Skip to main content

Privacy notice - Tassu system

1. Data Controller   

Tampere University Foundation sr

FI-33014 Tampere University 
Kalevantie 4, 33100 Tampere, Finland

Business ID 2844561-8

2. Contact person  

Kirsi Viitanen

tel. +358 503009394
kirsi.viitanen [at] / tassu.tau [at]

3. Data Protection Officer

dpo [at]

4. Name of the register

Tassu system

5. Purpose of pro-cessing personal data
and the lawful basis for processing

Purpose of processing:

The processes of planning and forecasting the University’s projects and finances are managed by allocating persons to projects. Personal data is also processed to grant user rights to the Tassu system. Lawful basis for processing are 

  • Contract
  • Legitimate interests of the Data Controller.

The legitimate interests: As set out in Section 51 of the Finnish Universities Act (558/2009), higher education institutions are expected to provide the Ministry of Education and Culture with data relating to education and research for assessment, development and statistical purposes as well as other data that is needed for monitoring and oversight purposes as decided by the Ministry.  
For administrative purposes, personal data is transferred within the organisation. The Data Controller has a duty to prepare reliable financial forecasts and reports. 

6. Contents

Data pertaining to a person’s employment contracts: name, staff number, email address, code and name of organisational unit, job title, code and name of cost centre, start and end dates of employment contract, supervisor, job demands level. Information about a person’s personal performance level is not stored in the system. 

Data pertaining to a person’s project activities: participation and role in projects, allocation of tasks and salary costs to project forecasts.

7. Sources of information

The personal data stored in the system is provided by data subjects (employment contract). 
Personal data, employment records and information about a person’s supervisor are retrieved from the Mepco system. 
Organisational data and project records are retrieved from SAP.
All data is delivered to the system supplier through the University’s integration services. 

8. Regular disclosure of data and recipients

Regular disclosure of data to third parties:
The personal data stored in the system is not disclosed to third parties. Data stored in the system may be disclosed to financial auditors for auditing purposes. 

The Data Controller has signed a contract to outsource processing activities. The information system has been purchased as a SaaS service from Keto Software Oy. The University has signed a separate data processing agreement with the supplier.

9. Transfer of data outside the EU/EEA

Data stored in the system is not transferred to a third country or an international organisation located outside the EU/EEA.

10. Data protection principles

Data is only stored in an electronic format in the system. Data is encrypted whilst it is being transferred across the internet. Data is not collected any-where. Access to personal data is only needed for the purposes of allocating resources to ongoing projects and granting user rights.
Data is hosted on servers located in secure premises that are equipped with access control and security systems. 
Access to the database is strictly limited with the help of network technology and username/password authentication. The register is not maintained in the Tassu system. No archived versions are maintained. Access to personal data pertaining to others is limited only to those who require it for their professional roles. 

11. Data retention period or criteria for determining the retention period

 The retention period is specified in the University’s information management plan.

12. Existence of automated decision-making or profiling, the logic involved as well as the significance and the envisaged consequences for data subjects

The data stored in the register will not be used to carry out automated decision-making, including profiling.

13. Rights of data subjects

 Unless otherwise provided by data protection laws, data subjects have the following rights:

  • Right of access
    • Data subjects are entitled to find out what information the University holds about them or to receive confirmation that their personal data is not processed by the University.
  • Right to rectification
    •  Data subjects have the right to have any incorrect, inaccurate or incomplete personal details held by the University revised or supplemented without undue delay. In addition, data subjects are entitled to have any unnecessary personal data deleted.
  • Right to erasure
    • In exceptional circumstances, data subjects have the right to have their personal data erased from the Data Controller’s records (‘right to be forgotten’).
  • Right to restrict processing
    • In certain circumstances, data subjects have the right to request the University to restrict processing their personal data until the accuracy of their data (or the basis for processing their data) has been appropriately reviewed and potentially revised or supplemented.
  • Right to object
    • In certain circumstances, data subjects may at any time object to the processing of their personal data for compelling personal reasons.
  • Right to data portability
    • Data subjects have the right to obtain a copy of the personal data that they have submitted to the University in a commonly used, machine-readable format and transfer the data to another Data Controller.
  • Right to lodge a complaint with a supervisory authority
    •  Data subjects have the right to lodge a complaint with a supervisory authority in their permanent place of residence or place of work, if they consider the processing of their personal data to violate the provisions of the GDPR (EU 2016/679). In addition, data subjects may follow other administrative procedures to appeal against a decision made by a supervisory authority or seek a judicial remedy.
    • Contact information:
      Office of the Data Protection Ombudsman, PO Box 800, FI-00521 Helsinki, Finland tietosuoja [at]

Please deliver all subject access requests by email to the generic email address of Tampere University (tau [at] or

by post to the address: 
Tampere University
FI-33014 Tampere University, Finland

This privacy notice was updated on 17 November 2023