1.1. This data protection policy explains the procedure of processing personal data and the data concerning the private life of individuals at the University of Tartu (“university”; registry code 74001073, address Ülikooli 18, 50090 Tartu, email firstname.lastname@example.org). Personal data are any data concerning an identified or identifiable natural person, revealing the person’s physical, mental, physiological, economic, cultural or social identity, relationships and affiliation or origin. Processing of personal data is any operation performed with personal data, including the collection, recording, organisation, storage, alteration, disclosure, granting access to personal data, consultation and retrieval, use and communication of personal data.
1.2. The university processes personal data only if there is a legal basis for it and only as long as necessary to achieve the objective of processing or to comply with legal obligations. The university applies all relevant organisational, physical and technical security measures to protect the personal data that are at the university’s disposal from unauthorised and non-compliant use, disclosure or damage.
1.3. The processing of electronic and paper documents (including the terms of storage) and the rights of access are governed at the university by the following bylaws:
1.3.1. Documentary Procedure Rules,
1.4. The university processes personal data only in full compliance with legislation governing personal data protection, including upon communication of personal data to processors located in non-European Union countries. The university may use processors located in third countries, for example, in mailing list management.
1.5. The data protection policy does not deal with the way the university processes data of legal persons or how other persons process personal data. Nor does the policy cover the processing of personal data on external websites to which there are links on the university’s web pages.
2.1. As controller, the university processes the data of persons who apply for studies at the level of professional higher education, bachelor’s or master’s, integrated bachelor’s and master’s study or doctoral study (degree study). The university processes the personal data of student candidates on the basis of the consent given via the admissions information system (SAIS for curricula taught in Estonian) or the international student application management system DreamApply. The scope and principles of processing of personal data submitted via SAIS can be found here. The same principles for DreamApply are available here.
2.2. SAIS receives the student candidate’s personal data from other national registers (for example, Population Register, Estonian Education Information System (EHIS)). If it is impossible to request data for a student candidate via SAIS from such registers (for example, the student candidate submits the admission application before graduating from the previous level of study or if the student’s name is changed during the admissions period), or if upon applying for degree study the student candidate submits the application on paper, the university will make an independent request for data. The university makes a request for the personal data of an international student candidate, including requests for educational data, on the basis of the student candidate’s consent, from Estonian ENIC/NARIC Centre (Academic Recognition Information Centre), a unit of Archimedes Foundation.
2.3. After making the admission decision, the university enters the student’s personal data in the Study Information System (SIS) and processes them based on the principles described in chapter 3.
3.1. As controller of personal data, the university processes the following personal data of degree students through SIS and other information systems that support teaching and studies:
3.1.1. name and surname, personal identification number, date and place of birth, country of origin, citizenship and contact details. The processing of these personal data results from the University of Tartu Act and Universities Act and is necessary for the purpose of identifying the student, organising teaching and studies, creating a user account for the student in the university’s computer system, and issuing academic documents. The university uses contact details also to send invitations to participate in surveys conducted by the university and important information about activities of the university’s organisations (for example, Student Council) and at the university (for example, events, alumni activities, mentorship programme);
3.1.2. educational data required for organising teaching and studies, for example, data on previous education, data on currently acquired education (curriculum and electives, form of study and workload, date of start and end of studies, study results) and work experience;
3.1.3. data required to apply for and verify grants, stipends, exemption from tuition fee, and academic leave, including financial data, for example, the bank account number, data regarding family members, and data on service in the Defence Forces;
3.1.4. special categories of personal data contained, for example, in medical certificates submitted to apply for exemption from tuition fee and to give reasons for failure to appear for an exam, and applications to request an academic leave, applications for the right to take part in studies during academic leave, and applications for stipends.
3.2. The legal basis for processing student data is the university’s legal obligation and/or task carried out in the public interest (organisation of study). The legal basis arises from national legislation (for example, Universities Act, University of Tartu Act, Study Allowances and Study Loans Act, Professions Act, Aliens Act), the performance of which is governed by government regulations (for example, Regulation on Student Scholarships, Regulation on the Format and Statute of Diplomas and Diploma Supplements, Regulation on the Statute of the Estonian Education Information System), and the university bylaws (for example, Admission Rules, Study Regulations, Procedure for Recognition of Prior Learning and Professional Experience, Conditions of Reimbursement of Study Costs, Procedure for Applying for, Granting and Payment of Stipends and Study Allowances, Regulation of Study Information System, Procedure for Awarding Professions, Rules of Residency).
