Diaconia University of Applied Sciences, P.O. Box 12, 00511 Helsinki
Data protection officer’s e-mail: firstname.lastname@example.org
The purpose of processing personal data contained in the financial administration personal data register is to conduct Diak’s financial administration. That includes paying and invoicing bills and fees, accounting, travel management, closing the accounts, and managing investments. In addition, personal data for executing debt collection is processed in the register.
Processing the data contained in the register is based on a legal obligation (Accounting Act, Limited Liability Companies Act, etc.), contracts and legitimate interest. The legitimate interest is processing and making payments.
The financial administration personal data register contains data on Diak’s staff (current and former), customers, outside beneficiaries or payees, as well as partners (such as an accounting firm and auditors).
The personal data has been provided by the individual themselves, or obtained from Diak’s staff or academic affairs systems.
The financial administration personal data register contains the following personal data, among other things:
- The names, contact details, bank details, personal identification numbers, staff numbers and employment relationship details of Diak’s staff.
- The names, contact details, bank details and organisational details of issuers and recipients of invoices.
- Names and contact details of persons subject to debt collection.
- Names, contact details and organisational details of Diak’s customers, partners and investment parties.
Personal data in the financial administration personal data register is stored for 6–10 years in accordance with the Accounting Act, or, if the material is related to RDI projects, for the time required by project financiers. This is longer than the time required by the Accounting Act, usually 15 to 20 years depending on the financier. Additionally, some of the data has been assigned for permanent storage. Permanently stored materials are dictated by the National Archives of Finland.
Digital materials: Using the data requires personal access rights, which are granted only to persons whose job is connected to processing this data. Diak’s systems are protected using both administrative and technical means: that is, with personal user IDs, limitations of access rights and IT measures.
Paper materials: Paper materials are stored in locked rooms and cabinets. After the storage period ends, paper materials will be taken to a locked bin (“data protection bin”) for disposal.
Personal data will not be disclosed outside of Diak, but Diak may contract external processors, who will process the personal data. An external processor may be an IT system supplier or a debt collection agency, for instance.
Systems using the register do not have automatic decision-making functions.
Data will not be transferred outside the EU/EEA.
Data is transferred or disclosed outside the EU/EEA, where and to whom:
As a rule, the personal data contained in the register is not transferred outside the European Union or the European Economic Area or to international organisations. However, due to the international nature of the operations, Diak may use resources, applications and servers located outside the EU or EEA when providing the services. In these cases, Diak ensures that there is a legal basis for the transfer of data and that personal data is protected, for example by requiring standard contractual clauses approved by the EU Commission and compliance with appropriate technical and organizational security measures. In addition, where appropriate, a TIA assessment will be carried out in connection with such data transfer, as well as monitoring the overall level of data protection in known countries. In all cases, the data transfer is carried out in accordance with the General Data Protection Regulation and only to the extent strictly necessary.
You have the right to information on how and for what purpose your personal data will be processed. You can also request access to records of your personal data, and request that incorrect information be rectified.
You can also submit a request to delete your data or restrict its use. However, in some cases the data cannot be deleted or its use restricted, for example if the personal data is being processed to fulfil a legal obligation, complete a task in the public interest orexercise public authority vested in Diak.
In certain situations, you also have the right to transfer the personal data you have provided to us to another controller or to object to the processing of your personal data, i.e. to request that we do not process them at all. In addition, you may request that we do not make a decision on your part based solely on automated processing of personal data.
If you would like to know more about the processing of your data or exercise your rights, you can contact Diak’s Data Protection Officer (email@example.com) or submit a request using the form found on Diak’s website https://www.vismasignforms.com/form/fa53720e-cc71-4b92-b062-6db43e0d33d3.
You also always have the right to lodge a complaint with a supervisory authority. If necessary, you can also contact the Data Protection Ombudsman, a government official who supervises the processing of personal data in Finland.
Office of the Data Protection Ombudsman
P.O. Box 800, 00531 Helsinki
Tel. +358 29 566 6700
General advice for individuals: Tel. +358 29 566 6777