Case register
Information to the data subject in accordance with the EU General Data Protection Regulation (2016/679) articles 13-14.
1. Controller
Arcada University of Applied Sciences Ltd
Jan-Magnus Janssonin aukio 1
00560 Helsinki
Business ID: 2553871-2
2. The controller’s representative
Adminstrative and HR director Susanne Homén-Lindberg
Tel. 0294 282 609
E-mail address in the format E-mail: firstname.surname
3. Contact person for the register
Information management specialist Heidi Träskelin
Tel. 050 302 23 84
E-mail address in the format E-mail: firstname.surname
4. Data protection officer
Data Protection Officer, Legal Counsel Anna Härmä
Tel. 0294 282 888
E-mail address E-mail: dataprotection
5. Purposes of processing personal data
The purpose of processing personal data in the register is to enable the management of the organisation's matters and documents, decision-making in official activities, information services and the electronic storage of documents. Personal data is used to identify the principals and the matters and documents being processed. The contact information register is used to manage the contact information of contracting parties.
According to section 25 of the Act on Information Management in Public Administration (906/2019), the university is obliged to maintain a case register of cases that it processes or has processed.
6. Legal basis for processing personal data
The processing of personal data is based, depending on the case in question, on
- the consent of the data subject;
- a contract;
- the controller's legal obligation;
- a task carried out in the public interest or the exercise of public authority; or
- the legitimate interests of the controller or a third party.
7. Categories of personal data and the duration of storage
The case management system processes personal data of varying nature depending on the case in question.
The data is stored in accordance with the retention periods defined in Arcada University of Applied Sciences' information management plan (TOS). The retention periods for the university's documents have been defined in accordance with current legislation, the National Archives' regulations and the recommendations of the Information Management Board. A document whose retention period has expired is destroyed without delay, taking into account data security.
8. IT systems used when processing personal data
Case Managenment System Dynasty 10.3, Information Management System TOJ, Digital Archive
9. Data sources
The case management system collects information from incoming and outgoing documents and information on the handling of the case. Sources can be, for example, the initiators of a case, parties to a case, applicants, partners and stakeholders or other public authorities.
10. Recipients of the personal data
Data from the register is only disclosed on the basis of a law or an official decision.
11. Transfer of personal data outside the EU and the EEA and the basis for the transfer
Personal data is not regularly transferred outside the EU or the EEA without the data subject’s consent.
12. Principles for the protection of personal data
Material in electronic format is stored in IT systems and on computers protected from unauthorized use with security measures including firewalls and passwords. The systems have different user levels, and users are granted access to the data only to the extent the user’s work tasks require.
13. Automated decision-making
Automated decisions and profiling are not made based on personal data within the register.
14. The data subject’s rights
Information about the data subject's rights can be found here.