Metropolia’s Student and Education Data Register

This Privacy Notice is based on the EU's General Data Protection Regulation (2016/679, “GDPR”), namely the obligation to inform the data subjects (GDPR Articles 12–14), the data controller's obligation to maintain a record of processing activities under its responsibility (GDPR Article 30), as well as the obligations set out in the Finnish Data Protection Act (1050/2018) supplementing the GDPR.

Additionally, this Privacy Notice has been prepared with the aim of making it accessible in accordance with the requirements of the EU's Web Accessibility Directive (Directive (EU) 2016/2102 of the European Parliament and of the Council on the accessibility of the websites and mobile applications of public sector bodies) and the Finnish Act on the Provision of Digital Services (306/2019) supplementing it.

Purpose of the processing of personal data:

The Student and Education Data Register of Metropolia University of Applied Sciences is used to process data in order to enable studying at the university of applied sciences (UAS) and to handle the student data management tasks. These tasks include the planning, implementation, monitoring and assessment of studies. The purpose of Metropolia’s Student and Education Data Register is to enrol students and record, manage and maintain their study and performance data; to create certificates and reports related to various studies for Metropolia’s own activities and research activities; and to provide data to the authorities; as well as to resolve cases of study misconduct.

Metropolia University of Applied Sciences provides distance/online teaching and distance/online exams. The Microsoft Teams online videoconferencing tool and the Zoom online videoconferencing tool are used in distance teaching. Metropolia University of Applied Sciences monitors the completion of exams to ensure equal treatment of students. In remote monitoring, the university of applied sciences may primarily use live video or sign-in, activity and log data collected by IT systems. In some justified cases or in cases when misconduct is suspected, the UAS may also use video and audio recordings as a secondary means. The student’s identity may be verified for an online exam. Participation in a remotely monitored event at a private location chosen by the student is voluntary. When participating in a remotely monitored event, the student accepts the terms and conditions of the monitoring, such as keeping their camera on. The student has the right to interrupt the monitoring during an exam, for example, due to an unexpected situation, but an interruption of the monitoring may lead to the exam performance being rejected.

The Student and Education Data Register is critical for Metropolia as a tool for planning, implementation, assessment and monitoring. The data subjects (students, lecturers, other staff) are parties to matters related to Metropolia’s education data management and the studies.

The joint data controllers of Metropolia’s student selection register are the Finnish National Agency for Education (EDUFI) and Metropolia University of Applied Sciences. The Finnish National Agency for Education is responsible for collecting the data in the student selection register and the national implementation of application systems, as well as joint communications, guidance and advice related to application for studies and student admission. As a provider of teaching and education, Metropolia is responsible for the accuracy of the data it stores and the right of the data subjects to rectify their personal data. The Finnish National Agency for Education is responsible for the other obligations of the data controller laid down in the General Data Protection Regulation.

A national database called VIRTA is used for the centralised storage of study right data, enrolment data and degree and course performance data. The VIRTA database is used to compile the data content of UAS registers containing student data, and it provides this content through a data-secure technical interface to the student selection register and the joint student selection services of the universities of applied sciences. The joint data controllers of the VIRTA database are the Ministry of Education and Culture and Metropolia University of Applied Sciences. The Ministry of Education and Culture is responsible for the general operation of the database and for the technical interface used to store, process and disclose data. Metropolia is responsible for the accuracy of the data it stores and the right of the data subjects to rectify their personal data. The Ministry of Education and Culture is responsible for the other obligations of the data controller laid down in the General Data Protection Regulation.

The purpose of the processing of personal data is equally to maintain educational cooperation networks and to implement cross-institutional studies. Cross-international studies refer to the opportunity offered to a university student to complete studies at another university. Cross-international Studies offer higher education institutions a standardized way of making provision available, transferring enrollment, and performance information between higher education institutions.

Lawful basis for the processing of personal data:

The processing of the personal data contained in the Student and Education Data Register of Metropolia University of Applied Sciences is based on:

In the case of the processing of study, personal and contact data, mainly the legal obligation of the data controllers and on the exercise of official authority.

