Aalto EE Service Portal Privacy Notice
Last updated on July 9, 2024.
Tietosuojailmoitus suomeksi
Aalto EE Service Portal provided by Aalto University Executive Education Oy (“Aalto EE” or “we) or its group companies (see Contact Information), also referred to as "Service Portal," "Portal," or "Service," serves Learners and Organizational Customer Representatives ("user(s)," "end user(s)," or "you"). This document details how we manage your personal and customer data when you are utilizing our Service Portal.
Please note that our Service Portal may feature links to external services or websites. This Privacy Notice does not encompass the handling of personal data by these external platforms. These external links may redirect you to other electronic services provided by Aalto EE, where registration or login might be possible using credentials from the Service Portal. We advise reviewing the terms and privacy policy relevant to the processing of personal data for those services upon their use. Some links might also lead to third-party services or websites not governed by Aalto EE.
Within this document, Learning Services include but are not limited to (“inter alia”) courses, training sessions, training programs, online courses, micro-credentials, exams, competency tests, and their related components. Learning Data comprises information such as participation, achievements, certificates, grades, and other pertinent data associated with the learning services. Organizational Customer Services refers to Learning Data Sharing and service Provisioning.
1 Contact Details
Controller
Aalto University Executive Education Oy,
Business ID 0590964-3
Runeberginkatu 14-16
00100 Helsinki
+358 10 837 3700
dpo@aaltoee.fi
The Group includes Aalto Executive Education Academy Pte Ltd, (UEN: 200000295R), 10 Anson Road #05-01, International Plaza, Singapore 079903, a subsidiary of Aalto EE registered in Singapore.
2 Signing Up for and Utilizing Service Portal
You can only join as a user by explicit invitation. You activate the Service Portal by registering as a user by creating your own personal user account. After registration, you can use your user ID to log in to your user account.
The registration and use of the Portal is bound by the Terms of Use of the Service Portal. While registering to the Portal, you accept and agree to the Terms of Use and these principles of processing of your personal data as described in this document. It is not possible for you to register and use the service without accepting these terms. You are provided with this Privacy Notice as part of the Terms of Use upon registration, and it will always be available in its updated form on the Portal (Profile > Consents).
3 Identification
Registration and the use of the Service Portal require strong electronic identification, for example, with online banking credentials or a Finnish mobile certificate/ID. Alternatively, you can identify yourself with your passport using a separately downloadable reading application, where the identification service verifies your identity by comparing the photo you took during identification with the photo saved on your identity card*. When you use strong identification, you give an assignment to a third-party identification service to identify you so that you can complete your registration in the Portal. During electronic identification, the terms of the agreement between you and the identification service provider, to which Aalto EE is not a contracting party, are applied, and the identification service providers have their own privacy policies, which Aalto EE does not disclose in this Privacy Notice. Strong authentication service providers are independent controllers and are responsible for the processing of personal data in accordance with applicable legislation. Aalto EE has ensured that all its stakeholders comply with data protection legislation and handle your personal data carefully.
*) Currently, the electronic identification using a passport is inactive until further notice.
4 Sources of Processing of Data Subjects' Personal Data
You provide your personal information to use this Service Portal. Aalto EE collects customer data during registration in the Portal and during the customer relationship.
Registration in the Portal requires that you, as a user and data subject, provide Aalto EE with the information marked as mandatory in the registration form. In addition, the Portal may process other personal data related to your customer encounters, for example, when you fill in online forms.
In connection with the identification process, the identification service discloses your identification data to Aalto EE, which processes the data received only to identify you.
5 Purposes of Use of Personal Data and Legal Basis for Processing
5.1 Basic Principles
The Service Portal processes your personal data primarily to provide you with Learning Services and Organizational Customer Services. Your data may also be utilized for managing information, development, and supervisory activities in line with data protection laws. For statistical analysis, the data is fully anonymized.
The predominant legal basis for processing personal data is its necessity for fulfilling the contract you agreed to upon initiating use of the Service Portal.
