PRIVACY STATEMENT OF THE CUSTOMER REGISTER OF THE UNIVERSITY OF HELSINKI’S ONLINE PAYMENT SERVICE

1. Controller

University of Helsinki
Business Identity Code: 0313471-7  
P.O. Box 3 (Fabianinkatu 33)
00014 University of Helsinki

2. Contact person

Elina Ekholm / Jere Reinikainen
Email: firstname.lastname@helsinki.fi

The Data Protection Officer of the University of Helsinki can be reached at: tietosuoja@helsinki.fi.

3. Name of register

Customer register of the University of Helsinki’s online payment service

4. Purpose and legal basis for the processing of personal data

Personal data is collected and processed for the purpose of handling orders, managing customer relationships, ensuring the correct allocation of payments, and for the technical maintenance and development of the online payment service. Registration is not required to use the online payment service. The online store software creates log files containing personal data for the purposes of software usage history and troubleshooting.

The processing of personal data is based on the agreement between the controller and the customer, as well as statutory obligations.

5. Data content of the register

The following personal and order information is stored in the register:

The minimum data required for online payment portal payments (online payments are received from another University of Helsinki information system):

  • payer’s first and last name
  • payer’s email address
  • payer’s IP address
  • the language used by the payer (Finnish, English, Swedish)
  • additional order and payment details: product/service purchased, price, value added tax, order and payment date, payment method (information received from Verifone; no payment card numbers), possible refund

When the online payment service operates as an online store, for example in the case of University of Helsinki events, conferences, and student fees, other information may be collected on a case-by-case basis in addition to the above, such as:

  • participant’s title
  • participant’s organization
  • participant’s country
  • special dietary information (if meals are provided)
  • student’s first and last name
  • student’s student number or date of birth (not social security number)
  • right to study
  • faculty

We use a secure SSL encrypted connection to process credit card and other order information. We do not store credit card information in our data systems; it is processed and stored in Verifone’s secure PCI DSS certified system.

6. Regular sources of data

The main source of information is customers when placing orders, registering and paying online. The data source may also be external systems (the University of Helsinki’s own information systems) that are integrated with the University of Helsinki’s online payment service.

7. Retention period of personal data

The retention period of personal data is based on the retention period of accounting records and receipts as specified in the Accounting Act. According to the Accounting Act, supporting documents must be kept for at least six years after the end of the accounting period. The material required by the Accounting Act (PDF copies of receipts and accounting report) is stored on the designated server of the University of Helsinki. The personal data of orders to the online payment service itself are automatically anonymised two years after the order.

8. Regular disclosure of data and the transfer of data outside the EU or the European Economic Area

The register will not be disclosed to third parties. Personal data may be transferred as necessary to other systems maintained by the controller, such as the cash register system and accounting system.

No data will be disclosed or transferred outside the EU or the European Economic Area.

9. Principles for protecting the register

The right to use the register requires user rights determined by the University of Helsinki, and the register is located on a University of Helsinki server protected by a firewall and user authorisation.

Information will be distributed both internally and externally to the following groups:

  • University of Helsinki staff who need the information to perform their work tasks
  • Authorities as required by law (e.g. tax authorities)
  • Partners and subcontractors (e.g. parties related to payment and delivery) necessary to process orders and manage customer relationships

Access to the information in the register can only be granted to pre-determined members of the register controller’s staff whose job description includes processing the information. These staff members are bound by confidentiality.

10. Your rights and exceptions to rights

The contact address for matters concerning the rights of the data subject is the contact information provided in section 2 of this notice.

  • Right of access: you have the right to know whether your personal data are being processed and which of your personal data are being processed. You may also request a copy of the personal data being processed.
  • Right to rectification: if your personal data are inaccurate or incorrect, you have the right to request that they be rectified or completed.
  • Right to erasure: you have the right to request that your personal data be erased if the personal data are no longer necessary for the purposes for which they were collected, or if the personal data have been processed unlawfully. However, the right to erasure does not apply if the processing of personal data is necessary for compliance with a statutory obligation.
  • Right to restriction of processing: you have the right to request the restriction of processing of your personal data. This means that we will store your data but will not otherwise process them. You have this right in the following cases: You contest the accuracy of the personal data, in which case processing will be restricted for the period during which the university can verify their accuracy. / The processing is unlawful and you oppose the erasure of the personal data and request restriction of their use instead. / The university no longer needs the personal data for the purposes of processing, but you need them for the establishment, exercise, or defence of legal claims.
  • Right to lodge a complaint: If you have questions or concerns about the processing of your personal data, you may always contact us. You also have the right to lodge a complaint with the Office of the Data Protection Ombudsman if you consider that the processing of your personal data has infringed applicable data protection legislation. Contact details: Office of the Data Protection Ombudsman, Tietosuoja.fi/en, Switchboard: +358 29 56 66700, Registry: +358 29 566 6768, Email: tietosuoja@om.fi