Processing of personal data in basic education

Date of publication: 1.8.2024 (Updated: 5.8.2025)

City of Espoo

Juha Nurmi, Director of Finnish Basic Education

Barbro Högström, Director of Swedish Education and Cultural Services

Email: firstname.lastname@espoo.fi
Tel. +358 9 81621  (switchboard)

Principals / school directors are responsible for tasks related to the register as regards the schools that they manage. The data subject can contact a principal / school director to receive more detailed information about the register or their own rights.

Email: firstname.lastname@espoo.fi

Tel. +358 9 81621 (switchboard)

Helena Niemi, Data Protection Officer of the City of Espoo

Address: P.O. Box 12, 02070 City of Espoo

Tel. +358 9 81621 (switchboard)

Email: tietosuoja@espoo.fi

• Organisation of teaching and taking care of tasks that arise from the education provider’s relationship with the pupil.
• Assessment of teaching and compiling statistics for the City of Espoo. When statistics are compiled, the data is processed anonymously.
• Providing statutory information on schools’ pupil numbers for government data collection purposes.

Espoo’s Growth and Learning Sector uses the following city-level systems and electronic environments in which pupils’ and potentially guardians’ personal data is processed:

• school administration system Primus and Kurre (includes Wilma, which is the browser-based user interface of Primus and Kurre)
• work environment Google Workspace for Education (including Classroom, Meet, Forms)
• work environment Microsoft M365 (including Teams, OneDrive, Forms)
• school library system Axiell Aurora
• digital learning materials Edustore
• route planning software ReittiGIS
• digital assessment tool Digilukiseula
• solutions related to the provision of ICT services (e.g. device management). 

The purposes for which personal data related to the organisation of teaching is processed in the aforementioned systems and environments are specified in greater detail below.

Personal data may also be processed in school-specific applications used in teaching. The data subject can contact the principal / school director to receive more detailed information about the register or their own rights.

For the purpose of organising basic education, personal data may also need to be processed outside of the aforementioned systems/environments, e.g. to support assessments conducted by teachers, prepare school transport decisions, organise school lunch (special diets), manage swimming lessons at swimming pools, organise school trips or camps, produce surveys, process materials related to assessment of teaching, and to perform duties laid down in the Act on Compulsory Education, and carry out activities related to the provision of ICT services, such as device management. 

Personal data stored in the register may also be processed when it is necessary for the purposes of testing the information systems, for example when the education provider introduces a new information system.

Primus, Kurre and Wilma  

Primus and Kurre 

• Organisation of basic education and monitoring the completion of compulsory education (sections 4 and 26 of the Basic Education Act).
• Taking care of tasks that arise from the education provider’s relationship with the pupil.
• Performance of duties laid down in the Act on Compulsory Education.
• Provision of support for learning and school attendance in accordance with section 20 a of the Act on Primary and Secondary Education (assessment, plan and related documents)
• Online form for hearings related to support for learning and school attendance in Finnish-language basic education
• Organisation of school transport.
• Creation of a user identity for the study environment’s electronic services (Microsoft M365, Google Workspace for Education).
• Provision of a mobile device management service (Apple School Manager / Jamf School).
• Administration of user accounts for the Wilma user interface.
• School-specific statutory pupil number data is disclosed for government data collection purposes based on data in Primus (Act on the Financing of Educational and Cultural Provision, Act on Central Government Transfers to Local Government for Basic Public Services).
• Data in Primus is used to compile statistics for the City of Espoo. When statistics are compiled, the personal data is processed anonymously.
• Pupils’ subject and course selection data is stored in Kurre’s work plan software for the purpose of preparing work plans.

Wilma (browser-based interface of the Primus and Kurre school administration system)  

Wilma can be used to carry out:  

• absence recording
• pupil assessment
• registration of new pupils
• course selection and course registration
• cooperation between schools and homes
• communication (communication with and notifications to guardians and guardians’ messages to schools)
• surveys and their feedback
• notes and feedback concerning the pupil’s school attendance and performance (school notes)
• secondary school selections and related information
• communication of decisions related to the pupil if the pupil’s guardian has provided their consent for this.

Microsoft M365 

• organisation of basic education (M365 includes electronic tools and user-produced content)
• management of M365 access rights
• enabling of interaction between users within their own groups
• use of email services.

