Skip to content

Laurea's privacy statement for video surveillance and access control

Data controller

Laurea University of Applied Sciences Ltd, Ratatie 22, 01300 Vantaa, Finland

  • Controller’s contact person: President, CEO Jouni Koski, jouni.koski@laurea.fi
  • Person in charge of the personnel register: Director, teemu.ylikoski@laurea.fi
  • Contact details of the data protection officer: Marjo Valjakka, marjo.valjakka@laurea.fi

Purpose and legal basis for the processing of personal data

The purpose of the processing of personal data is to ensure the safety of those spending time in the premises and in the immediate vicinity of Laurea University of Applied Sciences, to protect property and to prevent and investigate situations that endanger security and property.

The lawfulness of the processing of personal data is based on the legitimate interest of Laurea University of Applied Sciences in ensuring a safe work and study environment for employees and students, and in key management, on an agreement between Laurea and its personnel.

Personal data categories to be processed

Images of persons moving within the camera control area are recorded in the camera surveillance register.   

The data will be kept for a minimum of 14 days and a maximum of 30 days.

The names of key holders, key identification numbers, Laurea's unit or other organisation, permitted access areas and, if necessary, the expiry date of the key rights are recorded in the access control.

Locks with a touch reader store the name of the key holder and the time of the access if the door is opened using the reader. The data is stored for one year and then destroyed.

No automatic decision-making or profiling is carried out on the basis of personal data.

Regular sources of information

  • Image material recorded by surveillance cameras
  • Key information from the person themselves
  • Lock-specific information on access control system readers

Statutory disclosure and transfer of data

The data is processed in Laurea's lobby services and can be disclosed to the Director of Security at Laurea or to a designated deputy when the Director of Security is not available. Data is not disclosed to other parties at Laurea.

If necessary, information may be disclosed to the police authorities for criminal investigation.

Personal data are not transferred outside the EU or ETA area.

The principles how the register is secured

The data security and data protection guidelines of Laurea University of Applied Sciences are followed in the management of the register. The use is restricted by means related to the network and access rights.

The rights of data subjects

The rights of data subjects are determined in accordance with Articles 15–22 of the EU’s General Data Protection Regulation.

Right of access

Data subjects may request access to the data concerning themselves. The request is made in writing to the person responsible for the register. The request must specify the data it concerns. A request may be refused if it is manifestly unfounded or unreasonable.

Right to rectification

Data subjects may request the person in charge of the register to rectify their data. Changing the content of camera surveillance is an unreasonable requirement, so the content will not be changed.

Right to erasure

Data subjects may request the person in charge of the register to delete their data. In camera surveillance, removing an individual's data from the register is unreasonable, so the individual's data is not deleted at the request of the individual.

Right to restriction of processing

The data subject has the right to restrict the processing of data in the following cases. The data may still be stored but not otherwise processed without the data subject’s consent.

  • The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data
  • The processing is unlawful and the data subject opposes the erasure of their personal data and requests the restriction of their use instead;
  • The controller no longer needs the personal data for the purposes of the processing but the data subject needs them for the establishment, exercise or defence of legal claims.

Data subjects have the right to file a complaint with the data protection authority.

The data protection officer is the contact person in questions related to the data subject’s rights.