KY's Privacy Statement for
Activity Points Register
EU General Data Protection Regulation 2016/679
1. Controller of the register and contact information
Controller: Aalto-yliopiston kauppatieteiden ylioppilaat ry (”Association”)
Business ID: 22149760-2
Address: Konemiehentie 4, 02150 Espoo
Email: palvelu@ky.fi
Phone: +358 40 353 8283
Contact person: Aada Hakakoski, Executive Director
Email: aada.hakakoski@ky.fi
Phone: 0500 430 546
2. Name of the register
Activity Points Register of Aalto University Business Students.
3. Data subjects
This register includes data of people that operate within the environment of the Association and have been actively participating in the Association’s activities (“Data subjects”).
4. Legal basis and purpose of gathering personal data
The legal basis for gathering personal data is consent.
The purpose of the register is keeping track of the activity points that data subjects collect when they are participating in activities. The contact information of the members of the Association is updated during the membership within the data system (“System”), upkeeping the benefits and rights of the member and ensuring them a chance to join invitational events.
5. Data content
The register contains contact information of the people that operate within the Association’s environment, personal data of the associations members and other useful information related to the associations’ membership. This includes following data:
Data subject’s first and last name;
Data subject’s email address;
Data subject’s positions of trust in the Association;
Data subject’s starting year of studies.
6. Regular sources of information
Personal data is collected from the data subjects themselves.
7. Regular disclosures and transfers of personal data
Personal data is regularly disclosed to the workgroup that prepares the Association’s acknowledgements. Personal data is also regularly transferred to the member register of Aalto University Business Students in terms of information about positions of trust within the Association.
Personal data can be disclosed to Association’s cooperation partners in order to carry out services related to the membership. Personal data can be disclosed to Association’s cooperation partners in order to carry out services that are not related to the membership only with the data subject’s consent.
Personal data can be transferred to other service providers in order to execute the System. The service provider executing the technical maintenance of the member register may transfer personal data in accordance with applicable privacy legislation and this privacy statement.
8. Transfers of personal data outside of EU or the EEA
Personal data won’t be transferred outside the European Union or the European Economic Area by the Association. However, the Association may use a service provider that is located outside of the EU or the EEA. The transfer of personal data outside of EU or the EEA is always carried out on one of the following legal grounds:
The European Commission has decided that an adequate level of data protection has been ensures in the recipient country;
The Association has implemented the appropriate safeguards for the transfer of personal data using standard terms of privacy approved by the European Commission. The data subject has the right to obtain a copy of these standard clauses by contacting the Association’s contact person; or
The data subject has consented to the transfer of their personal data, or there is a lawful ground for the transfer.
Access to the personal data is limited to what is necessary in order to carry out the services. The transfer of personal data outside of the EU or the EEA is always based on current legislation on the processing of personal data and is carried out in accordance with that legislation.
9. Protection of personal data and information security
All digitally handled personal data is stored securely in the Association’s System. Access to the System is limited to only authorized individuals that need the access in order to handle their work assignments. These individuals use their personal usernames and passwords to access the System.
Personal data is secured from outsiders and the use of member data is supervised. Personal data sent outside the Association is encrypted. Workstations and storages are secured.
Suomen Ekonomit ry (0202108-3) and Microsoft are responsible for the technical maintenance and protection of the member register.
10. Retention period of data
Personal data is stored in the register for as long as the data subject is a member of the Association’s association register.
Personal data will be retained for a maximum of 10 years after the membership has ended on the basis of the Association’s legitimate interest. Personal data may be stored for longer time periods if the applicable legislation or Association’s contractual obligations require it.
11. Data subject’s rights
The data subject has the right to object to the processing of his/hers personal data for direct marketing purposes at any given time. The data subject may provide the Association with channel-specific consents and restrictions (e.g. prohibit marketing via email).
In addition, the data subject has per se following rights at any time in accordance with applicable data protection legislation:
receive information about the processing of his/hers personal data;
have access to his/hers own personal data and inspect his/hers personal data processed by the Association;
demand correction and supplementation of inaccurate or incorrect personal data;
demand the removal of own personal data;
withdraw his/hers consent and object to the processing of personal data insofar as the processing of personal data is based on consent;
receive his/hers personal data in digital form and transfer those to another service provider given that the data subject has delivered the data to the Association personally, the Association processes the personal data in question based on consent and the processing is automatic; and
demand the processing of his/hers personal data to be restricted.
The data subject must submit the request for execution of the above-mentioned according to section 13 of this privacy statement. The Association may ask the data subject to specify the request in writing and verify the data subject’s identity before processing the request. The Association may refuse to execute the request based on applicable legislation.
12. Right to complain to supervising authority
Each data subject has the right to complain to the relevant supervising authorities or to the supervisory authorities of the Member State of the European Union where the data subject’s resident or workplace is located if the data subject sees that his/hers personal data has not been processed according to applicable data protection legislation.
13. Contact information
Requests considering the data subject’s rights, questions about this privacy statement and other contacts should be sent via email to the contact person.
