Privacy notice for students

This notice provides information about the processing of the personal data of training applicants, students and students’ guardians

Controller

Careeria Oy, Perämiehentie 6, 06100 Porvoo, Finland

  • Controller’s Contact Person: Rector, CEO Pasi Kankare
  • Data File Manager: Expert Frank Backman
  • Data Protection Officer: Joonatan Saarinko, tietosuoja@careeria.fi

The Data File Manager is responsible for data subjects’ inquiries on topics such as gaining access to their data or rectifying errors. For any issues related to data protection, you may contact tietosuoja@careeria.fi. When a data subject asks for a review of their personal data, rectification of errors or other rights of the data subject, formal identification is always required.

Why are we processing personal data and what is the legal basis of processing?

We process the personal data of students for the purpose of planning, implementing, assessing and monitoring our operations in accordance with the task assigned to us by the Finnish National Agency for Education. We also process personal data to protect the rights and benefits of our students.

The data files are used to maintain information related to our students’ progress in studies, completion of degrees and assessment. Contact information is collected to communicate with applicants, students and guardians. Statistical data are retrieved from the student administration system for statutory surveys and data transfers.

We process data for the following purposes:

  • Creating necessary user IDs for students
  • Administering loaned laptops for students
  • Managing applicants and students admitted to and enrolled in degree programmes and training
  • Preparing students’ personal competence development plans and documenting their implementation
  • Ensuring that the rights and benefits of students are upheld
  • Managing the issues of under-aged students (guardians’ information)
  • Ensuring the quality of studies (e.g. reasons for dropping out of education)
  • Providing students with further guidance after the completion of qualifications
  • Protecting the property of Careeria (camera surveillance)
  • Preventing crime and supporting the investigation of offences (camera surveillance)
  • Ensuring and increasing the safety of students (camera surveillance)
  • Demonstrating compliance with the rights of data subjects under the provisions laid down in the EU’s General Data Protection Regulation
  • Implementing high-quality user experiences (e.g. user assistance to website visitors with a chat feature) (only with the user’s consent)
  • Developing marketing and image based on recommendations (only with the user’s consent)

We also disclose data to various authorities, which are the Finnish National Agency for Education’s KOSKI Service, employment administration, National Supervisory Authority for Welfare and Health and parties granting various certificates, including the Centre for Occupational Safety, Finnish Red Cross and Finnish National Rescue Association SPEK.

The legal basis of our right to process personal data as a controller:

  • Compliance with a legal obligation (Article 6.1 c of the General Data Protection Regulation)
  • The legitimate interests pursued by the controller (Article 6.1 f of the General Data Protection Regulation)
    • The legitimate interests include the protection of property, investigation of misconduct and exceptional circumstances and aiding of criminal investigation
  • The data subject’s consent in specific situations (Article 6.1 c of the General Data Protection Regulation)

Which personal data do we process?

Careeria shall only process data relevant to the management of tasks. They include:

  • Applicants
    • Individualized data
    • Contact details
    • Health-related data (only with the applicant’s consent)
    • Previous education
    • Work experience
    • Basic information on the programme to which the person applied
    • Data concerning the processing of the application
    • Guardian’s contact details
    • Entries related to SORA legislation
    • Footage from surveillance area cameras
  • Students
    • Individualized data
    • Contact details
    • Personal competence development plans
    • Study and employment history
    • Information about degree programme or training to be completed
    • Information related to financing the studies
    • Choices related to the method of completion of a degree programme and the content of studies
    • Information related to the right to study status
    • Information related to assessments
    • Information related to completed studies
    • Guardians’ contact details
    • Information related to user IDs
    • Possible information on diet/allergies related to a meal subsidy
    • Entries related to special support, including health data, if applicable
    • Entries related to SORA legislation
    • Photograph (only with the student’s consent)
    • Footage from surveillance area cameras
    • Other data strongly related to studies for the purpose of supporting studies, including coping, financial issues, welfare (only based on separate consent)
    • Reasons for withdrawing from studies (only based on separate consent)
    • Photographs and text-based posts on Careeria’s social media channels (only based on the student’s explicit consent)
  • Guardians
    • Name
    • Address
    • Email address
    • Telephone number

How long will we store personal data?

The data will be stored and destroyed based on Careeria’s filing plan. The storage periods determined in the plan are based on legislation and the regulations of the National Archives on permanently stored documents. There are various storage periods for vocational education and training documents, and some data are stored permanently.

  • Footage from camera surveillance will not be stored for more than 30 days after its capture unless there is a special reason for longer storage, such as an ongoing investigation of a suspected offence.
  • The data of an information request concerning the rights of the data subject will be stored for the period of validity of the controller’s obligation to demonstrate compliance with EU GDPR or other legislation.
  • The data in the recommendations given based on consent will be stored for as long as the recommendation is deemed valid for Careeria.

Where do we obtain personal data?

