Data Protection Records
Student Union of Savonia University of Applied Sciences (SAVOTTA)
SYKETTÄ Kuopio Data Protection Records
NB: This document is a translation from the original document. This translation is not binding; its purpose is only to explain the contents of the original document in English. In case there are any obscurities in the translation, please check the original document for correct and binding expressions. The original document can be found on the Finnish website of SYKETTÄ.
EU’s General Data Protection Regulation, Articles 12, 13 and 14
1. Controller of the register
Student Union of Savonia University of Applied Sciences (SAVOTTA)
2. Contact person of the controller
Executive Director Juha Asikainen
Mobile: +35844 785 5058
3. Registry Title
SYKETTÄ – Kuopio University Sports services
4. Reasons for Data Processing
The retention and use of the register is to gather the information of the users of SYKETTÄ sport services for usage of the services of SYKETTÄ Universities’ of Kuopio.
Information of the user can be handled for the following purposes:
- maintenance and development of the customer relationship
- executing the sport services
- verification of the customer transactions relating to the user
- customer service and development of the sport services
- marketing (monthly SYKETTÄ newsletter)
- analyzing and statistics, monitoring and measuring the utilization rate
- to follow and to verificate misuse of the services
- management of user enrollments
- monitoring payment traffic
- maintenance of contacts
- other similar purposes
5. Legal basis for the processing of personal data
Processing is based on Articles 6 or 9 of the Data Protection Regulation (at least one argument)
EU General Data Protection Regulation, Article 6, point 1,subsections a – f:
☐ the implementation of the contract (in which the data subject is a party), the contract
☐ compliance with the statutory obligation of the controller
☐ vital interest of a registered person or another natural person
☐ exercise the authority of the public interest/controller
☐ information describing the position, tasks or treatment of a person
☐ public interest authority task
☐ scientific or historical research or statistics
☐ archiving research materials and heritage materials
☒ the legitimate interests of the controller or third party
What legitimate interest is in question: the customer relationship
6. Data content of the registry and storage time
The register contains the following information about the profile of the user:
Name (first and last), email address, phone number, type of user (student, staff, instructor), University, Field of study
If the registration is done before 8/2018: Name (first and last), date of birth, gender, email address, phone number, postal address, University, college education sector/unit/degree program, status higher education
Sports stickers: type of the sticker, date and time of the creation of the sticker, date and time of the payment, the information of who has confirmed the payment
Cross-use: city, where the user wants to cross-use the service
Physical activity: past and future physical activity events for which the user is enrolled in
Sanctions: exercise events for which the mover has enrolled, but does not have participated
Use bans: After two sanctions the user is momentarily banned from enrolling and participating events
Personal data will be kept in SYKETTÄ register for as long as the user is an active user. Active user means a person with whom one or more of the following conditions are met.
1) The person has a valid SYKETTÄ sticker
2) The person has had a valid SYKETTÄ sticker for two preceding semesters (from present). SYKETTÄ semesters are 1.1.-31.8. and 1.9.-31.12.
3) The person has a key fob to a SYKETTÄ sports facility
Personal data will be deleted from the SYKETTÄ system after none of the above conditions are met.
7. Regular sources of information
The information is provided by users themselves via SYKETTÄ registration form. The services can be used only after filling up the SYKETTÄ registration form via SYKETTÄ web page. Consent to the processing of personal data is asked at the time of registration.
At the ISYY office is a list of UEF staff members from where the right to use SYKETTÄ sticker is checked. A student’s degree leading to a degree in the college is checked from Oodi.
8. Processing information systems
Personal data, that is collected in the SYKETTÄ system, are used in the following information systems:
- SYKETTÄ website and mobile app
- User register
- Google Drive
- Register of the granted key fobs
- Register of the granted free stickers
- Register of the sessions that are inspected by a SYKETTÄ inspector
Cookies are used in the processing of personal data:
☒ Yes, Cookies are used in the browser-based information systems of data processing, SYKETTÄ Kuopio
10. Disclosure and transfer of information in the EU or European Economic Area
The information is collected only to be used by SYKETTÄ-staff. Personal information will never be disclosed to third parties. The information may be disclosed to police for example in case of a criminal investigation.
Regular disclosure of information and transfer of data outside the EU or the European Economic Area. The data will not be given or transferred outside of EU or economic region of Europe.