Contact person: Aada Hakakoski, Executive Director
Email: aada.hakakoski@ky.fi
The data subject may also contact us personally or in writing at the address below:
Aalto-yliopiston kauppatieteiden ylioppilaat ry
Konemiehentie 4
02150 Espoo
14. Changes to this privacy statement
This privacy statement has been accepted by the Executive Board of the Association in its meeting on 4.3.2021. This privacy statement can be updated from time to time, for example, when legislation changes. This privacy statement was last updated 4.9.2024.
KY's Privacy Statement for
Association Register
EU General Data Protection Regulation 2016/679
1. Controller of the register and contact information
Controller: Aalto-yliopiston kauppatieteiden ylioppilaat ry (”Association”)
Business ID: 22149760-2
Address: Konemiehentie 4, 02150 Espoo
Email: palvelu@ky.fi
Phone: +358 40 353 8283
Contact person: Aada Hakakoski, Executive Director
Email: aada.hakakoski@ky.fi
Phone: 0500 430 546
2. Name of the register
Association Register of Aalto University Business Students.
3. Data subjects
This register includes data of associations that operate within the environment of the Association and are a member of the association register (“Data subjects”). It also contains personal data of the members of said associations.
4. Legal basis and purpose of gathering personal data
The legal basis for gathering personal data is consent.
The purpose of the register is keeping the contact information of the members of the Association up to date during the membership within the data system (“System”), upkeeping the benefits and rights of the member and marketing.
5. Data content
The register contains contact information of the associations that operate within the Association’s environment, personal data of the associations members and other useful information related to the associations’ membership. This includes following data:
Data subject’s name;
Data subject’s registration number or business ID;
Data subject’s purpose of existence;
Data subject’s email address;
Data subject’s home page;
Data subject’s annual meeting date;
Data subject’s board’s term duration;
Data subject’s board’s members’ first and last names;
Data subject’s board’s members’ areas of responsibility;
Data subject’s chairman’s and vice chairman’s email addresses; and
Data subject’s chairman’s and vice chairman’s phone numbers.
6. Regular sources of information
Personal data is collected from the data subjects themselves.
7. Regular disclosures and transfers of personal data
Personal data is regularly disclosed to the Foundation for Business Students in Aalto University when data subjects apply for grants and scholarships. Personal data is also regularly transferred to the member register of Aalto University Business Students in terms of information about positions of trust within the Association.
Personal data can be disclosed to Association’s cooperation partners in order to carry out services related to the membership. Personal data can be disclosed to Association’s cooperation partners in order to carry out services that are not related to the membership only with the data subject’s consent.
Personal data can be transferred to other service providers in order to execute the System. The service provider executing the technical maintenance of the member register may transfer personal data in accordance with applicable privacy legislation and this privacy statement.
8. Transfers of personal data outside of EU or the EEA
Personal data won’t be transferred outside the European Union or the European Economic Area by the Association. However, the Association may use a service provider that is located outside of the EU or the EEA. The transfer of personal data outside of EU or the EEA is always carried out on one of the following legal grounds:
The European Commission has decided that an adequate level of data protection has been ensures in the recipient country;
The Association has implemented the appropriate safeguards for the transfer of personal data using standard terms of privacy approved by the European Commission. The data subject has the right to obtain a copy of these standard clauses by contacting the Association’s contact person; or
The data subject has consented to the transfer of their personal data, or there is a lawful ground for the transfer.
Access to the personal data is limited to what is necessary in order to carry out the services. The transfer of personal data outside of the EU or the EEA is always based on current legislation on the processing of personal data and is carried out in accordance with that legislation.
9. Protection of personal data and information security
All digitally handled personal data is stored securely in the Association’s System. Access to the System is limited to only authorized individuals that need the access in order to handle their work assignments. These individuals use their personal usernames and passwords to access the System.
Personal data is secured from outsiders and the use of member data is supervised. Personal data sent outside the Association is encrypted. Workstations and storages are secured.
Suomen Ekonomit ry (0202108-3) and Microsoft are responsible for the technical maintenance and protection of the member register.
10. Retention period of data
Personal data is stored in the register for as long as the data subject is a member of the Association’s association register.
Personal data will be retained for a maximum of 10 years after the membership has ended on the basis of the Association’s legitimate interest. Personal data may be stored for longer time periods if the applicable legislation or Association’s contractual obligations require it.
11. Data subject’s rights
The data subject has the right to object to the processing of his/hers personal data for direct marketing purposes at any given time. The data subject may provide the Association with channel-specific consents and restrictions (e.g. prohibit marketing via email).
In addition, the data subject has per se following rights at any time in accordance with applicable data protection legislation:
receive information about the processing of his/hers personal data;
have access to his/hers own personal data and inspect his/hers personal data processed by the Association;
demand correction and supplementation of inaccurate or incorrect personal data;
demand the removal of own personal data;
withdraw his/hers consent and object to the processing of personal data insofar as the processing of personal data is based on consent;
receive his/hers personal data in digital form and transfer those to another service provider given that the data subject has delivered the data to the Association personally, the Association processes the personal data in question based on consent and the processing is automatic; and
demand the processing of his/hers personal data to be restricted.
