Processing of Personal Data in the Student Union of the University of Jyväskylä

 

Open here as a PDF: JYY Privacy Policy

This privacy policy describes the processing of personal data within the Student Union of the University of Jyväskylä (JYY) and its various activities.

Data Controller:

The Student Union of the University of Jyväskylä (JYY)

Keskussairaalantie 2
40600 Jyväskylä
jyy(a)jyy.fi
+358 504306747

You can find information about the processing of personal data in this privacy policy based on the specific group of individuals you are looking for. It is possible for a person to belong to several groups simultaneously: for instance, someone might be both a resident of a property we rent out and a participant in a training session we organize, and they might also use the gym services designated for our residents. In such cases, the descriptions for all these groups apply to the individual. However, this grouping facilitates finding relevant information, as often only specific processing activities may be of interest.

Additionally, this privacy policy outlines the rights applicable to everyone, explains how we protect personal data, and provides the contact information of the supervisory authority in case someone needs to submit their matter for official review.

The Student Union complies with the Administrative Procedure Act (434/2003) when performing public administrative duties. The public access to the activities of the Student Union is governed by the provisions of the Act on the Openness of Government Activities (621/1999) concerning the transparency of activities carried out by public authorities as defined in Section 4(1) of the Act.

  Hallintolaki (434/2003): Administrative Procedure Act (434/2003)

  Laki viranomaisten toiminnan julkisuudesta (621/1999): Act on the Openness of Government Activities (621/1999)

The Student Union of the University of Jyväskylä – Processing of Student Data

Membership Register of the Student Union of the University of Jyväskylä

Purpose of Processing

The Student Union of the University of Jyväskylä (JYY) is a public-law entity established under the Universities Act, and its members include all undergraduate students at the University of Jyväskylä. The University maintains the student register and provides member data to the Student Union. JYY builds its membership register based on this data. We process members’ personal data for the following purposes:

  • To monitor the payment of membership fees and verify membership status
  • To confirm eligibility to vote in the Representative Council elections and, for elected members, during the term of office
  • To include members in the electoral roll for the Representative Council elections
  • To verify eligibility for positions in the University’s administrative bodies during the selection process and throughout the term of office

Basis for Processing

The processing of data is based on the EU General Data Protection Regulation (GDPR) or applicable provisions in national legislation, such as the Universities Act and the Data Protection Act, as well as on an agreement between the Student Union and the University of Jyväskylä regarding the transfer and use of data. Additionally, data may be processed with the consent of the data subject.

Description of Data Subject Groups and Categories of Personal Data

The Student Union processes the following information about its members:

  • Name, date of birth, nationality
  • Student ID number, email address
  • Membership in the Student Union, degree rights
  • Status of membership fee payment
  • Study rights
  • Personal identity code

Collection of Personal Data

Personal data is obtained directly from the University of Jyväskylä’s registry via a secure connection. Information may also be requested directly from the data subject.

Disclosure and Transfer of Personal Data

Primarily, personal data is handled by the membership services and organizational affairs specialists, Soihtu Housing Services, and employees who provide member services.

FeedCowboy Oy provides the Slice student card service and other digital services. When a member logs in as a user, JYY transfers the following member data: student ID number, type of degree (undergraduate or postgraduate), and the validity period of studies. FeedCowboy Oy uses this information to verify the student’s membership in JYY.

Trevea provides the Vakka software for electronic voting, which is used to conduct elections with proportional representation. For the Representative Council elections, JYY transfers the following data about each member: last name, given names, and university username.

Storage and Deletion of Personal Data

Personal data is stored in the JYY membership information system. The data will be retained indefinitely.

Any requests related to the correction or deletion of data should be directed to the University of Jyväskylä’s Student Services. The members of the Student Union do not have the right to request restrictions on the disclosure of their personal data to the Student Union.

