Privacy protection

The Student Union of Tampere University (TREY) has committed to protecting its members’ privacy, in accordance with the EU’s General Data Protection Regulation and other applicable legislation. TREY’s right to process its members’ personal data is based on the statutory duty of the register’s controller (Universities Act 2009/558, section 46). In addition, TREY processes personal data in order to provide various services. Authorisation to process personal data is based on the consent given by a data subject (EU’s General Data Protection Regulation, Article 6, paragraph 1, point a).

It is more specifically explained in TREY’s Privacy Policies, how, where and on what grounds the personal data are processed. The data subject has the right to check from the controller, what information has been collected of them. The data subject may also demand the controller to restrict the processing of the data subject’s personal data, or claim for rectification or erasure of the personal data. Processing period of the forms concerning data protection is one month from the day the form has been received or it has arrived.

General privacy policy

This privacy policy is in compliance with the European Union’s General Data Protection Regulation (GDPR). It was written on 8 December 2021. This document will be issued to data subjects upon the collection of their personal data.

This privacy policy was last updated on 18 January 2022.

Data controller and contact person

Name: Tampereen ylioppilaskunta (TREY) / Student Union of Tampere University (TREY)

Address: Korkeakoulunkatu 10, 33720 Tampere, Finland

Email: toimisto@trey.fi

Contact person: TREY’s Secretary General

Email: paasihteeri@trey.fi

Title of the privacy policy

Legal grounds and purpose of the processing of personal data

In the context of its activities, the Student Union of Tampere University collects and processes the personal data of students, association members, tutors, student representatives working in administrative bodies, and the Student Union’s personnel and stakeholders. The Student Union also processes personal data when it organises events and conducts surveys and studies.

The Student Union of Tampere University processes personal data in compliance with the data protection laws in force at the time and commits to data protection policies that ensure the highest possible level of data protection. This general privacy policy provides a general description of the principles followed by the Student Union in the processing of personal data.

According to the Universities Act (558/2009, Section 46), the purpose of a student union is to liaise with and on behalf of its members and to promote their societal, social and intellectual aspirations and those relating to studies and the status of students in society. The student union also has a duty to participate in the implementation of the educational mission of the university, referred to in Section 2 of the Universities Act, by preparing students for an active, informed and critical citizenship.

The duties of the student union are in particular to

nominate student representatives to the administrative bodies of the university referred to in Chapter 3 and
contribute, where needed, to the performance of the tasks relating to students’ primary healthcare referred to in section 17 of the Health Care Act (1326/2010) and the Act on Health Care for Students in Higher Education (695/2019). (2019/698)

The purpose of the processing of personal data by the Student Union is to implement and support the above tasks.

The legal grounds for the processing of personal data are defined in Article 6 of the GDPR. The basis for the processing of personal data is the consent of the data subject, a contract, a legal obligation, a task carried out in the public interest or the exercise of public authority by the Student Union.

Legal obligation: The Student Union may process personal data to comply with its legal obligations. On this basis, the Student Union may, where appropriate, process personal data to fulfil its obligations as an employer and to meet regulatory requirements.

Legitimate interest of the Student Union: The Student Union may store and process personal data based on its legitimate interests when this is necessary to meet the Student Union’s interests. If the Student Union uses its legitimate interests as a justification for the processing of personal data, a balancing test is carried out to assess the legitimate interests. For more information on the balancing test, please visit the Data Protection Ombudsman’s website.

Exercise of public authority: The Student Union may process personal data when it is necessary for the exercise of public authority vested in the data controller. Such exercise of public authority includes the tasks laid down in the Universities Act (2009/558) and, in particular, the tasks related to the election of student representatives for administrative bodies.

Consent: The Student Union may process personal data with a person’s explicit consent. If the processing of personal data is based on consent, you can withdraw your consent at any time. In such event, the Student Union must stop processing your personal data unless it has any other legal grounds for processing the data.

Contract: The Student Union may process personal data to fulfil a contract to which you are a party or in order to take steps at the request of the data subject prior to entering into a contract. On this basis, the Student Union may, for example, process the personal data of membership service users, stakeholders’ representatives, and job applicants. Based on the contract principle, the Student Union may only process data that is necessary for entering into or performing a contract.

Types of personal data collected

The categories of personal data collected by the Student Union depend on the purpose and grounds for the processing of data (see above). If it is necessary for the purpose of the processing of data, the Student Union may collect personal data that falls into the following categories:

basic information and identification data, such as name, birth year/age group, address, contact information, and communication language at the University;
information related to a person’s studies and right to study (faculty, degree programme, year, main campus, level of studies, full-time/part-time nature of studies, exchange student status, level of education);
information about a person’s student organisation memberships (name of the organisation/association the person is a member of, role in the organisation, other relevant information);
information about a person’s memberships and positions of trust in TREY or other entities that are relevant to TREY, such as Tampere University;
employment information (including the type and duration of the employment contract, job title, salary, fees, and holiday rights);
data related to the use and booking of TREY’s membership services;
data necessary for research or statistical purposes. In this case, the data is anonymised to the extent possible to prevent re-identification.
data required for archival purposes.

As a data subject, you have the right to request the erasure of your personal data from the register (see section 10).

