Privacy policy

Privacy Notice for Haaga-Helia Online

In compliance with the requirements of the EU General Data Protection Regulation (GDPR, Art. 13 and 14)


Published on the website (English version only)

1. Controller

Haaga-Helia University of Applied Sciences Ltd

Business ID 2029188-8

Ratapihantie 13

00520 Helsinki, Finland

2. Controllers’ contact persons

Ari Björkqvist

3. Controller’s data privacy officer

Teija Aarnio

+358 40 488 7001

Requests concerning the exercising of the data subject’s rights should be addressed to the controller’s data privacy officer.

4. Purpose and lawfulness of processing of personal data

In order to provide and execute services of Haaga-Helia Online, the controller processes personal data related to customers’ orders and courses. Personal data are also processed for managing customer and user relationship, for communication purposes and to handle feedback. (GDPR art. 6 (1) b, performance of a contract).

Further, personal data can be used for marketing purposes e.g. communicate new courses and to improve Haaga-Helia Online services and website (GDPR art. 6 (1) f, legitimate interest).

5. Scope and personal data categories processed

Data subjects

  • Customers, customer’s contact persons, and registered users of Haaga-Helia Online
  • Persons contacting the controller via the Haaga-Helia Online website

Personal data categories

The following personal data shall be processed in the connection with Haaga-Helia Online (the list is not exhaustive and not all of the data listed is necessarily present for every data subject):

  • Identification and contact data such as name, email, address, phone number, customer type, country and language
  • Data related to services such as details of orders and ongoing/completed courses, payment details and payment method, login details and account usage information
  • Communication data such as emails and information on forms sent via website
  • Certain information about users’ devices, such as IP address

6. Regular data sources

Personal data are primarily collected from the data subjects themselves.

Additionally, the controller collects personal data related to the purpose of use of the data file, generated as part of the controller’s operation.

7. Storage periods

The personal data are only stored for as long as and to the extent that each category of data is needed, proportionate to the purpose of processing of the personal data. The controller has the right to delete the user account and the information on it when the account has been unused for two years, unless longer storage period is needed for statutory purposes or for solving potential disputes. The information on the contact form sent via website will be deleted 90 days after receipt of it.

8. Disclosures of personal data

Personal data may be shared with third parties that are contractual business partners of the controller, and to other similar parties that are involved in providing services of Haaga-Helia Online.

9. Transfers and disclosures of data to outside of the EU or ETA

Data are not habitually transferred to outside the EU or ETA, nor processed outside the EU or ETA, unless this is necessary for the technical implementation of the processing (for example if the technical maintenance of systems is located outside the EU or ETA), or in order to manage international functions related to the purpose of use of the personal data.

In transferring personal data, the controller complies with the standard contractual clauses approved by the European Commission in relation to the transfer of personal data to third-party countries, or alternatively implements other appropriate safeguards, or alternatively ensures that the third-party country can guarantee a sufficient level of data protection.

10. Data security principle

Access to databases and systems containing personal data are only available to such employees of the controller or of subcontractors working on the controller’s behalf, whose work duties entitle them to handle the data. Every user of the data has an individual username and password for the systems.

The database containing personal data are stored on a server which is placed in a locked facility that may only be accessed by specifically appointed persons whose work duties entitle them to do so. The server is protected by an appropriate firewall and technical security systems.

11. Rights of the data subject

Requests concerning the exercising of the data subject’s rights should be addressed to the controller’s data privacy officer. The data subject has the following rights:

  1. The right to obtain from the controller confirmation as to whether or not personal data concerning the data subject are being processed, and, where that is the case, access to the personal data.  
  2. The right to obtain from the controller without undue delay the rectification of inaccurate personal data, as well as the right to have incomplete personal data completed.
  3. The right to obtain from the controller the erasure of personal data without undue delay, where one of the following grounds applies:
    • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
    • the data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing;
    • the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for direct marketing purposes;
    • the personal data have been unlawfully processed;
    • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
  4. The right to obtain from the controller restriction of processing, where one of the following applies:
    • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
    • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
    • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims; or
    •  the data subject has objected to processing, pending the verification of whether the legitimate grounds of the controller override those of the data subject.
  5. The right to receive the personal data, which data subject has provided to the controller, in a structured, commonly used, and machine-readable format, and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, as long as the processing is based on consent or performance of the contract pursuant to the GDPR, and the processing is carried out by automated means.
  6. The right to withdraw consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
  7. The right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data infringes the GDPR.