Privacy Policy

1. Data Controller

Tampere University
Education and Learning

Tampere University Foundation
Tampereen yliopisto
33014 TAMPEREEN YLIOPISTO
Tel. 0294 52 11

Business ID 2844561-8

2. Contact person

Contact person of the EXAM system:
Officer Piia Asunmaa
Tel. +358 0294 52 11
Email: examservices.tau@tuni.fi

Administrator of the EXAM system:
System Analyst Mikko Lammi, IT Services
System Analyst Esko Laakso, IT Services

Administrator of the video proctoring system:
Safety Officer Sami Heino, Facilities and Infrastructure

3. Data protection officer

dpo@tuni.fi

4. Name of the register

EXAM electronic examination system

5. Purpose of processing personal data and lawful basis for processing

Purpose of processing personal data:

The EXAM system is used at Tampere University primarily to create, book, complete and mark electronic examinations.

The University collects personal data on EXAM users to:
– manage user rights,
– contact exam takers,
– supervise learning and assess student performance,
– verify the identity of students who complete electronic examinations
– investigate academic fraud suspicions
– generate learning analytics data

The personal data stored in the event log of the EXAM system is used to re-solve technical issues.

Lawful basis for processing: Public interest or the exercise of official authority

Data subjects may withdraw their consent to the processing of their personal data by contacting the person identified above.

6. Contents

Information on courses, students and teachers as well as examination results are stored in the EXAM system.

Mandatory personal data collected on all EXAM users:
Given name(s)
Family name
Student number(s)
Email address
Home institution
User role

Information on the course connected with the examination
Examination details (time, place, designated computer)
Students’ answer sheets (must be retained for a minimum of six months after the examination date)
Marker’s comments and the final grades

All examination sessions are recorded on video (incl. audio) and also the keycard info is collected. Computer data may be copied.

7. Sources of information

With user consent, their name, student number, email address, language, home institution and role therein is retrieved from their home institution’s records when they log in to the EXAM system via HAKA.

8. Authorised disclosure of information and recipients

Disclosure of data stored in the EXAM system:

External use:
The data stored in the EXAM system is not disclosed for external use.

Internal use:
Examination papers and answer sheets can be accessed by:
– the teacher(s) who created the exam
– the administrator of the EXAM system

Video recordings of examination sessions can be accessed by:
– the administrator of the EXAM system
– the administrator of the video proctoring system
– parties involved in academic fraud suspicions

Real-time video recordings can also be accessed by:
– the administrator of the EXAM system
– the administrator of the video proctoring system
– exam invigilators
– service assistants

The Data Controller has signed a contract to outsource processing activities: Yes, please specify: CSC service agreement

9. Transfer of data outside the EU or the EEA

Is data stored in the EXAM system transferred to a country or an international organisation located outside the EU or the EEA: No

The EXAM interfaces are accessible in countries outside the EU and the EEA. Users are required to comply with the data protection policies and procedures of Tampere University.

10. Data protection principles

A) manual data

B) electronic data

Access to the EXAM system requires a username and password. Users are required to comply with the data protection principles of Tampere University. Personal data is encrypted before it is transferred across the internet. The data saved in the EXAM system is stored on server managed by service provider. The data controller may delete personal data from the EXAM system but data is not automatically deleted.

11. Data retention period or criteria for determining the retention period

Video recordings are generally stored for up to 90 days.

Students’ answer sheets are stored for two years after the exam date. Overall results are registered to university’s study register.

12. Existence of automated decision-making or profiling, the logic involved and the significance of the envisaged consequences for data subjects

The data stored in the EXAM system is used to carry out automated decision-making, including profiling: No

13. Rights of data subjects

Data subjects have the following rights under the EU’s General Data Protection Regulation (GDPR):

Right of access
Data subjects are entitled to find out what information the University holds about them or to receive confirmation that their personal data is not processed by the University.

Right to rectification
Data subjects have the right to have any incorrect, inaccurate or incomplete personal details held by the University revised or supplemented without undue delay. In addition, data subjects are entitled to have any unnecessary personal data deleted.

Right to erasure
In exceptional circumstances, data subjects have the right to have their personal data erased from the Data Controller’s records (‘right to be forgotten’).

Right to restrict processing
In certain circumstances, data subjects may request the University to restrict the processing of their personal data until the accuracy of their data, or the basis for processing their data, has been appropriately reviewed and potentially revised or supplemented.

Right to object
In certain circumstances, data subjects have the right to object to their personal data being processed at any time.

Right to data portability
Data subjects have the right to obtain a copy of the personal data that they have submitted to the University in a commonly used, machine-readable format and transfer the data to another Data Controller.

Right to lodge a complaint with a supervisory authority
Data subjects may lodge a complaint with a supervisory authority in their permanent place of residence or place of work, if they consider the processing of their personal data to violate the provisions of the GDPR (EU 2016/679). In addition, data subjects may follow other administrative procedures to appeal against a decision made by a supervisory authority or to seek a judicial remedy.

The Data Controller follows a GDPR-compliant procedure for responding to subject access requests.