The data subject must submit the request for execution of the above-mentioned according to section 13 of this privacy statement. The Association may ask the data subject to specify the request in writing and verify the data subject’s identity before processing the request. The Association may refuse to execute the request based on applicable legislation.
12. Right to complain to supervising authority
Each data subject has the right to complain to the relevant supervising authorities or to the supervisory authorities of the Member State of the European Union where the data subject’s resident or workplace is located if the data subject sees that his/hers personal data has not been processed according to applicable data protection legislation.
13. Contact information
Requests considering the data subject’s rights, questions about this privacy statement and other contacts should be sent via email to the contact person.
Contact person: Aada Hakakoski, Executive Director
Email: aada.hakakoski@ky.fi
The data subject may also contact us personally or in writing at the address below:
Aalto-yliopiston kauppatieteiden ylioppilaat ry
Konemiehentie 4
02150 Espoo
14. Changes to this privacy statement
This privacy statement has been accepted by the Executive Board of the Association in its meeting on 4.3.2021. This privacy statement can be updated from time to time, for example, when legislation changes. This privacy statement was last updated 4.9.2024.
KY's Privacy Statement for
Event Signup Register
EU General Data Protection Regulation 2016/679
1. Controller of the register and contact information
Controller: Aalto-yliopiston kauppatieteiden ylioppilaat ry (”Association”)
Business ID: 22149760-2
Address: Konemiehentie 4, 02150 Espoo
Email: palvelu@ky.fi
Phone: +358 40 353 8283
Contact person: Aapo Rissanen, IT Coordinator
Email: aapo.rissanen@ky.fi
Phone: +358 40 353 8277
2. Name of the register
Event Signup Register of Aalto University Business Students.
3. Data subjects
This register includes personal data of individuals attending the Association’s events (“Data subjects”).
4. Legal basis and purpose of gathering personal data
The legal basis for gathering personal information, complying with the EU GDPR, is the legitimate interest of the controller of the register.
The purpose of the register is to collect and process the personal data needed to organize the events.
5. Data content
The register contains information needed to organize the Association's events. This includes following data:
Data subject’s first and last name;
Data subject’s email address;
Data subject’s phone number;
Data subject’s special dietary needs;
Data subject’s preferred communication language; and
Alternating event-specific information.
6. Regular sources of information
Personal data is collected from the data subjects themselves.
7. Regular disclosures and transfers of personal data
Personal data is not disclosed or transferred regularly.
Personal data can be disclosed to Association’s cooperation partners in order to organize the Association’s events. Personal data can be disclosed to Association’s cooperation partners for other than event-related purposes only with the data subject’s consent.
Personal data can be transferred to other service providers in order to execute the personal data system (“System”). The service provider executing the technical maintenance of the member register may transfer personal data in accordance with applicable privacy legislation and this privacy statement.
8. Transfers of personal data outside of EU or the EEA
Personal data won’t be transferred outside the European Union or the European Economic Area by the Association. However, the Association may use a service provider that is located outside of the EU or the EEA. The transfer of personal data outside of EU or the EEA is always carried out on one of the following legal grounds:
The European Commission has decided that an adequate level of data protection has been ensures in the recipient country;
The Association has implemented the appropriate safeguards for the transfer of personal data using standard terms of privacy approved by the European Commission. The data subject has the right to obtain a copy of these standard clauses by contacting the Association’s contact person; or
The data subject has consented to the transfer of their personal data, or there is a lawful ground for the transfer.
Access to the personal data is limited to what is necessary in order to carry out the services. The transfer of personal data outside of the EU or the EEA is always based on current legislation on the processing of personal data and is carried out in accordance with that legislation.
9. Protection of personal data and information security
All digitally handled personal data is stored securely in the Association’s System. Access to the System is limited to only authorized individuals that need the access in order to handle their work assignments. These individuals use their personal usernames and passwords to access the System.
Personal data is secured from outsiders and the use of member data is supervised. Personal data sent outside the Association is encrypted. Workstations and storages are secured.
Treanglo Oy (2623329-1) and Google LLC (US41503674) are responsible for the technical maintenance and protection of the event signup register.
10. Retention period of data
Personal data is stored only for as long as necessary and data will be deleted from the register within a reasonable time after the event has ended. For a normal event this usually means two weeks after the event has ended. If some of the information is still required after this for exceptional reasons such as collecting delayed payments, can the data of the affected data subjects be retained until the situation has passed.
Personal data will be retained for a maximum of 10 years after the event has ended on the basis of the Association’s legitimate interest. Personal data may be stored for longer time periods if the applicable legislation or Association’s contractual obligations require it.
11. Data subject’s rights
The data subject has the right to object to the processing of his/hers personal data for direct marketing purposes at any given time. The data subject may provide the Association with channel-specific consents and restrictions (e.g. prohibit marketing via email).