Contact Person:
Specialist in Member and Association Affairs

jyy@jyy.fi
050 430 6747

Student Representatives in University Administration

Purpose of Processing

One of the statutory duties of the Student Union is to appoint student representatives to the University’s administrative bodies. Additionally, the Student Union selects student representatives for other roles. When making decisions about student representatives, personal data is collected for the purpose of naming these individuals and organizing communication with them. The Equality Act applies to bodies that exercise public authority.

Basis for Processing

The processing of data is based on the EU General Data Protection Regulation (GDPR) or relevant provisions in national legislation, such as the Universities Act and the Government Decree on Universities.

Information about legal gender is collected to comply with the Equality Act’s principle of equal treatment.

Basis for Processing

The processing of data is based on the EU General Data Protection Regulation (GDPR) or applicable provisions of national legislation, such as the Universities Act and the Government Decree on Universities.

Information about legal gender is collected to comply with the Equality Act’s principle of equal treatment.

Description of Data Subject Groups and Categories of Personal Data

The Student Union processes the following data:

  • Name, student ID number, phone number, email address
  • Legal gender
  • Degree rights

Collection of Personal Data

We collect the data directly from the data subjects themselves.

Processing, Disclosure, and Transfer of Personal Data

Personal data is processed by the higher education policy expert or their substitute.

Data is not disclosed or transferred to third parties (excluding the relevant bodies) except as required by the Act on the Openness of Government Activities. Applicants are asked for consent during the application process to publish the names of representatives in various bodies on JYY’s website.

Storage and Deletion of Personal Data

Data is retained for the duration of the term of office of the respective body, after which any data not included in archivable material is destroyed. Documentation created within the administration of the Student Union, including information on students serving as student representatives, is permanently archived.

Contact Person:
Specialist in Academic Affairs
kopo-asiantuntija@jyy.fi
+358 50 330 1025

Tutor Register

Purpose of Processing

Personal data is processed for organizing the tutoring activities at the University of Jyväskylä.

Basis for Processing

Personal data is processed based on the consent given by the individual applying to become a tutor.

Description of Data Subject Groups and Categories of Personal Data

The following personal data is collected about individuals serving as tutors:

  • Name
  • Contact details, phone number, and email address
  • Type of tutor (peer tutor, degree tutor, or international student tutor)
  • The degree program to be tutored
  • Information about the completion of tutor training (name of training and completion status)

Collection of Personal Data

The University collects the data from the registered individuals themselves through tutor application forms and self-reported information. The University then transfers this data to the Student Union for organizing tutoring activities.

Disclosure and Transfer of Personal Data

Personal data is processed by the higher education policy expert, membership services and organizational affairs specialist, and other employees whose tasks involve contacting tutors.

Data is not disclosed or transferred to third parties except as required by the Act on the Openness of Government Activities.

Storage and Deletion of Personal Data

Unnecessary personal data is deleted annually when the next tutors have been selected. Only the data essential for confirming the tutor’s term of service will be retained beyond this period.

Contact Person:

Specialist in Member and Association Affairs
jyy@jyy.fi
050 430 6747

Other Activities of the Student Union and Alumni

Basis for Processing

The processing of data related to honors and awards given by the Student Union is based on the Student Union’s general interest.

For other data, personal data is processed based on the consent given by the data subject.

Purpose of Processing

The purpose of processing the data stored in the alumni register is to maintain contact with the alumni of the Student Union, such as organizing alumni events and annual celebrations.

Otherwise, the data is processed to develop services, inform registered individuals, and distribute honors and awards.

Description of Data Subject Groups and Categories of Personal Data

The Student Union processes the following data in the alumni register:

  • Name
  • Phone number, email address
  • Roles held by the alumni and the years during which they served

Honors and Awards:

For the Good Teacher Award, the following data is collected:

  • Information about the nominated teacher and the justification for the nomination
  • Information about the person making the nomination

For honorary award recipients, the following data is collected:

  • Names and email addresses of the nominees
  • Justifications provided by the nominator

Email Lists:

The following data is collected for email lists:

  • Email address and name
  • Password and language preference

Data Collected in Surveys:

The following data is collected in surveys:

  • Name
  • Phone number and email address

Students from Other Student Unions Requesting a JYY Semester Sticker :

The following data is collected for students from other student unions requesting a JYY semester sticker:

  • Name, student ID number
  • Membership in the student union, student union name

Collection of Personal Data

Personal data is collected directly from the data subjects themselves or, in the case of awards, from the members of the Student Union.

