Processing of Personal Data in the Student Union of the University of Jyväskylä

Purpose of Processing

The Student Union of the University of Jyväskylä (JYY) is a public-law entity established under the Universities Act, and its members include all undergraduate students at the University of Jyväskylä. The University maintains the student register and provides member data to the Student Union. JYY builds its membership register based on this data. We process members’ personal data for the following purposes:

• To monitor the payment of membership fees and verify membership status
• To confirm eligibility to vote in the Representative Council elections and, for elected members, during the term of office
• To include members in the electoral roll for the Representative Council elections
• To verify eligibility for positions in the University’s administrative bodies during the selection process and throughout the term of office

Basis for Processing

The processing of data is based on the EU General Data Protection Regulation (GDPR) or applicable provisions in national legislation, such as the Universities Act and the Data Protection Act, as well as on an agreement between the Student Union and the University of Jyväskylä regarding the transfer and use of data. Additionally, data may be processed with the consent of the data subject.

Description of Data Subject Groups and Categories of Personal Data

• The Student Union processes the following information about its members:
• Name, date of birth, nationality
• Student ID number, email address
• Membership in the Student Union, degree rights
• Status of membership fee payment
• Study rights
• Personal identity code

Collection of Personal Data

Personal data is obtained directly from the University of Jyväskylä’s registry via a secure connection. Information may also be requested directly from the data subject.

Disclosure and Transfer of Personal Data

The following parties process personal data for the following purposes:

• Specialist in Member and Association Affairs for all purposes
• Soihtu Housing, regarding the right of tenancy
• Employees providing member services, regarding the verification of membership
• Specialist in Academic Affairs, regarding the verification of eligibility for election to university administrative bodies and during the term of office
• Executive Director, regarding the verification of eligibility for the Council of Representatives during the Representative Council term
• An employee designated by the Executive Director to be responsible for Representative Council elections, regarding the verification of eligibility in Representative Council elections and the registration of members on the electoral roll for Representative Council elections

FeedCowboy Oy provides the Slice student card service and other digital services. When a member logs in as a user, JYY transfers the following member data: student ID number, type of degree (undergraduate or postgraduate), and the validity period of studies. FeedCowboy Oy uses this information to verify the student’s membership in JYY.

Trevea provides the Vakka software for electronic voting, which is used to conduct elections with proportional representation. For the Representative Council elections, JYY transfers the following data about each member: last name, given names, and university username.

Storage and Deletion of Personal Data

Personal data is stored in the JYY membership information system. The data will be retained indefinitely.

Any requests related to the correction or deletion of data should be directed to the University of Jyväskylä’s Student Services. The members of the Student Union do not have the right to request restrictions on the disclosure of their personal data to the Student Union.

Contact Person:

Specialist in Member and Association Affairs

jyy@jyy.fi

050 430 6747

Purpose of Processing

One of the statutory duties of the Student Union is to appoint student representatives to the University’s administrative bodies. Additionally, the Student Union selects student representatives for other roles. When making decisions about student representatives, personal data is collected for the purpose of naming these individuals and organizing communication with them. The Equality Act applies to bodies that exercise public authority.

Basis for Processing

The processing of data is based on the EU General Data Protection Regulation (GDPR) or relevant provisions in national legislation, such as the Universities Act and the Government Decree on Universities.

Information about legal gender is collected to comply with the Equality Act’s principle of equal treatment.

Description of Data Subject Groups and Categories of Personal Data

The Student Union processes the following data:

• Name, student ID number, phone number, email address
• Legal gender
• Degree rights
• Collection of Personal Data
• Personal data is obtained directly from the data subjects themselves.
• Processing, Disclosure, and Transfer of Personal Data

Personal data is processed by the Specialist in Academic Affairs or their substitute.

Data is not disclosed or transferred to third parties (excluding the relevant bodies) except as required by the Act on the Openness of Government Activities. Applicants are asked for consent during the application process to publish the names of representatives in various bodies on JYY’s website.

Storage and Deletion of Personal Data

Data is retained for the duration of the term of office of the respective body, after which any data not included in archivable material is destroyed. Documentation created within the administration of the Student Union, including information on students serving as student representatives, is permanently archived.

