Move to content

Privacy statement of Senate Group’s e-learning and skills development network environment

1. Data controllers and contact information

Senate Properties and Defence Properties Finland

Senate Properties: Lintulahdenkatu 5 A, P.O.Box 237, 00531 Helsinki, Finland
E-mail: kirjaamo(at)senaatti.fi

Defence Properties Finland: Isoympyräkatu 10, P.O.Box 1, 49401 Hamina, Finland
E-mail: kirjaamo(at)puolustuskiinteistot.fi

Tel: +358 294 830 000

Data Protection Officer Petri Konttinen, firstname.lastname(at)senaatti.fi

2. Purpose of the processing of personal data and
the legal basis for the processing

The purpose of processing personal data is to train the personnel and service providers of Senate Properties and Defence Properties Finland, as well as to collect information on the skills and training completed by the persons concerned. Senate Properties and Defence Properties Finland are joint controllers within the meaning of Article 26 of the EU’s General Data Protection Regulation (GDPR) with regard to the processing of personal data described in this statement. Processing of data is necessary for the performance of tasks carried out by the controllers on the public interest (GDPR Article 6.1(e)). In the case of own Group employees, the processing may also be necessary for the performance of a contract to which the data subject is a party (GDPR Article 6.1(b).

3. Processed personal data and groups of data subjects

The register collects information on the Group’s personnel and service providers.

The register contains the following information about Group employees:

  • first name
  • last name
  • user ID
  • Entra user ID
  • email address
  • unit
  • job title
  • unincorporated state enterprise
  • language
  • end of employment (termination date)
  • ID creation date.

The register contains the following information about employees of service providers:

  • name
  • user ID (email)
  • authority/clearance level
  • company name and/or business ID
  • login method
  • ID creation date
  • strong authentication.

Courses completed by Group employees are recorded in the Group’s HR system. Users can edit their own selected personal data.

4. Regular data sources

Data on the Group’s employees is obtained from the Group’s HR system. Stakeholders mostly use strong authentication to log in to the system. If this is not possible for someone, they will be sent a link to a login form, which they can use to create a username and password and then log in. Users log in to the system with a username (which is their email address) and password.

5. Recipients or categories of recipients of the personal data

Access to personal data is granted to the Group’s administrators, persons in the role of system trainers, and the Group’s service providers, who carry out system maintenance and support tasks on behalf of the controllers. Data may be disclosed to other parties if the recipient has a legal right to receive personal data.

6. Data transfers outside the EU or EEA

Data is not transferred to outside of the EU or EEA.

7. Security of personal data

Senate Group ensures the secure processing of data by ensuring technical and administrative requirements through audits, inspections and risk management. The requirements are assessed for all information systems of the controller, as well as for their service providers, at the required risk management level. Data is encrypted using strong encryption methods, or pseudonymised by excluding unnecessary personal data that could identify the individual. The continued confidentiality, integrity, availability and fault-tolerance of information systems and services are ensured through back-ups and regular security audits, as well as appropriate software and security updates. Procedures to regularly test, examine and evaluate the security of information systems and services are part of the Senate Group’s continuous improvement process.

The Group’s administrators, as well as the administrators of the service provider responsible for maintaining the system, have access to all information in the system. In other respects, access to information is granted on an exam-by-exam basis, so that people in the role of teachers can see the information related to their courses.

8. Data retention period and the principles for determining it

The user data of controllers is deleted from the learning environment 365 days after the termination of their employment relationship. The user data of stakeholders is deleted after 5 years.

9. Rights of the data subjects

Data subjects may exercise their rights under the General Data Protection Regulation in the following matters:

  • The right to access personal data (to be informed about the processing of their personal data)
  • The right to withdraw consent for the processing of personal data in full, if the consent was given solely for direct marketing purposes.
  • The right to correct their own personal data
  • The right to erasure of their own personal data
  • The right to restrict processing of their own personal data
  • The right to object to the processing of their own personal data, and to object marketing communication
  • The right not to be unconsciously subject to a decision based on automated processing.

The controller shall provide information on action taken on request under Articles 15 to 22 of the GDPR to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by a further two months where necessary, taking into account the complexity and number of requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject (Article 12.3 of the GDPR).

The data subject also has the right to lodge a complaint with the Data Protection Ombudsman acting as a supervisory authority.

Give feedback