21.06.2018

Personal data about the members of the staff of the University of Jyväskylä

Staff of the JYU, HR Services, privacy notice.

For what purposes do we process personal data and what are the legal grounds for processing?

The purpose of processing personal data about the members of the staff of the University of Jyväskylä is to pay salaries, fees, grants and compensation for travel and general expenses, plan, maintain and monitor staff, salary and employment matters, compile statistics, carry out the employer's statutory tasks and provide customer service for HR management. Another purpose is to carry out the employer's voluntary tasks, such as matters related to the international mobility of staff, competence development and wellbeing at work.

The following data about the staff is saved:

  • Basic personal data, such as name, date of birth, personal identity code, contact information, ID number, organisation
  • Employment information
  • Payment information
  • Performance appraisal information
  • Holiday and absence information
  • Information related to evaluations in the university salary system (YPJ)
  • Travel management information
  • Work plan information
  • Information related to working hours allocation and costing
  • Information related to working hours monitoring and access control
  • Facility management information

Legal grounds for processing:

Article 6.1(c) of the EU General Data Protection Regulation (GDPR): processing is necessary for compliance with a legal obligation to which the controller is subject.

Article 6.1(b) of the GDPR: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Article 6.1(f) of the GDPR: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Processing is based on legitimate interests when there is a meaningful and proper relationship between the data controller and data subject, e.g. the data subject is employed by the data controller.

Article 6.1(a) of the GDPR: the data subject has given consent to processing. In exceptional cases, processing can also be based on the data subject's consent in the case of voluntary recreational or other similar events that are not directly related to the data subject's work-related tasks or the employer's obligations.

Article 6.1(d) of the GDPR: processing is necessary in order to protect the vital interests of the data subject or of another natural person. This can, in exceptional cases, form the basis of processing if, for example, an employee is injured on the premises and his/her personal data is disclosed to the medical staff.

The compilation of statistics is based on article 6.1(e) of the GDPR and the national data protection legislation (section 4).

Who can access your personal data?

Your personal data can only be processed by individuals who need to process your personal data in their work-related tasks. Access to your personal data is protected by means of usernames, passwords and user roles in protected data communications and data networks. Paper documents and printouts are stored in locked facilities and lockers.

Personal data is transferred within the university to the following systems:

  • Travel management system
  • Work planning system
  • Working hours allocation and costing system
  • Working hours monitoring and access control system
  • User and identity management system
  • Data warehouse
  • Facility management system
  • ID card printing system
  • The European Commission's MobilityTool reporting system
  • Facility service request system

Instructions on how to process personal data have been given to members of the staff, and they are trained to identify and prevent any risks associated with registered data.

The data controller is also responsible for the processing of personal data when it has outsourced the processing of personal data to a processor referred to in the GDPR. The University of Jyväskylä has outsourced payroll accounting to Certia. In addition, the suppliers of the work plan system (Solenovo Oy), the working hours monitoring and access control system (Prevent 360 Turvallisuuspalvelut Oy), the facility management system (Rapal Oy), and the service request system (Buildercom Oy) have access to data by means of technical maintenance. The data processing agreements required have been signed with system suppliers. The content and scope of the agreements vary according to the personal data being processed and the extent of processing.

Disclosure of personal data

The University of Jyväskylä only discloses your data to parties that have a legal right to obtain data for purposes defined in the legislation, that require data for carrying out necessary tasks related to employment and employer matters or that are entitled to obtain data on the basis of consent.

Personal data is disclosed to the following parties outside the university:

  • Employment pension insurance companies
  • Accident insurance company
  • Tax administration
  • Employee associations
  • Banks
  • Occupational healthcare services
  • The Social Insurance Institution of Finland
  • TE Centre
  • Travel agency
  • The Finnish Immigration Service
  • Consultants providing expert services for employer support in Finland and other countries
  • The Confederation of Finnish Industries/the Association of Finnish Independent Education Employers
  • Statistics Finland
  • The Ministry of Education and Culture
  • Project financiers
  • Auditors
  • Employment services of the City of Jyväskylä (rehabilitative employment activities)
  • Authorities
  • Mobility project financiers (European Commission or the Finnish National Agency for Education) and the national office of the Erasmus+ programme (the Finnish National Agency for Education)
  • Universities or other organisations hosting teacher or staff visits
  • Providers of staff training
  • Property maintenance company for processing service requests

Is your personal data transferred outside the EU/EEA and how is data protected during transfers?