Universities of Applied Sciences Act (932/2014)
Act on the National Registers of Education Records, Qualifications and Degrees (884/2017)
EU General Data Protection Regulation (2016/679)
Data Protection Act (1050/2018)
Act on the Openness of Government Activities (621/1999)
Act on the Protection of Privacy in Working Life (759/2004)
Administrative Procedure Act (434/2003)
Non-discrimination Act (1325/2014)
Degree Regulations of Metropolia University of Applied Sciences
SORA regulations governing ineligibility for studies
Statistics Act (280/2004)
Act on Financial Aid for Students (65/1994)
Unemployment Security Act (1290/2002)
Act on Public Employment and Business Service (916/2012)
Primary Health Care Act (66/1972)
Aliens Act (301/2004)
Archives Act (831/1994)

On consent

Remote monitoring related to online exams:

Special data related to arranging student selections:

In the case of applications to become a student and registration in the student selection register, the processing of personal data included in the register is partly based on the data reported by the applicants concerning their state of health or functioning ability. Data concerning state of health or functioning ability are such data that a person applying to become a student at the university of applied sciences has personally wished to be considered in the arrangements for the student selection. The processing of these data is based on the consent of the data subject under Article 9 of the GDPR, and partly on the exercise of official authority and compliance with the Non-discrimination Act.

Data required by the SORA regulations governing ineligibility for studies that may be collected from students in the Health Care and Social Services degree programmes:

The processing of the personal data included in the register is based on the consent of the data subjects and the exercise of official authority in certain respects in the case of students in the Health Care and Social Services degree programmes who have an opportunity to complete, as part of their studies, a work placement with children and young people.

For the purpose of compliance with the SORA regulations governing ineligibility for studies, students in the Health Care and Social Services degree programmes who have an opportunity to complete a work placement with children and young people as part of their studies will be requested to present to Metropolia’s Student and Admission Services an extract of their criminal record indicating that they have no criminal history that would prevent them from working with children and young people. In this respect, the only information to be recorded in Metropolia’s Student and Education Data Register is that the person has or has not presented an extract of their criminal record. The aim of the SORA regulations governing ineligibility for studies is to improve the safety of education and subsequent working life and to increase opportunities for the providers of education and degrees to intervene if a student is ineligible and if there are safety issues concerning the student. In situations where a student is ineligible for studies, decisions will be made concerning the student as an individual. In such cases, this constitutes an exercise of official authority and decision making concerning the status and situation of the student.

Data concerning photo identity documents required by the HUS hospital district for a work placement:

A certain amount of personal data and a facial photo will be collected from students in the Health Care and Social Services degree programmes who have an opportunity to complete a work placement at one of the HUS Hospital District’s (“HUS”) locations as part of their studies. The processing of these data is based on the consent of the data subjects and partially on the exercise of official authority.

Career guidance

The data subjects in the Student and Education Data Register of Metropolia University of Applied Sciences are the students of Metropolia.

The following personal data will be stored in the Student and Education Data Register:

BASIC INFORMATION AND CONTACT DETAILS OF THE STUDENT

Forenames
Call name
Surname
Former surname
National learner ID
Home institution
Student number
Personal identity code
Date of birth
Gender
User ID
Nationality
Native language
Language used in the studies
Schooling language
Contact details (postal address, phone number, email address)
Home municipality
Municipality of residence
Country of residence
Passport number (if the student is not a Finnish citizen)

STUDY AND DEGREE INFORMATION

Educational classification
Degree programme
Specialisation options
Group
Form of education
Teaching location
Teaching language
Type of studies
Degree
Degree title
Scope of the studies to be completed
Required scope
Previous qualifications
Information on whether the student is present, has graduated or has resigned
Period of the right to study
Maximum terms
Terms spent
Certificate records and qualifications
Funding information
Unit in the organisation
Additional information on the right to study and the role
Permissions concerning the disclosure of data
Possible information on the handling of misconduct in studies

