Personal data register of incident reporting
Register controller and contact information
Diaconia University of Applied Sciences, P.O. Box 12, 00511 Helsinki
https://www.diak.fi/diak/contact/
Data protection officer’s e-mail: tietosuojavastaava@diak.fi
What is the purpose of processing personal data?
The purpose of processing data in the Incident reporting personal data register is to manage and resolve reports of misconduct, faults, security risks or other incidents.
What is the basis for processing the data?
Processing of personal data is based on legitimate interest or on a legal obligation (the Whistleblower Act). The legitimate interest is to address misconduct, faults, security risks and other incidents.
Whose personal data does the register contain?
The incident reporting personal data register contains personal data about persons who have filed or processed incident reports or are in some other way related to the incident process. The register therefore contains data about Diak’s current and former employees and students. The register typically contains people’s names and contact details. In addition, reports may include various kinds of indirect personal data that the person who filed the report entered into the system. The register may also contain sensitive information whose nature cannot be predicted in advance, for example suspicions of a criminal offence.
Where is the data collected from?
The data in the incident reporting personal data register is obtained from the person who reported the incident. Filing an incident report is voluntary.
What personal data does the register contain?
The incident reporting personal data register includes the following information: name and contact details of the person who filed the incident report, names of report processors, and matters revealed in the report, which may contain direct or indirect personal data of the person that the report pertains to. Reports may also reveal sensitive information, such as suspicions of a crime.
How long is personal data stored in the register?
Data in the incident reporting personal data register is generally stored for two years. In some cases (for example in crime investigations), data may need to be stored for longer.
How is data protected?
Digital materials: The data is saved in an information system in which each user has a personal user ID. The data in the system can only be accessed and used by the persons handling the reports, who have been granted access rights to it as part of their duties. Diak’s systems are protected with access rights, passwords, two-factor authentication, monitoring and firewalls.
Paper materials: Paper materials are not collected, but if they are created, they will be stored in a locked and access-controlled room, and will be disposed of in a locked trash container (“data protection bin”).
Will the data be disclosed to external parties?
Data is not disclosed to external parties, except at the request of the authorities, for example as part of a criminal investigation.
Is the data subject to automatic decision-making?
Systems using the register do not have automatic decision-making functions.
Will data be transferred outside of the EU/EEA?
As a rule, data is not transferred outside the EU/EEA.
Transfers or disclosures of data outside the EU/EEA, where and to whom:
As a rule, the personal data contained in the register is not transferred outside the European Union or the European Economic Area or to international organisations. However, due to the international nature of the operations, Diak may use resources, applications and servers located outside the EU or EEA when providing the services. In these cases, Diak ensures that there is a legal basis for the transfer of data and that personal data is protected, for example by requiring standard contractual clauses approved by the EU Commission and compliance with appropriate technical and organizational security measures. In addition, where appropriate, a TIA assessment will be carried out in connection with such data transfer, as well as monitoring the overall level of data protection in known countries. In all cases, the data transfer is carried out in accordance with the General Data Protection Regulation and only to the extent strictly necessary.
What rights do I have?
You have the right to information on how and for what purpose your personal data will be processed. You can also request access to records of your personal data, and request that incorrect information be rectified.
You can also submit a request to delete your data or restrict its use. However, in some cases the data cannot be deleted or its use restricted, for example if the personal data is being processed to fulfil a legal obligation, to perform a task carried out in the public interest or to exercise public authority vested in Diak.
In certain situations, you also have the right to have the personal data you have provided to us transferred to another controller, or to object to the processing of your personal data, i.e. to request that we do not process it at all. In addition, you may request that we do not make decisions concerning you based solely on automated processing of personal data.
If you would like to know more about the processing of your data or to exercise your rights, you can contact Diak’s Data Protection Officer (tietosuojavastaava@diak.fi) or submit a request using the form found on Diak’s website: https://www.vismasignforms.com/form/fa53720e-cc71-4b92-b062-6db43e0d33d3.
You also always have the right to lodge a complaint with a supervisory authority. If necessary, you can contact the Data Protection Ombudsman, the government authority that supervises the processing of personal data in Finland.
Contact information:
Office of the Data Protection Ombudsman
P.O. Box 800, 00531 Helsinki
tietosuoja@om.fi
Tel. +358 29 566 6700
www.tietosuoja.fi
General advice for individuals: Tel. +358 29 566 6777