Google Workspace for Education

• organisation of basic education (Google Workspace includes electronic tools and user-produced content)
• management of Workspace access rights
• enabling of interaction between users within their own groups
• management of devices connected to the service and the software and applications used on them (e.g. Chrome, Classroom and Drive). 

School library system Axiell Aurora

• Implementation of library activities supporting basic education (section 47 of the Basic Education Act)
• The system has three components: the library system, the self-service user interface and the online library. The pupil data is in the library system, and the self-service user interface and the online library Axiell Arena make use of the pupil data entered into the system.

Digital learning materials Edustore

• The procurement channel Edustore for the procurement of digital and printed learning materials and related supporting materials and supplies.

ReittiGIS

• Route planning software ReittiGIS for arranging pupil admission, school journeys and school transport.

Digital assessment tool DigiLukiseula

• DigiLukiseula is a research-based tool for assessing the pupil’s reading and writing skills and related support needs. DigiLukiseula is used in grades 1, 2, 4 and 7. The results are utilised at the pupil, group, school and municipal levels. At the school and municipal levels, the data is not processed from the perspective of individual pupils but for the purpose of analysing city-level results for the development of teaching.

Equipment related to the provision of ICT services

• The device management service ensures that workstations and mobile devices used in schools and by pupils are managed in a secure manner. The service makes it possible to ensure that pupils use the devices they obtain from the school only for learning purposes. It also ensures that the devices are up-to-date and enables the controlled distribution of applications.
• The printing service is used for secure printing. It allows pupils to print documents in a secure and controlled manner.

Article 6, paragraph 1, point c of the EU’s General Data Protection Regulation: processing is necessary for compliance with a legal obligation to which the data controller is subject, i.e. for the purpose of organising basic education in accordance with the Basic Education Act and the performance of duties laid down in the Act on Compulsory Education.

Special categories of personal data: According to section 6 of the Data Protection Act, Article 9(1) of the Data Protection Regulation does not apply to any processing of data that is provided by law or that derives directly from a statutory duty set out for the data controller by law. Processing of special categories of personal data is derived from duties set out for an education provider by the Act on Compulsory Education or the Basic Education Act. 

The processing of personal identity codes is based on section 29, subsection 1 of the Data Protection Act. The identification of the data subject and their personal data is important for the performance of a statutory duty. 

Azure AD management and logs

• Privacy notice Azure AD management and log register (in Finnish)

Primus, Kurre and Wilma

• the pupil’s name, personal identity code, contact information and photograph
• the pupil’s AD account for the Wilma user interface and pupil network
• the guardians’ name and contact information and Wilma user account
• information concerning the pupil’s role (comprehensive school pupil; home-school pupil; subject student; hospital teaching)
• information on selections concerning subjects and syllabuses
• the pupil’s assessment information
• decisions concerning the pupil
• the pupil’s school history
• the pupil’s immigration-related information
• information related to school transport
• information concerning the pupil’s absences
• information related to the reprimanding and disciplining of the pupil (disciplinary educational discussion, detention)
• other information related to teaching and the organisation of teaching (e.g. Finnish as a second language, support for learning and school attendance, language programme, language immersion and bilingual teaching, religion and ethics subjects)
• the pupil’s participation in afternoon activities, the service provider and operating time (full-time/part-time)

• pedagogic documents: assessment, plan and related documents

  Special categories of personal data processed include information on religious or philosophical convictions and possibly information related to health.

Microsoft M365

• person’s first and last name
• user ID
• email address
• learner ID
• encrypted unique identifier
• school-related information (teaching groups, school, class, school ID)
• role: staff/student
• IP address
• information produced or added by the pupil

Content produced by the pupil and guardian means pictures, texts, links, videos and audio files uploaded to the system.

The user can, for example, add their own description of themselves and their area of responsibility, their mobile phone number, location information, competence information, date of birth and other areas of interest to the service, to be viewed by everyone / limited users. The user can allow the utilisation of the information content that they produce and obtain information about their networking and closest friends.

Google Workspace for Education

• the pupil’s name
• user account
• school
• grade and groups
• encrypted unique identifier
• information produced or added by the user themselves.