The table below shows for what purposes Aalto EE processes your personal data, what are the legal bases for processing, and what kind of personal data it collects. The purposes of processing are explained in more detail below the table.
|
Purpose of processing |
Legal basis |
Types |
|
Manage digital identity and access rights
Customer relationship management
Communicating learning data for employers to see (see also Sharing learning service-specific learning data)
Acquiring learning services and assigning them to employees |
agreement |
*) mandatory information Identification data generated by Aalto EE:
|
|
Sharing learning service-specific learning data for employers to see |
consent of the data subject |
|
|
Single sign-on (SSO) provision |
agreement |
|
|
Management of identity verification when using a passport (data provided by an external identification service provider) |
agreement |
|
|
Manage identity verification when using online banking credentials or a mobile certificate/ID |
agreement |
|
|
Marketing communications and targeting
|
consent of the data subject OR legitimate interest of the controller |
|
5.2 Managing Your Digital Identity and Permissions
We process your personal data to enable the use of the Service and manage your access rights.
5.3 Customer Relationship Management
We process your personal data so that you can use the Service Portal to start using Learning Services, to receive and review completions or assessments, to monitor the progress of your studies and to retrieve digital certificates or proofs for participation.
5.4 Communicating Learning Information for Employers to See
The customer organization and Aalto EE may have a mutual agreement on Learning Data Sharing. Aalto EE may share information about the completion and validity of the Learning Service with a designated contractual partner (typically your employer) with your explicit consent. If you are a supervisor of a Learning Data Sharing Agreement (employer's representative), Aalto EE will process your personal data to enable this role.
5.5 Provisioning of Learning Services to Employees
The customer organization and Aalto EE may have a mutual Provisioning Agreement on Learning Services, which allows named company representatives to assign them to employees. If you are an administrator of a Provisioning Agreement, Aalto EE processes your personal data to enable this role.
5.6 To Offer Single-Sign-On (SSO)
You can log in to the electronic services used in the production of the Learning Service included in Aalto EE's service portfolio with your Service Portal user ID by using Aalto EE's single-sign-on (SSO) service. Your personal data will be used to identify you in such a service.
Aalto EE's electronic services currently include the following services:
- This Service Portal at https://serviceportal.aaltoee.fi | Terms
- Learning environment ALEX at https://alex.aaltoee.fi | Terms
- Proctored exam platform DigiExam at https://digiexam.com and https://app.digiexam.com
- Aalto EE Key access management application (downloadable for iPhone and Android phones).
5.7 Managing Identity Verification When Using Online Banking Credentials, Mobile Certificate/ID, or Passport
An external identification service provider provides your personal data to Aalto EE, which uses it to identify and identify you.
5.8 Marketing Communications and Targeting
You can decide whether you want to receive digital direct marketing. Through marketing communications, we inform you about our Learning Services and their contents. If you have not taken a stand on the marketing consent question during registration or later in your Profile, Aalto EE may send you information about its services based on its legitimate interest. However, you always can object to digital direct marketing and processing of your personal data for marketing purposes by using the unsubscribe link provided in any such message. Learn more at www.aaltoee.fi/privacy.
6 Transfer and Disclosure of Personal data
Aalto EE may use subcontractors to provide its services, and when personal data is processed (transferred) to a third country outside the EU/EEA, Aalto EE has ensured and safeguarded that there is a legal basis for such a transfer and that sufficient and appropriate level of data protection is provided as required by applicable legislation.
Aalto EE may need to disclose certain information to recipients, such as public or law enforcement authorities, when required by law, but will only do so based on an appropriate legal order or subpoena issued by the relevant court. In the event of mergers or acquisitions, the acquiring party may also have access to necessary customer information.
7 Purposes of Use and Retention of Personal Data
Aalto EE has determined the retention periods based on the purpose of the processing and applicable legislation, and regularly reviews the personal data it collects to ensure that the personal data in its possession is not stored longer than necessary or required by law.
The retention periods are defined as follows:
|
Use |
Default retention period |
Max. retention period |
|
Maintaining the user's digital identity in CIAM (Customer Identification and Access Management) and the Service Portal. |
3 years after last login. |
Until the user account is deleted. * |
|
User consent or denial or revoked consent to share Learning Data based on the Learning Data Sharing Agreement. |
On a contract-by-contract basis until the user does not have any valid consents or when the agreement terminates. |
Until the user account is deleted. * |
|
Information that a user (usually an employee) has been invited to join a Learning Data Sharing Agreement and give consent to share Learning Data related to the Learning Service with a contractual partner (usually an employer). |
Until the invitation is canceled. |
Until the user account is deleted. * |
|
Information that the user has been invited to use the learning service through a Provisioning Agreement (usually in the name of his/her employer). |
Until the invitation is canceled. |
Until the user account is deleted. * |
|
Information that the user has accepted or declined an invitation to use the learning service through a Provisioning Agreement |
6 years** |
7 years** |
|
User's ongoing or completed learning services and related learning data |
Until the user account is deleted. *** |
According to the information management plan related to study data. *** |
|
The user's own achievements, i.e. evidence of completed learning services. |
Until the user account is deleted. *** |
According to the information management plan related to study data. *** |
|
The user's completed learning service and related learning data, if it has a defined expiration date. |
2 years after expiration. *** |
According to the information management plan related to study data. *** |
|
Personal data used to verify the user's identity using a passport, the source of which is the identification service. |
90 days |
90 days |
*) All processing of personal data included in the Service Portal is tied to the existence of a user account. If you, as a user, delete your user account, the processing of all your personal data in the Service Portal ends and the data related to you, including personal data, managed by the Service Portal is deleted.
