UTU Forms Privacy Notice

1. Data Controller

The data controller is the University of Turku (Digital Services, helpdesk@utu.fi). Each form has a responsible unit.

The contact address for the Data Protection Officer of the University of Turku is dpo@utu.fi.

2. Purpose of the Register and the Use of Personal Data

The register is for the storage of information related to the form processes created with the UTU Forms system. The data is used to process forms within the UTU Forms system. The processes are related to the activities, services, and legal duties of the University.

Additionally, different forms may request personal data from the users, for example, about the person or persons whom the contents of the form concern. This data is used to process forms.

In addition to the above, the system logs user activities in the system. Logged information is used in ensuring the functionality and information security of the system.

3. Contents, Personal Data Groups, and Description of Function

The register contains data about the form process as a whole, the active stage of the process, the people involved in the process, and the information entered in the forms during the form process. Each part of the form specifies which data is required for the completion of the form process. If the data is not entered, the process stops.

To identify the filler of each part of the form, the user account and IP address are logged. If the part does not require the filler to be logged in, only the IP address is logged. Identification of the user is necessary for the implementation of the service, access control, and for investigating problems in the system.

No sensitive personal data groups will be processed (for example, health, ethnicity or sexual orientation).

4. Sources of Data

Basic personal information for the University's staff and students is obtained from the other systems of the University through the api.utu.fi service. This information includes, for example, the person's name, user name, email address, place of study, student number, and employee data (unit, supervisor, and type). If the form process requires other information from external systems in addition to that mentioned above, it will be described separately. Any other data is entered into the form by the users.

The details of specific form processes are described in the Privacy Notices of those forms.

Log-type usage data is collected according to the user's actions.

5. Data Retention

The data retention period depends on the purpose of the form process. The data retention period will be calculated from the time of the latest change to the form process. The period of time a specific form will be retained is described in the Privacy Notice of that form.

Data has been collected since 2017.

6. Transfer of Data, Recipients, and International Transfer of Data

Data will be transferred to external parties only if the form process specifically requires it. For example, a person involved in the form process may receive an automated email during the process, and in this case the University is not responsible for the transmission of such messages.

Reports on the status of form processes and number of users will be provided to the contact person of the form process on request.

For administrative purposes, the form data is available through an API in the University's api.utu.fi service. The access to the data is controlled.

The University may transfer data to or notify external parties when there is a legal obligation to do so.

Information will not be transferred outside the EU or EEA. The service is located in a server room of the University of Turku, in Finland.

The details concerning specific form processes can be found in the Privacy Notice of the form in question.

7. Automated decisions

No automated decisions are made.

8. Publicity and Confidentiality of Data by Group

The basic information concerning the form processes is public. Detailed information may be confidential, depending on the form process. The confidentiality class of forms and their contents is determined by the contact person of each form process.

9. Rights of the Data Subjects

Access to or rights to modify the stages of a form process can be granted to a specific person involved in the form process, or a group of people who, due to their work or status, have a right or obligation to participate in the form process.

Read access will be retained for as long as data has not been marked for removal from the system. Modifications to data can be done as long as the part of the form process containing it has not been locked. Afterwards, the data can only be modified if that part of the process is unlocked. A person related to a form process has the right to request the rectification of data even if the form has already been locked. The form's contact person handles requests for data rectification. Corrections may cause other parts of the form process to be reprocessed.

Personal data may also be stored in sections in which the person in question does not have reading permissions, if necessary for the processing of the form. A person has the right to also request information from these stages if this will not break confidentiality. Requests for extended access should be sent to the contact person of the register.

A person has the right to get their data removed from the system, provided that the form process or legal requirements do not mandate that the data be retained.

If the data originates from another system, any changes to the registry must be requested through the registry of the system in question.

A person has the right to object to the handling of data and/or lodge a complaint with the regulatory authorities.

Contact details of the Data Protection Ombudsman:

Office of the Data Protection Ombudsman
Visiting address: Lintulahdenkuja 4, 00530 Helsinki
Postal address: PL 800, 00531 Helsinki
Switchboard: 029 566 6700
E-mail: tietosuoja@om.fi

10. Principles for the Protection of the Registry

The access rights to data included in the form processes are limited to those people who are related to the process in question, or who have, through their work duties or other responsibilities, the right to access the data.

Access rights to the entire registry are limited only to those people who need access as part of their work duties, as authorised by the registry controller. They have user accounts and passwords to the system the data is located in. The registry controller limits the access to data with access rights. The administrators of the system and its backend database are employees of the Digital Services of the University of Turku. Connections to the server are secured with SSL. The University's own login system is used for employees' and administrators' user identification. Employees handling personal information are bound by confidentiality.

The general Data Security Description of the University: Data Security Description