Privacy Policy

Arkki | Pyry Kantonen, 2018

You are here:

Arkki maintains a student registry in the Eepos service, which is a student management and operational system designed for basic art education. The privacy policy explains what data we collect and how we process it.

Arkki’s Registry and Privacy Policy

This is the registry and privacy policy of the Children and Youth Architecture School Arkki ry, in accordance with the Finnish Personal Data Act (Sections 10 and 24) and the EU General Data Protection Regulation (GDPR). Created on May 24, 2018. Last updated on March 20, 2020.

1. Data Controller

Lasten ja nuorten arkkitehtuurikoulu Arkki ry

Tallberginkatu 1 C 106, 00180 Helsinki

www.arkki.fi / info@arkki.fi / 050-525 8668

2. Contact Person Responsible for the Registry

Jaana Räsänen, jaana@arkki.fi, 050 522 1571

3. Name of the Registry

Personal data and educational registry of students, parents, and employees.

4. Legal Basis and Purpose of Processing Personal Data

The legal basis for processing personal data in accordance with the EU General Data Protection Regulation is the Act on Basic Art Education (633/1998).

The registry is maintained in the Eepos educational management system. Eepos is a management system designed for basic art education, which we use to manage the data of students, parents, and teachers, as well as to organize educational activities. Only administrative staff and teachers of the institution have access to the service.

The purpose of processing personal data is to organize educational activities. The registry is used to manage information necessary for organizing education and generated during operations. The registry stores data regarding students’ education, educational arrangements, and learning outcomes.

The data is not used for automated decision-making or profiling.

The administration of the institution processes the study data of students. Students’ personal data is only processed when necessary to maintain the integrity of the registry.

Teachers at the institution only process data related to students that are relevant to their current teaching duties. Teachers do not have access to the precise personal or address information of students or parents.

5. Contents of the Registry

The data stored in the registry includes: the student’s name, social security number, contact information (phone number, email address, address), IP address of the internet connection, billing information, studies and study history, completed studies and certificates, attendance records, guardian’s name, social security number, contact information (phone number, email address, address), permissions for the use of images and materials, teacher’s name, social security number, contact information (phone number, email address, address, and bank account details), teaching duties, organized teaching hours, statistical data related to educational activities, and the number of students.

6. Regular Sources of Information

The data stored in the registry is obtained from the client via online forms during registration, by email, phone, client meetings, and other situations where the client provides their information.

7. Regular Data Disclosures and Data Transfers Outside the EU or EEA

Data related to an individual is not regularly disclosed to third parties. Statistical data related to educational activities (e.g., the number of students and teaching hours, without identifying details) is regularly provided to the Finnish National Agency for Education and Statistics Finland. Data may be published as agreed with the client.

Data is not transferred outside the EU or EEA.

8. Data Retention Period

The institution is required to permanently retain the study records of students as well as the personal data of students and parents in the student registry. The retention periods for all registries and physical documents and their copies are governed by the Archives Act (Archives Act 23.9.1994/831). Data may be anonymized upon the registered person’s request. The retention period allows for temporary interruption and resumption of studies without the loss of the student’s historical data. It also allows for the issuance of a participation certificate after the completion of studies.

9. Principles of Registry Protection

Care is taken in processing the registry, and data processed electronically is properly secured. All sensitive personal data of students, guardians, and teachers is stored in strongly encrypted databases and backups.

Access to browsing data is restricted by defining user rights individually. The registry only produces the necessary and required printouts, which contain the names of the parties concerned and information about the nature of the matter, taking into account confidentiality obligations. Data obtained from the registry is stored carefully, and the users of personal data are bound by confidentiality obligations.

When registry data is stored on internet servers, the physical and digital security of the hardware is appropriately managed. The data controller ensures that the stored data, server access rights, and other information critical to the security of personal data are treated confidentially and only by employees whose job description includes this responsibility. Appropriate security measures are also taken for workstations.

The service provider processes personal data only to the extent necessary for providing the services. The data controller requires service providers to maintain an adequate level of data security to protect personal data.

10. Rights of the Data Subject

Right to Access Personal Data

The data subject has the right to obtain confirmation from the data controller on whether their personal data is being processed and to review the personal data stored in the registry. The data subject also has the right to receive a copy of the processed personal data. Requests for access must be sent to the data controller as specified in Section 2 and must be in writing and signed. The request for access may be denied on legal grounds.

Right to Rectification

The data controller shall correct, delete, or supplement any inaccurate, unnecessary, incomplete, or outdated personal data in the registry, either on its own initiative or at the request of the data subject (by contacting the data controller as specified in Section 2). The data subject also has the right to request that the data controller restrict the processing of their personal data, for example, when the data subject is awaiting a response from the data controller regarding the rectification or deletion of their data.

Right to Object to Processing of Personal Data

The data subject has the right to object to the processing of their personal data based on the legitimate interest of the data controller. The data subject also has the right to prohibit the processing and disclosure of their personal data for purposes other than educational activities by notifying the data controller as specified in Section 2.

Right to Withdraw Consent

If personal data is processed based on the data subject’s consent, the data subject has the right to withdraw their consent by notifying the data controller as specified in Section 2.

Right to Data Portability

To the extent that the data subject has provided data to the registry, which is processed based on a contract between the data controller and the data subject or with the data subject’s consent, the data subject has the right to receive such data in a structured, commonly used, and machine-readable format and the right to transfer this data to another data controller (if technically possible).

Right to Lodge a Complaint with a Supervisory Authority

The data subject has the right to lodge a complaint with the relevant supervisory authority if the data controller has not complied with the applicable data protection regulations.

11. Other Rights Related to the Processing of Personal Data

Individuals whose data is in the registry have the right to request the deletion of their personal data from the registry (“right to be forgotten”). Likewise, the data subjects have other rights under the EU General Data Protection Regulation, such as the right to restrict the processing of personal data in certain situations. Requests must be sent in writing to the data controller. The data controller may require the requester to prove their identity. The data controller will respond to the client within the time frame specified in the EU General Data Protection Regulation (usually within one month).