The data of students from other student unions requesting a JYY semester sticker is obtained from the other student unions.

Disclosure and Transfer of Personal Data

Personal data is processed by the event producer, the executive director, and others whose duties include maintaining contact with alumni.

Otherwise, personal data is processed by employees of the Student Union of the University of Jyväskylä whose duties include these tasks.

Data is not disclosed or transferred to third parties except as required by the Act on the Openness of Government Activities.

Storage and Deletion of Personal Data

Personal data is deleted upon the request of the data subject.

The data of students from other student unions requesting a JYY semester sticker is retained for one academic year.

Contact Person:

Specialist in Member and Association Affairs
jyy@jyy.fi
050 430 6747

Organization Register

Purpose of Processing

Personal data is processed to maintain the records of organizations actively operating within the Student Union (JYY). The data is also used to facilitate communication with the boards of these organizations.

Description of Data Subject Groups and Categories of Personal Data

Official information of the association:

  • Name
  • Phone number, email address

Annually updated information of board members:

  • Name
  • Responsibilities within the board
  • Email address
  • Phone numbers of the chairs

Basis for Processing

  • Vital interest: Article 6(1)(d) of the GDPR
  • Public interest: Article 6(1)(e) of the GDPR

Collection of Personal Data

The data is collected from the organizations themselves through registration forms.

Disclosure and Transfer of Personal Data

Personal data is processed by employees of the Student Union of the University of Jyväskylä.

Data is not disclosed or transferred to third parties except as required by the Act on the Openness of Government Activities.

Storage and Deletion of Personal Data

Official information of the organizations is retained permanently. Contact details of the board members are deleted one year after the end of their term of office.

Contact Person:

Specialist in Member and Association Affairs

jyy@jyy.fi
050 430 6747

The Council of Representatives Registry

Council of Representatives Election Register

Purpose of Processing

The personal data of Student Union members running for the Council of Representatives is used to organize elections that are open to all Student Union members. Based on the election results, the Council of Representatives is formed, including deputy members.

The Council of Representatives holds the highest decision-making authority in the Student Union. The personal data of candidates running for the Council of Representatives is used to organize elections that are open to all Student Union members. Based on the election results, the Council of Representatives is formed, including deputy members.

Personal data is processed to maintain records of candidates and election alliances for the Council of Representatives elections.

Basis for Processing

The processing of personal data is based on the EU General Data Protection Regulation (GDPR) or applicable national legislation, such as the Universities Act and the University Decree.

In the case of processing a candidate’s or a member of the Council of Representatives’ potential political opinion, the legal basis for processing is provided by Article 9(2)(e) of the GDPR (data that has already been made public by the data subject, even if it relates to political opinions, can be processed).

Description of the Groups of Data Subjects and Categories of Personal Data

The Student Union processes the following personal data for the purposes of the Council of Representatives elections:

For candidates:

  • Name
  • Phone number, email address
  • Date of birth
  • Address
  • University user ID
  • Student number
  • Faculty

For electoral alliances:

  • Name of the electoral alliance
  • Full names of the main and substitute contacts
  • Addresses of the main and substitute contacts
  • Phone numbers of the main and substitute contacts
  • Email addresses of the main and substitute contacts
  • List of candidates, their dates of birth, and faculties

For electoral rings:

  • Name of the electoral ring
  • Electoral alliances belonging to the electoral ring
  • Full names of the contact persons of the electoral alliances within the electoral ring
  • Names, dates of birth, and faculties of candidates not belonging to any electoral alliance

Collection of Personal Data

The data is collected from the data subjects themselves and from electoral alliances via election forms.

Disclosures and Transfers of Personal Data

Personal data is processed by the Central Election Committee and the staff preparing the elections.

