Privacy statement: ICT services

ICT services privacy statement

Management of user IDs and rights for Diak’s staff and student for Diak’s information network, information systems and e-learning environment.

According to Article 6 of the General Data Protection Regulation, data processing is lawful only if, and only to the extent that, at least one of the following conditions is met:

a) The data subject has given their consent
b) The processing is necessary for implementing an agreement to which the data subject is a party
c) The data processing is necessary for compliance with the statutory obligations of the data controller
d) The data processing is necessary for safeguarding the vital interests of the data subject or some other natural person
e) The data processing is necessary for performance of some duty in the public interest, or the processing is necessary for the data controller ‘s exercise of their public power
f) The processing is necessary for fulfilment of the legitimate interests of the data controller or of a third party

The conditions to be met are a, c and f.

Personal data to be processed: Personal ID number, Email address, Telephone, Address, Name, Photo.

Other data to be processed: Information related to the student’s courses and information provided voluntarily by the student, e.g. social media profile links or areas of interest.

Periods for which data is stored: In accordance with Diaconia University of Applied Sciences’ archive plan (AMS).

Whether sensitive information (race/ethnicity, origin, political opinion, religious or philosophical belief, membership of a trade union, health-related information, sexual orientation or behaviour) is processed. Article 9: No.

• Microsoft IDM
• Microsoft AD and Azure AD
• Manual registers (paper) – Devices handed over
• Computer management in the 3StepIT hardware register
• Efecte

• Sympa (staff information)
• MyDiak (student information)

Information is not directly disclosed. The information is used to create, check, and delete user accounts against the user registry (AD).

More precisely: Data disclosure through centralised user management (ADFS authentication, HAKA login) to the required systems, and creation of IDs for the following systems: MyDiak, Diakle, AditroForecast, SolePro (discontinued in 2019, replaced with Reportronic), SoleTM (discontinued in 2019, replaced with Reportronic), Dynasty, InvoiceReady.

The data is not transferred outside the EU or the European Economic Area.

A) Manual material

Is there manual data? Yes.

If yes, how is the material stored and protected? Documents relating to the handover of devices are stored in accordance with Diaconia University of Applied Sciences’ archive plan (AMS). The registers for each location are kept in lockable cabinets in locked facilities. Only digital services staff and infrastructure staff can access the register.

B) Digitally processed data

Is there data in electronic form? Yes.

If yes, how is the material stored and protected? The data will be stored in accordance with Diaconia University of Applied Sciences’ archive plan (AMS). Electronic material is processed based on the user’s rights of access to such systems.

The data subject has the right to request access to personal data concerning him or her, the right to request correction or erasure of such data and the right to request restriction of the processing of it, the right to oppose processing or it, and the right to transfer from one controller to another.

The data subject has the right to withdraw their consent at any time without this affecting the lawfulness of the processing carried out prior to this withdrawal, if the processing of personal data is based on the consent of the data subject.

Upon request, the data subject may use the Diaconia University of Applied Sciences’ own model form.

The data subject has the right to file a complaint with the Office of the Data Protection Ombudsman.

Profiling is not carried out on the basis of personal data contained in the register.

If personal data is processed for direct marketing purposes, the data subject has the right at any time to oppose the processing of their personal data for such marketing, including profiling when it is related to such direct marketing.

The data protection officer is the contact person in matters relating to the rights and obligations of the data subjects. The contact details of the data protection officer are given at the beginning of the privacy statement.