3.3. The university processes the personal data of students in several information systems: SIS, document management information system, and e-learning environments Moodle and Mahara. To use Moodle and Mahara, students do not have to submit additional data, because the data is automatically transferred from the SIS. Users of e-learning environments may complete their user profile with voluntary information (for example, a photo, city, interests), which helps to improve the user convenience of the e-learning environment. The legal basis for processing these data is the user’s consent. The user has the right to edit or delete these data at any time.
3.4. If a student applies for a grant from non-university persons or organisations (for example, cooperation partners, grant providers) or participates in projects funded and controlled by non-university persons, the university will forward the student’s data to such persons. In such cases, the basis for processing personal data is the student’s consent given by submitting the application.
3.5. After the student has graduated from degree study, the university publishes the student’s name in the alumni list. In the case of legitimate interest, the university may use the university graduates’ contact details to introduce opportunities of further study and alumni activities to them.
4.1. As controller of personal data, the university processes the personal data of people who learn in continuing education courses (for example, continuing education programmes, degree courses as continuing education). The university processes primarily the following personal data of continuing education learners for the purpose of organising continuing education:
4.1.1. name and surname, personal identification number, contact details, place of work, education and professional experience information, payer details;
4.1.2. for continuing education learners who participate in a course intended for students of general education schools, including a Youth Academy course, the continuing education learner’s school, class, and the name and surname of the subject teacher;
4.1.3. for applicants for the international summer university, data presented on the application form;
4.1.4. data for continuing education learners as presented on the registration forms, and their study results on completion of continuing education programmes;
4.1.5. other personal data of continuing education learners. The university collects these data on the basis of the consent of the continuing education learner and at the request of the financer of continuing education depending on the contract. The university informs the continuing education learner separately of collecting these data.
4.2. The legal basis for processing of continuing education learners’ data is, depending on the type of continuing education, either the university’s legal obligation or a task carried out in the public interest. The legal basis results from national legislation (for example, Adult Education Act, Aliens Act), the performance of which is governed by regulations (for example, Regulation on the Statute of the Estonian Education Information System) and university bylaws (for example, Regulation for Continuing Education, Procedure for payment of tuition fees for continuing education, Procedure for issue of continuing education certificates, Regulation of Study Information System). In the case of a paid training course, the legal basis for processing personal data may be the contract concluded with the continuing education learner.
4.3. If the continuing education learner gives a separate consent,
4.3.1. the university will use the learner’s email address to send information about other training courses organised by the university, by including the learner on the relevant mailing list. Continuing education learners can delete their name from the mailing list at any time, using the link in the mailing list message;
4.3.2. the university will process the personal data supplied voluntarily by the continuing education learner (for example, health data included in the free text field) to perform the contract concluded with the learner and/or to comply with a legal obligation.
4.4. The university may use the contact details of school-leavers who have participated in continuing education, on the basis of consent, in its marketing activities to offer them opportunities for further education in the university’s degree programmes.
4.5. In the case of legitimate interest, the university may send the data on the participation of a general education student in training courses, including Youth Academy courses, to the school of the student. The university may also, in the case of legitimate interest, communicate information on a continuing education learner to a third person who has paid for the continuing education (for example, the employer of the continuing education learner).
4.6. The university processes the personal data of continuing education learners pursuant to clause 3.3 in several information systems: SIS, document management information system, and e-learning environments Moodle and Mahara.
4.7. If the continuing education learner has registered for a university training course via the continuing education information system Juhan, the learner’s data are sent to the university, which is the processor. After the training course, the university will send the study results to the Juhan information system. The university is authorised to do so on the basis of the consent given by the continuing education learner during registration as a user of the Juhan information system, and the contract made by the university with the operator of the Juhan information system (see also the Terms and conditions of use of the Juhan information system for continuing education).
4.8. Training materials that contain personal data (for example, registration sheets) will be destroyed after the expiry of the limitation period for contestation and for the financer of the training course to file a claim.
5.1. As controller, the university processes mainly the following data of a person applying for a job at the university:
5.1.1. data required for identification, primarily name, surname and personal identification number;
5.1.2. data required to contact the person: email address, telephone number and mailing address;
5.1.3. data required for employment, for example, information on education, continuing education and professional experience, research and development, including a list of scientific publications.
