This Privacy Notice describes the practices concerning data security and data protection used by Uudenmaan Koulutuskeskus Oy and the processes and tecnology with which Uudenmaan Koulutuskeskus Oy protects their customer data. This Privacy Notice is applied to Uudenmaan Koulutuskeskus Oy’s website, recruiting process, and services and training courses intended for customers.
This Privacy Notice does not apply to any third-party websites, applications, or services that may be used via additional partner services provided by the services of Uudenmaan Koulutuskeskus Oy. Uudenmaan Koulutuskeskus Oy recommends that their customers are always aware of data protection practices of any third-party services before allowing personal data collection and data use in said services.
Data Protection Principles
The data protection principles of Uudenmaan Koulutuskeskus Oy are: disclosure of the legal basis and purpose of data processing, disclosure of collected and processed data, technical, administrative, and physical protection of data, lawful data verification, and the opportunity to request data revision.
Personal Data Registers and Descriptions of Personal Data Register Files
Personal Data Processing on Behalf of Controller
Uudenmaan Koulutuskeskus Oy will not process personal data on behalf of other controllers.
Technical Protection of Data Registers
All electronically processed data in the registers is protected technically with firewalls, passwords, and through other technical means widely accepted in the data security sector. All data transfer between a customer and Uudenmaan Koulutuskeskus Oy is encrypted with SSL (Secure Socket Layer) technology. All data is regularly backup copied, and the copies are stored in a different location to where the primary data is stored. Uudenmaan Koulutuskeskus Oy executes internal and third-party-executed evaluations which also include the technical security of critical data systems.
Administrative Register Protection
Only specific employees working for Uudenmaan Koulutuskeskus Oy and employees working for companies commissioned and acting on behalf of Uudenmaan Koulutuskeskus Oy have access to register data based on specifically granted access rights. The access right of users are monitored regularly, and access right controlling politics prohibit creating dangerous access right combinations. Particularly the main access rights of main users in different systems are checked regularly and removed when they are no longer needed by the user. Employees whose employment contracts with Uudenmaan Koulutuskeskus Oy have been terminated are removed of their access rights to all systems at the time of termination of employment contract.
All personnel of Uudenmaan Koulutuskeskus Oy and any third-party persons working on its behalf are under professional confidentiality regarding all customer and personal data of Uudenmaan Koulutuskeskus Oy. Professional confidentiality, along with related sanctions, is stated in the employment contracts of the personnel of Uudenmaan Koulutuskeskus Oy. Professional confidentiality, along with related sanctions, is stated in all third-party contracts.
Employees processing the customer data of Uudenmaan Koulutuskeskus Oy are regularly trained. The training mostly comprises of the legal basis of their work. Data security and data protection awareness of the personnel of Uudenmaan Koulutuskeskus Oy is regularly maintained by: Organising bulletins to the company’s whole personnel regarding data security and data protection, and with an annual, mandatory training to the employees regarding data security and data protection during which the employees must pass an exam regarding the subject in order to pass the training. All new employees learn the data security policits of Uudenmaan Koulutuskeskus Oy in the beginning of their employment. Regular data security trainings remind the employees of the existence and location of the data security politics as well as of the validity of said politics. Data security politics describe the general rules that obligate employees regarding data security and data protection, whether they are technical rules, data security processes, or practices and instructions applied to everyday work.
Physical Protection of Register Data
Customer data is processed in data systems located in a data centre in Finland or in cloud services located inside the European Union. In data centres located in Finland, the most important production systems are duplicated into two separate data centres in order to ensure security, data preservation, and continuity of service under normal conditions as well as exception conditions. Security practices certified by the service producer, access control, and surveillance are implemented in these data centres.
Manually maintained material is stored in facilities into which access has been suspended with access control, and the most important facilities are under CCTV supervision in case of necessary examining and verifying of a physical security breach.
Rights of Registered Persons
According to Data Protection Regulation 15-22 § by the European Union, a registered person has the right to:
- Verify personal data
- Revise data
- Delete data
- Limit data processing
- Move data from one system to another
Access any personal data stored in the data systems of Uudenmaan Koulutuskeskus Oy. Execution of rights of registered persons may be limited by some other mandatory legislation, based on which Uudenmaan Koulutuskeskus Oy has the right and obligation to rightly deny revision, deletion, limitation of data processing, or moving of data from one system to another. An example of such legislation is the set of common accounting standards that control the keeping of payroll-related receipts regardless of the registered person’s rights specified in Data Protection Regulation.
In such cases where the registered person wishes to verify or revise their data stored in a register owned by a customer of Uudenmaan Koulutuskeskus Oy, the registered person must issue a request to the data controller in order to verify or revise data. The data controller controls the execution of verification requests and revision requests together with personal data processor Uudenmaan Koulutuskeskus Oy. In such cases, the data controller must issue a written verification request to the email address below.
All verification and revision requests must include the specific personal data to be verified and provide the name of the register to which the request refers. All requests are to be sent to: email@example.com. A registered person may execute their personal data rights determined in Personal Data Act once per year without charge.
Data Protection Breach Notification Practices
Data controller notifies the registered person only if the data protection breach is likely to cause significant risk to their rights and freedoms. The notification describes the nature of the data protection breach as well as the procedures implemented, in compliance with the law.
In such cases where the data protection breach is related to personal data in a personal data register owned by a customer of Uudenmaan Koulutuskeskus Oy, the customer of Uudenmaan Koulutuskeskus Oy is responsible for informing registered persons. A notification to the data controller is to be made within a reasonable timeframe after the manifestation of the data protection breach. The notification describes the nature of the data protection breach as well as the implemented procedures, in compliance with the law.
A notification to a data protection authority is to be made within the 72-hour timeframe after the manifestation defined by the law if the data protection breach is likely to cause significant risk to a natural person’s rights and freedoms. The notification describes the nature of the data protection breach as well as the implemented procedures, in compliance with the law.
Revision of Privacy Notice
Uudenmaan Koulutuskeskus Oy constantly develops its business operations and reserves the right to make changes to this Privacy Notice by notifying it via its electronic services and in the context of customer communication. All changes may be based on changes to the legislation and on the execution of following subsequent stipulations.