INFORMATION ON THE APPLICANT / APPLICANT INFORMATION RETRIEVED FROM THE OPINTOPOLKU.FI SYSTEM

Student’s personal details (forenames, call name, surname, personal identity code, national learner ID)
Address information
Native language and language used in the studies
Nationality
Information on previous qualifications
Information on the place and education applied for
Information on enrolment and payments
Information related to the permission to publish the results of the student selections

STUDY DATA

Studies (study modules and course)
Course implementations
Personal study plan (PSP) and information related to it;
International student exchange and apprenticeship exchange periods

INFORMATION ON THE SUSPICION OF STUDY MISCONDUCT

Information on the suspicion of study misconduct: time, place, type of misconduct, name of potential course, information on entry exam (if misconduct occurs in the entry exam), information on the thesis (if misconduct has occurred in the thesis)
Potential declarer of misconduct
Potential other parties
Consequences of misconduct

STUDY PERFORMANCE DATA

Studies completed
Assessments of studies and exams
Assessors of studies and exams
Dates of completion
Study modules completed
Progress in the studies
Graduation status

INFORMATION ON THE ARCHIVING OF THE STUDENTS’ STUDY DATA

Information on the archiving of the aforementioned data.

COMMUNICATION DATA RELATED TO THE STUDENTS’ STUDY DATA

Communications regarding studies between the student and the student counsellor and/or lecturer by email or through the OMA/Peppi system.

SPECIAL DATA RELATED TO ARRANGING STUDENT SELECTIONS

To enable special arrangements in student applications and student selections, the applicant may voluntarily disclose information regarding their health or functioning ability.
The UAS may record in the Student Register information on whether an applicant has a health condition, as reported by the applicant, that must be taken into consideration in the student selections or when arranging the selection exam.

DATA REQUIRED BY THE SORA REGULATIONS GOVERNING INELIGIBILITY FOR STUDIES THAT MAY BE COLLECTED FROM STUDENTS IN THE HEALTH CARE AND SOCIAL SERVICES DEGREE PROGRAMMES

For the purpose of compliance with the SORA regulations governing ineligibility for studies, students in the Health Care and Social Services degree programmes who have an opportunity to complete a work placement with children and young people as part of their studies will be requested to present to Metropolia’s Student and Admission Services an extract of their criminal record indicating that they have no criminal history that would prevent them from working with children and young people. In this respect, the only information to be recorded in Metropolia’s Student and Education Data Register is that the person has or has not presented the requested extract of their criminal record. No specific data on crimes and/or convictions will be recorded in Metropolia’s Student and Education Data Register.

DATA CONCERNING PHOTO IDENTITY DOCUMENTS REQUIRED BY THE HUS HOSPITAL DISTRICT FOR A WORK PLACEMENT:

A certain amount of personal data and a facial photo will be collected from students in the Health Care and Social Services degree programmes who have an opportunity to complete a work placement at one of the HUS Hospital District’s (“HUS”) locations as part of their studies. As of 1 January 2020, HUS requires students to present a photo identity card for a work placement to be completed at a HUS location.

Due to this requirement, the following are collected:

Student’s forename
Call name
Surname
Colour photo of the student
Student’s task (e.g. nursing student)
Name and logo of the UAS
Validity of the identity card.

Under a broad interpretation of Article 4.9 of the EU’s General Data Protection Regulation, below is a list of the processors/recipients of personal data to which the data controller “transfers” or “discloses” the personal data it controls for processing (e.g. through a technical interface when maintenance tasks are performed).

The disclosure of data from Metropolia’s Student and Study Register mostly takes place through electronic data transmission connections to the following parties:

Disclosure of student data

In cases prescribed by the law, data are disclosed from the Student and Education Data Register as follows:

• Data are disclosed to the Ministry of Education and Culture to support research, evaluations, development, monitoring and steering. Student, study and degree performance data are disclosed to Statistics Finland, which also forwards data to the Finnish National Agency for Education and the Ministry of Education and Culture (Statistics Act, 280/2004).

• Data are disclosed through the AVOP feedback survey for graduate students to the Ministry of Education and Culture, which coordinates the survey.

• Data are disclosed to the ARVO education impact data service of the Finnish National Agency for Education in the form of responses given in surveys (technical maintenance, however, is provided by CSC – IT Center for Science Ltd.).

