Privacy at Xamk Pulse bases on the Data Protection Act 1050/2018 and the GDPR, EU General Data Protection Regulation 679/2016. This privacy statement document specifies the information on processing personal data at Xamk Pulse.
1. Data controller
South-Eastern Finland University of Applied Sciences (business ID: 2472908-2)
PL 68 (Patteristonkatu 3 D)
company main number: +358 40 655 0555
2. Contact details in register matters
More information on data protection and the processing of personal data is available through the email of Xamk’s Training and Education Coordinator Piia Pöysä at: email@example.com and the email of Xamk’s Data Protection Coordinator at firstname.lastname@example.org.
3. Register name
The register name is Xamk Pulse which comprises the online store system and the Claned learning platform.
4. Purpose of the processing of personal data
South-Eastern Finland University of Applied Sciences is committed to protecting the privacy of its users and to complying with data protection legislation and good data protection practices in its operations. The processing of personal data is necessary for South-Eastern Finland University of Applied Sciences to provide services to all its customers and students. This privacy statement describes the practices of South-Eastern University of Applied Sciences concerning the collection and processing of personal data.
Personal data are collected for example due to delivering orders, allocating payments correctly, identifying customers and / or persons registered/ indicated by customers, verifying customer transaction history and transaction rights, reporting and marketing. Personal data are also collected to enable logging in to the Claned learning environment.
Information on the online service users is collected to determine access rights and to monitor service use. The online service system creates log files containing personal data for the purposes of customer history and troubleshooting.
5. Legal basis for processing personal data
The lawfulness of processing personal data bases on Article 6 of the GDPR 679/2016 as follows:
Legal basis follows Article 6 (1)(b) when processing personal data is necessary for executing contracts which data subjects enter through online store purchases and payments. This also applies to taking necessary steps at the data subjects’ request prior to entering such contracts.
According to Article 6 (1)(a), by accepting the Xamk Pulse Privacy statement and Terms of service data subjects give consent to the processing of their personal data for one or more specific purposes. This consent results in a contract between data subjects and the data controller. When registering to the Claned learning platform, data subjects accept the service provider’s terms of service.
Processing personal data has legal basis, according to Article 6 (1)(f), when processing is necessary to achieve legitimate data controller or third-party interests. This legitimate interest of the data controller bases on a relevant and appropriate relationship between data subjects and the controller, resulting from the data subjects being the data controller’s customers, and from the processing taking place for purposes that the data subjects could have reasonably expected at the time of the personal data collection and in the context of an appropriate customer relationship.
6. Information content of the register
Possible personal data to register include the following:
- general customer register: customer number, first name, last name, local address, post office, telephone number, email address, order history, username and direct marketing authorization
- order register: contact information, ordered products
- course registration: name, contact information, guardian information, if necessary
- mailing lists: email address
Personal data will be stored in the registers until they are deleted manually. Order information is stored until deleted manually or on a scheduled basis. Electronic receipt records are stored until deleted manually, but at least for six years.
7. Regular sources of information
The main sources of information are online store customers when placing orders, registering and making their online payments.
8. Regular destinations of disclosed data
No personal data will be disclosed to third parties. Personal data may be transmitted to other systems of the data controller, such as the cash register system, accounting, invoicing, access control and learning environments. Depending on the payment service provider, customers’ contact information is transmitted to the payment system when paying for the order to facilitate problem situations and returning payments.
9. Data transmission outside the EU or the EEA
No personal data will be transmitted outside the EU or the EEA.
10. Register security principles
The online store system maintenance is protected by user specific login names, passwords and access rights. The data in the database is protected by usernames and passwords and processing the data is limited to the use of the online store system. The data stored in the system is protected by operating system level permissions. All communications between the online store maintenance, the online store and the payment service provider are SSL-secured.
The online store server maintenance connection is only allowed for the server and system providers. The online store system provider has full access to view and delete all data collected. Only data controllers with such work-related responsibilities are entitled to access and delete the data collected.
11. Right to inspect personal data
Data subjects have the right to access and inspect the personal data stored in the register and to receive copies of the data. Inspection requests must be made electronically or in writing and addressed to the contact person in the register.
12. Right to demand the correction of data (rectification)
Data subjects have the right to demand incorrect data in the Xamk Pulse register to be corrected or deleted. Correction requests must be addressed electronically or in writing to the contact person of the register.
13. Other rights related to processing personal data
Data subjects have the right to prohibit the data controller from processing person-specific data for the purposes of direct mail, distance selling and other direct marketing as well as market and opinion research.