University of Jyväskylä emailing lists – Privacy notice

Published

23.8.2023

What should you know about the processing of your personal data?

The University of Jyväskylä collects personal data about you to carry out its duties. You have rights to this data, such as the right to access the data and the right to be sure that it is stored securely and only for the necessary time. Above all, you have the right to know the following:

what information we collect about youand why,
for how long, and where we keep this information, and
to whom we share this information.

All of these points are explained in this privacy notice.

How to find the information you are looking for?

We have created this privacy notice to be as easy as possible to use and understand. That is why you will find the key points summarised under each section. If you are interested in knowing more, please follow the links in the sections or contact the data protection officer of the University of Jyväskylä.

Contact the data protection officer

Why we process your personal data?

We process personal data in order to maintain and manage email lists that support the activities of the University of Jyväskylä. This includes communication with students, staff, and other stakeholders involved in the activities of the University of Jyväskylä. In addition, personal data is processed to ensure information security and the proper functioning of the service.

Email lists may not be used for electronic direct marketing unless the list owner obtains the data subject's informed, voluntary, and unambiguous consent to the processing of personal data. The list owner is responsible for documenting consent.

The University of Jyväskylä may, in exceptional cases, act as a processor of personal data if it maintains an email list on behalf of another controller. The controller is responsible for the lawfulness of the processing of personal data and for informing the data subjects.

What data we process and how long?

What personal data do we process and for how long?

We process the following personal data: name, email address, and information about the employer, if the email address reveals it. In addition, any contact or other personal data contained in the messages themselves and their attachments may be processed.

To ensure the functionality of the service, Microsoft collects technical diagnostic data from M365 Groups email lists, such as features used, error conditions, and device environment information. Data collection is based on Microsoft's privacy practices and does not include content data such as messages or files. The organization can control the scope of data collection through settings. For more information, see https://www.microsoft.com/fi-fi/privacy/data-collection-office. The University of Jyväskylä does not allow the collection of optional data by default. Only mandatory data necessary for the functioning of the M365 service is transmitted to Microsoft. When investigating a malfunction, the University of Jyväskylä may grant Microsoft limited access to other data for a limited period of time.

The data is stored for as long as the email list is active and related to the university's activities. The activity of the email list is determined by asking the list owner once a year in the fall. If the list owner does not respond to the activity query, the list will be archived. Ninety days after archiving, the list will be deleted, and the messages on the list will be removed from Microsoft's service. You can also opt-out of the list.

If the last owner of the list leaves the group and no new owner can be appointed, the M365 Groups email list will be deleted without separate notification.

Email lists may not be used for direct marketing without the prior consent (opt-in) of the registered person, and special categories of personal data may not be processed on the list.

The data subject's information is obtained from the data subject themselves or from the university's registers. Representatives of companies and organizations: personal data may also be stored from public sources, such as websites, if there are appropriate grounds for doing so. The data subject has the right to opt out of the list.

What personal data may not be processed on the list?

Special categories of personal data.

Special categories of personal data refer to personal data that reveal, for example:

racial or ethnic origin
political opinions
religious or philosophical beliefs
trade union membership
genetic data
biometric data for the purpose of uniquely identifying a natural person
data concerning health
data concerning a natural person's sex life or sexual orientation

The processing of this data is prohibited on M365 Groups email lists. Email lists may not be used to send, store, or process such data. If you are unsure whether certain data falls into a special category of personal data, please contact the data protection officer before sending the message.

What rights you have and how to exercise them?

You have the following rights:

Right to access your data.
Right to have any incorrect information corrected.
Right to have your data erased (right to be forgotten), in certain situations.
Right to restrict processing.
Right to have the responsible unit inform the party to which your data is disclosed of your data being corrected, erased, or the processing being restricted.
Right to object processing, e.g. direct marketing.
Right to have your data transferred from one system to another, when processing is based on an agreement or your consent.
Right to be notified of any information security breaches resulting in a high risk.
Right to file a complaint with the supervisory authority.

You can exercise your rights by sending a request to the university's Registry Office. You can use the form on the Registry Office's website or send your request informally.

Get to know your rights

Use the form of the Registry Office

Send an informal request to the Registry Office

Who can access your personal data?

At the university, your personal data is processed by employees whose duties include the processing of personal data.

In addition, the service providers we use have access to your personal data in their capacity as data processors. However, service providers do not actively process personal data, but they have access to personal data for maintenance purposes.

Email lists are created in Microsoft's (processor) O365 service. Microsoft Ltd. acts as a personal data processor.

To whom we transfer your data?

Personal data may be transferred outside the EU/EEA in connection with system logs or support requests. For the latest information on data transfers, please visit Microsoft's website: https://www.microsoft.com/fi-fi/privacy The transfer is based on the adequacy decision between the European Commission and the United States and the Commission's model contractual clauses.

On what basis we process your personal data?

We process your personal data based on legal grounds, agreements, or your consent. If you want to dive deeper into our legal bases, such as the relevant legal provisions, you can find more information through the menu below.

The basis for the processing of personal data is the task carried out in the public interest in accordance with Article 6(1)(e) of the General Data Protection Regulation (Section 2 of the Universities Act (2009/558)). Stakeholder data: includes persons whose position or role (and their management in public administration, business, organization activities, or other similar activities) is such that they act as experts, partners, visiting lecturers, or in other similar roles in the university's activities.

Email lists are maintained and personal data is processed on the basis of the controller's legitimate interest 6(1) (f). Controller's balancing test (available only in Finnish).

Task in the public interest (Data Protection Act, Section 4), when university employees use the email list to perform tasks belonging to the university.

Fulfillment of the controller's legal obligations or tasks in the public interest (Public Administration Information Management Act, Sections 15–17). Ensuring information security: ensuring the security of data, managing access rights, and collecting log data.

How to contact us?

If you want more information about the processing of your personal data, do not hesitate to contact our data protection officer via email or phone (+358 40 805 3297).

Contact our data protection officer

Contact information of unit

Digital Services

Service requests primarily HelpJYU service portal - all service and support requests, as well as Digital Services guides.
Service point B315 (B-building, 3rd floor.) Jyväskylä University Library Lähde - follow the signs to the HelpJYU service point (Mon-Fri 10-14).
By phone 029 441 8030 (Mon-Fri 9-15)

If you want to exercise your rights (withdraw your consent for example) you can contact the Registry Office by email:

Send a request to the Registry Office