11. Regular transfers and disclosures
Personal data are disclosed regularly for the following parties:
1) Student Union of the Savonia University of Applied Sciences, SAVOTTA
Student Union of the Savonia University of Applied Sciences, SAVOTTA, operates as a processor of the SYKETTÄ user register’s personal data. At SAVOTTA’s payroll there is an SYKETTÄ employee. SAVOTTA’s employees have access to the personal data to the extent that their work duties require (for example, for collecting the sports fees).
2) Student Union of the Karelia University of Applied Sciences, POKA
Student Union of the Karelia University of Applied Sciences,POKA operates as a processor of the SYKETTÄ user register’s personal data in Joensuu. When a person, who has registered in the SYKETTÄ Kuopio website and purchased a SYKETTÄ sticker, wants to cross-use the services in Joensuu, the person has to first activate the cross-usage to Joensuu campus on their own user profile. After this, the person’s data transfers from their user profile into the user register of SYKETTÄ Joensuu. Thus the person can be given access to SYKETTÄ services in Joensuu.
3) Hurja Solutions Oy
Hurja Solutions Oy is an administrator of the SYKETTÄ website and operates as a processor of the SYKETTÄ user register’s personal data. In order to guarantee the operational reliability, Hurja Solutions Oy shall have access to all data in the SYKETTÄ system.
4) Co-operation companies that hold sport classes for SYKETTÄ customers
Co-operation companies that hold SYKETTÄ classes operate also as processors of the SYKETTÄ user register’s personal data. Disclosure of the personal data concerns those users, who have enrolled in a class that is held by a co-operation company. Disclosure of the information is made so that the instructor of the class can verify the participants to the SYKETTÄ system. Participating in the classes is monitored to prevent abuse of the services.
5) The student union of the University of Eastern Finland (ISYY)
The student union of the University of Eastern Finland operates as a processor of the SYKETTÄ user register’s personal data. At the ISYY’s payroll is an SYKETTÄ employee. ISYY’s employees have access to the personal data to the extent that their work duties require (for example, for collecting the sports fees).
6) Appliware Oy
Appliware Oy is an administrator of the SYKETTÄ mobile app and operates as a processor of the SYKETTÄ user register’s personal data. In order to guarantee the operational reliability, Appliware Oy shall have access to all data in the SYKETTÄ system.
12. Security of the data
Every person who has access to the database has a personal access right admitted by the registry owner (username and a password). Only the persons who need the personal information for their work have access to the database.
Different access rights
The access rights are granted based on the work duties of an employee. With instructor status the instructor can only see users who have enrolled in the classes they teach.
SYKETTÄ web site is protected by SSL certificate. It is not possible to sign in to the website without e-mail account from university.
13. Right of inspection
Every user has the right to know what personal data is recorded in the user register referred in this registration description. Everyone is also able to check that there is no data concerning them in this register. The data can be checked once in a year without a charge. A request for data check-up has to be signed and personally delivered or delivered in another secured manner to the address of the registry owner.
The data can also be checked by visiting the registry owner in person. There will be an ID check-up before any data is given. The right to check-up data can only be denied in a case of exception. If the right to check-up data is denied a written letter of denial will be given. The person in question has the right to contact the Data Protection Ombudsman who will settle the case: The Office of Data Protection Ombudsman, PL 315, 00181 HELSINKI.
A request for a revised decision concerning data can be done by sending it to the registry owner’s address or by visiting the office in person. The ID of the person will be checked.
If the correction of data is denied a written letter of denial will be given. The person in question has the right to contact the Data Protection Ombudsman who will settle the case: The Office of Data Protection Ombudsman, PL 315, 00181 HELSINKI.
14. Right to demand that information be corrected
SYKETTÄ Kuopio Universities’ sport services, supplies and deletes incorrect, unnecessary, defective and outdated data from the register.
A user has the right to request correction of his or her incorrect information if he or she has detected any errors in his or her information when checking their information or otherwise.
SYKETTÄ Kuopio Universities’ sport services must correct the incorrect information within three (3) months. If SYKETTÄ Kuopio Universities’ sport services refuses to repair the information, a written denial certificate will be issued to the user.
15. The right to be informed of the data breach against the controller
Without undue delay, SYKETTÄ Kuopio Universities’ sport services must inform the users of any security breach of the registry that violate SYKETTÄ user’s rights or freedoms.
16. The right to appeal to the Authority
Every user has a right to make a complaint to Data Protection Ombudsman, in cases the user suspects that the EU General Data Protection Regulation is violated. The person in question has the right to contact Data Protection Ombudsman who will settle the case: The Office of Data Protection Ombudsman, PL 315, 00181 HELSINKI.