Contact Person:

Specialist in Academic Affairs

kopo-asiantuntija@jyy.fi +358 50 330 1025 

Purpose of Processing

Personal data is processed for organizing the tutoring activities at the University of Jyväskylä.

Basis for Processing

Personal data is processed based on the consent given by the individual applying to become a tutor.

Description of Data Subject Groups and Categories of Personal Data

The following personal data is collected about individuals serving as tutors:

• Name
• Contact details, phone number, and email address
• Type of tutor (peer tutor, degree tutor, or international student tutor)
• The degree program to be tutored
• Information about the completion of tutor training (name of training and completion status)

Collection of Personal Data

The University collects the data from the registered individuals themselves through tutor application forms and self-reported information. The University then transfers this data to the Student Union for organizing tutoring activities.

Disclosure and Transfer of Personal Data

Personal data is processed by the Specialist in International Affairs, Specialist in Member and Association Affairs, and other employees whose tasks involve contacting tutors.

Data is not disclosed or transferred to third parties except as required by the Act on the Openness of Government Activities.

Storage and Deletion of Personal Data

Unnecessary personal data is deleted annually when the next tutors have been selected. Only the data essential for confirming the tutor’s term of service will be retained beyond this period.

Contact Person:

Specialist in Member and Association Affairs

jyy@jyy.fi

050 430 6747

Basis for Processing

The processing of data related to honors and awards given by the Student Union is based on the Student Union’s general interest.

For other data, personal data is processed based on the consent given by the data subject.

Purpose of Processing

The purpose of processing the data stored in the alumni register is to maintain contact with the alumni of the Student Union, such as organizing alumni events and annual celebrations.

Otherwise, the data is processed to develop services, inform registered individuals, and distribute honors and awards.

Description of Data Subject Groups and Categories of Personal Data

The Student Union processes the following data in the alumni register:

• Name
• Phone number, email address
• Roles held by the alumni and the years during which they served

Honors and Awards:

For the Good Teacher Award, the following data is collected:

• Information about the nominated teacher and the justification for the nomination
• Information about the person making the nomination

For honorary award recipients, the following data is collected:

• Names and email addresses of the nominees
• Justifications provided by the nominator

Email Lists:

The following data is collected for email lists:

• Email address and name
• Password and language preference

Data Collected in Surveys:

The following data is collected in surveys:

• Name
• Phone number and email address

Students from Other Student Unions Requesting a JYY Semester Sticker :

The following data is collected for students from other student unions requesting a JYY semester sticker:

• Name, student ID number
• Membership in the student union, student union name

Collection of Personal Data

Personal data is collected directly from the data subjects themselves or, in the case of awards, from the members of the Student Union.

The data of students from other student unions requesting a JYY semester sticker is obtained from the other student unions.

Disclosure and Transfer of Personal Data

Personal data is processed by the event producer, the executive director, and others whose duties include maintaining contact with alumni.

Otherwise, personal data is processed by employees of the Student Union of the University of Jyväskylä whose duties include these tasks.

Data is not disclosed or transferred to third parties except as required by the Act on the Openness of Government Activities.

Storage and Deletion of Personal Data

Personal data is deleted upon the request of the data subject.

The data of students from other student unions requesting a JYY semester sticker is retained for one academic year.

Contact Person:

Specialist in Member and Association Affairs

jyy@jyy.fi

050 430 6747 

Purpose of Processing

Personal data is processed to maintain the records of organizations actively operating within the Student Union (JYY). The data is also used to facilitate communication with the boards of these organizations.

Description of Data Subject Groups and Categories of Personal Data

Official information of the association:

• Name
• Phone number, email address

Annually updated information of board members:

• Name
• Responsibilities within the board
• Email address
• Phone numbers of the chairs

Basis for Processing

Vital interest: Article 6(1)(d) of the GDPR

Public interest: Article 6(1)(e) of the GDPR

Collection of Personal Data

The data is collected from the organizations themselves through registration forms.

Disclosure and Transfer of Personal Data

Personal data is processed by employees of the Student Union of the University of Jyväskylä.

Data is not disclosed or transferred to third parties except as required by the Act on the Openness of Government Activities.

Storage and Deletion of Personal Data

Official information of the organizations is retained permanently. Contact details of the board members are deleted one year after the end of their term of office.

