12.06.2018

University online payment service

University of Jyväskylä, Financial Services, privacy notice

For what purposes do we process personal data and what are the legal grounds for processing?

The online payment service is used for the management of order and payment transactions related to the online payment services of the University of Jyväskylä. Through the service, customers can purchase products from the online shop, top up their printing or copying balance, pay for sports or event fees, purchase an application or make other online payments.

Processing is needed in order to implement agreements to which the data subject is a party or to take steps prior to entering into an agreement as requested by the data subject (article 6.1(b) of the EU General Data Protection Regulation (GDPR, 679/2016). 

What type of personal data do we process?         

The personal data required for the service is obtained directly from payers. Personal data includes the name of the organisation or background organisation, any VAT code or business ID of the organisation, name, personal identity code (requested only for registration and payment transactions, for which the explicit authentication of customers is necessary), email address, postal address, telephone number, information about processed orders and order tracking, information about the payment method, Posti's tracking information and the customer's consent to or refusal to receiving marketing material. 

Who can access your personal data?

Personal data is processed by employees of university services of the University of Jyväskylä who carry out tasks related to online payments.

No personal data is transferred or disclosed to third parties for processing.

Is your personal data transferred outside the EU/EEA and how is data protected during transfers?

No personal data is transferred outside the EU/EEA.

For how long do we process your personal data and do we archive your data?

No data is disclosed. Data processors are employees of the University of Jyväskylä.

Defined periods for erasing data groups are the same as those for retaining data in the accounting system, i.e. six years starting from the end of the year, during which the financial period closes.

Exercising the right of refusal

You have the right to refuse the processing of your personal data, insofar as processing is based on the legitimate interests of the data controller, or you can withdraw your consent when processing is based on consent (marketing). You can refuse the processing of your personal data or withdraw your consent by sending an email to the registry office of the University of Jyväskylä (kirjaamo@jyu.fi). Withdrawing consent has no impact on any processing carried out before you withdrew your consent.

What rights do you have as a data subject?

You have the following rights as a data subject:

  • Right to access your data
  • Right to have any incorrect data rectified (remember to keep your contact information up to date)
  • Right to have your data erased (right to be forgotten) in certain situations
  • Right to restrict processing in certain situations
  • Right to have the unit responsible for the register notifying the party to which data is disclosed of your personal data being rectified or erased or of processing being restricted
  • Right to object to processing in certain situations, such as in direct marketing
  • Right to have your data transferred from one system to another in certain situations
  • Right not to be subject to a decision that is based merely on automated processing, such as profiling, and that has legal impact on you or that has a similar significant impact on you
  • Right to obtain information about any information security breaches resulting in a high risk
  • Right to file a complaint with the supervisory authority

If you have any questions about your rights, please contact the data protection officer of the University of Jyväskylä or the contact person in register-related matters.

How can you exercise your rights?

The University of Jyväskylä has general guidelines on how data subjects can exercise their rights.

General description of technical and organisational protection

Access rights to the online payment service have been divided into different levels using views that limit the visibility of different types of data in accordance with the purpose of use of each online payment service. In addition, system administrators in an employment relationship with the University of Jyväskylä have access to data contained by the online payment service. Each access right has a personal username and password. Data is stored in a physically locked facility behind firewalls in the data centre of the University of Jyväskylä.

 

Contact information

Data controller

The University of Jyväskylä acts as the data controller and Financial Services is the unit responsible for processing personal data.

Contact information of the responsible unit:

Kari Jaakonaho, Financial Services, P.O. Box 35, 40014 Jyväskylä University

+358 50 591 9515

 Contact information of the data protection officer of the University of Jyväskylä

tietosuoja@jyu.fi, +358 40 805 3297 

This privacy notice was published and sent to data subjects starting from 25 May 2018.