• Data on international mobility are disclosed to the Finnish National Agency for Education, the European Union and other potential funders of mobility programmes in order to enable monitoring.

• Data are disclosed to CSC – IT Center for Science Ltd. through the VIRTA system and from VIRTA to the OILI service. VIRTA is a national database for universities of applied sciences (Act on the National Registers of Education Records, Qualifications and Degrees, 884/2017).

• Student and study performance data are disclosed to the Social Insurance Institution (Kela) at its request for the purpose of evaluating student social benefits (study certificate, transcript of records, information on progress in studies) (Act on Financial Aid for Students, 65/1994).

• Data are disclosed to municipalities providing student health care services in accordance with the Primary Health Care Act and to other providers of student health care services under this Act for the purpose of carrying out these duties (Primary Health Care Act (66/1972).

• Data are disclosed to authorities providing labour services, the Social Insurance Institution (Kela) or to unemployment funds for assessing eligibility for labour market support or unemployment benefits (Unemployment Security Act, 1290/2002, and Act on Public Employment and Business Service, 916/2012).

• Data are disclosed to the Finnish Immigration Service and the police at their request for checking residence permits (notification of acceptance as a student, notification of acceptance of a study place, study certificate and transcript of records) (Aliens Act, 301/2004).

• Data are disclosed for the purpose of scientific research (Act on the Openness of Government Activities, 621/1999, and Data Protection Act, 1050/2018). The requester must inform the data controller of the purpose of processing the data and all other details necessary for evaluating whether the data may be disclosed. If necessary, a statement must be provided on how data protection will be arranged.

• The Health Care and Social Services degree programmes of Metropolia transmit degree information and professional qualification information on graduates to the National Supervisory Authority for Welfare and Health (Valvira). Valvira maintains a nationwide register containing information on Finnish health care professionals (Terhikki) for the purpose of verifying and monitoring professional qualifications.

• Metropolia discloses data from its Student and Education Data Register to the METKA Student Union of Metropolia University of Applied Sciences for the maintenance of its membership register.

• Metropolia also discloses data from its Student and Education Data Register to the METKA Student Union for the use of education data on mobile applications and to enable the use of the TUUDO app, and METKA discloses these data to Tuudo Oy. METKA has concluded an agreement with Metropolia under which Metropolia will provide the technical maintenance for METKA’s membership register. The METKA Student Union has given permission to Tuudo Oy to connect the TUUDO service to the METKA membership register for the personal use of membership data by the students.

Additionally, student data are disclosed as follows:

The students may give their consent through the OMA/Peppi interface to the processing of their name and address information. If they wish, the students may give consent to the disclosure of their contact details for the following purposes:

Direct marketing

Even if the student has consented to direct marketing, the data are never disclosed automatically, but after a case-by-case consideration by the administrators of the system. As a general rule, the data are not disclosed.

Marketing of education

Data are disclosed for the purpose of promoting studying to associations and foundations, professional associations and mostly local authorities for mailing information that is intended for:

promoting studies, professional skills or finding work in the student’s profession
enhancing studying or working conditions
promoting the student’s ties to their home region
other purposes supporting studies, such as conducting research, surveys or opinion polls.

Publication of information on graduation

The students may give consent to the publication of information on their graduation. As a general rule, the data are not disclosed.

Internet

The student’s email address is permitted to be included in the People Finder search system on Metropolia’s intranet pages. As a result, users can find the student’s email address on the internal pages of Metropolia if they know the student’s name. If the student has obtained an official order of non-disclosure for personal safety reasons from the Digital and Population Data Services Agency, information on this may be stored in Metropolia’s Student and Education Data Register at the student’s request. The order of non-disclosure for personal safety reasons means that no contact details of the student may be disclosed.

Metropolia complies with good governance and registration practices and requires that a party seeking disclosure of data has an appropriate connection with the target group whose data it is requesting. According to the Data Protection Act, data may only be used for the purpose for which they were disclosed. The user of name and address information must declare where it has obtained these data.