In addition, the data subject has per se following rights at any time in accordance with applicable data protection legislation:
receive information about the processing of his/hers personal data;
have access to his/hers own personal data and inspect his/hers personal data processed by the Association;
demand correction and supplementation of inaccurate or incorrect personal data;
demand the removal of own personal data;
withdraw his/hers consent and object to the processing of personal data insofar as the processing of personal data is based on consent;
receive his/hers personal data in digital form and transfer those to another service provider given that the data subject has delivered the data to the Association personally, the Association processes the personal data in question based on consent and the processing is automatic; and
demand the processing of his/hers personal data to be restricted.
The data subject must submit the request for execution of the above-mentioned according to section 13 of this privacy statement. The Association may ask the data subject to specify the request in writing and verify the data subject’s identity before processing the request. The Association may refuse to execute the request based on applicable legislation.
12. Right to complain to supervising authority
Each data subject has the right to complain to the relevant supervising authorities or to the supervisory authorities of the Member State of the European Union where the data subject’s resident or workplace is located if the data subject sees that his/hers personal data has not been processed according to applicable data protection legislation.
13. Contact information
Requests considering the data subject’s rights, questions about this privacy statement and other contacts should be sent via email to the contact person.
Contact person: Aapo Rissanen, IT Coordinator
Email: aapo.rissanen@ky.fi
The data subject may also contact us personally or in writing at the address below:
Aalto-yliopiston kauppatieteiden ylioppilaat ry
Konemiehentie 4
02150 Espoo
14. Changes to this privacy statement
This privacy statement has been accepted by the Executive Board of the Association in its meeting on 4.3.2021. This privacy statement can be updated from time to time, for example, when legislation changes. This privacy statement was last updated 4.9.2024.
KY's Privacy Statement for
Member Register
EU General Data Protection Regulation 2016/679
1. Controller of the register and contact information
Controller: Aalto-yliopiston kauppatieteiden ylioppilaat ry (”Association”)
Business ID: 22149760-2
Address: Konemiehentie 4, 02150 Espoo
Email: palvelu@ky.fi
Phone: +358 40 353 8283
Contact person: Aada Hakakoski, Executive Director
Email: aada.hakakoski@ky.fi
Phone: 0500 430 546
2. Name of the register
Member Register of Aalto University Business Students.
3. Data subjects
This register includes personal data of current and former members, volunteers and contact persons of the Association (“Data subjects”).
4. Legal basis and purpose of gathering personal data
The legal basis of gathering personal information is the maintenance of a member register as required by the Associations Act (503/1989) 11§ 1. subsection and in some cases fulfilling Association's co-operation agreements.
The purpose of the register is keeping the contact information of the members of the Association up to date during the membership within the personal data system (“System”), upkeeping the benefits and rights of the member and marketing.
5. Data content
The register contains Association’s members personal data and contact information as well as other necessary information related to the membership. This includes following data:
Data subject’s first and last name;
Data subject’s address;
Data subject’s date of birth;
Data subject’s social security number;
Data subject’s email address;
Data subject’s phone number;
Identification of digital communication;
Data subject’s student number;
Data subject’s starting year of studies;
Data subject’s stage of studies upon joining the Association;
Data subject’s positions of trust within the Association; and
Information about grants and scholarships the data subject has applied for.
6. Regular sources of information
Personal data is collected from the data subjects themselves upon joining the Association. Information about positions of trust are collected from the associations, committees and working groups that operate within the Association’s environment and from the association register of Aalto University Business Students. Information about the data subject’s stage of studies is received from Aalto University School of Business in order to accept and end memberships.
7. Regular disclosures and transfers of personal data
Personal data is regularly disclosed to (1) the Foundation for Business Students in Aalto University when data subjects apply for grants and scholarships, and to (2) Finnish Business School Graduates, as all Association’s student members are its members.
Personal data can be disclosed to Association’s cooperation partners in order to carry out services related to the membership. Personal data can be disclosed to Association’s cooperation partners in order to carry out services that are not related to the membership only with the data subject’s consent.
Personal data can be transferred to other service providers in order to execute the System. The service provider executing the technical maintenance of the member register may transfer personal data in accordance with applicable privacy legislation and this privacy statement.
8. Transfers of personal data outside of EU or the EEA
Personal data won’t be transferred outside the European Union or the European Economic Area by the Association. However, the Association may use a service provider that is located outside of the EU or the EEA. The transfer of personal data outside of EU or the EEA is always carried out on one of the following legal grounds:
The European Commission has decided that an adequate level of data protection has been ensures in the recipient country;
The Association has implemented the appropriate safeguards for the transfer of personal data using standard terms of privacy approved by the European Commission. The data subject has the right to obtain a copy of these standard clauses by contacting the Association’s contact person; or
The data subject has consented to the transfer of their personal data, or there is a lawful ground for the transfer.
Access to the personal data is limited to what is necessary in order to carry out the services. The transfer of personal data outside of the EU or the EEA is always based on current legislation on the processing of personal data and is carried out in accordance with that legislation.