Contact Person:

Specialist in Member and Association Affairs

jyy@jyy.fi

050 430 6747

Purpose of Processing

The personal data of Student Union members running for the Council of Representatives is used to organize elections that are open to all Student Union members. Based on the election results, the Council of Representatives is formed, including deputy members.

The Council of Representatives holds the highest decision-making authority in the Student Union. The personal data of candidates running for the Council of Representatives is used to organize elections that are open to all Student Union members. Based on the election results, the Council of Representatives is formed, including deputy members.

Personal data is processed to maintain records of candidates and election alliances for the Council of Representatives elections.

Basis for Processing

The processing of personal data is based on the EU General Data Protection Regulation (GDPR) or applicable national legislation, such as the Universities Act and the University Decree.

In the case of processing a candidate’s or a member of the Council of Representatives’ potential political opinion, the legal basis for processing is provided by Article 9(2)(e) of the GDPR (data that has already been made public by the data subject, even if it relates to political opinions, can be processed).

Description of the Groups of Data Subjects and Categories of Personal Data

The Student Union processes the following personal data for the purposes of the Council of Representatives elections:

Of candidates:

• Name
• Phone number, email address
• Date of birth
• Address
• University user ID
• Student number
• Faculty

Of electoral alliances:

• Name of the electoral alliance
• Full names of the main and substitute contacts
• Addresses of the main and substitute contacts
• Phone numbers of the main and substitute contacts
• Email addresses of the main and substitute contacts
• List of candidates, their dates of birth, and faculties

Of electoral rings:

• Name of the electoral ring
• Electoral alliances belonging to the electoral ring
• Full names of the contact persons of the electoral alliances within the electoral ring
• Names, dates of birth, and faculties of candidates not belonging to any electoral alliance

Collection of Personal Data

The data is collected from the data subjects themselves and from electoral alliances via election forms.

Disclosures and Transfers of Personal Data

Personal data is processed by the Central Election Committee and the staff preparing the elections.

The data may be stored as required to meet legal obligations. Personal data is processed, stored, and transferred only using the Student Union’s own secure technical data transfer systems.

The data will not be disclosed or transferred to third parties except as required by the Publicity Act.

Storage and Deletion of Personal Data

Personal data will be permanently archived.

Contact Person:

Specialist in Member and Association Affairs

jyy@jyy.fi 050 430 6747

 Description of the Groups of Data Subjects and Personal Data Categories

The Student Union processes the following personal data for members and deputy members of the Council of Representatives, as well as for candidates in the election who may become deputy members:

• Name
• Phone number, email address
• Student number
• University user ID
• Council group

Legal Basis for Processing

The processing of personal data is based on the EU General Data Protection Regulation (GDPR) or the applicable national legislation, including Section 46.6 of the Finnish Universities Act and Section 4 of the Finnish Universities Decree. In the case of processing data on a candidate or council member’s political opinions, the legal basis is Article 9(2)(e) of the GDPR.

Purpose of Processing

The Council of Representatives exercises the highest decision-making authority within the student union. The information of the council members elected in the elections is used to organize the functioning of the Council.

Personal data is processed for record-keeping purposes regarding council members,  deputy members, and candidates who may become deputy members of the Council.

Collection of Personal Data

Data is collected directly from the registered individuals and the council groups through election forms, as well as separately from the registered individuals whenever their information changes.

Disclosures and Transfers of Personal Data

Personal data is processed by the Executive Director and their substitute.

Information about council members is disclosed to the council groups and the executive board of the student union.

Data is not disclosed or transferred to third parties except as required by the Publicity Act.

Retention and Deletion of Personal Data

Except for the name and role in the Council (such as regular member, deputy member, group representative), personal data will be deleted from the register once the term of the respective council ends. The name and role will be retained for the purpose of issuing certificates for positions of trust.

Council meetings are recorded and broadcast live via an online service. The recordings are archived until the end of the current calendar year, after which the recordings will be deleted.

Contact Person:

Executive Director

toiminnanjohtaja@jyy.fi +358 45 138 6816

Purpose of Processing

We process personal data to maintain lease agreement information. Additionally, we conduct customer surveys and research, customer communication, and ensure the maintenance of the apartments. We also process data for the collection of rental debts and other housing-related receivables, as well as for planning and developing the business of the data controller.