Various group reports printed out of the Student and Education Data Register

(participants in a course, student lists, students in a group, the student’s progress, funding list, students by municipality, course diary, course assessments, performance of the group)

Various group reports printed out of the Student and Education Data Register are deemed to be manual registers.

For this reason, the disclosure of a report printed out from the register is treated as a disclosure of data from a personal data register.

Data system suppliers and service providers

The data in Metropolia’s Student and Education Data Register are processed in various data systems and software. The external system and service providers behind these tools can also be deemed to be recipients of personal data and recipients of regular disclosures from Metropolia’s Student and Education Data Register. Agreements on the processing of personal data in accordance with Article 28 of the GDPR have been concluded centrally by Metropolia with the system suppliers, service providers and partners, because access to the personal data contained in the register will be given through, for example, a technical interface in situations where maintenance tasks need to be performed or faults need to be repaired.

Eduix Ltd. and OMA-/Peppi system and E-lomake (E-form) software

Students must register for some of Metropolia’s implementations, courses, training sessions and events using E-lomake, from which data are transferred to Excel for the purpose of managing participant data and, in the case of courses or modules for which study credits are earned, to the OMA/Peppi system. Similarly, if there are external lecturers for the courses or training sessions, they use E-lomake to provide their personal data for the payment of their fees. The necessary data are transferred to the data systems of the financial administration unit.

Eduix Ltd. and Wihi system (thesis guidance and management system)

Wihi system (thesis guidance and management system) is used for giving guidance and management for Metropolia’s students during their thesis phase. Wihi system is operated on Metropolia’s own server, and it is provided by Eduix Ltd.

Aditro Public Ltd. and Wintime financial administration system (e.g. invoicing of fee-based activities)

All fee-based activities and the invoicing related to them are processed using the Aditro Wintime financial administration system.

Protector insurance online service system

Students are insured for the duration of their studies using the Protector insurance online service system and secure mail.

Innofactor Plc and the Dynasty case and contract management system

Orange Advertising Ltd. and Metropolia’s People Finder search system

Turnitin LLC and Turnitin plagiarism detection system

SOP Hilmbauer & Mauberger GmbH & Co KG and MobilityOnline international mobility management system

CSC – IT Center for Science Ltd. and Adobe Connect online videoconferencing system

Tuudo Ltd. and TUUDO mobile app

Leijonaverkot Ltd. (part of the Erillisverkot Group, formerly Deltagon Group Ltd.) and secure mail (Deltagon’s sec@gw secure mail solution)

Google LLC and Google Suite for Education cloud service

Microsoft Corporation and Microsoft for Education cloud service (Office 365 service package)

Microsoft Corporation and Microsoft Teams online videoconferencing tool

CSC – IT Center for Science Ltd. as a service provider and Zoom online video conferencing tool (Funet Miitti/NORDUnet)

Microsoft Corporation and Metropolia’s email system (part of the Microsoft O365 package, but the email system is operated on Metropolia’s own server)

VIHTA-booking tool

The retention period for personal data collected in Metropolia’s Student and Education Data Register is based on the orders and decisions of the National Archives, the Archives Act (831/1994), the Act on the National Registers of Education Records, Qualifications and Degrees (884/2017) and the archiving plan of Metropolia University of Applied Sciences. Some of the data collected in Metropolia’s Student and Education Data Register are stored for a fixed period of time. Some of the data must be stored permanently based on legislation.

The personal data collected in Metropolia’s Student and Education Data Register are stored as follows:

Study performance that results in credit points:

Study performance that results in credit points is stored permanently. It is stored in Metropolia’s OMA/Peppi data system and also transferred to the national VIRTA database for permanent storage through VIRTA data transfer. All study performance that results in credit points is governed by the Act on the National Registers of Education Records, Qualifications and Degrees.

