Privacy state­ment: applicant register

Proces­sing of perso­nal data of student applicants (Applicant Regis­ter (Karelia Univer­sity of Applied Sciences) / Higher Educa­tion Applica­tion Regis­ter (Finnish Natio­nal Board of Educa­tion, OPH)),

DATA PROTECTION NOTICE. EU Data Protec­tion Regu­la­tion 679/2016, Data Protec­tion Act (1050/2018)

Updated 12.2.2024

1. Contact details of the data controller

Karelia Univer­sity of Applied Sciences

Postal address: Tikka­rinne 9, 80200 Joensuu Finland

tel. +35813260600, email: info(at)

2. The person in charge of the controller

Presi­dent / CEO of the Karelia UAS

3. Person respon­sible for the applicant register

Head of Student Services Pirjo Uusoksa, +358 50 310 9541, email: pirjo.uusoksa(at), Tikka­rinne 9, 80200 Joensuu Finland.

4. Contact persons regar­ding the applicant register

Applica­tion coor­di­na­tors Kirsi Kukko­nen, +358 50 408 8429, and Auli Karja­lai­nen, +358 50 361 1871.  Email: admissions(at) Tikka­rinne 9, 80200 Joensuu Finland.

5. Contact details of data protec­tion officer

Karelia Ammat­ti­kor­kea­koulu Univer­sity of Applied Sciences, Data protec­tion officer, Tikka­rinne 9, 80200 Joensuu, +358 50 525 0623, email: tietosuoja(at)

6. Purpo­ses of the proces­sing of perso­nal data

Students are selec­ted accor­ding to the selec­tion method speci­fied in the selec­tion crite­ria. The selec­tion methods include certi­ficate selec­tion, natio­nal entrance exams, Karelia’s own entrance exams, selec­tion courses, pre-selec­tion tests and interviews.

People applying to become a student fill in the applica­tion in the common applica­tion system Opin­to­polku (, where perso­nal data is proces­sed during the applica­tion / selec­tion process. The perso­nal data of the applicants is proces­sed in the applicant regis­ter in order to ensure a selec­tion process in line with the selec­tion crite­ria. The proces­sing of perso­nal data ensures the legal protec­tion of applicants and the imple­men­ta­tion of the official data collec­tion by the higher educa­tion insti­tu­tion. Perso­nal data of applicants are proces­sed by the UAS in order to carry out the tasks assig­ned to the UAS. The proces­sing of perso­nal data ensures that applicants are treated fairly in the selec­tion process.

When a student is selec­ted as a student, he or she accepts a place in Opin­to­polu and regis­ters for the acade­mic year in the OILI service main­tai­ned by CSC- tieteen tieto­tek­niik­ka­kes­kus Oy (CSC), from where the data of applicants accep­ted as students are trans­fer­red to Karelia Univer­sity of Applied Sciences’ Winha student mana­ge­ment system as students.

OILI is a student regi­stra­tion and semes­ter regi­stra­tion service for higher educa­tion insti­tu­tions, where students who have been admit­ted to higher educa­tion in the joint higher educa­tion entrance exami­na­tion can regis­ter elect­ro­nically as a student at a higher educa­tion insti­tu­tion. A higher educa­tion insti­tu­tion can also use OILI to accept applica­tions from conti­nuing students.

7. Desc­rip­tion of cate­go­ries of data subjects and cate­go­ries of perso­nal data

The regis­ter inclu­des those who have applied or enrol­led as a student at Karelia UAS.

For those who have applied through, the following infor­ma­tion is available:

  • applicant details: first name, surname, social secu­rity number/date of birth, learner’s natio­nal iden­ti­fica­tion number (OID),
  • contact details, data release authorisations,
  • educa­tio­nal background, work experience,
  • applica­tions, test scores, selec­tion results, test answers,
  • special arran­ge­ment docu­ments, admis­sion infor­ma­tion, enrol­ment information.

The data of applicants to the Open Univer­sity of Applied Sciences and specia­li­sed trai­ning courses are desc­ri­bed in the privacy policy of Sole­novo Ltd’s Meer­kado system (, which can be found at

The data of exchange student applicants is desc­ri­bed in the Karelia Exchange Privacy Policy.

8. Legal basis for proces­sing perso­nal data

The legal basis for proces­sing perso­nal data is the perfor­mance of a task in the public inte­rest, the exercise of public autho­rity, the perfor­mance of a statu­tory task (the Univer­sity of Applied Sciences Act and Decree), and the consent of the data subject (in the service).

9. Grounds for provi­ding perso­nal data

The perso­nal data are neces­sary for the perfor­mance of the controller’s tasks mentio­ned in section 8. The regular data sources are desc­ri­bed as follows.

