Privacy Policy for Employees

Oulu University of Applied Sciences Ltd (hereafter “Oamk”)

Visiting address
Yliopistokatu 9
FI-90570 Oulu

Postal address
PO Box 222, FI-90101 Oulu

Business ID
2509747–8

Phone
+358 20 611 0200

Oamk’s operations require the processing of employees’ personal data. Therefore, data protection must be considered in all operations, and personal data are processed within the framework of legislation and agreements. The personal data of employees are processed for the purpose of performing work duties and maintaining user authorisations and data security.

The data subject has the right to obtain confirmation from the controller as to whether their personal data are being processed. The data subject always has the right to request from the controller access to and copies of their personal data, as well as the right to request rectification or erasure of such data or restriction of processing and to object to processing. As a rule, this is handled by enabling staff members to update their contact information directly in the register. If the data subject does not have access to the register in which they wish to review their data, they may submit a request for review or rectification to Oamk. In accordance with the General Data Protection Regulation, the controller must respond to a request for exercising the data subject’s rights within one month after receiving the request.

The right to erasure does not extend to personal data that the University of Applied Sciences processes on the basis of a statutory task or in the public interest, or for which the University of Applied Sciences has another retention obligation.

The purpose of processing the personal data contained in the register of Oamk’s HR management is to carry out Oamk’s statutory employer obligations with the aid of the controller’s (Oamk) HR management (HRM).

HR management processes personal data for the following purposes:

• Personnel planning and reporting
• Recruitment and induction of employees
• Personnel payroll calculation, wage payment and fee management
• Payment of grants and travel and other expenses
• Management of annual holidays and other leave and absences
• Management of membership matters
• Equality and non-discrimination
• Management of employment relationships
• Competence management and development
• Operational control and monitoring (e.g. personnel surveys and quality)
• Supporting work ability and occupational health and wellbeing services
• Fulfilment of obligations under the Occupational Safety and Health Act
• Occupational accident insurance
• Collaboration

The processing of personal data in the register of Oamk’s HR management is based on the performance of a contract (e.g. an employment or commission contract) to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract or in order to pursue the legitimate interests of the controller or a third party (Art. 6(1)(b) of the EU General Data Protection Regulation (GDPR) and Art. 6(1)(f) GDPR). A legitimate interest exists when there is a relevant and appropriate relationship between the data subject and the controller, such as the data subject being employed by the controller.

In addition, the processing of personal data is based on compliance with the controller’s legal obligation (Art. 6(1)(c) GDPR). Oamk implements its statutory employer obligations when performing HR management tasks in accordance with the applicable provisions of the Employment Contracts Act, Cooperation Act, Act on Occupational Safety and Health Enforcement and Cooperation on Occupational Safety and Health at Workplaces, Occupational Safety and Health Act and Occupational Health Care Act, as well as the collective agreement.

In the case of special categories of personal data (e.g. trade union membership), classified as sensitive personal data in the GDPR, processing based on the need to carry out the obligations and exercise the specific rights of the controller or the data subject in the field of employment law, to the extent it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject (Art. 9(2)(b) GDPR).

The processing of personal data is based on the data subject’s explicit consent (health data) for sensitive personal data belonging to a special category of personal data (Art. 9(2)(a) GDPR).

The following personal data are stored in the register of Oamk’s HR management, grouped by personal data category:

• First name, last name, former last names, date of birth, personal identity code, address, country, phone number, gender, email address, level of education, occupation
• The first name, last name, phone number and address of the next of kin indicated by the data subject
• The data subject’s contact details for work and home: address, phone number and email address
• Native language, nationality, degree and work experience information
• Information related to the payment of wages or fees
• Username and identity management
• Basic information about the employment relationship: e.g. the unit, the nature of the employment relationship, the start and end date of the employment relationship or commission
• Information about work tasks
• Eligibility information: applicable degree, work experience, other merits and pedagogical studies
• Certificates of employment and sports benefit information

• Information on competence development (e.g. performance reviews and competence profile)
• Operational control and monitoring (e.g. personnel surveys and quality)
• Absence information (time of absence and reason/explanation)
• Holiday information (flexitime, annual holiday or other leave)
• Occupational health data to the extent permitted and required by occupational health legislation
• Information about employees exposed to biological agents, as required by the Occupational Safety and Health Act and decrees, including information about the biological agent causing the exposure, if known, and a description of how and when the exposure occurred
• Notices related to the employment relationship to HR services and/or the manager;
• Travel management and payment information
• Information related to working time tracking and access control

As a rule, the personal data contained in Oamk’s personal data register is not transferred outside the EU or EEA or to international organisations.

Personal data contained in the personal data register may be transferred outside the EU or the EEA for the purpose of carrying out IT services required for work or the completion of studies, based on case-by-case evaluation.

As a rule, Oamk does not disclose data outside the EU/EEA. However, in cases where this is necessary, the international transfer of personal data from the Oamk personal data register to countries outside the EU/EEA is primarily secured by using the safeguards laid down in Article 46, Chapter V, of the EU General Data Protection Regulation (GDPR), that is, standard contractual clauses. Standard contractual clauses will be included as part of the personal data processing agreement drawn up with the ICT service provider. Information about any transfers is provided in the privacy policies of individual systems.

Only the necessary data are transferred and the transfer is made in accordance with and within the limits set by data protection legislation. The security and data protection of the transfer is always agreed separately.

Personal data collected in the register of Oamk’s HR management and processed within the register’s scope are stored in the register in accordance with the storage period instructions included in Oamk’s information management plan.

In addition, the following regulations apply to the storage period of personal data, deletion of data and any archiving of data:

• EU General Data Protection Regulation (“GDPR”, 2016/679)
• Decision of the National Archives (AL/20757/07.01.01.03.02/2016) (decision on permanent electronic storage concerning universities of applied sciences, document number: AL/20757/07.01.01.03.02/ 2016)
• Act on the Protection of Privacy in Working Life (759/2004)
• Occupational Safety and Health Act (738/2002)

The data contained in the register of Oamk’s HR management are not used for automated decision-making or profiling.