5.2. By submitting the information required for applying for the job, the person is presumed to agree to processing their personal data for the purpose of employment. By submitting information on referees in the application documents, the person is presumed to agree that the university may contact them.
5.3. If an applicant who is rejected gives a separate consent, the university may propose that the applicant take part, if suitable, in another competition for a job announced by the university. The university will keep the application documents of an applicant who is rejected, based on legitimate interest, to resolve possible legal disputes. The university will keep the application documents for one year from the rejecting decision.
5.4. For preselection of candidates, the university may use psychometric tests (for example, mental fitness test and personality test), if the candidates have consented to that in the test environment. Based on the interpretation of test results, the university may get more personal data (for example, personal characteristics) of the applicant from the test organiser, who is the processor of personal data. The university will not make decisions in relation to applicants based solely on automated processing.
5.5. Personal data are processed differently upon the recruitment of academic staff (teaching and research staff) and non-academic staff.
5.5.1. When non-academic staff are recruited, only employees involved in the recruitment process will see the relevant application documents. The documents and the personal data contained in them are not disclosed to third persons. The personal data of an applicant is restricted information to which third persons (including competent authorities) gain access only in cases provided by law.
5.5.2. The positions of academic staff are generally filled by the university by open competition and the selection takes place in several steps, in the course of which personal data are processed differently from the way it is done upon the recruitment of non-academic staff. The open competition is organised pursuant to the Regulations for Recruitment of Teaching and Research Staff.
6.1. As controller, the university processes the following personal data of university employees to comply with obligations arising from the employment contract and from legislation (for example, tax legislation, employment and labour laws, Accounting Act).
6.1.1. data required to identify the person: name and surname, personal identification number and citizenship;
6.1.2. contact details necessary for entry into and performance of the employment contract: email address, telephone number and postal address;
6.1.3. family and social data; for example, data regarding the employee’s children for providing child-related leave, death certificate of an employee or employee’s next of kin to pay funeral grant, documents certifying the duty to serve in the Defence Forces or participate in reservist training;
6.1.4. data on qualifications and professional training;
6.1.5. financial data; for example, bank account number, application for calculation of basic exemption and information on pension;
6.1.6. data regarding the employment relationship; for example, documents of appraisal interviews;
6.1.7. data on the employee’s state of health; for example, health certificates, decisions of medical examinations, radiation monitoring data, data on accidents at work and occupational diseases.
6.2. The university may, with the consent of the employee, process the employee’s personal data concerning trade union membership to withhold the trade union’s membership fee from the employee’s salary.
6.3. The university also processes personal data for the purposes of legitimate interests to perform its administrative duties and ensure security (including upon the registration of employee data in databases).
7.1. For the purpose of guarding the buildings and rooms owned and used by the university, and protecting the people and property in them, the university has a legitimate interest to use a video surveillance system. In doing so, the university follows the Regulations for ensuring security in buildings of the University of Tartu and Technical requirements for security systems and requirements for passive means of protection and electronic security systems. When video surveillance equipment is installed, the university will ensure that the surveillance covers the immediate surroundings and entrances to the building, accesses to other floors and, if necessary, doors to special-purpose rooms. The use of the video surveillance system in the building is communicated on a sign placed on the front door.
7.2. Access to the video recordings and the real-time video image is available to the staff of the university’s in-house security service for the performance of their duties. Third parties, including other university employees, have no access to the video recordings and the real-time video image. The university will only transfer the video recordings to third parties (mainly to the Police and Border Guard Board) based on a formal request and upon legal obligation.
7.3. The video surveillance system saves the video recordings on the university’s central servers where they are stored for 30 calendar days.
8.1. The university records its most important events and allows third persons to view video and photo materials of public interest on the UTTV video portal and the university website. The university also records teaching and research activities (for example, conferences and lectures) at the request of structural units. The controller of the personal data created as a result of video and photo recording, primarily the images of persons, is the university.
8.2. For historical and cultural purposes, the university stores photo and video material for an unspecified term. The university may use photos taken at public events in social media and for advertising campaigns without asking the consent of the person.
9.1. Personal data may be contained in requests for explanation, memoranda, requests for data, communications and other letters that the university has received from institutions or individuals. The university registers all documents created and acquired in the course of the activities of the university, including documents that contain personal data, in its document register.
