Skip to content

Personal data register of human resources

Register controller and contact information

Diaconia University of Applied Sciences, P.O. Box 12, 00511 Helsinki

Data protection officer’s e-mail:

What is the purpose of processing personal data?

Data regarding Diak’s staff is processed in order to conduct employment relationships, calculate and pay wages, make reports, and fulfil legal obligations.

What is the basis for processing the data?

Processing the data is based on legal obligations (Accounting Act, Employment Contracts Act, Annual Holidays Act, Working Time Act, etc.) and the employer’s legitimate interests. The legitimate interests are conducting employment relationships.

Whose personal data does the register contain?

The register contains data from Diak’s current and former employees and reward recipients.

Where was the data collected?

The data was collected mainly from the individuals themselves, but some was also obtained from insurance companies, occupational health care providers, and authorities such as Tax Administration and Kela.

What personal data does the register contain?

The register includes the following information about Diak’s current and former employees and reward recipients: name, personal identification number, contact details, basic information about their employment relationship, service periods and salary information, absences, annual holidays, workplace, working time, information about education and job experience, job description, and roles. The register also contains information about close relatives, if the employee has entered that information into the system themselves.

The register contains the following sensitive data: information on sick leave, information provided by providers of occupational health care or other treatment, and disciplinary measures. Absences and performance reviews may also be considered sensitive information.

How long is personal data stored in the register?

The data is stored for the duration of the employment relationship, or for the period required within reason for fulfilling legal obligations or ensuring due process for the organisation. Storage times for different documents have been defined in Diak’s internal information management plan.

How is data protected?

Digital materials are protected with access rights, passwords, two-factor authentication, surveillance and firewalls. Paper materials are not collected, but if paper materials are created, they will be stored in an access-controlled room in a locked cabinet for the duration of use, and disposed of in a locked trash container (“data protection bin”) when no longer needed.

Will the data be disclosed to external parties?

The data will be disclosed to external partners who make salary payments, banks, Tax Administration, income register, occupational health care, and project financiers, for example. Statistical data is disclosed for instance to Statistics Finland, the Ministry of Education and Culture, and the Confederation of Finnish Industries. Diak may contract external processors, who will process personal data. An external processor may be an IT system supplier, for instance.

Is the data subject to automatic decision making?

Systems using the register do not have automatic decision-making functions.

Will data be transferred outside of the EU/EEA area?

Data will not be transferred outside the EU/EEA.

Data is transferred or disclosed outside the EU/EEA, where and to whom:


As a rule, the personal data contained in the register is not transferred outside the European Union or the European Economic Area or to international organisations. However, due to the international nature of the operations, Diak may use resources, applications and servers located outside the EU or EEA when providing the services. In these cases, Diak ensures that there is a legal basis for the transfer of data and that personal data is protected, for example by requiring standard contractual clauses approved by the EU Commission and compliance with appropriate technical and organizational security measures. In addition, where appropriate, a TIA assessment will be carried out in connection with such data transfer, as well as monitoring the overall level of data protection in known countries. In all cases, the data transfer is carried out in accordance with the General Data Protection Regulation and only to the extent strictly necessary.

What rights do I have?

You have the right to information on how and for what purpose your personal data will be processed. You can also request access to records of your personal data, and request that incorrect information be rectified.

You can also submit a request to delete your data or restrict its use. However, in some cases the data cannot be deleted or its use restricted, for example if the personal data is being processed to fulfil a legal obligation, complete a task in the public interest orexercise public authority vested in Diak.

In certain situations, you also have the right to transfer the personal data you have provided to us to another controller or to object to the processing of your personal data, i.e. to request that we do not process them at all. In addition, you may request that we do not make a decision on your part based solely on automated processing of personal data.

If you would like to know more about the processing of your data or exercise your rights, you can contact Diak’s Data Protection Officer ( or submit a request using the form found on Diak’s website

You also always have the right to lodge a complaint with a supervisory authority. If necessary, you can also contact the Data Protection Ombudsman, a government official who supervises the processing of personal data in Finland.

Contact information:
Office of the Data Protection Ombudsman
P.O. Box 800, 00531 Helsinki
Tel. +358 29 566 6700

General advice for individuals: Tel. +358 29 566 6777