The data may be stored as required to meet legal obligations. Personal data is processed, stored, and transferred only using the Student Union’s own secure technical data transfer systems.

The data will not be disclosed or transferred to third parties except as required by the Publicity Act.

Storage and Deletion of Personal Data

Personal data will be permanently archived.

Contact Person:

Specialist in Member and Association Affairs

jyy@jyy.fi
050 430 6747

Council of Representatives Register

Description of the Groups of Data Subjects and Personal Data Categories

The Student Union processes the following personal data for members and deputy members of the Council of Representatives, as well as for candidates in the election who may become deputy members:

  • Name
  • Phone number, email address
  • Student number
  • University user ID
  • Council group

Legal Basis for Processing

The processing of personal data is based on the EU General Data Protection Regulation (GDPR) or the applicable national legislation, including Section 46.6 of the Finnish Universities Act and Section 4 of the Finnish Universities Decree. In the case of processing data on a candidate or council member’s political opinions, the legal basis is Article 9(2)(e) of the GDPR.

Purpose of Processing

The Council of Representatives exercises the highest decision-making authority within the student union. The information of the council members elected in the elections is used to organize the functioning of the Council.

Personal data is processed for record-keeping purposes regarding council members,  deputy members, and candidates who may become deputy members of the Council.

Collection of Personal Data

Data is collected directly from the registered individuals and the council groups through election forms, as well as separately from the registered individuals whenever their information changes.

Disclosures and Transfers of Personal Data

Personal data is processed by the Executive Director and their substitute.

Information about council members is disclosed to the council groups and the executive board of the student union.

Data is not disclosed or transferred to third parties except as required by the Publicity Act.

Retention and Deletion of Personal Data

Except for the name and role in the Council (such as regular member, deputy member, group representative), personal data will be deleted from the register once the term of the respective council ends. The name and role will be retained for the purpose of issuing certificates for positions of trust.

Council meetings are recorded and broadcast live via an online service. The recordings are archived until the end of the current calendar year, after which the recordings will be deleted.

Contact Person:

Executive Director

toiminnanjohtaja@jyy.fi

+358 45 138 6816

Soihtu Housing

Purpose of Processing

We process personal data to maintain lease agreement information. Additionally, we conduct customer surveys and research, customer communication, and ensure the maintenance of the apartments. We also process data for the collection of rental debts and other housing-related receivables, as well as for planning and developing the business of the data controller.

Legal Basis for Processing

This data is processed based on the contract between the data controller and the data subject for the management, maintenance, analysis, and development of the customer relationship and any other relevant relationship.

Description of Data Subjects and Categories of Personal Data

Resident Selection and Management
The register may process the following personal data and their updates for housing applicants, tenants, and potential co-tenants:

Basic Information:

  • Name, personal identity number, postal addresses, phone numbers, email addresses, and gender
  • Personal information of accompanying individuals: first and last names, personal identity numbers

Information Related to the Customer Relationship or Other Relevant Connection:

  • Start date of the customer relationship, customer number
  • Study-related information for student housing
  • Information about housing needs
  • Lease agreement details, rent payment details, security deposit information, and tenancy termination details
  • Dates of key issuance and return
  • Complaints, feedback (via Webropol, Buenno), other communications related to the customer relationship or relevant connection, actions related to social housing support, communication and measures taken, marketing activities targeted at the data subject, and information provided in connection with such activities
  • Bank account information related to the termination of the tenancy

Financial Information:

  • Information on any legal guardian, income and wealth details, credit information, debts to the landlord, information on debt restructuring

Data Collected for Providing Online Services (Tenant Network) and Service Support:

  • Name
  • Email address
  • Apartment address
  • Technical identification information of devices connected to the network

Collection of Personal Data

The data is primarily provided by the data subject themselves. Updates to this information may also be received from the controller’s other electronic services. Personal data may be collected and updated from the controller’s other personal data registers, from resigning customers, from the controller’s partners, and from authorities and companies offering personal data services, such as the Digital and Population Data Services Agency. Credit checks are conducted using the register maintained by Suomen Asiakastieto Oy.

