Data Protection Records
NB: This document is a translation from the original document. This translation is not binding; its purpose is only to explain the contents of the original document in English. In case there are any obscurities in the translation, please check the original document for correct and binding expressions. The original document can be found on the Finnish website of SYKETTÄ.
EU’s General Data Protection Regulation, Articles 12, 13 and 14
1. Controller of the register
The Student Union of the University of Eastern Finland (Itä-Suomen yliopiston ylioppilaskunta, [ISYY])
2. Representative of the controller
Secretary General Sanna Heinonen
3. Contact persons of the controller
Service Planner Niklas Leinonen, tel. +358 44 576 8418, email: firstname.lastname@example.org
Sports Coordinator Heli Aalto, tel. +358 44 576 8445, email: liikuntasuunnittelija@isyy.
4. Contact information of the Data Protection Officer
Data Protection Officer Helena Eronen, tel. +358 50 554 0000, email: email@example.com
5. Purpose of processing personal data
Personal data are processed in SYKETTÄ sports services for the following purposes:
- Management of user status
- Management of enrolments
- Marketing and informing about the services
- Sports instructing
- Compilation of statistics
- Monitoring and measuring the utilisation rate
- Monitoring and solving malpractices
- Verifying the rights to use the service
- Technical monitoring
- Upkeep of the contact details
- Monitoring the payment transactions
6. Legal basis of processing personal data
Processing of personal data is based on Article 6 or 9 of the General Data Protection Regulation:
☒ consent of the data subject
☒ implementation of the controller’s or third party’s legitimate rights. The legitimate right in question is customer relationship.
These can be found from EU’s General Data Protection Regulation, Article 6, paragraph 1, points a-f.
7. Categories of personal data and the data retention period
Personal data on the SYKETTÄ service
When registering in SYKETTÄ service, the following personal data is asked from the user:
- First name
- Last name
- User status (student, staff member, instructor)
- Organisation (University of Eastern Finland [UEF] or Karelia University of Applied Sciences [Karelia UAS])
- Email address
Personal data shall be maintained in SYKETTÄ system as long as the person in question is an active user of the services. Active user means a person to whom at least one of the following conditions applies:
- The person has a valid SYKETTÄ sticker
- The person has had a valid SYKETTÄ sticker for the two preceding semesters (from present). SYKETTÄ semesters are from the 1st of January to the 31st of August and from the 1st of September to the 31st of December.
- The person has a key fob to a SYKETTÄ sports facility
Personal data shall be deleted from the SYKETTÄ system, when none of the conditions mentioned above apply.
Personal data of Physical Activity Counselling
Customers of Physical Activity Counselling shall fill in by themselves an initial information form, which contains background information about exercising. The following personal data are filled by the customer:
- First name
- Last name
- Year of birth
- Phone number
- Email address
In addition, the customers shall fill background information form concerning their state of health and the amount and type of exercise. Forms shall be removed as the counselling period has ended.
8. Information systems that are used in processing
Personal data, that is collected in the SYKETTÄ system, are used in the following information systems:
- SYKETTÄ website and mobile app
- User register
- Google Drive
- Register of the granted key fobs
- Register of the granted free stickers
- Register of the sessions that are inspected by a SYKETTÄ inspector
9. Where is the personal data required in processing received from?
Does a data subject have a responsibility to deliver the required personal data?
Consequences if a data subject does not deliver the required personal data
A user shall register in the SYKETTÄ system by themselves with a student email address or staff member email address of the UEF or the Karelia UAS. Personal data are stored in the system in accordance with the registration. Providing the personal data is a prerequisite to use the services. Also, consent to processing personal data is asked along the registration.
The UEF students and staff members’ right to use the SYKETTÄ services can be checked from WebOodi or from a list of staff members that is delivered regularly for Sports Coordinator by UEF.
Customers of Physical Activity Counselling shall deliver the required personal data for the physical activity counsellor by themselves. Providing the personal data and background information is a prerequisite to participate in the Physical Activity Counselling.
Cookies are used in the following browser-based data processing systems: SYKETTÄ Joensuu
11. Regular transfers and disclosures
Personal data are disclosed regularly for the following parties:
Appliware Oy is an administrator of the SYKETTÄ mobile app and operates as a processor of the SYKETTÄ user register’s personal data. In order to guarantee the operational reliability, Appliware Oy shall have access to all data in the SYKETTÄ system.