9. Protection of personal data and information security
All digitally handled personal data is stored securely in the Association’s System. Access to the System is limited to only authorized individuals that need the access in order to handle their work assignments. These individuals use their personal usernames and passwords to access the System.
Personal data is secured from outsiders and the use of member data is supervised. Personal data sent outside the Association is encrypted. Workstations and storages are secured.
Suomen Ekonomit ry (0202108-3) is responsible for the technical maintenance and protection of the member register.
Possible print documents are protected by storing them in a locked space preventing access from third parties.
10. Retention period of data
Personal data is stored in the register for as long as the data subject is a member of the Association or the retention is justified by executing benefits and rights related to the Association.
Personal data will be retained for a maximum of 10 years after the membership has ended on the basis of the Association’s legitimate interest. Personal data may be stored for longer time periods if the applicable legislation or Association’s contractual obligations require it.
11. Data subject’s rights
The data subject has the right to object to the processing of his/hers personal data for direct marketing purposes at any given time. The data subject may provide the Association with channel-specific consents and restrictions (e.g. prohibit marketing via email).
In addition, the data subject has per se following rights at any time in accordance with applicable data protection legislation:
receive information about the processing of his/hers personal data;
have access to his/hers own personal data and inspect his/hers personal data processed by the Association;
demand correction and supplementation of inaccurate or incorrect personal data;
demand the removal of own personal data;
withdraw his/hers consent and object to the processing of personal data insofar as the processing of personal data is based on consent;
receive his/hers personal data in digital form and transfer those to another service provider given that the data subject has delivered the data to the Association personally, the Association processes the personal data in question based on consent and the processing is automatic; and
demand the processing of his/hers personal data to be restricted.
The data subject must submit the request for execution of the above-mentioned according to section 13 of this privacy statement. The Association may ask the data subject to specify the request in writing and verify the data subject’s identity before processing the request. The Association may refuse to execute the request based on applicable legislation.
12. Right to complain to supervising authority
Each data subject has the right to complain to the relevant supervising authorities or to the supervisory authorities of the Member State of the European Union where the data subject’s resident or workplace is located if the data subject sees that his/hers personal data has not been processed according to applicable data protection legislation.
13. Contact information
Requests considering the data subject’s rights, questions about this privacy statement and other contacts should be sent via email to the contact person.
Contact person: Aada Hakakoski, Executive Director
Email: aada.hakakoski@ky.fi
The data subject may also contact us personally or in writing at the address below:
Aalto-yliopiston kauppatieteiden ylioppilaat ry
Konemiehentie 4
02150 Espoo
14. Changes to this privacy statement
This privacy statement has been accepted by the Executive Board of the Association in its meeting on 4.3.2021. This privacy statement can be updated from time to time, for example, when legislation changes. This privacy statement was last updated 4.9.2024.
KY's Privacy Statement for
Office Personnel Register
EU General Data Protection Regulation 2016/679
1. Controller of the register and contact information
Controller: Aalto-yliopiston kauppatieteiden ylioppilaat ry (”Association”)
Business ID: 22149760-2
Address: Konemiehentie 4, 02150 Espoo
Email: palvelu@ky.fi
Phone: +358 40 353 8283
Contact person: Aada Hakakoski, Executive Director
Email: aada.hakakoski@ky.fi
Phone: 0500 430 546
2. Name of the register
Office Personnel Register of Aalto University Business Students.
3. Data subjects
This register includes personal data of individuals working or being a part of the executive board of the Association or Aalto University Business Students Foundation (“Data subjects”).
4. Legal basis and purpose of gathering personal data
The legal basis for gathering personal information, complying with the EU GDPR, is consent.
The purpose of the register is to collect and process the personal data needed to organize work in the Association.
5. Data content
The register contains information needed to organize the Association's work. This includes following data:
Data subject’s first and last name;
Data subject’s email address;
Data subject’s phone number;
Data subject’s special dietary needs;
Data subject’s personal identification number;
Data subject’s home address;
Data subject’s account number;
Data subject’s ICE contact’s name;
Data subject’s ICE contact’s number.
6. Regular sources of information
Personal data is collected from the data subjects themselves.
7. Regular disclosures and transfers of personal data
Personal data is not disclosed or transferred regularly.
Personal data can be disclosed to Association’s cooperation partners in order to organize the Association’s events. Personal data can be disclosed to Association’s cooperation partners for other than event-related purposes only with the data subject’s consent.
Personal data can be transferred to other service providers in order to execute the personal data system (“System”). The service provider executing the technical maintenance of the member register may transfer personal data in accordance with applicable privacy legislation and this privacy statement.
8. Transfers of personal data outside of EU or the EEA
Personal data won’t be transferred outside the European Union or the European Economic Area by the Association. However, the Association may use a service provider that is located outside of the EU or the EEA. The transfer of personal data outside of EU or the EEA is always carried out on one of the following legal grounds:
The European Commission has decided that an adequate level of data protection has been ensures in the recipient country;
The Association has implemented the appropriate safeguards for the transfer of personal data using standard terms of privacy approved by the European Commission. The data subject has the right to obtain a copy of these standard clauses by contacting the Association’s contact person; or
The data subject has consented to the transfer of their personal data, or there is a lawful ground for the transfer.