Disclosure and Transfer of Personal Data

Data is not primarily disclosed outside the Student Union of the University of Jyväskylä (JYY). However, data may be disclosed within the limits permitted and required by applicable legislation, for example, to JYY’s contractual partners conducting debt collection on its behalf or to parties entitled to access the information under the law. Furthermore, data may be disclosed to property management, maintenance, security, and locksmith service providers, as well as to electricity and data network providers, for the provision of services related to housing.

Data is transferred to the electronic property management, booking, and enterprise resource planning systems used by the Student Union. If a property is transferred to an external owner outside of JYY, the necessary data required for managing the tenancy may be disclosed to the new owner.

Information provided during the registration process for the JYY resident network and any data submitted in connection with support requests is disclosed to the entity responsible for the maintenance of the network for the purposes of processing registrations and support requests.

Retention and Deletion of Personal Data

Data is retained for the period required by applicable legislation. Data not included in materials subject to archiving will be destroyed after this period.

Request for Inspection of Personal Data

Written inspection requests should be sent to the following address:
Soihtu Housing, Vehkakuja 2 B, 40700 Jyväskylä, Finland.

When requesting information, please include your name, address, and personal identity code. Additionally, specify whether you wish to inspect data related to a specific matter, all data, or data from a specific time period.

Soihtu Stay

Purpose of Data Processing

We process personal data to arrange accommodation and financial transactions. Additionally, we conduct customer surveys, communicate with customers, and ensure the maintenance of the accommodations. Personal data is also processed to send and collect any additional services or invoices.

Legal Basis for Processing

This data is processed based on the agreement between the controller and the data subject, for the management, handling, analysis, and development of the customer relationship or other relevant association.

Description of Data Subject Groups and Categories of Personal Data

Accommodation Management
The registry may process the following personal data and updates related to the users of the service:

Basic Information:

  • Name, personal identity code/date of birth, postal addresses, nationality, passport/ID card number, phone numbers, and email addresses
  • Personal data of accompanying travellers: first and last names, and personal identity codes/dates of birth

Information Related to Customer Relationship or Other Relevant Association:

  • Reservation details and payment information for accommodation
  • Dates of key handover and return
  • Complaints, feedback (feedback forms), and other customer communication and actions related to the relationship or association
  • Bank account information, if required for refunds

Collection of Personal Data

The data is always sourced directly from the data subject.

Disclosure and Transfer of Personal Data

As a rule, data is not disclosed outside of JYY. Data may be disclosed within the limits permitted and required by applicable legislation, for example, to contracted partners handling debt collection on behalf of JYY, or to entities legally entitled to access the data. Additionally, data may be disclosed to property management, maintenance, security, and locksmith service providers, as well as electricity and network providers, to deliver accommodation-related services. Data is transferred to the digital property management, booking, and operational systems used by the Student Union.

Retention and Deletion of Personal Data

Data is retained for the period required by law. Information not included in archived materials is destroyed after this period.

 

Access control and video surveillance registry

Access Control Register

Purpose of Processing

To manage and monitor the use of premises under the administration of the Student Union. The aim is to ensure effective property maintenance and safety, as well as to prevent potential misuse and criminal activity. The electronic access control system helps maintain order and facilitates holding those responsible for causing damage accountable.

Legal Basis for Processing

The processing of data is based on the contract between the data controller and the data subject, to manage, maintain, analyze, and develop the relationship related to the services provided or other legitimate connections.

Description of Data Subjects and Categories of Personal Data

  • Name
  • Reason for Access Rights (e.g., employment, position of trust, organization space agreement, gym membership, facility rental)
  • Facilities Granted Access and the Duration of Access Rights

Collection of Personal Data

Personal data is collected directly from the data subject. Lock-specific data is obtained from the access control system’s reader devices.

Disclosure and Transfer of Personal Data

Access control data may be processed by Student Union employees within the scope of their roles. Data may also be disclosed to authorities, such as the police, for the investigation of incidents within the limits of applicable legislation.