Careeria receives students’ data from the following sources:

  • Applicants
    • The Studyinfo service of the Finnish National Agency for Education for those applying for education in the joint application process and the application for preparatory education for an upper secondary qualification (VALMA)
    • Applications and applicants
    • Other education providers
    • Employment administration
    • Companies
    • Cameras in the surveillance area
  • Students:
    • Data transferred from the Studyinfo service in the joint application process
    • Students themselves
    • Guardians
    • Applicants’ upper comprehensive schools
    • Companies
    • Cameras in the surveillance area
  • Guardians:
    • Guardians or students themselves

Where is the personal data disclosed and transferred?

  • The data are regularly disclosed to the KOSKI Service of the Finnish National Agency for Education.
  • Parties granting various certificates, including the Centre for Occupational Safety, Finnish Red Cross and Finnish National Rescue Association (SPEK).
  • The data may be disclosed to the police authority for the assessment of a threat to a person’s life or health.
  • The data in the camera surveillance data file may only be disclosed to the police or other competent authority requesting the individualised data for a purpose laid down in valid legislation.

Data from the KOSKI Service of the Finnish National Agency for Education is transferred to various parties if necessary. For more information about the data protection of the KOSKI Service, see: https://opintopolku.fi/konfo/fi/sivu/koski-palvelun-tietosuojaseloste 

Based on a separate request, data may be disclosed:

  • To immigration authorities and police authorities for the purpose of checking the validity of residence permit
  • For scientific research (in which case the party requesting the data must provide information about the intended use of the data and other factors relevant for determining whether the conditions for data disclosure are met. If necessary, the party must detail how it intends to ensure data protection.)

Students may give their consent for the use of their name and address details using the students and study information system for the following purposes:

Direct marketing:

Even when the student gives their permission for direct marketing, the disclosure of data will not automatically take place, but case-by-case discretion is exercised by the persons in charge of the system. As a rule, data will not be disclosed for this purpose.

Transfer of data outside the EU or EEA?

As a rule, the data shall not be transferred outside the European Union or European Economic Area. Certain companies processing personal data, such as companies producing Careeria’s IT services, transfer data outside the European Economic Area. Any transfer of personal data outside the European Economic Area will comply with the requirements set in the GDPR, for example using the standard data protection clauses adopted by the Commission.

How do we protect personal data?

In processing the data contained in the data file, we make sure that the privacy of students will not be compromised without adequate justification. The processing of personal data shall comply with data protection legislation as well as Careeria’s instructions on information security and data protection. Personal data may be accessed only by those who need it for the performance of their tasks.

Manual data

  • Paper documents shall be stored in a locked cabinet that may only be accessed by those who need to process the data as a part of their work tasks. The data are stored as required by public organisations.
  • Any documents containing personal data shall be destroyed using an appropriate data-secure container.

Electronically processed data

  • The register may only be used by those employees of the controller who need to process the data as a part of their work tasks. The persons processing the data are bound by secrecy and non-disclosure obligations. The secrecy and non-disclosure obligations also continue after the termination of the person’s employment relationship.
  • Data file users are identified based on their ID and password and the information system is protected with the necessary solutions related to network and device technology.
  • The device used for storing camera surveillance footage is located in a locked space.

The rights of the data subject

A data request concerning the rights of the data subject may be submitted using the electronic form on the Careeria website. To submit the request, the person must identify themselves. Under exceptional circumstances, in which the electronic form is inaccessible for some reason, the request may be made with some other medium. In such situations, you may contact tietosuoja@careeria.fi.

Right of access

Data subjects have the right to know which of their personal data has been stored in the data file. Data subjects also have the right to know if the data file does not contain their personal data.

Rectification

Any personal data contained in the data file that is erroneous, unnecessary, inadequate or expired from the perspective of the purpose of processing must be rectified, deleted or supplemented. The data shall be rectified without delay. The person providing the erroneous data or to whom the data were disclosed will be informed about the rectification. If a request for rectification is rejected, the Data File Manager shall submit a written certificate stating the reasons for rejecting the request. The party concerned may submit the rejection to the Data Protection Ombudsman for decision.

The right to erasure, restriction of processing and the right to object to the processing of personal data and automated individual decision-making

The right of the data subject to erasure of personal data under Article 17 of the GDPR does not apply to personal data based on tasks laid down in legislation. The data subject has the right to the erasure of personal data based on consent.

In certain situations, the data subject has the right to obtain from the controller restriction of processing. The right is valid when the accuracy of the personal data is contested by the data subject, for instance. The data may continue to be stored but may not be processed without the consent of the data subject.

The data from the system shall not be disclosed for the purposes of direct advertising, distance sales and other forms of direct marketing or for market surveys, opinion polls, dossiers or genealogy. There is thus no separate need for implementing the data subject’s right of restriction of processing of the above data for these reasons. The right to restriction of processing does not apply to the statutory processing of data.

Data subjects also have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. However, this prohibition shall not apply if the processing is based on the data subject’s explicit consent or if it is necessary for entering into or performing a contract between the data subject and the data controller.

The Data Protection Officer is the contact person for inquiries related to the rights of the data subject.

The data subject has the right to lodge a complaint with the data protection authority (Data Protection Ombudsman).

Data Protection Officer Joonatan Saarinko, tietosuoja@careeria.fi