Legal Basis for Processing

This data is processed based on the contract between the data controller and the data subject for the management, maintenance, analysis, and development of the customer relationship and any other relevant relationship.

Description of Data Subjects and Categories of Personal Data

Resident Selection and Management

The register may process the following personal data and their updates for housing applicants, tenants, and potential co-tenants:

Basic Information:

• Name, personal identity number, postal addresses, phone numbers, email addresses, and gender
• Personal information of accompanying individuals: first and last names, personal identity numbers
• Information Related to the Customer Relationship or Other Relevant Connection:
• Start date of the customer relationship, customer number
• Study-related information for student housing
• Information about housing needs
• Lease agreement details, rent payment details, security deposit information, and tenancy termination details
• Dates of key issuance and return
• Complaints, feedback (via Webropol, Buenno), other communications related to the customer relationship or relevant connection, actions related to social housing support, communication and measures taken, marketing activities targeted at the data subject, and information provided in connection with such activities
• Bank account information related to the termination of the tenancy

Financial Information:

Information on any legal guardian, income and wealth details, credit information, debts to the landlord, information on debt restructuring

Data Collected for Providing Online Services (Tenant Network) and Service Support:

• Name
• Email address
• Apartment address
• Technical identification information of devices connected to the network

Collection of Personal Data

The data is primarily provided by the data subject themselves. Updates to this information may also be received from the controller’s other electronic services. Personal data may be collected and updated from the controller’s other personal data registers, from resigning customers, from the controller’s partners, and from authorities and companies offering personal data services, such as the Digital and Population Data Services Agency. Credit checks are conducted using the register maintained by Suomen Asiakastieto Oy.

Disclosure and Transfer of Personal Data

Data is not primarily disclosed outside the Student Union of the University of Jyväskylä (JYY). However, data may be disclosed within the limits permitted and required by applicable legislation, for example, to JYY’s contractual partners conducting debt collection on its behalf or to parties entitled to access the information under the law. Furthermore, data may be disclosed to property management, maintenance, security, and locksmith service providers, as well as to electricity and data network providers, for the provision of services related to housing.

Data is transferred to the electronic property management, booking, and enterprise resource planning systems used by the Student Union. If a property is transferred to an external owner outside of JYY, the necessary data required for managing the tenancy may be disclosed to the new owner.

Information provided during the registration process for the JYY resident network and any data submitted in connection with support requests is disclosed to the entity responsible for the maintenance of the network for the purposes of processing registrations and support requests.

Retention and Deletion of Personal Data

Data is retained for the period required by applicable legislation. Data not included in materials subject to archiving will be destroyed after this period.

Request for Inspection of Personal Data

Written inspection requests should be sent to the following address:

Soihtu Housing, Vehkakuja 2 B, 40700 Jyväskylä, Finland.

When requesting information, please include your name, address, and personal identity code. Additionally, specify whether you wish to inspect data related to a specific matter, all data, or data from a specific time period.

Access Control Register

Purpose of Processing

To manage and monitor the use of premises under the administration of the Student Union. The aim is to ensure effective property maintenance and safety, as well as to prevent potential misuse and criminal activity. The electronic access control system helps maintain order and facilitates holding those responsible for causing damage accountable.

Legal Basis for Processing

The processing of data is based on the contract between the data controller and the data subject, to manage, maintain, analyze, and develop the relationship related to the services provided or other legitimate connections.

Description of Data Subjects and Categories of Personal Data

• Name
• Reason for Access Rights (e.g., employment, position of trust, organization space agreement, gym membership, facility rental)
• Facilities Granted Access and the Duration of Access Rights

Collection of Personal Data

Personal data is collected directly from the data subject. Lock-specific data is obtained from the access control system’s reader devices.

Disclosure and Transfer of Personal Data

Access control data may be processed by Student Union employees within the scope of their roles. Data may also be disclosed to authorities, such as the police, for the investigation of incidents within the limits of applicable legislation.

Retention and Deletion of Personal Data

Access control data is retained for one year.

Video Surveillance Register

Purpose of Processing

Personal data is processed to fulfill the legal obligations and rights of the Student Union, as well as for compelling purposes, to ensure the legal protection and safety of employees, partners, and clients of the Student Union. The data is also used to protect the employer’s, employees’, and clients’ information and property, as well as to prevent and investigate crimes.

