Data protection policy
1.1. This data protection policy explains the procedure of processing personal data and the data concerning the private life of individuals at the University of Tartu (“university”; registry code 74001073, address Ülikooli 18, 50090 Tartu, email email@example.com). Personal data are any data concerning an identified or identifiable natural person, revealing the person’s physical, mental, physiological, economic, cultural or social identity, relationships and affiliation or origin. Processing of personal data is any operation performed with personal data, including the collection, recording, organisation, storage, alteration, disclosure, granting access to personal data, consultation and retrieval, use and communication of personal data.
1.2. The university processes personal data only if there is a legal basis for it and only as long as necessary to achieve the objective of processing or to comply with legal obligations. The university applies all relevant organisational, physical and technical security measures to protect the personal data that are at the university’s disposal from unauthorised and non-compliant use, disclosure or damage.
1.3. The processing of electronic and paper documents (including the terms of storage) and the rights of access are governed at the university by the following bylaws:
1.3.1. Documentary Procedure Rules,
1.3.2. Regulations for ensuring security in the buildings of the University of Tartu,
1.3.3. List of Documents of the University of Tartu,
1.3.4. Accounting Policies and Procedures.
1.4. The university processes personal data only in full compliance with legislation governing personal data protection, including upon communication of personal data to processors located in non-European Union countries.
1.5. The data protection policy does not deal with the way the university processes data of legal persons or how other persons process personal data. Nor does the policy cover the processing of personal data on external websites to which there are links on the university’s web pages.
2.1. As controller, the university processes the data of persons who apply for studies at the level of professional higher education, bachelor’s or master’s, integrated bachelor’s and master’s study or doctoral study (degree study). The university processes the personal data of student applicants on the basis of the consent given via the admissions information system (SAIS for curricula taught in Estonian) or the international student application management system DreamApply. The scope and principles of processing of personal data submitted via SAIS can be found here. The same principles for DreamApply are available here.
2.2. SAIS receives the student applicant’s personal data from national registers (for example, Population Register, Estonian Education Information System (EHIS) and Examinations Information System (EIS)), or the data are entered in the system by the applicant or by a university employee based on the documents submitted (on paper) by the applicant. The student applicant gives the consent for processing his or her personal data in SAIS both when the data are entered in the system by the applicant him- or herself and when they are entered by the university based on his or her application, submitted on paper or electronically. To verify the data, the university may make enquiries to national registers via SAIS. The university may also repeat register enquiries to verify the completion of studies if the studies were ongoing at the time of submitting the application or, on the basis of the applicant’s notice, to update his or her name if it has changed. The university may verify the validity and authenticity of documents submitted by the applicant (for example, international language certificates) from relevant registers and submit, based on the applicant’s consent, the international student applicant’s personal data, including educational data, to the Estonian ENIC/NARIC Centre (Academic Recognition Information Centre), a unit of the Education and Youth Board.
2.3. The university enters the admitted student’s personal data in the Study Information System (SIS) and processes them based on the principles described in chapter 3.
3.1. As controller of personal data, the university processes the following personal data of degree students through SIS and other information systems that support teaching and studies:
3.1.1. name and surname, personal identification number, date of birth, country of origin, citizenship and contact details. The processing of these personal data results from the University of Tartu Act and Higher Education Act and is necessary for the purpose of identifying the student, organising teaching and studies, creating a user account for the student in the university’s computer system, and issuing academic documents. The university also uses contact details to send invitations to participate in the university’s surveys and important information about activities of the university’s organisations (for example, Student Union) and of the university (for example, events, alumni activities, mentoring programme);
3.1.2. educational data required for organising teaching and studies, for example, data on previous education, data on currently acquired education (curriculum and electives, form of study and workload, date of start and end of studies, study results) and work experience;
3.1.3. data required to apply for and verify grants, stipends, exemption from tuition fee, and academic leave, including financial data, for example, bank account number, data regarding family members, and data on service in the Defence Forces;
3.1.4. special categories of personal data contained, for example, in medical certificates submitted to apply for exemption from tuition fee and to give reasons for failure to appear for an exam, and applications to request an academic leave, applications for the right to take part in studies during academic leave, and stipend applications;
3.1.5. data for providing study-related, career and psychological counselling services.