Access to the personal data is limited to what is necessary in order to carry out the services. The transfer of personal data outside of the EU or the EEA is always based on current legislation on the processing of personal data and is carried out in accordance with that legislation.
9. Protection of personal data and information security
All digitally handled personal data is stored securely in the Association’s System. Access to the System is limited to only authorized individuals that need the access in order to handle their work assignments. These individuals use their personal usernames and passwords to access the System.
Personal data is secured from outsiders and the use of member data is supervised. Personal data sent outside the Association is encrypted. Workstations and storages are secured.
Google LLC (US41503674) is responsible for the technical maintenance and protection of the Office members register.
10. Retention period of data
Personal data is stored only for as long as necessary and data will be deleted from the register within a reasonable time after the event has ended. For a normal event this usually means two weeks after the event has ended. If some of the information is still required after this for exceptional reasons such as collecting delayed payments, can the data of the affected data subjects be retained until the situation has passed.
Personal data will be retained for a maximum of 10 years after the event has ended on the basis of the Association’s legitimate interest. Personal data may be stored for longer time periods if the applicable legislation or Association’s contractual obligations require it.
11. Data subject’s rights
The data subject has the right to object to the processing of his/hers personal data for direct marketing purposes at any given time. The data subject may provide the Association with channel-specific consents and restrictions (e.g. prohibit marketing via email).
In addition, the data subject has per se following rights at any time in accordance with applicable data protection legislation:
receive information about the processing of his/hers personal data;
have access to his/hers own personal data and inspect his/hers personal data processed by the Association;
demand correction and supplementation of inaccurate or incorrect personal data;
demand the removal of own personal data;
withdraw his/hers consent and object to the processing of personal data insofar as the processing of personal data is based on consent;
receive his/hers personal data in digital form and transfer those to another service provider given that the data subject has delivered the data to the Association personally, the Association processes the personal data in question based on consent and the processing is automatic; and
demand the processing of his/hers personal data to be restricted.
The data subject must submit the request for execution of the above-mentioned according to section 13 of this privacy statement. The Association may ask the data subject to specify the request in writing and verify the data subject’s identity before processing the request. The Association may refuse to execute the request based on applicable legislation.
12. Right to complain to supervising authority
Each data subject has the right to complain to the relevant supervising authorities or to the supervisory authorities of the Member State of the European Union where the data subject’s resident or workplace is located if the data subject sees that his/hers personal data has not been processed according to applicable data protection legislation.
13. Contact information
Requests considering the data subject’s rights, questions about this privacy statement and other contacts should be sent via email to the contact person.
Contact person: Aada Hakakoski, Executive Director
Email: aada.hakakoski@ky.fi
The data subject may also contact us personally or in writing at the address below:
Aalto-yliopiston kauppatieteiden ylioppilaat ry
Konemiehentie 4
02150 Espoo
14. Changes to this privacy statement
This privacy statement has been accepted by the Executive Board of the Association in its meeting on 4.3.2021. This privacy statement can be updated from time to time, for example, when legislation changes. This privacy statement was last updated 4.9.2024.
KY's Privacy Statement for
CCTV Surveillance System
EU General Data Protection Regulation 2016/679
1. Controller of the register and contact information
Controller: Aapo Rissanen, IT Coordinator
Users: Aada Hakakoski, Executive Director; Pyry Pietikäinen, Service Advisor; Aleksi Markula, Service Advisor; Ella Kuhalampi, Service Advisor
Business ID: 22149760-2
Address: Konemiehentie 4, 02150 Espoo
Email: service@ky.fi
Phone: +358 40 353 8283
Contact person: Aapo Rissanen, IT Coordinator
Email: aapo.rissanen@ky.fi
Phone: +358 40 353 8277
2. Name of the register
Recording Video Surveillance (CCTV) System of Tech Storage Room, KY's Association Storage Room (Contactor) and Montonen meeting room.
3. Data subjects
This register includes the personal data of individuals captured on the CCTV system installed in the tech storage room, KY's Association Storage Room (Contactor) and Montonen meeting room (“Data subjects”).
4. Legal basis and purpose of gathering personal data
The legal basis for gathering personal information, complying with the EU GDPR, is the legitimate interest of the controller of the register. The purpose of the register is to collect and process the personal data needed to ensure the security, protection, and proper use of the property (reservable assets) within the tech storage room. In addition, in the KY's Association Storage Room (Contactor), the purpose of the register is to collect and process the personal data needed to ensure the security and protection of the property (property of associations) stored in the KY's Association Storage Room (Contactor). In the Montonen meeting room, the purpose of the register is to collect and process the personal data needed to ensure the security and protection of the property stored in the Montonen meeting room.
5. Data content
The register contains video footage capturing the activities within the tech storage room, KY's Association Storage Room (Contactor) and Montonen meeting room. This includes the following data: Data subject’s image; and Any other identifiable information captured by the CCTV system.