Basis for Processing

Personal data is processed based on the legitimate interest of the Student Union to investigate and prevent crimes, vandalism, and other misconduct that occur on properties owned by the Student Union.

Description of Registered Groups and Categories of Personal Data

We process video or other recorded footage of individuals and vehicles moving within areas monitored by the Jyväskylä University Student Union’s camera surveillance systems (such as office spaces and business premises). The footage is accompanied by the date and time of the event.

Collection of Personal Data

Devices for camera surveillance have been installed in the company’s operational and business premises, as well as other areas managed by the Student Union. Camera surveillance captures and records video footage of individuals and vehicles moving within the monitored areas.

Disclosures and Transfers of Personal Data

Personal data may be disclosed to supervisors, external contacts, customers, and/or authorities (e.g., the police) to the extent permitted and required by law.

Personal data may be transferred to subcontractors acting on behalf of the Student Union, who process personal data based on the instructions provided by us. Subcontractors are not allowed to use personal data for purposes other than delivering the service agreed upon with us. When using subcontractors, we ensure that data processing is carried out in accordance with the privacy policy and the data protection statement.

Data Protection

Personal data in electronic form is stored in a database, access to which is granted only to specifically designated personnel of the University of Jyväskylä Student Union or its authorized agents, whose roles require access to the data.

Data Retention and Deletion

The surveillance camera systems operate on a closed network. Access to the application is restricted through user rights. Recordings are stored on the server for two weeks.

Exercise of the Data Subject’s Rights

A data subject can request access to their data by contacting the designated responsible person mentioned at the beginning of this notice. As part of the request, the individual must specify as accurately as possible the time and location they believe the video footage from the surveillance cameras may be from. The individual must also verify their identity when making the request.

The data subject cannot exercise the right to deletion of their data, as it is not possible to remove an individual from video recordings without undue effort. For the same reason, the data subject cannot exercise their right to correction or transfer of their data.

Purpose of Processing

The Student Union rents out event spaces, organizes events and training sessions, as well as other informal activities, lends equipment, and provides advisory services. The data collected in connection with these activities is used to ensure that practical arrangements are carried out as appropriately as possible and to enable the provision of services.

Personal data is processed for purposes related to managing, administering, and developing customer relationships, as well as for providing and delivering services, service development, and billing. Personal data is also processed for purposes necessary to handle and resolve any complaints or other claims.

In addition, personal data is processed in communications directed at customers, such as for informational and news-related purposes, as well as for marketing. As part of marketing activities, personal data is also processed for direct marketing and electronic direct marketing purposes.

Customers have the right to object to direct marketing addressed to them.

The data controller processes personal data directly and may also use subcontractors acting on behalf of and for the account of the data controller in the processing of personal data.

Legal Basis for Processing

Data on participants in free events, information collected from partners and contractual partners, and data necessary for carrying out venue rental operations are processed on the basis of the data subject’s consent.

Data collected for event reports is processed in accordance with the Act on Private Security Services.

In venue rental operations, the processing of personal data is necessary for the performance of a contract to which the data subject is a party, or for taking steps at the request of the data subject prior to entering into a contract.

Description of Data Subjects and Categories of Personal Data

Data collected from private individuals participating in training sessions and other free events:

• Allergy and dietary information
• Name and affiliated association
• Email address
• Phone number
• Accessibility information
• Field of study

Data collected from corporate partners and contractual partners:

• Name of contact person and salesperson
• Email address
• Phone number
• Dietary requirements, allergies, and organisation
• Business ID for companies/sole traders; personal identity code where necessary for contractual partners

Data collected for venue rental operations (booking details):

• First name and last name of the person making the booking
• Email address
• Phone number
• Billing address (street address, postal code, and city)
• For corporate bookings: official name of the organisation and Business ID
• Direct marketing consents and prohibitions
• Name of the payment service provider
• Bank account number for refunds

Data recorded in the key management register:

• Name of the key holder
• Association represented by the key holder
• Email address of the key holder
• Phone number of the key holder
• Information on the premises to which the key grants access

Data collected for event reports:

• Date and location
• Contact details of participants
• Contact details of witnesses

Data collected in connection with ticket sales:

• Name
• Email address
• Phone number

Collection of Personal Data

Personal data is collected from the student, customer using the services, or the representative of a partner organisation themselves.

