Data Protection Records
NB: This document is a translation from the original document. This translation is not binding; its purpose is only to explain the contents of the original document in English. In case there are any obscurities in the translation, please check the original document for correct and binding expressions. The original document can be found on the Finnish website of SYKETTÄ.
EU’s General Data Protection Regulation, Articles 12, 13 and 14
1. Controller of the register
The Student Union of the University of Eastern Finland (Itä-Suomen yliopiston ylioppilaskunta, ISYY)
2. Representative of the controller
Secretary General Anna-Kristiina Mikkonen
3. Contact persons of the controller
Juho Mutanen, tel. +358 50 346 9620, email: email@example.com
Heli Aalto, tel. +358 44 576 8445, email: liikuntasuunnittelija@isyy.
4. Contact information of the Data Protection Officer
Data Protection Officer Helena Eronen, tel. +358 400 581 776, email: firstname.lastname@example.org
5. Purpose of processing personal data
Personal data are processed in SYKETTÄ sports services for the following purposes:
- Management of user status
- Management of enrolments
- Marketing and informing about the services
- Sports instructing
- Compilation of statistics
- Monitoring and measuring the utilisation rate
- Monitoring and solving malpractices
- Verifying the rights to use
- Technical monitoring
- Upkeep of the contact details
- Monitoring the payment transactions
6. Legal basis of processing personal data
Processing is based on Article 6 or 9 of the General Data Protection Regulation (at least one basis).
EU’s General Data Protection Regulation, Article 6, paragraph 1, points a-f:
☒ consent of the data subject
☒ implementation of the controller’s or third party’s legitimate rights. What legitimate right is in question: customer relationship
7. Categories of personal data and the period for which the personal data will be stored
Personal data on the SYKETTÄ service
When registering in SYKETTÄ service, the following personal data is asked from the user:
- First name
- Last name
- User status (student, staff member, instructor)
- University or University of Applied Sciences
- Email address
Personal data shall be maintained in SYKETTÄ system as long as the person in question is an active user of the services. Active user means a person, for part of which at least one of the following conditions realises:
- The person has a valid SYKETTÄ sticker
- The person has had a valid SYKETTÄ sticker for the two preceding semesters (from present). SYKETTÄ semesters are from the 1st of January to the 31st of August and from the 1st of September to the 31st of December.
- The person has a key fob to a SYKETTÄ sports facility
Personal data shall be deleted from the SYKETTÄ system, when none of the conditions mentioned above realises.
Personal data in sports instructing
Customers of sports instructing shall fill in by themselves a paper initial information form, which includes background information concerning exercising. The following personal data are filled by customers in the form:
- First name
- Last name
- Year of birth
- Phone number
- Email address
In addition, the customers shall fill background information concerning state of health and exercising in the form by themselves. Forms shall be removed as the instructing period has ended.
8. Information systems that are used in processing
Personal data that is collected in the SYKETTÄ system are used in the following information systems:
- SYKETTÄ website and mobile app
- User register
- Google Drive
- Register of the granted key fobs
- Register of the granted free stickers
- Register of the sessions that are inspected by a SYKETTÄ monitor
9. Where is the personal data required in processing received from? Does a data subject have a responsibility to deliver the required personal data? Consequences if a data subject does not deliver the required personal data
A data subject shall log in the SYKETTÄ system by themselves with a student email address or staff member email address of University or University of Applied Sciences. Personal data are stored in the system in accordance with the login. Providing the personal data is a prerequisite to use the services. Consent to processing personal data is asked along the registration.
Right of the staff members and students of the University of Eastern Finland to use the services can be checked from WebOodi and from the list of staff members that is delivered regularly for a Sports Coordinator by the University.
Customers of sports instructing shall deliver the required personal data for the sports instructors by themselves. Providing the personal data and background information is a prerequisite to implement the sports instructing.
Cookies are used in processing of personal data:
☒ Yes, browser-based systems: SYKETTÄ
11. Regular transfers and disclosures
Personal data are disclosed regularly for the following parties:
Appliware Oy is an administrator of the SYKETTÄ mobile app and operates as a processor of the SYKETTÄ user register’s personal data. To guarantee the operational reliability, Appliware Oy shall have access to all data in the SYKETTÄ system.