Special data related to the arrangement of student selections (including health data):

In the case of applications to become a student and registration in the student selection register, the processing of personal data included in the register is partly based on the data reported by the applicants concerning their state of health or functioning ability. Data concerning state of health are such data that a person applying to become a student at the university of applied sciences has personally wished to be considered in the arrangements for the student selection. The processing of these data is based on the consent of the data subject, and partly on the exercise of official authority and partly on compliance with the Non-discrimination Act. They are stored for a maximum of 4 years and they are erased from the register no later than 4 years after they were recorded (processing of sensitive personal data, section 40 of the Universities of Applied Sciences Act, 932/2014).

Written course performance (e.g. exam answers written on paper):

In accordance with the Universities of Applied Sciences Act, Metropolia University of Applied Sciences stores written course performance (e.g. exam answers written on paper) for six months after the results have been published. After this period, the lecturers and the assessors of the performance will shred the paper versions of the performance and/or dispose of them in designated data secure bins.

Other data contained in the Student and Education Data Register:

Other data in Metropolia’s Student and Education Data Register and their retention are governed by the order issued by the National Archives to the universities of applied sciences: Order concerning the permanent retention of data exclusively in a digital format in the data systems of universities of applied sciences (in Finnish: Ammattikorkeakoulujen tietojärjestelmien tietojen pysyvä säilytys yksinomaan sähköisessä muodossa)

The data subjects have the right to receive confirmation from the data controller of whether their personal data are being processed. Furthermore, the data subjects have the right of access to their personal data and the right to inspect their personal data stored in the register and to receive copies of them. Under the GDPR, the data controller must respond to requests by the data subjects to exercise their rights within one month of receiving such a request.

A. Right of access to personal data

The data subjects have the right to check whether their personal data are stored in the personal data register. A data subject may submit a request for information by delivering the data subjects’ information request form, which can be found on Metropolia’s public website and/or Metropolia’s intranet, to one of the three offices of Metropolia’s Student and Admission Services. The form must be filled in carefully, printed and signed personally by the data subject. If the data subject is a member of staff, they can deliver the request form to Metropolia’s Human Resources Management unit. When submitting the request, the data subject must prove their identity in a reliable manner (for example by presenting an official personal identity document or driving licence to the Metropolia employee receiving the request).

The visiting addresses of the offices of Metropolia’s Student and Admission Services are:

Metropolia’s Myllypuro campus

Myllypurontie 1, 00920 Helsinki, Finland

Metropolia’s Arabia campus

Hämeentie 135 D, 00560 Helsinki, Finland

Metropolia’s Myyrmäki campus

Leiritie 1, 01600 Vantaa, Finland

The visiting address of Metropolia’s Human Resources Management unit is:

Metropolia’s Myllypuro campus (Buildings C and D, 5th floor)

Myllypurontie 1, 00920 Helsinki, Finland

All information requests will be forwarded from the offices of Metropolia’s Student and Admission Services and/or the Human Resources Management unit to Metropolia’s Data Protection Officer (email: tuulia.aarnio [at] metropolia.fi (tuulia[dot]aarnio[at]metropolia[dot]fi), tietosuojavastaava [at] metropolia.fi (tietosuojavastaava[at]metropolia[dot]fi)).

Metropolia’s Data Protection Officer will respond to information requests submitted by the data subjects. If necessary, the Data Protection Officer can be requested to provide additional information on progress in the processing of the request or on the content of the response.

B. Right to rectify personal data and to restrict processing

The data subjects have the right to request the data controller to restrict the processing of their personal data in the following cases:

the data subject denies that their personal data are correct (right to rectify personal data), in which case processing will be restricted until the data controller can ascertain that the data are correct;
processing is unlawful and the data subject objects to the erasure of their personal data, instead requesting that the processing of the data be restricted;
the data controller no longer needs the personal data for the purposes of the processing, but the data subject needs them in order to establish, exercise or defend a legal claim.

Such a request for rectifying personal data in a Metropolia personal data register or restricting processing can be submitted in person at any of the above-mentioned offices of Metropolia’s Student and Admission Services or Metropolia’s Human Resources Management unit (staff only), where the data subject must prove their identity in a reliable manner when submitting the request.

C. Right to erase personal data

The data subject has the right to obtain from the controller the erasure of their personal data from a Metropolia register without undue delay if any of the following conditions are met:

the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
the data subject withdraws consent on which processing is based and there is no other lawful basis for processing;
the personal data have been unlawfully processed; or
the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.

