Privacy notice - facilities management, access management, key control and video surveillance
The University of Tampere and Tampere University of Technology have merged to create the new Tampere University on 1 January 2019. Together, the new Tampere University and Tampere University of Applied Sciences comprise the Tampere higher education community (hereinafter the “Community”).
Facilities management, access management, key control and video surveillance
The University of Tampere and Tampere University of Technology were merged on 1 January 2019 to create the new Tampere University. Together the new Tampere University (Tampere University Foundation sr) and Tampere University of Applied Sciences Ltd comprise Tampere Universities.
Why we process personal data
Tampere Universities maintain a range of facilities-related functions, such as building maintenance and repair services, security services, room booking services, parking services, information desk services and AV support.
Tampere Universities manage access to the campus premises and maintain video surveillance systems to protect property, prevent misuse and criminal activities, investigate any offences and misuse that have taken place, and ensure the safety of staff and students.
The access management systems on campus collect and store data when individuals access the premises with their key card issued by Tampere Universities. The systems restrict the movement of unauthorised persons in the campus premises, ensure access to authorised persons and help to create and maintain a safe environment for studying, working and conducting research.
Lawful basis for processing personal data
We process personal data based on legal regulations and the legitimate interests of Tampere Universities. We have a duty to provide our students with a safe learning environment under the Finnish Universities Act and the Universities of Applied Sciences Act and our staff with a safe working environment under the Occupational Safety and Health Act (738/2002).
- Data subjects have provided their consent for processing their personal data as set out in the EU’s General Data Protection Regulation (GDPR; article 6, paragraph 1a).
- Processing is necessary to comply with the data controller’s legal obligation as set out in the EU’s General Data Protection Regulation (GDPR; article 6, paragraph 1c).
- Processing is necessary to perform a task carried out in the public interest or in the exercise of official authority as set out in the EU’s General Data Protection Regulation (GDPR; article 6, paragraph 1e).
- Processing is necessary for the purposes of the data controller’s legitimate interests as set out in the EU’s General Data Protection Regulation (GDPR; article 6, paragraph 1f).
- The EU’s General Data Protection Regulation (GDPR, EU 2016/679)
- Data Protection Act (1050/2018)
- Occupational Safety and Health Act (738/2002)
- Universities Act (558/2009)
- Universities of Applied Sciences Act (932/2014)
The types of personal data we process
- name and contact information
- date of birth
- personal identity number in case a key is issued to a person who is not a student or an employee at Tampere Universities
- staff photo
- job title
- phone number
- TUNI username
- office number
- key card log data
- key identifier
- validity period of employment contract/resource agreement
- validity period of right to study
- digital video recordings where persons caught on camera can be identified
- names and contact details of staff employed by companies operating on campus.
How we collect personal data
- For facilities management, access management and key control purposes data is retrievedfrom data subjects, the companies operating on campus as well as the HR systems and student information systems of Tampere Universities.
- As for key control, personal data is collected from the HR Services of Tampere Universities and/or the key issuance forms signed by individuals or their supervisors.
- As for video surveillance, data is retrieved from the footage recorded by digital security cameras that are installed in the campus premises or their immediate vicinity.
How we process your personal data
Your personal data stored in our information systems will only be processed for the purposes for which the data were initially collected. Personal data may also be used for statistical and research purposes. As a rule, personal data that is used for statistical or research purposes is anonymised so that individuals cannot be identified. All personal data will be stored in compliance with data protection requirements.
How long we retain your personal data
The retention periods of personal data and materials that are manually stored in our information systems are based on applicable legislation and our archive management policy/data management plan.
Personal data stored in the access management system will be deleted when a person returns his or her keys issued by Tampere Universities. Data stored in the access management system (log data) is retained for one year on average.
The retention period for the video recordings of coverage provided by security cameras depends on the capacity of the system. If there is reason to suspect misuse or that a crime has been committed, the data may be stored for as long as is necessary to investigate the suspicions.
Staff photos are automatically deleted no later than 92 days after the expiry of the related employment contract or resource agreement.
Information about license plate numbers is deleted after an individual’s parking contract ends.
Who we may share your data with
We do not regularly transfer data outside of Tampere Universities. Data stored in the system may be disclosed to the public authorities, for example, for the purpose of assisting in a criminal investigation.
Transfer of personal data outside of the EU/EEA
As set out in the data protection policy of Tampere Universities, we are committed to taking special data protection measures in the event that personal data is transferred outside of the EU or the European Economic Area (EEA) to countries that are not covered by the GDPR. Any transfers of personal data outside of the EU/EEA will be managed in strict compliance with the GDPR.
Rights of data subjects
Right of access (GDPR, Article 15)
You have the right to know what personal data we process and hold about you. Many of the University-provided information systems allow you to view the data that we have stored about you when you are logged in.
Right to rectification (Article 16)
You have the right to have any incorrect, inaccurate or incomplete personal details that we hold about you revised or supplemented without undue delay. You are also entitled to have any unnecessary personal data erased from our records.
Right to be forgotten (Article 17)
In certain circumstances, you have the right to have your personal data erased from our records. The right to erasure does not apply, if the processing is necessary for us to comply with our legal obligations or perform tasks carried out in the exercise of official authority.
Right to restrict processing (Article 18)
In certain circumstances, you have the right to request us to restrict processing your personal data until the accuracy of your data, or the lawful basis for processing your data, has been appropriately reviewed and potentially revised or supplemented.
Right to data portability (Article 20)
You have the right to obtain a copy of the personal data that you have submitted to the University in a commonly used, machine-readable format and transfer the data to another data controller. This right applies to situations where data is processed automatically on the basis of consent or contract.
This means that the right to data portability does not apply to data processing that is necessary for the performance of a task carried out in the public interest or to fulfil legal obligations imposed on the data controller. Consequently, this right does not generally apply to the higher education institution’s personal data registers.
Right to object (Article 21)
You may at any time object to the processing of your personal data for special personal reasons, if the basis for processing is a task carried out in the public interest, the exercise of official authority, or the higher education institution’s legitimate interests. After receiving such a request, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing your data.
Right to lodge a complaint with a supervisory authority (Article 77)
You have the right to lodge a complaint with a supervisory authority, if you consider that the processing of your personal data violates the provisions of the GDPR (2016/679). In addition, you may follow other administrative procedures to appeal against a decision made by a supervisory authority or seek a judicial remedy.
Office of the Data Protection Ombudsman
Street address: Lintulahdenkuja 4
Postal address: PO Box 800, FI-00531 Helsinki, Finland
Email: tietosuoja [at] om.fi
Switchboard: +358 2956 66700
Questions about data protection
You can view the personal data we hold about you by logging into many of the information systems owned or maintained by Tampere Universities. If the personal data we hold about you is incorrect, please request a correction by contacting our Facilities Management at tila-helpdesk [at] tuni.fi
Please deliver all subject access requests to the data protection officer of Tampere Universities (by email at dpo [at] tuni.fi or by post to the following address: Data Protection Officer, Tampere University, FI-33014, Tampere, Finland).
This privacy notice was updated on 16 November 2021.