Data protection and processing of personal data in UEF
Data protection is a fundamental right that safeguards the rights and freedoms of data subjects when personal data is processed. The purpose of data protection is to define when and on what conditions personal data can be processed.
The processing of personal data must always be based on law. The EU’s General Data Protection Regulation (2016/679, GDPR) becomes enforceable from 25 May 2018. The GDPR specifies and unifies the rules of personal data processing in the EU Member States. The requirements of the GDPR need to be observed in all processing of personal data: within processes, information systems and acquisitions.
The most important change introduced by the GDPR is accountability. In other words, it is not enough to merely comply with personal data legislation; we also need to be able to demonstrate this compliance through, for example, various documents.
The GDPR gives supervisory authorities more power, including the possibility to impose financial sanctions (fines) in case of negligence. For citizens, this means better informational self-determination.
Processing of personal data
Personal data refers to any information that can be traced, either directly or indirectly, to an identifiable person. For example, a person’s name, social security number, occupation, location data, email address, photograph, voice, IP address and even vehicle registration plate may constitute personal data which needs to be processed by taking the person’s privacy protection into consideration.
What changes with the GDPR?
The university is required to:
- process personal data only to the extent required by its activities
- carry out sufficient measures to comply with the GDPR (e.g. information security, access control, log files, data encryption, instructions, regulations, training, non-disclosure agreements)
- observe the requirements of the GDPR in both its current procedures and information systems, and in the planning of new ones
- make an assessment of personal data processing risks and, if necessary, carry out an impact assessment that charts potential risks posed by data processing on privacy, and measures that are necessary to minimise those risks
- uphold the rights of data subjects.
Data subjects have more and increasingly specific rights. Persons whose information is being processed are called data subjects.
Data subjects have the right, e.g., to:
- request information about whether and which of their information is being processed
- obtain this information in a transparent, easily understandable and accessible format
- demand the correction of their personal data
- be forgotten, i.e. be fully erased from the register (not applicable to statutory registers)
- object to their personal data being processed in certain situations.
To exercise his or her rights at the University of Eastern Finland, the data subject can make a request via the university’s e-Services (staff and students), via a form available on the university’s website, or by contacting the university’s Data Protection Officer.
The University of Eastern Finland respects the privacy of people and of the personal data it processes. In its privacy policy, the university commits to ensuring the privacy and information security of the personal data it processes. The university complies with the EU’s General Data Protection Regulation, Finnish legislation, and the regulations and guidelines issued by the authorities. The University of Eastern Finland makes information relating to the processing of personal data in its activities openly available.
Data Protection Officer
In accordance with the EU’s General Data Protection Regulation (GDPR), the university is required to appoint a data protection officer. The role of the data protection officer is to monitor conformity to law in the processing of personal data and to assist the university in fulfilling its obligations relating to data protection. The data protection officer serves as a point of contact for the supervisory authority, and as a source of support for staff members and data subjects in questions relating to the processing of personal data.