Disclosure and Transfer of Personal Data

As a rule, personal data is not disclosed in identifiable form.

Data is retained only for as long as necessary for the provision of the service or activity, after which any data not included in archived materials is deleted.

Retention of Personal Data

Personal data stored in the register is retained only for as long and to the extent necessary in relation to the original or compatible purposes for which the data was collected.

The data controller regularly assesses the necessity of data retention in accordance with its internal policies. In addition, the data controller takes all reasonable measures to ensure that inaccurate, incorrect, or outdated personal data is erased or rectified without delay.

• Personal data of participants in training sessions and other free events is retained until the training or event has been completed. Necessary data may also be retained after the event.
• Data of partners and contractual partners is retained for the duration of the contract. Accounting and invoicing records are retained for six (6) years in accordance with the Accounting Act.
• Data in the key management register is retained for the duration of the contract.
• Data of venue rental customers is retained for six (6) years insofar as it is included in accounting documentation (e.g. name, payment service provider details, and bank account number for refunds). Registered individual customers’ data is retained for at least three (3) years from the last use of the booking account. For organisational customers, the retention period is five (5) years.
• Event reports are retained for two (2) years from the end of the calendar year in which they were created and are deleted within one month after the retention period ends.

Contact

Email: tilakoordinaattori@soihtu.fi

Purpose of Processing

We process applicants’ personal data during the recruitment process, for purposes such as reviewing job applications, informing applicants about the progress of the recruitment process, arranging interviews, and assessing professional or personal suitability.

Legal Basis for Processing

The legal basis for processing personal data is the execution of pre-contractual measures based on your request by applying.

In certain circumstances and to the extent permitted by applicable law, we may also process personal data based on consent provided for reliability assessments or background checks.

Description of Data Subject Groups and Categories of Personal Data

We collect and process contact information and job application details provided by job applicants in their applications.

Collection of Personal Data

Personal data is primarily collected from the applicant themselves.

Disclosure and Transfer of Personal Data

We may disclose personal data to third parties to the extent permitted and required by law, or when our partners process personal data on our behalf and under our instructions (e.g., outsourced payroll services). Additionally, data may be disclosed with the applicant’s consent to parties specified in the consent, such as referees.

Retention of Personal Data

We retain personal data only for as long as necessary to fulfill the purposes outlined in this notice.

Personal data may also be retained to the extent necessary after the recruitment process concludes, as permitted or required by applicable law.

Data will be deleted when its retention is no longer necessary for compliance with legal requirements or for the realization of the rights or obligations of either party.

Contact Person

Contact details provided in the job advertisement.

Purpose of Data Processing

We process personal data to arrange accommodation and financial transactions. Additionally, we conduct customer surveys, communicate with customers, and ensure the maintenance of the accommodations. Personal data is also processed to send and collect any additional services or invoices.

Legal Basis for Processing

This data is processed based on the agreement between the controller and the data subject, for the management, handling, analysis, and development of the customer relationship or other relevant association.

Description of Data Subject Groups and Categories of Personal Data

Accommodation Management

The registry may process the following personal data and updates related to the users of the service:

Basic Information:

• Name, personal identity code/date of birth, postal addresses, nationality, passport/ID card number, phone numbers, and email addresses
• Personal data of accompanying travellers: first and last names, and personal identity codes/dates of birth

Information Related to Customer Relationship or Other Relevant Association:

• Reservation details and payment information for accommodation
• Dates of key handover and return
• Complaints, feedback (feedback forms), and other customer communication and actions related to the relationship or association
• Bank account information, if required for refunds

Collection of Personal Data

The data is always sourced directly from the data subject.

Disclosure and Transfer of Personal Data

As a rule, data is not disclosed outside of JYY. Data may be disclosed within the limits permitted and required by applicable legislation, for example, to contracted partners handling debt collection on behalf of JYY, or to entities legally entitled to access the data. Additionally, data may be disclosed to property management, maintenance, security, and locksmith service providers, as well as electricity and network providers, to deliver accommodation-related services. Data is transferred to the digital property management, booking, and operational systems used by the Student Union.

Retention and Deletion of Personal Data

Data is retained for the period required by law. Information not included in archived materials is destroyed after this period.