Processing of personal data of student applicants (Applicant Register (Karelia University of Applied Sciences) / Higher Education Application Register (Finnish National Board of Education, OPH)), Opintopolku.fi
DATA PROTECTION NOTICE. EU Data Protection Regulation 679/2016, Data Protection Act (1050/2018)
Updated 12.2.2024
1. Contact details of the data controller
Karelia University of Applied Sciences
Postal address: Tikkarinne 9, 80200 Joensuu Finland
tel. +35813260600, email: info(at)karelia.fi
2. The person in charge of the controller
President / CEO of the Karelia UAS
3. Person responsible for the applicant register
Head of Student Services Pirjo Uusoksa, +358 50 310 9541, email: pirjo.uusoksa(at)karelia.fi, Tikkarinne 9, 80200 Joensuu Finland.
4. Contact persons regarding the applicant register
Application coordinators Kirsi Kukkonen, +358 50 408 8429, and Auli Karjalainen, +358 50 361 1871. Email: admissions(at)karelia.fi. Tikkarinne 9, 80200 Joensuu Finland.
5. Contact details of data protection officer
Karelia Ammattikorkeakoulu University of Applied Sciences, Data protection officer, Tikkarinne 9, 80200 Joensuu, +358 50 525 0623, email: tietosuoja(at)karelia.fi
6. Purposes of the processing of personal data
Students are selected according to the selection method specified in the selection criteria. The selection methods include certificate selection, national entrance exams, Karelia’s own entrance exams, selection courses, pre-selection tests and interviews.
People applying to become a student fill in the application in the common application system Opintopolku (Opintopolku.fi), where personal data is processed during the application / selection process. The personal data of the applicants is processed in the applicant register in order to ensure a selection process in line with the selection criteria. The processing of personal data ensures the legal protection of applicants and the implementation of the official data collection by the higher education institution. Personal data of applicants are processed by the UAS in order to carry out the tasks assigned to the UAS. The processing of personal data ensures that applicants are treated fairly in the selection process.
When a student is selected as a student, he or she accepts a place in Opintopolu and registers for the academic year in the OILI service maintained by CSC- tieteen tietotekniikkakeskus Oy (CSC), from where the data of applicants accepted as students are transferred to Karelia University of Applied Sciences’ Winha student management system as students.
OILI is a student registration and semester registration service for higher education institutions, where students who have been admitted to higher education in the joint higher education entrance examination can register electronically as a student at a higher education institution. A higher education institution can also use OILI to accept applications from continuing students.
7. Description of categories of data subjects and categories of personal data
The register includes those who have applied or enrolled as a student at Karelia UAS.
For those who have applied through Opintopolku.fi, the following information is available:
- applicant details: first name, surname, social security number/date of birth, learner’s national identification number (OID),
- contact details, data release authorisations,
- educational background, work experience,
- applications, test scores, selection results, test answers,
- special arrangement documents, admission information, enrolment information.
The data of applicants to the Open University of Applied Sciences and specialised training courses are described in the privacy policy of Solenovo Ltd’s Meerkado system (www.meerkado.fi), which can be found at https://meerkado.fi/registry.
The data of exchange student applicants is described in the Karelia Exchange Privacy Policy.
8. Legal basis for processing personal data
The legal basis for processing personal data is the performance of a task in the public interest, the exercise of public authority, the performance of a statutory task (the University of Applied Sciences Act and Decree), and the consent of the data subject (in the Opintopolku.fi service).
9. Grounds for providing personal data
The personal data are necessary for the performance of the controller’s tasks mentioned in section 8. The regular data sources are described as follows.
The student register of the Student Administration System is updated with information from the Student Pathway register of the joint application system for higher education institutions, applications from students outside the joint application and withdrawal notifications. The semesterly student attendance/absence data is 1) updated in the system based on the student’s enrolment data via the Student Management System web interface, 2) updated by the academic advisor in accordance with the relevant decision.
The applicant registers his/her details when filling in the application form. The grading data for matriculation examinations are obtained from the Board of Matriculation Examinations. For those who have applied for exchange student status, the person themselves.
10. Legitimate interests of the controller
Not to be used in this context
11. Safety of processing personal data
After the expiry of the storage period, the printouts are securely destroyed. The material is stored in a locked room.
The data is stored in a computer system or on a secure network drive. Users have personal user IDs for the system. Access to and use of data on the system or on the network drive is restricted to those persons who are authorised to do so for their work.
The lawful processing of data is ensured by classifying the data and by operating in accordance with the rules on the processing of data files.
For confidential messages, secure email is used.
12. Recipients or categories of recipients of personal data
Selected students: in the OILI service, Tieteen tietotekniikan keskus Oy, CSC, is the processor of personal data. Please see the CSC’s explanation of the processing of personal data via the following link https://wiki.eduuni.fi/pages/viewpage.action?pageId=70201606.
Data from the applicant register may be disclosed for research purposes through the research authorisation procedure.
13. Transfer of personal data outside the European Union (EU/EEA)
No information is transferred outside the EU/EEA.
14. Retention period of personal data
The archiving and deletion of data from the system is governed by the Karelia University of Applied Sciences archiving guidelines.
15. Rights of the data subject
The EU General Data Protection Regulation (2016/679) gives data subjects the following rights:
Right to withdraw consent
The data subject has the right to withdraw consent at any time (Article 7).
Right of access to your data
The data subject has the right to obtain confirmation from the controller that personal data concerning him or her are being processed. The data subject has the right of access to his or her data. Access may be subject to a fee or refused if the requests are manifestly unfounded or excessive, in particular if they are repeated (Articles 12 and 15).
Right to rectification
The data subject has the right to obtain the rectification of inaccurate information contained in the register (Article 16). The request for rectification is made in writing. A person applying through the Study Path can correct his/her contact details during the application period.
Right to erasure
Data subjects have the right to request the erasure of their personal data if one of the following conditions is met (Article 17):
- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed,
- the data subject withdraws consent or there is no other lawful basis for the processing,
- the data subject objects to the processing and there is no legitimate ground for the processing (Article 21),
- the personal data have been unlawfully processed,
- the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject.
Right to restriction of processing
- The data subject has the right to restriction of processing if one of the following applies (Article 18):
- the data subject contests the accuracy of the personal data, in which case the processing is limited to a period of time during which the controller can verify the accuracy of the data,
- the processing is unlawful and the data subject objects to the erasure of the personal data and requests instead the restriction of their use,
- the controller no longer needs the personal data concerned for the purposes of the processing, but the data subject needs them for the establishment, exercise or defence of legal claims,
- the data subject has objected to the processing of personal data pursuant to Article 21, pending verification of whether the controller’s legitimate grounds override those of the data subject.
The right to transfer data from one system to another
The data subject has the right to obtain in a machine-readable form personal data relating to him or her which he or she has provided to the controller, where the processing is based on consent and is carried out automatically (Article 20).
The information recorded in the user register will be corrected to be up-to-date, as declared by the person concerned. The correction of the data is carried out by the system administrator. It is the responsibility of the administrator, teachers and secretaries to correct any errors that they themselves discover.
16. Automated decision making and profiling
Not in use.