Co-operation companies that hold classes for SYKETTÄ customers
Co-operation companies that hold SYKETTÄ classes operate also as processors of the SYKETTÄ user register’s personal data. Disclosure of the personal data concerns those users, who have enrolled for a class that is held by a co-operation company. Disclosure is made so that the instructor of the class can verify the participants to the SYKETTÄ system. Participating in the classes is monitored to prevent malpractices of the services.
Hurja Solutions Oy
Hurja Solutions Oy is an administrator of the SYKETTÄ website and operates as a processor of the SYKETTÄ user register’s personal data. In order to guarantee the operational reliability, Hurja Solutions Oy shall have access to all data in the SYKETTÄ system.
Student Union of the Karelia University of Applied Sciences, POKA
Student Union of the Karelia University of Applied Sciences, POKA, operates as a processor of the SYKETTÄ user register’s personal data. SYKETTÄ stickers are sold and key fobs are granted at POKA’s offices, and in addition there is a SYKETTÄ staff member on the payroll of POKA.
Student Union of the Savonia University of Applied Sciences, SAVOTTA
Student Union of the Savonia University of Applied Sciences, SAVOTTA, operates as a processor of the SYKETTÄ user register’s personal data. When a person, who has registered in the SYKETTÄ Joensuu website and purchased a valid SYKETTÄ sticker, wants to cross-use the services in Kuopio, the person has to first activate the cross-usage to Kuopio campus on their own user profile. After this, the person’s data transfers from their user profile into the user register of SYKETTÄ Kuopio. Thus the person can be given access to SYKETTÄ services in Kuopio.
Terveystalo, Finnish Student Health Service (FSHS), student health service of the Karelia University of Applied Sciences
Customers coming to the Physical Activity Counselling are sent to the physical activity counsellor through Terveystalo, FSHS and the student health service of the Karelia University of Applied Sciences. After the Physical Activity Counselling, information concerning the success and implementation of the Physical Activity Counselling is disclosed to the above-mentioned parties. Customer’s consent for sending the information is asked.
University of Eastern Finland (UEF)
When a staff member of the University of Eastern Finland buys a SYKETTÄ sticker, their right to use the Aurora’s gym is activated in their key fob. In case a staff member buys a SYKETTÄ sticker online, they can ask the Facilities Management to activate the their right to use the Aurora’s gym without having to inform ISYY about buying the sticker.
12. Data transfer or disclosure to outside EU or EEA and the legitimate grounds for such actions
Personal data on the SYKETTÄ website and mobile app shall not be transferred to outside EU or EEA. Personal data located in Google Drive are transferred to outside EU. Google obeys the standard contractual clauses of the European Commission in guaranteeing the required level of data protection, when personal data are transferred to outside EU. ISYY has agreed to EU’s standard contractual clause in the legal clauses of its contract’s data protection with Google.
13. Principles of protecting personal data
Protecting personal data on the SYKETTÄ website
Access to personal data on the SYKETTÄ website has been restricted to only include following people:
- Inspector (valvoja)
- Instructor (ohjaaja)
Access to personal data have been given for the staff members in accordance with their tasks and responsibilities. Instructor can inspect personal data only for the part of those classes, in which the person in question has been marked as the instructor of the class.
SYKETTÄ website is protected with an SSL Certificate. It is not possible to register in the website without a valid email address of UEF or Karelia UAS.
Protecting personal data in Physical Activity Counselling
Customers’ personal data and background information concerning Physical Activity Counselling are stored as paper versions in a locked room for the period of counselling. Only the physical activity counsellors and SYKETTÄ staff members have access to this locked room.
14. Automated decision-making
Automated decisions shall not be made.
15. Rights of a data subject
As a data subject you have the right to:
- Inspect your data
- Claim for rectification of your data
- Claim for erasure of your data
- Claim for restriction of processing
- Object processing
- Request for transferring your personal data from the controller to another controller
- Withdraw your consent, if the processing of the personal data is based on the consent given by you
As a data subject you may use the above-mentioned rights by contacting the Data Protection Officer of the Student Union.
A data subject has the right to make a complaint to the Office of the Data Protection Ombudsman, in case the data subject deems that the valid data protection legislation has been violated in processing the personal data concerning the data subject.
Advice and instructions in matters related to the rights of data subject are given by the Data Protection Officer, contact information in section 4.