An administrator can save information such organisations’ names, websites, phone numbers, addresses and account suspension in the service. In addition to this, Google collects information from end users, the entering of which is based on information entered by the user themselves, e.g.: phone number, a photograph of the user, date of birth, the user’s device-specific information, such as hardware model, operating system version, individual device identified and mobile network used, including mobile phone number. Google can connect the device identifier or phone number to a Google account.

School library system Axiell (Aurora)

• Identifiable data: Name, school, class, email address, user name, library card number, loan details, group's teacher, PIN code/password
• Pseudonymised data: Object ID that acts as a customer’s technical identifier but does not include, for example, a personal identity code or other identifying information.

Digital learning materials Edustore

• User name
• Name of school
• Class
• Encrypted unique identifier
• Email address

ReittiGIS

• From the population information system, the name, personal identity code, home address, mother tongue and citizenship of persons of compulsory education age or younger.
• Integration into Primus, from which pupils can be imported onto the map. The pupil’s attribute data will then also include information about their school.
• Pupil-specific school journeys, measured based on their home address.

Digital assessment tool DigiLukiseula

The following data is stored in the system maintained by the Niilo Mäki Instituutti:

• learner ID
• name or part of the name of the pupils registered for the service by the teacher
• teaching group of pupils registered for the service by the teacher
• for 7th-graders, as indicated by the pupil: gender, mother tongue (Finnish/Swedish/other), most recent grades in mother tongue, mathematics, Swedish and English, whether the pupil has been found to have difficulty reading or writing, a survey of reading and writing experiences
• pupil’s results from the service

How is data processed in the system? At the City of Espoo, the results of DigiLukiseula are entered into Primus. For the purpose of processing the assessment results, they will be combined with background information available in Primus (e.g. school, gender, mother tongue and support measures) in order to analyse and monitor the reading and writing skills of different groups.  This assessment material is pseudonymised. This data is not processed from the perspective of individual pupils, but for the purpose of analysing city-level results for the development of teaching.

Equipment related to the provision of ICT services

• Device management (workstations and mobile devices)

In workstation management, information about the devices includes the model, serial number, operating system and login information, as is usual in remote management solutions. The system also shows the name of the school or office where the device has been placed.

In mobile device management, we have adopted a model where login is not required, and therefore, there is no need to process pupils’ personal data. In mobile device management, information about the devices includes the model, serial number and operating system, as is usual in remote management solutions. The system also shows the name of the school or office where the device has been placed.

All usernames or group names are sequential alphanumeric strings, such as koulunnimi.ipad.oppilas01. This username is artificial and is not linked to a specific person but a device. It is a device-specific virtual username for shared mobile devices.

User IDs for the remote management environment are created for teachers serving as system administrators. These system administrators can add content (apps) to devices, limit the number of apps in use at each lesson, and move devices from one management group to another. In order to create the user IDs, the following information is collected on the system administrator teachers: first and last name and email address.

• Printing service

The printing service allows pupils to print documents through various devices and systems, for example a Windows computer, iPhone, iPad, Android phone or tablet, Mac, Chromebook or email. The user’s name and username and the name of the school are stored in the printing service.

Personal data processed outside of the systems and electronic environments

This personal data may include, for example, the pupil’s identifying and contact information, information related to assessment, and health information (school transport, school lunches, support measures, special teaching arrangements, absences or suspension of compulsory education).

• The basic information of pupils starting basic education is transferred to the Primus and Kurre school administration system from the Trimble Locus population information system maintained by the City of Espoo. After this, pupils’ and their guardians’ basic information is updated into the Primus school administration system from Trimble Locus once a week (those who moved to, from, or within Espoo). Population information on Espoo residents of compulsory education age or younger are imported from Trimble Locus to the ReittiGIS application.
• Guardians supplement and update personal data using a pupil registration form or in Wilma.
• The majority of the information stored in the register consists of information related to the pupil’s education, created in the organisation of education.