Co-operation companies that hold classes for SYKETTÄ customers
Co-operation companies that hold SYKETTÄ classes operate also as processors of the SYKETTÄ user register’s personal data. Disclosure of the personal data concerns those users, who have enrolled for a class that is held by a co-operation company. Disclosure is made so that the keeper of the class can confirm the participants of the class in the SYKETTÄ system. Participating in the classes is monitored to prevent malpractices of the services.
Riku Jokinen is an administrator of the SYKETTÄ website and operates as a processor of the SYKETTÄ user register’s personal data. To guarantee the operational reliability, Jokinen shall have access to all data in the SYKETTÄ system.
Student Union of the Karelia University of Applied Sciences, POKA
Student Union of the Karelia University of Applied Sciences, POKA, operates as a processor of the SYKETTÄ user register’s personal data. SYKETTÄ stickers are sold and key fobs are granted at POKA’s offices, and in addition there is a SYKETTÄ staff member on the payroll of POKA.
Student Union of the Savonia University of Applied Sciences, SAVOTTA
Student Union of the Savonia University of Applied Sciences, SAVOTTA, operates as a processor of the SYKETTÄ user register’s personal data. When a person, that has registered in the SYKETTÄ Joensuu website and redeemed a SYKETTÄ sticker, wants to cross-use the services in Kuopio, the person has to first activate the cross-usage to Kuopio campus on their own user profile. After this, the person’s data transfers from their user profile into the user register of SYKETTÄ Kuopio. Thus the person can be given a SYKETTÄ sticker to the services of Kuopio.
Terveystalo, FSHS (YTHS), student health service of the Karelia University of Applied Sciences
Customers coming to the sports instructing are sent to the sports instructors through Terveystalo, FSHS and the student health service of the Karelia University of Applied Sciences. After the sports instructing, information concerning the success and implementation of the sports instructing is disclosed to the above-mentioned parties. Customer’s consent for sending the information is asked.
University of Eastern Finland
When a staff member of the University of Eastern Finland buys a SYKETTÄ sticker, right to use the Aurora’s gym is activated in their key fob. In case a staff member buys a SYKETTÄ sticker online, they can ask the Facilities Management for the right to use the Aurora’s gym without having to inform ISYY about buying the sticker.
12. Data transfer or disclosure to outside EU or EEA and the legitimate grounds for such actions
Personal data on the SYKETTÄ website and mobile app shall not be transferred to outside EU or EEA. Personal data located in Google Drive are transferred to outside EU. Google obeys the standard contractual clauses of the European Commission in guaranteeing the required level of data protection, when personal data are transferred to outside EU. ISYY has agreed EU’s standard contractual clause in the legal clauses of its contract’s data protection with Google.
13. Principles of protecting personal data
Protecting personal data on the SYKETTÄ website
Access to personal data on the SYKETTÄ website has been restricted to only for those persons, who have one of the following rights to use:
- Valvoja (monitor)
- Ohjaaja (instructor)
Rights to use have been given for the staff members in accordance with their tasks and responsibilities. Persons with the instructor status can inspect personal data only for the part of those classes, in which the person in question has been marked as the instructor of the class.
SYKETTÄ website has been protected with an SSL Certificate. It is not possible to register in the website without a valid email address of University or University of Applied Sciences.
Protecting personal data in sports instructing
Customers’ personal data and background information concerning sports instructing are stored as paper versions in a locked room for the period of sports instructing. Only the sports instructors and SYKETTÄ staff members have access to the locked room.
14. Automated decision-making
Automated decisions shall not be made.
15. Rights of a data subject
A data subject shall have the right to inspect the data that concern them. A data subject shall have the right to claim for rectification of their data. A data subject shall have the right to claim for erasure of their data. A data subject shall have the right to claim for restriction of processing. A data subject shall have the right to object processing. A data subject shall have the right to request for transferring their personal data from the controller for another. A data subject shall have the right to withdraw the consent they have given, in case processing the personal data is based on the consent the data subject has given. A data subject may use the above-mentioned rights by contacting the Data Protection Officer of the Student Union, email@example.com.
A data subject has the right to make a complaint to the Office of the Data Protection Ombudsman, in case the data subject deems that the valid data protection legislation has been violated in processing the personal data concerning the data subject.
Advice and instructions in matters related for the rights of data subject are given by the Data Protection Officer, contact information in section 4.