Home Privacy policy Privacy notice: Access control

Privacy notice: Access control

Privacy notice: Access control: joint informative document for data subjects (Articles 13 and 14 of the General Data Protection Regulation [2016/679]).

Purposes of processing personal data

Enabling access control in HAMK Ltd’s premises.

Working hour records will be used for salary payment and for supervising the compliance with the Working Hours Act.

Legal basis for processing

The basis for processing personal data is the legitimate interest (employment relationship, right to study, HAMK partnership) of the data controller. Main legal instruments include the Finnish Employment Contracts Act, Working Hours Act, Annual Holidays Act, Universities of Applied Sciences Act, Government Decree on Universities of Applied Sciences and bilateral partnership agreements.

Personal data content and retention periods of the register

Personel:

Data category name	Retention period
Name	5 years after the termination of the employment relationship
Personal identifier	5 years after the termination of the employment relationship
Job title	5 years after the termination of the employment relationship
Department	5 years after the termination of the employment relationship
Company	5 years after the termination of the employment relationship
Unit	5 years after the termination of the employment relationship
Supervisor	5 years after the termination of the employment relationship
Microsoft account ID	5 years after the termination of the employment relationship
Access control number	5 years after the termination of the employment relationship
PIN code	5 years after the termination of the employment relationship
Access right areas	5 years after the termination of the employment relationship
Working hour calendar	5 years after the termination of the employment relationship
Access badge use	5 years after the termination of the employment relationship
Working hour records data (timestamps)	5 years after the termination of the employment relationship

Students:

Data category name	Retention period
Name	1 year after the termination of the right to study
Student number	1 year after the termination of the right to study
Degree programme	1 year after the termination of the right to study
Company	1 year after the termination of the right to study
Unit	1 year after the termination of the right to study
Start group	1 year after the termination of the right to study
Microsoft account ID	1 year after the termination of the right to study
Access control number	1 year after the termination of the right to study
PIN code	1 year after the termination of the right to study
Access right areas	1 year after the termination of the right to study
Access badge use	1 year after the termination of the right to study
Working hour records data (timestamps)	1 year after the termination of the right to study

Others:

Data category name	Retention period
Name	1 year after the termination of the partnership
Company	1 year after the termination of the partnership
Unit	1 year after the termination of the partnership
Access badge requester	1 year after the termination of the partnership
Access control number	1 year after the termination of the partnership
PIN code	1 year after the termination of the partnership
Access right areas	1 year after the termination of the partnership
Access badge use	1 year after the termination of the partnership

Data subjects

The register contains the following:

students of Häme University of Applied Sciences (HAMK) and Häme Vocational Institute (HAMI)
personnel of HAMK and HAMI
collaboration partners to the extent they have requested access rights to the premises of Häme University of Applied Sciences Ltd.

Regular sources of data

Data is obtained from HAMK and HAMI person management systems, the student register and from the person him/herself.

Regular disclosures of data

No data is disclosed to third parties.

Principles of data protection of the register

A Manual material

Working time data may also be processed in printed form in connection with salary payment and tracking.

B Data processed through automated data processing

Data is stored in an information system. Users can see and make correction suggestions to their working hour records (timestamps).

Access is granted only to those persons who are entitled to access and use the data in the system in order to perform their duties.

The lawful processing of personal data is ensured by categorisation of data and with operating methods that are in compliance with the data handling rules concerning data set.

Automated decision-making

No automated decision-making is performed on the recorded data.

Transfer of data outside the EU or EEA

No data is transferred outside the EU or EEA.

Rights of the data subject

The EU General Data Protection Regulation (2016/679) provides the data subject with the following rights:

The data subject shall have the right to withdraw his or her consent at any time. (Article 7)

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. The data subject shall have the right to access to the personal data concerning him or her. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the data controller may charge a fee or refuse to act on the request. (Article 12 and Article 15)

The data subject shall have the right to obtain from the data controller the rectification of inaccurate personal data concerning him or her contained in the register (Article 16). A request for rectification shall be submitted in writing. Persons in an employment relationship (with HAMK or HAMI) are able to do rectification suggestions concerning their recorded working hours, which are then approved by their supervisor or salary administration personnel.

The data subject shall have the right to request the erasure of personal data concerning him or her where one of the following grounds applies (Article 17):

the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
the data subject objects to the processing, and there are no overriding legitimate grounds for the processing (Article 21);
the personal data have been unlawfully processed;
the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.

The data subject shall have the right to obtain restriction of processing where one of the following applies (Article 18):

the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where the processing is based on consent and carried out by automated means, the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a data controller, in a machine-readable format. (Article 20)

Requests to exercise these rights are to be submitted:

Häme University of Applied Sciences Ltd
Data protection officer
P.O. Box 230 (Visamäentie 35A)
FI-13101 Hämeenlinna, Finland

email: [email protected]. You can also send the message via secured e-mail https://www.securedmail.eu/ .

The data subject shall have the right to lodge a complaint with the Office of the Data Protection Ombudsman.