Changing schools 

• A pupil’s previous school may disclose to their new school public information necessary to the new school for arranging instruction for the pupil (section 16, subsection 3 of the Act on the Openness of Government Activities).
• In order to perform the duties laid down in the Act on Compulsory Education, a school has the right to obtain from another education provider or municipality the necessary information related to the pupil’s school application, being granted and accepting a place at school and starting and suspending their studies (section 23, subsection 1 of the Act on Compulsory Education)
• Notwithstanding provisions on confidentiality, a school has the right to obtain, from another education provider or the municipality in charge of steering and monitoring, information necessary for the performance of its educational duties laid down in the Act on Compulsory Education. Such information includes information on the pupil’s compulsory education, previous studies and suspension of studies. (section 23, subsection 2 of the Act on Compulsory Education)

Pedagogic documents

Pedagogic documents are prepared with the help of the Wilma interface as part of multidisciplinary cooperation in accordance with the Basic Education Act. The person responsible for pedagogic documents is the class supervisor or class teacher.

Electronic study environment services

Electronic study environment services are produced with the user identity of Visma’s Primus school administration system (name, encrypted unique identifier, school, class, grade, teaching groups, email address, username).

In the Microsoft M365 service, user identities are administered by the Microsoft user directory, which is described in more detail in the city’s centralised access management and log register.

Online form for hearings related to support for learning and school attendance

In the processing of the online form for hearings related to support for learning and school attendance in Finnish-language basic education, the guardians’ personal identity codes are obtained through strong electronic identification (suomi.fi).

DigiLukiseula

The results are obtained from the system maintained by the Niilo Mäki Instituutti, in which pupils complete the DigiLukiseula assessment as part of their regular schoolwork. Pupils log in to the Niilo Mäki Intituutti’s system using their Espoo user IDs via the MPASSid identification service.

Data and documents are disclosed to the person requesting them in accordance with the Act on the Openness of Government Activities. Information and documents are public unless specifically defined as confidential under law.

The data is confidential in accordance with section 24 of the Act on the Openness of Government Activities and section 40 of the Basic Education Act.

Koski

The national centralised integration service for study rights and study records (KOSKI) collects pupils’ study records and study rights in a single service. The information is collected directly from the pupil register. (Act on the National Registers of Education Records, Qualifications and Degrees 884/2017)

Changing schools or transferring to a general upper secondary school or vocational education and training

• If the pupil transfers to another comprehensive school, the school may transfer public information necessary for arranging instruction for the pupil to the new school (section 16, subsection 3 of the Act on the Openness of Government Activities).
• Notwithstanding provisions on confidentiality, if a pupil transfers to education activities organised by another education provider, the former education provider must without delay forward information necessary for arranging instruction for the pupil to the new education provider. The information must also be provided at the request of the new education provider. (section 23, subsection 3 of the Act on Compulsory Education) 

Outreach youth work

• An education provider may disclose the identifying information and contact details of a young person who has completed their basic education but who is not pursuing any studies beyond the completed basic education to the young person’s municipality of residence for outreach youth work purposes (Youth Act, section 11, subsection 2, paragraph 1 and subsection 4, paragraph 1).

Pupil welfare services

• The Western Uusimaa Wellbeing Services County’s school social workers and psychologists as well as school nurses have, on the basis of section 23 of the Act on Information Management in Public Administration, limited access (viewing access) to the pupil’s necessary information (name, personal identity code, contact information and guardians’ names and contact information). With the consent of the person in question, limited access (viewing access) may apply to the pupil’s absence information and lesson notes.
• The education provider may disclose the pupil’s necessary information in situations provided for by law, for example when the pupil’s situation is addressed through multi-professional cooperation with pupil welfare professionals (Basic Education Act, sections 16a and 17).

Transfer of data to service providers

The service providers used in the organisation of education (such as the providers of electronic environments) process pupils’ personal data to the extent necessary for the provision of the service. The City of Espoo is always the controller of the data.

Microsoft’s subcontractors

• List of subcontractors used by Microsoft: https://go.microsoft.com/fwlink/p/?linkid=2096306(external link, opens in a new window)

Google’s subcontractors

• List of subcontractors used by Google Workspace: https://gsuite.google.com/intl/en/terms/subprocessors.html(external link, opens in a new window)

Transfer of data to other systems

• transfer of pupils’ address information to the ReittiGIS application for the purpose of processing pupil placement and school transport.
• HSL business portal for pupils’ public transport tickets
• Movit, chartered transport management system
• transfer of pupils’ data to the Finnish National Agency for Education’s Studyinfo
• data specified in the Statistics Act to Statistics Finland
• use of the survey tool (Webropol).