Retention and Deletion of Personal Data

Access control data is retained for one year.

Video Surveillance Register

Purpose of Processing

Personal data is processed to fulfill the legal obligations and rights of the Student Union, as well as for compelling purposes, to ensure the legal protection and safety of employees, partners, and clients of the Student Union. The data is also used to protect the employer’s, employees’, and clients’ information and property, as well as to prevent and investigate crimes.

Basis for Processing

Personal data is processed based on the legitimate interest of the Student Union to investigate and prevent crimes, vandalism, and other misconduct that occur on properties owned by the Student Union.

Description of Registered Groups and Categories of Personal Data

We process video or other recorded footage of individuals and vehicles moving within areas monitored by the Jyväskylä University Student Union’s camera surveillance systems (such as office spaces and business premises). The footage is accompanied by the date and time of the event.

Collection of Personal Data

Devices for camera surveillance have been installed in the company’s operational and business premises, as well as other areas managed by the Student Union. Camera surveillance captures and records video footage of individuals and vehicles moving within the monitored areas.

Disclosures and Transfers of Personal Data

Personal data may be disclosed to supervisors, external contacts, customers, and/or authorities (e.g., the police) to the extent permitted and required by law.

Personal data may be transferred to subcontractors acting on behalf of the Student Union, who process personal data based on the instructions provided by us. Subcontractors are not allowed to use personal data for purposes other than delivering the service agreed upon with us. When using subcontractors, we ensure that data processing is carried out in accordance with the privacy policy and the data protection statement.

Data Protection

Personal data in electronic form is stored in a database, access to which is granted only to specifically designated personnel of the University of Jyväskylä Student Union or its authorized agents, whose roles require access to the data.

Data Retention and Deletion

The surveillance camera systems operate on a closed network. Access to the application is restricted through user rights. Recordings are stored on the server for two weeks.

Exercise of the Data Subject’s Rights

A data subject can request access to their data by contacting the designated responsible person mentioned at the beginning of this notice. As part of the request, the individual must specify as accurately as possible the time and location they believe the video footage from the surveillance cameras may be from. The individual must also verify their identity when making the request.

The data subject cannot exercise the right to deletion of their data, as it is not possible to remove an individual from video recordings without undue effort. For the same reason, the data subject cannot exercise their right to correction or transfer of their data.

Restaurant Operations, Training, and Event Space Usage

Purpose of Processing

The student union organizes events, training sessions, and other informal activities, rents and lends spaces and equipment, provides advice, and offers restaurant-related services. The data collected in connection with these activities are used to ensure the practical arrangements are carried out as effectively as possible and to provide the services.

Processing Basis

Information collected from participants in free events, from partners/contract partners, and from data necessary for restaurant sales and event space rentals is collected based on the registered person’s consent and explicit consent.

Data collected for event announcements related to restaurant operations is processed based on the law on private security services.

Description of Groups of Registered Persons and Categories of Personal Data

Information collected from private individuals participating in trainings and other free events:

  • Allergy information and dietary requirements
  • Name and student association
  • Email address
  • Phone number
  • Accessibility information
  • Field of study

Information collected from corporate partners or contractual partners:

  • Contact person’s name, vendor’s name
  • Email address
  • Phone number
  • Dietary requirements, organization, and allergies. In some cases, personal identification number (Finnish ID number).

Information necessary for restaurant sales and event space rental:

  • Name
  • Email address
  • Billing address
  • Allergy information
  • Business ID (Y-tunnus)

The following information is recorded in the key management register:

  • Key holder’s name
  • Information about the spaces for which the key holder has access

Information collected for event announcements:

  • Date and location
  • Contact details of participants
  • Contact details of witnesses

Information collected during ticket sales:

  • Name
  • Email
  • Phone number

Collection of Personal Data

Personal data is collected directly from the student or service user, or from the representative of a partner organization.

Disclosure and Transfer of Personal Data

As a general rule, data is not disclosed in an identifiable form.