6. Regular sources of information
Personal data is collected from the CCTV surveillance system installed in the tech storage room, KY's Association Storage Room (Contactor) and Montonen meeting room.
7. Regular disclosures and transfers of personal data
Personal data is not disclosed or transferred regularly. Personal data can be disclosed only to law pre-trial investigation authorities if required by law or at the request of the individual who was recorded. Personal data can be disclosed to Association’s cooperation partners for security analysis purposes only with the data subject’s consent. Personal data can be transferred to other service providers in order to execute the personal data system (“System”). The service provider executing the technical maintenance of the CCTV system may transfer personal data in accordance with applicable privacy legislation and this privacy statement.
8. Transfers of personal data outside of EU or the EEA
Personal data won’t be transferred outside the European Union or the European Economic Area by the Association. However, the Association may use a service provider that is located outside of the EU or the EEA. The transfer of personal data outside of EU or the EEA is always carried out on one of the following legal grounds:
The European Commission has decided that an adequate level of data protection has been ensured in the recipient country;
The Association has implemented the appropriate safeguards for the transfer of personal data using standard terms of privacy approved by the European Commission. The data subject has the right to obtain a copy of these standard clauses by contacting the Association’s contact person; or
The data subject has consented to the transfer of their personal data, or there is a lawful ground for the transfer.
Access to the personal data is limited to what is necessary in order to carry out the services. The transfer of personal data outside of the EU or the EEA is always based on current legislation on the processing of personal data and is carried out in accordance with that legislation.
9. Protection of personal data and information security
All digitally handled personal data is stored securely in the Association’s System locally in a locked space. Access to the System is limited to only authorized individuals who need access in order to handle their work assignments. These individuals use their personal usernames and passwords to access the System.
Personal data is secured from outsiders, and the use of member data is supervised. Personal data sent outside the Association is encrypted. Workstations and storages are secured.
KY’s IT sector is responsible for the technical maintenance and protection of the CCTV system.
10. Retention period of data
Personal data is stored only for as long as necessary, and data will be deleted from the register within a reasonable time as determined by the Association’s data retention policy. This usually means a maximum of 30 days unless there are exceptional circumstances such as ongoing investigations related to a security incident or if there is any suspicion of theft or unauthorized access to the property that is being protected by this system. Personal data may be stored for longer time periods if the applicable legislation or Association’s contractual obligations require it.
11. Data subject’s rights
The data subject has the right to object to the processing of his/hers personal data at any given time. In addition, the data subject has per se the following rights at any time in accordance with applicable data protection legislation:
receive information about the processing of his/hers personal data;
have access to his/hers own personal data and inspect his/hers personal data processed by the Association;
demand correction and supplementation of inaccurate or incorrect personal data;
demand the removal of own personal data;
withdraw his/hers consent and object to the processing of personal data insofar as the processing of personal data is based on consent;
receive his/hers personal data in digital form and transfer those to another service provider given that the data subject has delivered the data to the Association personally, the Association processes the personal data in question based on consent and the processing is automatic; and
demand the processing of his/hers personal data to be restricted.
The data subject must submit the request for execution of the above-mentioned rights according to section 13 of this privacy statement. The Association may ask the data subject to specify the request in writing and verify the data subject’s identity before processing the request. The data subject must be able to identify to the controller when he or she entered the controlled area so that the recording can be found within a reasonable time. The Association may refuse to execute the request based on applicable legislation.
12. Right to complain to supervising authority
Each data subject has the right to complain to the relevant supervising authorities or to the supervisory authorities of the Member State of the European Union where the data subject’s resident or workplace is located if the data subject sees that his/hers personal data has not been processed according to applicable data protection legislation.
13. Contact information
Requests considering the data subject’s rights, questions about this privacy statement and other contacts should be sent via email to the contact person.
Contact person: Aapo Rissanen, IT Coordinator
Email: aapo.rissanen@ky.fi
The data subject may also contact us personally or in writing at the address below:
Aalto-yliopiston kauppatieteiden ylioppilaat ry
Konemiehentie 4
02150 Espoo
14. Changes to this privacy statement
This privacy statement has been accepted by the Executive Board of the Association in its meeting on 3.11.2021. This privacy statement can be updated from time to time, for example, when legislation changes. This privacy statement was last updated 4.9.2024.
KY's Privacy Statement for
Ky Office CCTV Surveillance System
EU General Data Protection Regulation 2016/679
1. Controller of the register and contact information
Controller: Arttu Lääkkölä, Managing Director
Users: Aada Hakakoski, Executive Director of KY ry
Business ID: 2210538-0
Address: Konemiehentie 4, 02150 Espoo
Email: arttu.laakkola@ky.fi
Phone: +358 40 353 8283
Contact person: Arttu Lääkkölä, Managing Director
Email: arttu.laakkola@ky.fi
Phone: +358 40 024 1961
2. Name of the register
KY Office Recording Video Surveillance (CCTV) System.