Based on the specific written consent of the data subject’s / underage pupil’s guardian or other legal representative, data may also be transferred to other parties. Data may be disclosed if there is a specific provision on such access or on the right of such access in an Act. (section 26 of the Act on the Openness of Government Activities)

The disclosure of public information from a personal data register controlled by an authority is based on section 16, subsection 3 of the Act on the Openness of Government Activities. According to this provision, the party requesting access must have the right to record and use such data. Personal data can only be disclosed following a detailed request for data (section 13, subsection 2 of the Act on the Openness of Government Activities).

Pedagogic documents

• The documents contain confidential information.
• Notwithstanding provisions on confidentiality, if a pupil transfers to education activities organised by another education provider, the former education provider must without delay forward information necessary for arranging instruction for the pupil to the new education provider. The information must also be provided at the request of the new education provider. (section 23, subsection 3 of the Act on Compulsory Education)
• Those participating in pupil welfare work have the right to disclose to one another and to the pupil’s teacher, principal and the authority responsible for education operations under the Basic Education Act information necessary for the appropriate arrangement of instruction for the pupil (section 40, subsection 2 of the Basic Education Act).

Based on section 21 of the Basic Education Act, personal data may be disclosed for the purpose of organising external education evaluation (such as a PISA or TIMSS survey or an evaluation by the Finnish Education Evaluation Centre). The personal data disclosed for this purpose includes only the data necessary for organising the evaluation. Individual pupils are not evaluated.

Personal data is mainly processed in systems and data warehouses located within the European Union (EU) and the European Economic Area (EEA). Some of the processors of personal data or the services they provide are located outside the EU/EEA, and in these cases personal data is also transferred outside the area. The data in the systems is transferred outside the EU/EEA, for example, in situations where the IT system or cloud service used for the processing of personal data is located on a server outside the EU/EEA, such as a server of a service provider based in the US.

In situations where personal data is transferred outside the EU/EEA, safeguards are established to maintain the high level of data protection required by European legislation even after the personal data has been transferred. These safeguards include an adequacy decision by the European Commission and a commitment to the required safeguards, such as the EU-US Data Privacy Framework, by the recipient of personal data. Required safeguards may also include the use of standard contractual clauses adopted by the European Commission as part of agreements concluded with personal data processors, in addition to which the processors are required to observe appropriate technical and administrative safeguards.

Primus, Kurre and Wilma

Data is not transferred outside the EU or the EEA.

Library system Axiell Aurora

Data is not transferred outside the EU or the EEA.

Digital learning materials Edustore

Data is not transferred outside the EU or the EEA.

ReittiGIS

Data is not transferred outside the EU or the EEA.

Digital assessment tool DigiLukiseula

Data is not transferred outside the EU or the EEA.

Electronic study environment services

• Microsoft M365

Personal data is transferred outside the European Union or the European Economic Area. Microsoft Corporation is a US company involved in the EU-US Data Privacy Framework. 

Microsoft Professional Services’ personal data processing agreement:

https://www.microsoft.com/licensing/docs/view/Professional-Services-Data-Protection-Addendum-DPA(external link, opens in a new window)

• Google Workspace for Education

Personal data is transferred outside the EU or the EEA. Google LLC is a US company involved in the EU-US Data Privacy Framework.

Standard contractual clauses approved by the European Commission: https://gsuite.google.com/terms/mcc_terms.html(external link, opens in a new window), and Google’s amendment:

https://gsuite.google.com/terms/dpa_terms.html(external link, opens in a new window)

Workstation management

Data is not transferred outside the EU or the EEA.

Mobile device management

• Apple School Manager

Personal data is transferred outside the EU or the EEA. 

The terms of Apple’s services, including standard contractual clauses approved by the European Commission, are available on Apple’s website.

https://www.apple.com/legal/education/data-transfer-agreements/datatransfer-eu-en.pdf(external link, opens in a new window)

• Jamf School

Personal data is transferred outside the EU or the EEA. Jamf Software, LLC is a US company involved in the EU-US Data Privacy Framework.

The service used by Espoo is provided through a data centre in Germany (eu-central-1). 