Data is stored for as long as necessary to perform the service or activity, after which any data not included in archived material is destroyed.

Storage of Personal Data

Personal data of individuals participating in training and other free events is retained until the organization of the training or event is completed. Necessary personal data may be kept for as long as required after the event has concluded.

Data of partners and contractual partners are kept for the duration of the contract period. Additionally, proof and invoicing data are retained for 6 years in accordance with accounting laws.

Data collected in relation to restaurant sales and facility rental activities are retained for the duration of the contract. Proof and invoicing data are also retained for 6 years according to accounting laws.

Data stored in the key management register are kept for the duration of the contract.

Event registrations are retained for two years from the end of the calendar year in which they were created. They are destroyed within one month after the retention period ends.

Contact Person:

Venue Manager

venuemanager@ilokivi.fi

Job Applicants

Purpose of Processing

We process applicants’ personal data during the recruitment process, for purposes such as reviewing job applications, informing applicants about the progress of the recruitment process, arranging interviews, and assessing professional or personal suitability.

Legal Basis for Processing

The legal basis for processing personal data is the execution of pre-contractual measures based on your request by applying.

In certain circumstances and to the extent permitted by applicable law, we may also process personal data based on consent provided for reliability assessments or background checks.

Description of Data Subject Groups and Categories of Personal Data

We collect and process contact information and job application details provided by job applicants in their applications.

Collection of Personal Data

Personal data is primarily collected from the applicant themselves.

Disclosure and Transfer of Personal Data

We may disclose personal data to third parties to the extent permitted and required by law, or when our partners process personal data on our behalf and under our instructions (e.g., outsourced payroll services). Additionally, data may be disclosed with the applicant’s consent to parties specified in the consent, such as referees.

Retention of Personal Data

We retain personal data only for as long as necessary to fulfill the purposes outlined in this notice.

Personal data may also be retained to the extent necessary after the recruitment process concludes, as permitted or required by applicable law.

Data will be deleted when its retention is no longer necessary for compliance with legal requirements or for the realization of the rights or obligations of either party.

Contact Person

Contact details provided in the job advertisement.

Principles of Register Security

The data in the register is stored in databases protected by firewalls, passwords, and other necessary technical measures, such as encryption.

Access to systems containing personal data of students or our stakeholders is restricted to designated employees of the Student Union of the University of Jyväskylä, who need such access to perform their duties. All employees have ongoing access to guidelines for the secure and lawful handling of personal data and other information entrusted to us.

Paper-based and digital materials are disposed of securely to ensure data protection.

Risk Management for Data Subjects

Efforts are made to minimize risks to data subjects in the processing of personal data. Risk management measures include regular risk assessments and impact assessments related to personal data processing.

In the event of a data breach, the controller will urgently assess and mitigate potential risks to the data subject. If it is likely that the breach poses a high risk to the data subject’s rights and freedoms, the controller will notify the data subject of the breach.

Data Subject Rights and How to Exercise Them

Individuals have certain rights regarding the personal data we process. This section provides a general overview of those rights. Exceptions to these rights may apply depending on the legal basis for the processing. Details about such exceptions can be found in the descriptions of specific groups of individuals earlier in this document.

If you wish to exercise your rights, please contact the designated contact person mentioned at the beginning of this statement. To expedite the process, specify whether you are a student, a resident in one of our rental properties, or if your request concerns participation in events or services at the Student Union building. If your request pertains to a specific period, providing these details will significantly speed up the process. Supplying identifiers such as your student number or other relevant details can also facilitate a quicker response.

Rights can generally be exercised free of charge once per calendar year. If multiple requests are made by the same individual within a calendar year, an administrative fee may be applied based on the scope of the request. You will be informed of the estimated cost in advance.

Right to Access Personal Data
Data subjects have the right to obtain a copy of their personal data in a commonly used electronic format and review their information.

Right to Rectification
Data subjects have the right to have inaccurate or incorrect data rectified. This right can be exercised by notifying the data controller and providing the correct information. Individuals can request the correction of inaccurate or incomplete data.