3.2. The legal basis for processing student data is the university’s legal obligation and/or task carried out in the public interest (organisation of study). The legal basis arises from national legislation (for example, Higher Education Act, University of Tartu Act, Study Allowances and Study Loans Act, Professions Act, Aliens Act), the performance of which is governed by government regulations (for example, the regulation on student scholarships, the uniform grading system in higher education and the conditions for and procedure of issuing diplomas and diploma supplements, regulation on the statute of the Estonian Education Information System), and the university bylaws (for example, Admission Rules, Study Regulations, Conditions of Reimbursement of Study Costs, Procedure for Applying for, Granting and Payment of Stipends and Study Allowances, Regulation of Study Information System, Procedure for Awarding Professional Qualifications, Rules of Residency).
3.3. The university processes the student’s personal data in several information systems. The main information systems are SIS, document management information system, Moodle, Mahara, Zoom, Panopto, BigBlueButton. Students may take into use various environments for their studies, for example, Overleaf, Coursera, Grammarly, etc. Users of e-learning environments may complete their user profile with voluntary information (for example, a photo, city, interests). The legal basis for processing these data is the user’s consent. The user has the right to edit or delete these data at any time.
3.4. If a student applies for a grant from non-university persons (for example, cooperation partners, grant providers) or participates in projects funded and controlled by non-university persons, the university will forward the student’s data to such persons. In such cases, the basis for processing personal data is the student’s consent given at the time of submitting the application.
3.5. After the student has graduated from degree study, the university publishes the student’s name in the alumni list. In the case of legitimate interest, the university may use the graduates’ contact details to promote further education opportunities and alumni activities.
4.1. As controller of personal data, the university processes the personal data of people who learn in continuing education courses (for example, continuing education programmes, degree courses as continuing education). For the purpose of organising continuing education, preparing documents and reporting, the university processes primarily the following personal data of continuing education learners:
4.1.1. name and surname, personal identification number, contact details, place of work, education and professional experience information, payer details;
4.1.2. for continuing education learners who participate in a course intended for students of general education schools, including a Youth Academy course, the continuing education learner’s school, class, and the name and surname of the subject teacher;
4.1.3. for applicants for the International Summer University, data presented on the application form;
4.1.4. continuing education learners’ data as presented on the registration forms, and their study results on completion of the continuing education programmes;
4.1.5. other personal data of continuing education learners. The university collects these data based on the consent of the continuing education learner and at the request of the financer of continuing education depending on the contract. The university informs the continuing education learner separately of collecting these data.
4.2. The legal basis for processing of continuing education learners’ data is, depending on the type of continuing education, either the university’s legal obligation or a task carried out in the public interest. The legal basis results from national legislation (for example, Adult Education Act, Aliens Act), the performance of which is governed by regulations (for example, regulation on the statute of the Estonian Education Information System) and university bylaws (for example, Regulation for Continuing Education, Procedure for payment of tuition fees for continuing education, Procedure for issue of continuing education certificates, Regulation of Study Information System). In the case of a paid course, the legal basis for processing personal data may be the contract signed with the continuing education learner.
4.3. If the continuing education learner gives a separate consent,
4.3.1. the university uses the learner’s email address to send information about other training courses organised by the university, by including the learner in the relevant mailing list. Continuing education learners may remove themselves from the mailing list at any time, using the link in the mailing list message;
4.3.2. the university processes the personal data supplied voluntarily by the continuing education learner (for example, health data included in the free text field) to perform the contract concluded with the learner and/or to comply with a legal obligation.
4.4. The university may use the contact details of school-leavers who have participated in continuing education, on the basis of consent, in its marketing activities to offer them opportunities for further education in the university’s degree programmes.
4.5. In the case of legitimate interest, the university may send the data on the participation of a general education student in training courses, including Youth Academy courses, to the school of the student. The university may also, in the case of legitimate interest, communicate information on a continuing education learner to a third person who has paid for the continuing education (for example, to the continuing education learner’s employer).
4.6. The university processes the personal data of continuing education learners pursuant to clause 3.3 in several information systems: SIS, document management system, and e-learning environments Moodle and Mahara.
4.7. If the continuing education learner has registered for a university training course via the continuing education information system Juhan, the learner’s data are sent to the university, which is the processor. After the training course, the university will send the study results to the Juhan information system. The university is authorised to do so on the basis of the consent given by the continuing education learner during registration as a user of the Juhan information system, and the contract made by the university with the operator of the Juhan information system (see also the Terms and conditions of use of the Juhan information system for continuing education).