Such a request for the erasure of personal data in a Metropolia personal data register can be submitted in person at any of the three above-mentioned offices of Metropolia’s Student and Admission Services or Metropolia’s Human Resources Management unit (staff only), where the data subject must prove their identity in a reliable manner when submitting the request.

D. Right to data portability (transfer of data from one system to another)

Partially applicable. Article 20 of the General Data Protection Regulation introduces a new right of the data subject: the right to receive their personal data in a “structured, commonly used and machine-readable format” and the right to transmit those data to another controller. The purpose of this right is to increase the opportunities available to data subjects to influence their personal data because this facilitates the transfer or copying of personal data from one data system environment to another (to copy them to their own systems, to save the data for their personal use or to begin storing their personal data in systems controlled by reliable third parties). In this respect, the right to data portability from one system to another complements the right of access to one’s personal data.

The right to data portability from one system to another under Article 20 of the General Data Protection Regulation also means that the data subjects have the right to receive their personal data in a structured, commonly used and machine-readable format so that they can easily transfer those data from one system to another system with another controller. The data may be transferred at the data subject’s request directly from one data controller to another if this is technically feasible (section 2 of Article 20). Data controllers are encouraged to develop compatible formats that enable the transfer of data from one system to another, although data controllers are not obliged to accept or maintain data processing systems that are technically feasible.

What is noteworthy about Article 20 of the General Data Protection Regulation is that the right to data portability applies to personal data processing activities that are based on:

- consent of the data subject (in accordance with Article 6(1)(a) or Article 9(2)(a) if the processing concerns special groups of personal data), or

- a contract to which the data subject is a party (in accordance with Article 6(1)(b)).

In other words, Article 20 of the General Data Protection Regulation must be complied with if the lawful basis for the processing of personal data is the consent of the data subject or the execution of a contract. The right only applies to personal data provided by the data subject to the data controller.

A request based on Article 20 of the General Data Protection Regulation can be submitted in person at any of the three above-mentioned offices of Metropolia’s Student and Admission Services or Metropolia’s Human Resources Management unit (staff only), where the data subject must prove their identity in a reliable manner when submitting the request.

E. Right to not be subjected to a personal data breach

The data subject has the right to not be subjected to a personal data breach, as referred to in Article 33 of the EU’s General Data Protection Regulation, due to the data controller’s negligence in data protection and/or data security matters or due to negligence on the part of a data processor used by the controller in data protection and/or data security matters. The data subject has the right to be informed without undue delay if a personal data breach is likely to pose a high risk to the rights and freedoms of natural persons.

General description of the technical and organisational security measures aiming at protecting the personal data of the data subjects and the personal data registers:

The protection of the register has been agreed upon with the system providers. If necessary, the responsibilities have been described in adequate detail in the appropriate agreements.

The employees and other personnel have undertaken to comply with the obligation of secrecy and to keep confidential the information they receive in connection with the personal data processing.

The system providers (personal data processors) undertake to maintain the register and the personal data relating to it in accordance with good data processing practices and comply with the obligation to absolute secrecy and confidentiality.

The data security of the personal data register of the data controllers and the confidentiality of the data contained therein are ensured with appropriate technical and administrative means in accordance with good data processing practices.

The data controllers have restricted user rights and authorisations to data systems, tools and other storage platforms in such a way that they can only be accessed and processed by the persons who are necessary for such processing due to their job duties or position.

The system containing personal data may only be used by employees who are entitled to process personal data due to their job duties and/or position. Such employees will be given the appropriate training for their duties.

Every user of a tool/system must identify themselves with their personal codes, which are issued when the right to access the tool/system is granted. The right of access will expire once the employee resigns or is transferred from the duties for which they were granted the right at Metropolia.

The data are collected in databases that are protected logically and physically.

The databases and their back-up copies are located in locked premises, and the data can only be accessed by certain pre-appointed persons.

Privacy notice: Metropolia’s Student and Education Data Register

Name of the register