Sources of data

TREY receives personal data of its members from Tampere University. Below is a list of the types of personal data obtained by TREY from Tampere University:

basic information and identification data, such as name, birth year/age group, address, contact information, and communication language at the University;
information related to a person’s studies and right to study (faculty, degree programme, year, main campus, level of studies, full-time/part-time nature of studies, exchange student status, level of education).

TREY also collects personal data from the data subjects themselves for purposes such as the following: applications for positions of trust, surveys, event registrations, recruitment and employment, agreements and contracts, and nomination of candidates for the Student Union’s council elections. The sources of personal data used in specific contexts are described in more detail in the Student Union’s context-specific privacy statements.

Transfers of data to third parties

As a rule, TREY will only process personal data within the University Community and to the extent required by the purpose of data processing. TREY will only disclose data to third parties in the following cases:

Personal data may be disclosed for statistical, scientific, or historical research purposes, such as a thesis, provided that the data has been altered so that the data subject cannot be re-identified. To obtain data from the Student Union for the above purpose, an express permission must be sought. This comes with an obligation to adhere to the principles of research ethics and the guidelines of the Finnish Social Science Data Archive.
Based on consent: With the person’s express consent, personal data may be disclosed for uses relating to third-party services, for example.
Legal obligations under the Act on the Openness of Government Activities: The Finnish Act on the Openness of Government Activities (621/1999) applies to the University Community’s activities. The documents and data stored in the personal records held by the University Community are generally considered public under the constitutional principle of publicity and the provisions of the Act on the Openness of Government Activities unless they are defined as non-public under applicable laws. The Act on the Openness of Government Activities governs the disclosure of data. In the context of TREY’s activities this means that data can be disclosed to data subjects and authorities by the service of a decision or other document in administrative matters that concern them. Confidential information may be disclosed under the conditions laid down in the law, such as the parties’ right of access to information under the Act on the Openness of Government Activities (1999/621), or under the provisions of special legislation.

Transfers of data outside the EU or the EEA

The Student Union does not transfer personal data outside the EU or the EEA. The Student Union’s data protection policy is to exercise great care if personal data is transferred outside the EU or the EEA to countries whose data protection does not comply with the General Data Protection Regulation of the EU. Any transfers of personal data outside the EU and the EEA will be carried out in compliance with the GDPR.

Duration of data retention

The duration of data retention depends on the purpose of and grounds for the processing of data. The Student Union has context-specific privacy statements that state the retention period of personal data collected for a specific purpose.

The personal data of a member of the Student Union will be kept in the Student Union’s membership register for the duration of the student’s membership of the Student Union. The register is owned by the University. The Student Union will not store its members’ data outside the membership register.

Below is a list of the types of data the Student Union obtains from the University regarding its members:

basic information and identification data, such as name, birth year/age group, address, contact information, and communication language at the University;
information related to the person’s studies and right to study (faculty, degree programme, year, main campus, level of studies, full-time/part-time nature of studies, exchange student status, level of education).

The retention period of the data contained in the Student Union’s administrative documents is stated in the Student Union’s filing plan (available on request).

Principles of data protection

The Student Union collects and processes personal data only through systems and databases that comply with the data protection policies of the Student Union and the University Community. Personal data is stored in locked and monitored facilities and in systems and databases that are only accessible to authorised users. Access to personal data is limited to authorised persons who need to process personal data to carry out their professional duties or to provide services. Any use of personal data that is unauthorised or contrary to the purposes defined by the University Community or the Student Union is strictly prohibited.

Rights of the data subject

Data subjects have certain rights that are described below. Any requests to exercise the rights of the data subject must be submitted to the Student Union. As the data controller, TREY has the right to ask the person who made the request to confirm their identity. The data controller will respond to the request within the timeframe set in the GDPR, usually in one month.

Contact in data protection matters

To request the rectification of inaccurate data, contact the Student Union’s office by email to toimisto@trey.fi.

To exercise your rights as a data subject, send a request to the Secretary General of the Student Union of Tampere University (by email to paasihteeri@trey.fi or by post to Tampereen ylioppilaskunta, Korkeakoulunkatu 10, 33720 Tampere). You will find the request forms at the bottom of this page.

Right of access and right to rectification

As a data subject, you have the right to access the data that has been collected from you and stored in a register and to request the rectification or completion of any inaccurate or incomplete data.

Right to object

You have the right to object to the processing of your personal data if you feel that your data is being processed unlawfully or that TREY has no right to process your personal data.

Right to erasure

You have the right to request the erasure of your personal data from the register (the right to be forgotten).

Right to restrict processing

You have the right to ask us to restrict the processing of your personal data.

Right to file a complaint

As a data subject, you have the right to lodge a complaint with the Data Protection Ombudsman if you feel that TREY has failed to process your personal data in a correct and appropriate manner.

You have the right to lodge a complaint with a supervisory authority if you consider that the processing of your personal data is against the General Data Protection Regulation (GDPR) of the EU. You also have the right to follow other administrative procedures to appeal against a decision or to pursue a judicial remedy.

Office of the Data Protection Ombudsman
Visiting address: Lintulahdenkuja 4
Mailing address: P.O. Box 800, 00531 Helsinki, Finland
Email: tietosuoja@om.fi
Tel. 02956 66700

Privacy Policies

Tutor application privacy policy (pdf, 708 kt)

Band bank privacy policy (.pdf, 900 kt)