Move to content

Privacy statement of Senate Group’s e-learning and skills development network environment

1. Data controllers and contact information

Senate Properties and Defence Properties Finland

Senate Properties: Lintulahdenkatu 5 A, P.O.Box 237, 00531 Helsinki, Finland
E-mail: kirjaamo(at)senaatti.fi

Defence Properties Finland: Isoympyräkatu 10, P.O.Box 1, 49401 Hamina, Finland
E-mail: kirjaamo(at)puolustuskiinteistot.fi

Tel: +358 294 830 000

Data Protection Officer Petri Konttinen, firstname.lastname(at)senaatti.fi

2. Purpose of the processing of personal data and
the legal basis for the processing

The purpose of processing personal data is to train the personnel and service providers of Senate Properties and Defence Properties Finland, as well as to collect information on the skills and training completed by the persons concerned. Senate Properties and Defence Properties Finland are joint controllers within the meaning of Article 26 of the EU’s General Data Protection Regulation (GDPR) with regard to the processing of personal data described in this statement. Processing of data is necessary for the performance of tasks carried out by the controllers on the public interest (GDPR Article 6.1(e)). In the case of own Group employees, the processing may also be necessary for the performance of a contract to which the data subject is a party (GDPR Article 6.1(b).

3. Processed personal data and groups of data subjects

The register collects information on the Group’s personnel and service providers (persons who have a user account for it and those who do not have a user account). If a person does not use the system with their own account, their supervisor will record their personal data.

The register contains information on individuals according to the following grouping:

  • name (everyone)
  • user ID
  • Group employees have a unique personal identification number
  • country
  • locality
  • email address (persons who have a personal user ID)
  • organisation (everyone)
  • dates of course completion
  • time of first login (users with an ID only)
  • time of last login (users with an ID only).

Course achievements of Group employees are stored in the Group’s HR system. Users with an ID can edit their own user data.

4. Regular data sources

Data on the Group’s employees is obtained from the Group’s HR systems. External users save their own data, or their data is stored either by the data controllers’ administrators, or by the service provider’s responsible persons.

5. Recipients or categories of recipients of the personal data

Access to personal data is granted to the Group administrators, persons with the role of teachers in the system, and the Group’s service provider, who perform system maintenance and support tasks on behalf of the data controllers. Data may be disclosed to other parties if the recipient has a legal right to receive personal data.

6. Data transfers outside the EU or EEA

Data is not transferred to outside of the EU or EEA.

7. Security of personal data

Senate Group ensures the secure processing of data by ensuring technical and administrative requirements through audits, inspections and risk management. The requirements are assessed for all information systems of the controller, as well as for their service providers, at the required risk management level. Data is encrypted using strong encryption methods, or pseudonymised by excluding unnecessary personal data that could identify the individual. The continued confidentiality, integrity, availability and fault-tolerance of information systems and services are ensured through back-ups and regular security audits, as well as appropriate software and security updates. Procedures to regularly test, examine and evaluate the security of information systems and services are part of the Senate Group’s continuous improvement process.

The Group’s administrators, as well as the administrators of the service provider responsible for maintaining the system, have access to all information in the system. In other respects, access to information is granted on an exam-by-exam basis, so that people in the role of teachers can see the information related to their courses.

8. Data retention period and the principles for determining it

The data of Group employees is deleted within one year of the termination of the employment relationship. The data of the Group’s service providers is deleted from the system five years after completion of the person’s last course.

9. Rights of the data subjects

Data subjects may exercise their rights under the General Data Protection Regulation in the following matters:

  • The right to access personal data (to be informed about the processing of their personal data)
  • The right to withdraw consent for the processing of personal data in full, if the consent was given solely for direct marketing purposes.
  • The right to correct their own personal data
  • The right to erasure of their own personal data
  • The right to restrict processing of their own personal data
  • The right to object to the processing of their own personal data, and to object marketing communication
  • The right not to be unconsciously subject to a decision based on automated processing.

The controller shall provide information on action taken on request under Articles 15 to 22 of the GDPR to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by a further two months where necessary, taking into account the complexity and number of requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject (Article 12.3 of the GDPR).

The data subject also has the right to lodge a complaint with the Data Protection Ombudsman acting as a supervisory authority.

Give feedback