Skip to main content

Privacy notice - Study counselling psychology services

The University of Tampere and Tampere University of Technology were merged on 1 January 2019 to create the new Tampere University. Together the new Tampere University (Tampere University Foundation sr) and Tampere University of Applied Sciences Ltd comprise Tampere Universities.

Why do we process personal data

The study counselling psychologists at Tampere Universities maintain customer records that also include personal data. This data is processed to manage customer relationships. In addition, the records contain information about customer contacts and anonymised statistical data that is used to develop and monitor the quality of the services and activities of our study counselling psychologists.

Lawful basis for processing personal data

As healthcare professionals, our psychologists have a duty to adhere to the Act on Health Care Professionals, the Act on the Status and Rights of Patient, and the Decree on Patient Records when providing services to individual customers. Besides individual sessions, data may be recorded during group sessions with students’ consent.

Lawful basis for processing personal data:

  • Data subjects have provided their consent for processing their personal data as set out in the EU’s General Data Protection Regulation (GDPR; article 1, paragraph 1a).
  • Processing is necessary to comply with a legal obligation to which the data controller is subject as set out in the EU’s General Data Protection Regulation (GDPR; article 1, paragraph 1c).

Main regulations:

  • The EU’s General Data Protection Regulation (GDPR, EU 2016/679)
  • Data Protection Act (1050/2018)
  • Occupational Safety and Health Act (738/2002)
  • Universities Act (558/2009)
  • Universities of Applied Sciences Act (932/2014)
  • Act on the Status and Rights of Patients, section 13 (785/1992)
  • Health Care Act (1326/2010)
  • Act on the Electronic Processing of Client Data in Healthcare and Social Welfare (159/2007)
  • Act on Health Care Professionals (559/1994)
  • Decree on Patients Records issued by the Ministry of Social Affairs and Health (30.3.2009/289)

The types of personal data we process

Our study counselling psychologists process the following types of personal data: given name(s), family name, personal identity number, degree programme, year of enrolment, address, phone number, email address, information provided by a student when making an appointment, appointments and cancellations. In addition, the data they process includes information that is recorded by the psychologists during customer sessions about the guidance provided and related events as well as the psychologist’s summary, recommendations and statements. Assessment forms and the results of evaluations may also be processed in the context of providing services.

The study counselling psychologists maintain customer records of individual customer sessions and related activities, events and assignments. The records will often contain health data.

How we collect personal data

Personal data is collected from students. The psychologists maintain records of customer sessions and related events and activities. Information about any statements provided or evaluations carried out by other parties can be stored in the records with students’ consent.   

How we process your personal data

Your personal data stored in our information systems will only be processed for the purposes for which the data were initially collected. Personal data may also be used for statistical and research purposes. As a rule, personal data that is used for statistical or research purposes is anonymised so that individuals cannot be identified. All personal data will be stored in compliance with data protection requirements.

From the beginning of 2023, new customers' personal data, appointment-specific records and appointment information will be recorded in the Diarium customer information system produced by Nordhealth Finland Oy. The information entered into the system is stored on servers within Finland, and Nordhealth Finland Oy is responsible for Diarium's data protection and information security.

The study psychologist logs into the Diarium system with personal credentials. Main users of the system, who are study psychologists themselves, make sure that only employed study psychologists have active User IDs. Only study psychologists have access to customer data. The study psychologist responsible for the customer´s counselling, adds customer’s personal data in Diarium, using the data provided by the customer when booking an appointment. Information related to the client can only be read by the persons managing the customer, and in the case of the intern study psychologist's customers, also the study psychologist responsible for supervision. Viewing customer data always creates a log entry in the system, by monitoring the log data, the implementation of data protection is monitored.

The Diarium system used by study psychologists is not connected to the Kanta National health data records service, so the information cannot be seen in healthcare systems or the OmaKanta service.

For customers who started before 2023:

Customer records for the years 2019-22 are stored in a locked room. If customers have presented documents that they have previously received from other sources, only the necessary information has been included in the session records, and the original copies have been securely destroyed. All the materials will be kept strictly confidential. Notes have been securely disposed of. Information that must be stored is transferred to the University’s archives and stored in accordance with the data management plan. The materials will be securely destroyed as confidential waste after the retention period ends. Only study counselling psychologists are able to access customer records, including archived records. 