Right to Erasure
Anyone has the right to request the deletion of their data. Deletion can be carried out, for example, in the following cases:

  • You withdraw your consent, and there is no other basis for processing the personal data.
  • You object to the processing of your personal data, and there is no overriding reason to continue processing.

Outdated and unnecessary data is automatically removed whenever possible, without requiring a separate request. However, personal data processed for contractual or billing purposes may need to be retained in compliance with accounting laws or other legal obligations.

Right to Restrict Processing
Data subjects have the right to request the restriction of processing their personal data. This applies, for example, in cases where there is uncertainty regarding the accuracy or lawfulness of the data processing, but retaining the data is necessary to resolve the uncertainty. However, the right to restrict processing does not apply in cases where the law requires data retention. For example, accounting laws mandate retaining financial records for 10 years.

Right to Object
Data subjects have the right to object to the processing of their personal data if it is being processed based on our legitimate interests or for tasks in the public interest (e.g., scientific or historical research, statistical purposes, or direct marketing).

Right to Data Portability
In certain situations, data subjects have the right to transfer the data they have provided to another system. This applies when the processing of personal data is based on consent or a contract. If we cannot transfer personal data automatically, you have the right to receive the data you have provided in a machine-readable format to enable further transfer.

Automated Decision-Making and Profiling
In digital service channels, data provided by the data subject may be automatically assessed, for example, to verify eligibility for a contract.

When automated processing and related decision-making are used, the data subject has the right to object if the procedure is not essential for entering into or executing a contract. In such cases, data subjects will be informed about alternative ways to proceed with their matters through other channels.

Right to Withdraw Consent
Data subjects have the right to withdraw their consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. Withdrawal of consent will not impact the quality or content of the services we provide.

Right to File a Complaint with a Supervisory Authority
If a data subject believes that their data has been processed improperly or unlawfully, we encourage contacting us first so that we can address the issue together. If our response is not satisfactory, you also have the right to lodge a complaint with the relevant supervisory authority.

We encourage you to always contact us first to help resolve any issues as quickly as possible.

Office of the Data Protection Ombudsman

The Data Protection Ombudsman is the national supervisory authority in Finland responsible for monitoring and ensuring compliance with data protection laws. If you believe that your personal data has been processed unlawfully or improperly, you have the right to file a complaint with the Data Protection Ombudsman.

Contact details for the Data Protection Ombudsman:

  • Website: www.tietosuoja.fi
  • Email: tietosuoja@om.fi
  • Postal Address:
    Data Protection Ombudsman
    P.O. Box 800
    00521 Helsinki
    Finland

The Ombudsman can help resolve disputes regarding the processing of personal data and provide guidance on your rights.

Data Transfers and Disclosures

The subcontractors we use are always committed to processing data only according to our instructions and for the purposes we have defined. All subcontractors are contractually obligated to this, as well as to maintain confidentiality regarding the personal data they process on our behalf.

Data is not generally disclosed outside of JYY.

If data is transferred to third countries, this will be communicated at the time of data collection. Data processing may involve systems or cloud services that store data outside the EU. If data is transferred outside the European Union or the European Economic Area, such a transfer requires that the country in question ensures an adequate level of data protection, or the data controller provides sufficient safeguards regarding the privacy and rights of individuals through contractual clauses or other means, or the data subject has given explicit consent to the transfer. Transfers to the United States are based on the European Commission’s decision on the adequacy of data protection under Article 45 of the GDPR and the Privacy Shield agreement.

Changes to the Privacy Policy

We update the privacy policy as necessary. If the changes are significant, we aim to inform the individuals affected directly. Any questions or inquiries regarding the privacy policy can be sent to the Data Controller, whose contact details are provided at the beginning of this document.

This policy supersedes any previous privacy policies of the organizations and companies mentioned earlier and was last updated on November 4, 2024.

Note: This translation is provided for informational purposes only. The content has not been legally reviewed, and the official document is the one in the original language.

In Jyväskylä, 18.11.2024