Data is only transferred outside the EU/EEA in situations where the employer's obligations towards an employee must be carried out outside Finland on the basis of the tax legislation of Finland or the other country, a tax agreement between Finland and the other country, the pension or social security regulations of the EU or the other country or social security agreements between Finland and the other country, or in situations where an employee has applied for funding to travel to a country outside the EU/EEA (global Erasmus+ mobility, Finnish-Russian Student & Teacher Exchange).

For how long do we process your personal data and do we archive your data?

Your personal data is processed for as long as is necessary in order to carry out tasks related to employment and employer activities. Archiving follows the guidelines set for storage periods in the data control plan of the University of Jyväskylä. Some data is archived in the registry office of the University of Jyväskylä, while some data is provided with identification data and archived in the archiving system.

Examples of the storage periods set out in the archiving plan (future data control plan):

  • Personal data form: 1 year
  • Employment contract: 50 years
  • Job certificates: 10 years
  • Tax card: validity period
  • Absence applications, sick leave: 2 years
  • Other absence applications: 10 years
  • Pension matters: 10 years
  • Medical certificates: 1 year (alternative civilian service: 6 months; certificates related to occupational accidents: 20 years)
  • Resignation notices: 10 years
  • Travel expense reports: 20 years
  • Work plans: 5 years
  • Matters related to annual holidays, saved and holiday pay leave: 10 years
  • Evaluation of job requirement level and personal evaluation of performance: 13 years
  • Working hours monitoring and access control reports: 10 years
  • Payslips: 50 years
  • Statements of employee association membership fees: validity period

Information about working hours allocations is stored in accordance with the storage periods set by financial management, and electronic data and documents related to the Aliens Act are stored in accordance with the Aliens Act. Forms related to staff mobility under the Erasmus+ programme must be stored for five years as required by the financier. Application forms for travel funding intended for internal use must be stored for two years.

What rights do you have as a data subject?

You have the following rights as a data subject:

  • Right to access your data
  • Right to have any incorrect data rectified (remember to keep your contact information up to date)
  • Right to have your data erased (right to be forgotten) if the processing of personal data is based on consent or an agreement
  • Right to restrict processing in certain situations
  • Right to have the unit responsible for the register notify the party to which data is disclosed that your personal data has been rectified or erased or that processing has been restricted
  • Right to object to processing if processing is based on the data controller's legitimate interests
  • Right to have your data transferred from one system to another if processing is based on consent or an agreement and is automated
  • Right not to be subject to a decision that is based merely on automated processing, such as profiling, and that has a legal impact on you or a similarly significant impact on you
  • Right to obtain information about any information security breaches resulting in a high risk
  • Right to file a complaint with the supervisory authority

If you have any questions about your rights, please contact the data protection officer of the University of Jyväskylä or the contact person in register-related matters.

How can you exercise your rights?

The University of Jyväskylä has general guidelines on how data subjects can exercise their rights.

General description of technical and organisational protection

The University of Jyväskylä, as the data controller, uses proper technical and organisational means to protect personal data against unauthorised or unlawful processing or the destruction or loss of personal data.

Contact information

Data controller

The University of Jyväskylä acts as the data controller and HR Services is the unit responsible for processing personal data.

Contact information of the responsible unit:

Contact persons in matters related to the HR register of the University of Jyväskylä are Jouni Valjakka, director of HR, jouni.valjakka(at)jyu.fi and Sirkka Aho-Laitinen, HR specialist, sirkka.m.aho-laitinen(at)jyu.fi.

Contact information of the data protection officer of the University of Jyväskylä

tietosuoja@jyu.fi, +358 40 805 3297 

This privacy notice was published and sent to data subjects starting from 25 May 2018.