Information about the locations of the Jamf cloud service: https://learn.jamf.com/en-US/bundle/technical-articles/page/Jamf_Cloud_Hosted_Data_Region_Information.html(external link, opens in a new window). 

Information about Jamf’s information security: https://learn.jamf.com/en-US/bundle/jamf-school-security-overview/page/Jamf_School.html(external link, opens in a new window)

Printing service

Data is not transferred outside the EU or the EEA.

Data is stored and destroyed in line with the City of Espoo’s records management plan and the applicable provisions and regulations issued by the National Archives of Finland.

Personal data is stored in the pupil register for one (1) year from the end of the use of the service. Statutory obligations regarding the storage of data are taken into account in the deletion of the data. The information and documents in electronic environments are stored and archived in the online services in accordance with the Growth and Learning Sector’s records management plan for one year after the end of compulsory education.

Personal data and data on grades are archived and stored permanently. Applications and decisions are stored for the duration of compulsory education plus ten (10) additional years. Data on examination questions and answers related to assessment are stored for one (1) school year in the case of primary schools and until final assessment plus six (6) additional months in the case of lower secondary schools. School-leaving certificates, certificates of school discontinuation, and certificates on voluntary additional basic education are stored permanently. End of school year certificates, interim certificates and study unit certificates are stored for the duration of compulsory education. Pedagogic documents related to learning support are stored for the duration of compulsory education plus ten (10) additional years. Data concerning absences are stored for one school year plus one (1) additional year.

The population data contained in ReittiGIS on persons of compulsory education age and younger is updated in the system regularly. In connection with the update, data on those over compulsory education age will be deleted. The school journey measurement results are deleted from the system once the data has been transferred to Primus and/or to a document used in the work.

DigiLukiseula: The pupil’s personal data is stored in the system of the Niilo Mäki Instituutti for 48 months from the creation of the pupil ID. The personal data is then deleted, after which the anonymised screening results are kept by the Niilo Mäki Instituutti for research and development purposes. The City of Espoo stores personal data in its pupil register. Pseudonymised assessment data is stored for a maximum of seven years, during which time it is possible to monitor pupils’ results from first to seventh grade. Schools may store the summary obtained from the system of the Niilo Mäki Instituutti for one (1) year.

Data protection legislation guarantees various rights for the data subject in relation to the processing of personal data. Requests concerning the data subject’s rights can be submitted to the city’s Data Protection Officer or the contact person of the register using the above-mentioned contact details.

If necessary, the controller may ask the data subject to provide additional information to fulfil the request.

The controller must respond to a request concerning the data subject’s rights without undue delay and no later than one month after receiving the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

If the data controller does not take action on the request of the data subject, the data controller must inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Requests from the data subject and any resulting actions are, as a rule, free of charge. However, where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.

The data subject shall have the right to obtain from the controller confirmation as to whether personal data concerning him or her are being processed as well as the right to access the data and to obtain a copy of the data. However, the provision of data shall not adversely affect the rights or freedoms of others.

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. In addition, taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed.

Under certain conditions, the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her. For example, if the processing of personal data is based on consent and the data subject withdraws his or her consent and there is no other legal ground for the processing, the data subject shall have the right to have his or her data erased. However, the data subject shall not have the right to erasure if the processing of data is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The data subject shall have the right to request the restriction of processing in certain situations. For example, if the accuracy of the personal data is contested by the data subject, processing is restricted for a period enabling the controller to verify the accuracy of the personal data. The right also applies if the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, which is processed for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In such a situation, the controller may only continue processing the personal data if the controller demonstrates compelling legitimate grounds for the processing. Processing may also continue if it is necessary for the establishment, exercise or defence of legal claims.

The data subject shall have the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes data protection legislation. The data subject can lodge a complaint with the Office of the Data Protection Ombudsman: www.tietosuoja.fi(external link, opens in a new window)

Change history: 

12 February 2025, Lukuseula removed from processing methods; Digilukiseula content updated; HSL and Movit added to section 9 (Transfer of data to other systems).

5 August 2025: Mobile device management as a processing method was changed and extended to include the provision of all ICT services. The reform of support for learning, which entered into force on 1 August 2025, has been taken into account.