**) In accordance with accounting regulations, related to the acquisition and use of the service for 6+1 years.
***) Your studies and study attainments, as well as the personal data necessary to identify them, are stored in Aalto EE's customer and participant management register, where the purposes and storage periods of the processing differ from those described in this document. With regard to your studies and study attainments, only the data that is in Aalto EE's customer and participant management register, whose processing activities and rights can be found in Aalto EE's general privacy policy, can be processed in the Service Portal. The controller has defined the retention period of study data as 50 years in its data management plan.
If you would like more detailed information about retention periods, please contact us with a request to our Data Protection Officer.
8 Technical and Organizational Security Measures
Aalto EE has an appropriate data security policy and procedures to protect personal data from loss, misuse, or unauthorized access. Aalto EE manages protection against unauthorized or illegal access and processing with role-based access management, which means that each employee is given access to resources and personal data based on the employee's role and job description. Strong electronic identification of end-users is in place. Usage is recorded and monitored. All data connections are encrypted, and data in the service is backed up regularly.
9 Your Rights as a Data Subject
You have certain rights in relation to your personal data, such as the right to access, update, delete and receive a copy of your data. You can exercise your rights by sending a request to dpo@aaltoee.fi.
A list of your rights and explanations are listed below.
|
Right to information |
You have the right to be informed about our organization and the processing of your personal data. In addition, you have the right to receive information about the parties to whom your personal data may be disclosed.
|
|
Right of access |
You have the right to know that we process your personal data and to have access to this data. |
|
Right of correction |
You have the right to ask us to correct/rectify inaccurate personal data concerning you, and you can manage a number of personal data yourself in the Service Portal. |
|
Right to erasure ("right to be forgotten") |
You have the right to request the erasure of your personal data. In certain cases, this right may be limited by a legal obligation to retain such data in accordance with mandatory legal restrictions that we notify you of. You can delete your user account from the Profile page. This action terminates the processing of your personal data in the Service Portal. It does not delete your studies or study attainments in Aalto EE's customer and participant management register, or your consent or prohibition to direct marketing. If you wish to exercise this right, please contact Aalto EE via the Data Protection Officer. |
|
Right to restriction of processing |
You have the right to restrict the processing of your personal data. Restricting processing means that we restrict the processing of certain data to storing it only. Please note that restricting the processing of your personal data may negatively affect your ability to use the service we provide. |
|
Right to data portability |
You have the right to request your personal data from us in a structured, commonly used and machine-readable format that allows the transfer of such data to another controller. You can download your information from the Profile page. |
|
Right to object to processing |
In certain cases, you have the right to object to the processing of your personal data. In this case, we will analyze whether the legal bases for data processing are sufficient to continue processing or whether we will stop processing your personal data altogether. |
|
Rights related to automated decision-making |
You have the right not to be subject to a decision based solely on automated processing which produces legal or similar effects concerning you. It means that you have the right to demand human intervention to review decisions made during automated processing. We do not make decisions based solely on automated processing of personal data that would have legal or other similarly significant effects. |
|
Right to withdraw consent |
If the processing of personal data is based on your consent, you have the right to withdraw your consent unconditionally at any time. However, this does not affect the lawfulness of processing based on consent before its withdrawal. You can manage consents on the Profile page under Consents. |
|
Right to lodge a complaint with a supervisory authority |
If you consider that the processing of your personal data infringes data protection laws, such as the GDPR, you have the right to lodge a complaint with your local data protection authority. |
Changes to this Notice
We reserve the right to update this Privacy Notice if our operations change. In this situation, we will endeavor to notify you of updates. This Privacy Notice was last updated on July 9, 2024.