9.2. The university has imposed restrictions on access to documents that contain personal data. The university issues restricted information, including documents that contain personal data, solely to such institutions and persons who have a lawful right to receive it (for example, persons conducting pretrial procedure or the court). If a third person submits a request for restricted information, the university will decide on a case-by-case basis whether the document can be issued in part or in whole.
10.1. In the course of the joint activities of the university and its cooperation partners, the personal data of data subjects are processed for the provision of a service agreed between the parties in a contract.
10.2. The services related to cooperation partners and the personal data processed in the course of provision of the services are generally the following:
10.2.1. rental of premises (name, surname, personal identification number, phone number, vehicle plate number of person to whom a parking space is allocated);
10.2.2. issue of access card (first name, surname, personal identification number, date of birth, card number);
10.2.3. organising of events (first name, surname, personal identification number, phone number, e-mail, information on food and special needs, video image, video and audio recordings, photos);
10.2.4. managing the information displayed by surveillance equipment (image of a person, records of access card use).
11.1. On its website (www.ut.ee and sub-pages), the university uses the following types of cookies:
11.1.1. session cookies, which are temporary and are erased immediately after the browser is closed. The university uses session cookies to ensure the proper functioning and convenient use of the website;
11.1.2. persistent cookies, which are stored on the visitor’s computer or device after the browser is closed. The university uses persistent cookies, for example, to identify visitors who have visited the website before, and store their user preferences (for example, the language setting). The university also uses persistent cookies to analyse website statistics and determine the average duration of a visit, to assess and improve the functioning and the user convenience of the website.
11.1.3. third-party cookies.
11.1.4. authentication cookies are used to verify the identity of a logged-in user.
11.2. Visitors who do not allow cookies must change their browser’s privacy settings. This may restrict the visitor’s access to the services and functions provided on the university’s website.
12.1. A data subject is a natural person whose personal data are processed. Depending on the legal basis of processing of personal data, data subjects have the right:
12.1.1. to obtain confirmation as to whether the university processes personal data concerning them, and access to the data collected concerning them. The university as controller may reject a data subject’s request if its objective is other than being notified of processing or verification of the lawfulness of processing;
12.1.2. to demand the rectification of inaccurate personal data collected regarding them, or completion of incomplete personal data;
12.1.3. to demand that the university delete, without undue delay, their personal data, which the university no longer has legal basis to process or which the university no longer needs for the purpose for which it was collected or otherwise processed;
12.1.4. to withdraw their consent at any time, if the personal data are processed on the basis of data subject’s consent. This does not affect the lawfulness of data processing that occurred before the consent was withdrawn;
12.1.5. to demand that the university restrict the processing of personal data, in case:
12.1.5.1. the data subject has contested the personal data on the basis of accuracy. The university will restrict the processing until the accuracy of the data is verified;
12.1.5.2. the processing of personal data is illegal but the data subject does not request the deletion of personal data;
12.1.5.3. the university no longer needs the personal data for processing, but the data subject needs them for preparing, filing or defending a claim;
12.1.5.4. the data subject has filed an objection to processing personal data. The university will restrict the processing until it is verified whether the university’s lawful reasons outweigh the data subject’s reasons;
12.1.6. to receive the personal data which they have submitted to the university and communicate them to another controller. The right to transfer data applies solely to personal data, which the persons themselves have provided to the university and which the university processes by automated means and on the basis of a consent or a contract. For example, the right to transfer data does not apply to job applicants, because their data are not processed by automated means;
12.1.7. to file an objection against processing their personal data, if the processing of data is based on legitimate interest, or if the processing is necessary for the performance of public duties or in the public interest.
12.2. With any questions relating to the processing of personal data and to exercising the above rights of the data subject, the data subject may contact the university's data protection specialist by email at email@example.com. Upon getting a request, the university may ask the data subject to specify which information or which operations of personal data processing the request relates to. The university will reply to the request within 30 days after receiving the request. If more time is needed to reply to the request, the university may extend the term for responding by a reasonable time. One copy of the personal data processed is issued to the data subject free of charge, but for additional copies the university may charge a reasonable fee to cover administrative costs.
12.3. If the data subject holds the opinion that the way the university processes personal data conflicts with the legislation regulating the processing of personal data, the data subject has the right to lodge a complaint with the Data Protection Inspectorate (email firstname.lastname@example.org, phone number +372 627 4135) or another agency, in particular, with a supervisory authority of the data subject’s residence or place of work.