer will respond to information requests submitted by the data subjects. If necessary, the Data Protection Officer can be requested to provide additional information on progress in the processing of the request or on the content of the response.

B. Right to rectify personal data and to restrict processing

The data subjects have the right to request the data controller to restrict the processing of their personal data in the following cases:

the data subject denies that their personal data is correct (right to rectify personal data), in which case processing will be restricted until the data controller can ascertain that the data is correct;
processing is unlawful and the data subject objects to the erasure of their personal data, instead requesting that the processing of the data be restricted;
the data controller no longer needs the personal data for the purposes of the processing, but the data subject needs them in order to establish, exercise or defend a legal claim.

Such a request for rectifying personal data in a Metropolia personal data register or restricting processing can be submitted in person to one of the above-mentioned offices of Metropolia’s Student and Admission Services or Metropolia’s Human Resources Management unit (staff only), where the data subject must prove their identity in a reliable manner when submitting the request.

C. Right to erase personal data

The data subject has the right to obtain from the controller the erasure of their personal data from a Metropolia register without undue delay if any of the following conditions are met:

the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
the data subject withdraws consent on which processing is based and there is no other lawful basis for processing;
the personal data have been unlawfully processed; or
the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.

Such a request for the erasure of personal data in a Metropolia personal data register can be submitted in person to one of the three above-mentioned offices of Metropolia’s Student and Admission Services or Metropolia’s Human Resources Management unit (staff only), where the data subject must prove their identity in a reliable manner when submitting the request.

D. Right to data portability (transfer of data from one system to another)

Partially applicable. Article 20 of the General Data Protection Regulation introduces a new right of the data subject: the right to receive their personal data in a “structured, commonly used and machine-readable format” and the right to transmit those data to another controller. The purpose of this right is to increase the opportunities available to data subjects to influence their personal data because this facilitates the transfer or copying of personal data from one data system environment to another (to their own systems, the opportunity to save the data for their personal use or to begin storing their personal data in systems controlled by reliable third parties). In this respect, the right to data portability from one system to another complements the right of access to one’s personal data.

The right to data portability from one system to another under Article 20 of the General Data Protection Regulation also means that the data subjects have the right to receive their personal data in a structured, commonly used and machine-readable format so that they can easily transfer those data from one system to another system with another controller. The data may be transferred at the data subject’s request directly from one data controller to another if this is technically feasible (section 2 of Article 20). Data controllers are encouraged to develop compatible formats that enable the transfer of data from one system to another, although data controllers are not obliged to accept or maintain data processing systems that are technically compatible.

What is noteworthy about Article 20 of the General Data Protection Regulation is that the right to data portability applies to personal data processing activities that are based on:

consent of the data subject (in accordance with Article 6(1)(a) or Article 9(2)(a) if the processing concerns special groups of personal data), or
a contract to which the data subject is a party (in accordance with Article 6(1)(b)).

In other words, Article 20 of the General Data Protection Regulation must be complied with if the lawful basis for the processing of personal data is the consent of the data subject or the execution of a contract. The right only applies to personal data provided by the data subject to the data controller.

A request based on Article 20 of the General Data Protection Regulation can be submitted in person to one of the three above-mentioned offices of Metropolia’s Student and Admission Services or Metropolia’s Human Resources Management unit (staff only), where the data subject must prove their identity in a reliable manner when submitting the request.

E. Right to not be subjected to a personal data breach

The data subject has the right to not be subjected to a personal data breach, as referred to in Article 33 of the EU’s General Data Protection Regulation, due to the data controller’s negligence in data protection and/or data security matters or due to negligence on the part of a data processor used by the controller in data protection and/or data security matters. The data subject has the right to be informed without undue delay if a personal data breach is likely to pose a high risk to the rights and freedoms of natural persons.

General description of the technical and organisational security measures aiming at protecting the personal data of the data subjects and the personal data registers:

The protection of the register has been agreed upon with the system providers. If necessary, the responsibilities have been described in adequate detail in the appropriate agreements.

The employees and other personnel have undertaken to comply with the obligation of secrecy and to keep confidential the information they receive in connection with the personal data processing.

The system providers (personal data processors) undertake to maintain the register and the personal data relating to it in accordance with good data processing practices and comply with the obligation to absolute secrecy and confidentiality.

The data security of the personal data register of the data controllers and the confidentiality of the data contained therein are ensured with appropriate technical and administrative means in accordance with good data processing practices.

The data controllers have restricted user rights and authorisations to data systems, tools and other storage platforms in such a way that they can only be accessed and processed by the persons who are necessary for such processing due to their job duties or position.

The system containing personal data may only be used by employees who are entitled to process personal data due to their job duties and/or position. Such employees will be given the appropriate training for their duties.

Every user of a tool/system must identify themselves with their personal codes, which are issued when the right to access the tool/system is granted. The right of access will expire once the employee resigns or is transferred from the duties for which they were granted the right at Metropolia.

The data are collected in databases that are protected logically and physically.

The databases and their back-up copies are located in locked premises, and the data can only be accessed by certain pre-appointed persons.

Privacy notice: Metropolia’s International Mobility Personal Data Register