The student regis­ter of the Student Admi­ni­stra­tion System is updated with infor­ma­tion from the Student Pathway regis­ter of the joint applica­tion system for higher educa­tion insti­tu­tions, applica­tions from students outside the joint applica­tion and with­drawal noti­fica­tions. The semes­terly student attendance/absence data is 1) updated in the system based on the student’s enrol­ment data via the Student Mana­ge­ment System web inter­face, 2) updated by the acade­mic advisor in accor­dance with the rele­vant decision.

The applicant regis­ters his/her details when filling in the applica­tion form. The grading data for matricu­la­tion exami­na­tions are obtai­ned from the Board of Matricu­la­tion Exami­na­tions. For those who have applied for exchange student status, the person themselves.

10. Legi­ti­mate inte­rests of the controller

Not to be used in this context

11. Safety of proces­sing perso­nal data

After the expiry of the storage period, the prin­touts are secu­rely destro­yed. The mate­rial is stored in a locked room.

The data is stored in a compu­ter system or on a secure network drive. Users have perso­nal user IDs for the system. Access to and use of data on the system or on the network drive is restric­ted to those persons who are autho­ri­sed to do so for their work.

The lawful proces­sing of data is ensured by clas­si­fying the data and by opera­ting in accor­dance with the rules on the proces­sing of data files.

For confi­den­tial messa­ges, secure email is used.

12. Reci­pients or cate­go­ries of reci­pients of perso­nal data

Selec­ted students: in the OILI service, Tieteen tieto­tek­nii­kan keskus Oy, CSC, is the proces­sor of perso­nal data. Please see the CSC’s expla­na­tion of the proces­sing of perso­nal data via the following link

Data from the applicant regis­ter may be disclo­sed for research purpo­ses through the research autho­ri­sa­tion procedure.

13. Trans­fer of perso­nal data outside the Euro­pean Union (EU/EEA)

No infor­ma­tion is trans­fer­red outside the EU/EEA.

14. Reten­tion period of perso­nal data

The archi­ving and dele­tion of data from the system is gover­ned by the Karelia Univer­sity of Applied Sciences archi­ving guidelines.

15. Rights of the data subject

The EU General Data Protec­tion Regu­la­tion (2016/679) gives data subjects the following rights:

Right to with­draw consent

The data subject has the right to with­draw consent at any time (Article 7).

Right of access to your data

The data subject has the right to obtain confir­ma­tion from the cont­rol­ler that perso­nal data concer­ning him or her are being proces­sed. The data subject has the right of access to his or her data. Access may be subject to a fee or refused if the requests are mani­festly unfoun­ded or exces­sive, in particu­lar if they are repea­ted (Articles 12 and 15).

Right to rectification

The data subject has the right to obtain the recti­fica­tion of inaccu­rate infor­ma­tion contai­ned in the regis­ter (Article 16). The request for recti­fica­tion is made in writing. A person applying through the Study Path can correct his/her contact details during the applica­tion period.

Right to erasure

Data subjects have the right to request the erasure of their perso­nal data if one of the following condi­tions is met (Article 17):

  • the perso­nal data are no longer neces­sary for the purpo­ses for which they were collec­ted or otherwise processed,
  • the data subject with­draws consent or there is no other lawful basis for the processing,
  • the data subject objects to the proces­sing and there is no legi­ti­mate ground for the proces­sing (Article 21),
  • the perso­nal data have been unlaw­fully processed,
  • the perso­nal data must be erased in order to comply with a legal obli­ga­tion under Union or Member State law to which the cont­rol­ler is subject.

Right to restric­tion of processing

  • The data subject has the right to restric­tion of proces­sing if one of the following applies (Article 18):
  • the data subject contests the accu­racy of the perso­nal data, in which case the proces­sing is limited to a period of time during which the cont­rol­ler can verify the accu­racy of the data,
  • the proces­sing is unlaw­ful and the data subject objects to the erasure of the perso­nal data and requests instead the restric­tion of their use,
  • the cont­rol­ler no longer needs the perso­nal data concer­ned for the purpo­ses of the proces­sing, but the data subject needs them for the establish­ment, exercise or defence of legal claims,
  • the data subject has objec­ted to the proces­sing of perso­nal data pursuant to Article 21, pending veri­fica­tion of whether the controller’s legi­ti­mate grounds over­ride those of the data subject.

The right to trans­fer data from one system to another

The data subject has the right to obtain in a machine-readable form perso­nal data rela­ting to him or her which he or she has provi­ded to the cont­rol­ler, where the proces­sing is based on consent and is carried out auto­ma­tically (Article 20).

The infor­ma­tion recor­ded in the user regis­ter will be correc­ted to be up-to-date, as decla­red by the person concer­ned. The correc­tion of the data is carried out by the system admi­ni­stra­tor. It is the respon­si­bi­lity of the admi­ni­stra­tor, teac­hers and secre­ta­ries to correct any errors that they them­sel­ves discover.

16. Auto­ma­ted deci­sion making and profiling

Not in use.