3. Data subjects
This register includes the personal data of individuals captured on the CCTV system installed in the KY Office building’s general facilities (“Data subjects”).
4. Legal basis and purpose of gathering personal data
The legal basis for gathering personal information, complying with the EU GDPR, is the legitimate interest of the controller of the register. The purpose of the register is to collect and process the personal data needed to ensure the security and protection of property and personnel within the KY Office spaces.
5. Data content
The register contains video footage capturing the activities within the KY Office’s general facilities (lobby, hallway, and doors). This includes the following data: Data subject’s image; and Any other identifiable information captured by the CCTV system.
6. Regular sources of information
Personal data is collected from the CCTV surveillance system installed in the KY Office’s general facilities including the lobby, the hallway, and the doors.
7. Regular disclosures and transfers of personal data
Personal data is not disclosed or transferred regularly. Personal data can be disclosed only to law pre-trial investigation authorities if required by law or at the request of the individual who was recorded. Personal data can be disclosed to Association’s cooperation partners for security analysis purposes only with the data subject’s consent. Personal data can be transferred to other service providers in order to execute the personal data system (“System”). The service provider executing the technical maintenance of the CCTV system may transfer personal data in accordance with applicable privacy legislation and this privacy statement.
8. Transfers of personal data outside of EU or the EEA
Personal data won’t be transferred outside the European Union or the European Economic Area by the Association. However, the Association may use a service provider that is located outside of the EU or the EEA. The transfer of personal data outside of EU or the EEA is always carried out on one of the following legal grounds:
The European Commission has decided that an adequate level of data protection has been ensured in the recipient country;
The Association has implemented the appropriate safeguards for the transfer of personal data using standard terms of privacy approved by the European Commission. The data subject has the right to obtain a copy of these standard clauses by contacting the Association’s contact person; or
The data subject has consented to the transfer of their personal data, or there is a lawful ground for the transfer.
Access to the personal data is limited to what is necessary in order to carry out the services. The transfer of personal data outside of the EU or the EEA is always based on current legislation on the processing of personal data and is carried out in accordance with that legislation.
9. Protection of personal data and information security
All digitally handled personal data is stored securely in the Association’s System locally in a locked space. Access to the System is limited to only authorized individuals who need access in order to handle their work assignments. These individuals access the System in supervision of the controller of the register that is the only individual that has access to the System. The controller of the register uses their personal usernames and passwords to access the System.
Personal data is secured from outsiders, and the use of member data is supervised. Personal data sent outside the Association is encrypted. Workstations and storages are secured.
As part of KY Foundations security contract for KY Office is Securitas Oy responsible for the technical maintenance and protection of the CCTV system.
10. Retention period of data
Personal data is stored only for as long as necessary, and data will be deleted from the register within a reasonable time as determined by the data retention policy of a third-party contractor used (Securitas Oy). The data might be stored for longer periods of time if there are exceptional circumstances such as ongoing investigations related to a security incident or if there is any suspicion of theft or unauthorized access to the property that is being protected by this system. Personal data may be stored for longer time periods if the applicable legislation or Association’s contractual obligations require it.
11. Data subject’s rights
The data subject has the right to object to the processing of his/hers personal data at any given time. In addition, the data subject has per se the following rights at any time in accordance with applicable data protection legislation:
receive information about the processing of his/hers personal data;
have access to his/hers own personal data and inspect his/hers personal data processed by the Association;
demand correction and supplementation of inaccurate or incorrect personal data;
demand the removal of own personal data;
withdraw his/hers consent and object to the processing of personal data insofar as the processing of personal data is based on consent;
receive his/hers personal data in digital form and transfer those to another service provider given that the data subject has delivered the data to the Association personally, the Association processes the personal data in question based on consent and the processing is automatic; and
demand the processing of his/hers personal data to be restricted.
The data subject must submit the request for execution of the above-mentioned rights according to section 13 of this privacy statement. The Association may ask the data subject to specify the request in writing and verify the data subject’s identity before processing the request. The data subject must be able to identify to the controller when he or she entered the controlled area so that the recording can be found within a reasonable time. The Association may refuse to execute the request based on applicable legislation.
12. Right to complain to supervising authority
Each data subject has the right to complain to the relevant supervising authorities or to the supervisory authorities of the Member State of the European Union where the data subject’s resident or workplace is located if the data subject sees that his/hers personal data has not been processed according to applicable data protection legislation.
13. Contact information
Requests considering the data subject’s rights, questions about this privacy statement and other contacts should be sent via email to the contact person.
Contact person: Arttu Lääkkölä, Managing Director
Email: arttu.laakkola@ky.fi
The data subject may also contact us personally or in writing at the address below:
Aalto-yliopiston kauppatieteiden ylioppilaat ry
Konemiehentie 4
02150 Espoo
14. Changes to this privacy statement
This privacy statement has been accepted by the Executive Board of the Association in its meeting on 4.9.2024. This privacy statement can be updated from time to time, for example, when legislation changes. This privacy statement was last updated 4.9.2024.
