Data Protection Policy at Vaasa University of Applied Sciences

The purpose of this Data Protection Policy is to describe the principles and measures we follow to ensure data protection at Vaasa University of Applied Sciences.

At VAMK, personal data are processed carefully, ethically and in accordance with the General Data Protection Regulation (GDPR) and relevant legislation. The Data Protection Policy also serves as the basis for other clarifying guidelines concerning data protection.

Find out more about our Data Protection Policy:

Principles and implementation of personal data processing

Taking care of data protection is part of the daily operations and risks management of Vaasa University of Applied Sciences. Data protection is taken into account as early as in the planning phase of services, processes and systems. Data protection is an in-built and default part of the planning and implementation of functions that involve personal data processing.
When it comes to personal data processing, Vaasa University of Applied Sciences complies with the following data protection principles at all stages of the data lifecycle:

• lawfulness, fairness and transparency of processing
• purpose limitation
• data minimisation
• data accuracy
• limitation of data retention
• data integrity and confidentiality
• the controller’s accountability.

The aforementioned data protection principles are implemented in the following ways:

  1. There is a legal basis for the processing of personal data.
  2. Data subjects are provided with sufficient information on the collection and processing of their personal data.
  3. Personal data are processed only for a predefined purpose.
  4. Processing is carried out in accordance with information security regulations.
  5. Data subjects are provided with effective means to exercise their rights, and their requests are reacted to without delay.
  6. The risks associated with the processing of personal data are assessed from the perspective of the data subject.
  7. Collection and processing is limited to personal data that are necessary for the purpose of processing.
  8. The correctness of personal data is ensured.
  9. Personal data are retained only for as long as is necessary for the purpose of processing.
  10. Personal data processing measures are documented and appropriate privacy notices are prepared for them.
  11. Personal data processing is only carried out by persons whose participation in personal data processing is necessary for the purpose of processing; access rights are restricted accordingly.
  12. Data processing practices are regularly reviewed.

Personal data are disclosed only on the basis of the data subject’s consent or legislation. Furthermore, appropriate steps are taken to ensure the more detailed terms of processing and protection of special categories of personal data (sensitive personal data).


Measures and responsibilities

Vaasa University of Applied Sciences must be able to demonstrate compliance with the above-mentioned principles of personal data processing. Compliance with the principles is described in the annual data balance sheet. Events related to data protection are recorded in a separate event log.

Vaasa University of Applied Sciences ensures that the rights of the data subject are realised in accordance with the GDPR and relevant legislation. Instructions for submitting information, access, rectification and erasure requests are provided on the external website.

Transfer of personal data outside the EU and the European Economic Area (EEA) requires particular care. Vaasa University of Applied Sciences makes sure that personal data are not transferred outside the EEA without appropriate protection measures in accordance with data protection legislation.

Research and project activities as well as students’ theses and other studies may require a risk assessment concerning data protection. Based on the assessment, appropriate technical and organisational measures will be selected for protecting personal data. Data protection impact assessment is part of the research ethics review process.

When data processing is outsourced, the chosen subcontractor’s compliance with this Data Protection Policy must be ensured. The outsourcing of personal data processing is always subject to a written agreement that defines the responsibilities and obligations of the parties.

Vaasa University of Applied Sciences must ensure that every member of the university community understands and complies with the principles of data protection.

Procedure in the event of a personal data breach

Every member of the university community is obligated to report personal data breaches. All personal data breaches and suspicions thereof must be immediately reported to the university’s data protection officer.

All suspected and detected personal data breaches are investigated without delay. All personal data breaches are documented in accordance with legislative requirements, and confirmed personal data breaches are reported to the data protection authority and affected data subjects in accordance with the GDPR.

Communication, guidelines and training

This Data Protection Policy is communicated to the staff and students of the university and made available on both the external and internal websites of the university. In addition to this Data Protection Policy, the university issues internal data protection guidelines.

Every staff member must complete an online training course on data protection and information security.

Entry into force and updating of the Data Protection Policy

This data protection policy has been processed by the management group of Vaasa University of Applied Sciences and was approved by the President, CEO as a code binding on the staff and students of Vaasa University of Applied Sciences on 13 September 2022.

The Data Protection Policy shall remain in force until further notice and be updated as necessary.