Electronic data about customers is stored in a password-protected network drive that only the relevant individual psychologist is able to access. Electronic materials that must be archived are printed out after the customer relationship ends, and the electronic copies are destroyed.  

Data will not be exported to the paper archive after the transition period of 2023, but in the future, all customer data will be recorded in the Diarium system.

How long we retain your personal data

The retention period for patient records created in the course of individual customer sessions is defined in the Decree on Patient Records issued by the Ministry of Social Affairs and Health (298/2009). Copies of any statements or recordings received from other healthcare units will be securely disposed of immediately after the necessary information has been stored in the patient records. 

No data that must be retained is generated during group sessions, and personal data will be deleted after the group session ends. Students who attend group sessions get to keep the group assignments and materials and are therefore free to manage their own information as they choose. Group participants are asked to provide feedback on the sessions. Feedback is processed anonymously.

Who we may share your data with

As a rule, personal data that is processed in the course of providing psychological services is not shared with any third parties.

Transfer of personal data outside of the EU/EEA

Personal data will not be transferred outside of the EU/EEA.

How we protect personal data

We process all personal data securely and in compliance with legal requirements. We have carefully assessed the potential risks associated with our processing activities and taken the necessary measures to control the risks.

Pre-appointment forms filled out by customers and notes taken by psychologists during customer sessions are stored in a locked room. If students present documents that they have previously received from other parties, only the necessary information will be included in the session records, after which the documents will be securely destroyed. All materials are kept strictly confidential.

Notes taken by psychologists will be securely disposed of. Data that must be stored about previous customers will be transferred to the University’s archives. This data will be stored in accordance with the data management plan and securely destroyed as confidential waste after the retention period ends. Only study counselling psychologists are allowed to process archived customer records.

Electronic data about customers is stored in a password-protected network drive that only the relevant individual psychologist is able to access.

Rights of data subjects

Right of access (GDPR, Article 15)

You have the right to know what personal data we process and hold about you.

Right to rectification (Article 16)

You have the right to have any incorrect, inaccurate or incomplete personal details that we hold about you revised or supplemented without undue delay. You are also entitled to have any unnecessary personal data erased from our records.

Right to be forgotten (Article 17)

In certain circumstances, you have the right to have your personal data erased from our records.

The right to erasure does not apply, if the processing is necessary for us to comply with our legal obligations or perform tasks carried out in the exercise of official authority.

Right to restrict processing (Article 18)

In certain circumstances, you have the right to request us to restrict processing your personal data until the accuracy of your data, or the lawful basis for processing your data, has been appropriately reviewed and potentially revised or supplemented.

Right to data portability (Article 20)

You have the right to obtain a copy of the personal data that you have submitted to the University in a commonly used, machine-readable format and transfer the data to another data controller. This right applies to situations where data is processed automatically on the basis of consent or contract.
This means that the right to data portability does not apply to data processing that is necessary for the performance of a task carried out in the public interest or to fulfil legal obligations imposed on the data controller. Consequently, this right does not generally apply to the higher education institution’s personal data registers.

Right to object (Article 21)

You may at any time object to the processing of your personal data for special personal reasons, if the basis for processing is a task carried out in the public interest, the exercise of official authority, or the higher education institution’s legitimate interests. After receiving such a request, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing your data.

Right to lodge a complaint with a supervisory authority (Article 77)

You have the right to lodge a complaint with a supervisory authority, if you consider that the processing of your personal data violates the provisions of the GDPR (2016/679). In addition, you may follow other administrative procedures to appeal against a decision made by a supervisory authority or seek a judicial remedy.

Office of the Data Protection Ombudsman

Street address: Lintulahdenkuja 4
Postal address: PO Box 800, FI-00531 Helsinki, Finland
Email: tietosuoja [at] om.fi (tietosuoja[at]om[dot]fi)
Switchboard: +358 2956 66700

Questions about data protection

If the personal data we hold about you is incorrect, please request a correction by contacting our study counselling psychologists at opintopsykologit.tau [at] tuni.fi (opintopsykologit[dot]tau[at]tuni[dot]fi)

Please deliver all subject access requests to the data protection officer of Tampere Universities (by email at dpo [at] tuni.fi (dpo[at]tuni[dot]fi) or by post to the following address: Data Protection Officer, Tampere University, FI-33014, Tampere, Finland).

This privacy notice was updated on 9 February 2023.