4.8. Course materials that contain personal data (for example, registration sheets) are destroyed after the expiry of the time limit for contestation and for the financer of the training course to file a claim.
5.1. The personal data of job applicants is restricted information to which third persons (including competent authorities) gain access only in cases provided by law. As the controller, the university processes mainly the following data of a person applying for a job at the university:
5.1.1. data required for identification, primarily name and surname and personal identification number;
5.1.2. data required to contact the person: email address, telephone number and postal address;
5.1.3. data required for employment, for example, information on education, continuing education and professional experience, and research and development, including a list of scientific publications;
5.1.4. data about citizenship and, if necessary, the legal grounds for residence or employment in Estonia.
5.2. If the applicant has submitted the required information, the university presumes that the applicant agrees to processing their personal data for the purpose of employment. By submitting the referees’ details in the application documents, the applicant is presumed to consent that the university may contact them. More information about processing job applicants’ data at the University of Tartu can be found here.
5.3. If an applicant who is rejected gives separate consent, the university may propose the applicant take part in another competition when the university announces a suitable job. The university will keep the documents of unsuccessful applicants, based on legitimate interest, to resolve possible legal disputes for one year, starting from the negative decision.
5.4. For the preselection of applicants, the university may use psychometric tests (for example, mental ability and personality tests) if applicants consent to the testing in the test environment. Based on the interpretation of test results, the university may get more personal data (for example, personal characteristics) of the applicant from the test organiser, who is the processor of personal data. The university does not make decisions on applicants based solely on automated processing.
5.5. Job applicants’ data are processed with the Recrur recruitment software.
5.5.1. When recruiting support staff, only employees involved in the recruitment process can access the application documents.
5.5.2. Academic staff positions are generally filled by the university through a public recruitment procedure. Application documents are reviewed by employees involved in the recruitment process, members of a decision-making body and, for the posts of professor and associate professor, also by external experts. The public recruitment procedure is organised according to the Regulations for Recruitment of Academic Staff.
6.1. To comply with obligations arising from the employment contract and from legislation (for example, tax legislation, employment and labour laws, Accounting Act), the university as a controller processes the following personal data of university employees:
6.1.1. data required to identify the person: name and surname, personal identification number and citizenship;
6.1.2. contact details necessary for entry into and performance of the employment contract: email address, telephone number and postal address;
6.1.3. family and social data; for example, data regarding the employee’s children for providing child-related leave, death certificate of an employee or employee’s next of kin to pay funeral grant, documents certifying the duty to serve in the Defence Forces or participate in reservist training;
6.1.4. data on qualifications and professional training;
6.1.5. financial data; for example, bank account number, application for calculation of basic exemption and information on pension;
6.1.6. data regarding the employment relationship; for example, documents of appraisal interviews and evaluation;
6.1.7. data on the employee’s state of health; for example, health certificates, decisions of medical examinations, radiation monitoring data, data on accidents at work and occupational diseases.
6.2. The university may, with the consent of the employee, process the employee’s personal data concerning trade union membership to withhold the trade union’s membership fee from the employee’s salary.
6.3. The university employees’ email addresses, telephone numbers and office locations, which are intended for work-related communication, are made public on the university’s website based on legitimate interest so customers can contact the employees.
7.1. For the purpose of guarding the buildings and rooms owned and used by the university, and protecting the people and property in them, the university has a legitimate interest to use a video surveillance system. In doing so, the university follows the Regulations for ensuring security in buildings of the University of Tartu and Technical requirements for security systems and requirements for passive means of protection and electronic security systems. When video surveillance equipment is installed, the university will ensure that the surveillance covers the immediate surroundings of and entrances to the building, accesses to other floors and, if necessary, doors to special-purpose rooms. The use of the video surveillance system in the building is communicated on a sign placed on the front door.
7.2. Access to the video recordings and the real-time video image is available to the staff of the university’s in-house security service for the performance of their duties. Third parties, including other university employees, have no access to the video recordings and the real-time video image. The university will only transfer the video recordings to third parties (mainly to the Police and Border Guard Board) based on a formal request and upon legal obligation.
7.3. The video surveillance system saves the video recordings on the university’s central servers where they are stored for 30 calendar days.
7.4. In some instances, the university uses a video analytics-based system operated by a processor. The recordings are kept on the processor’s server for one calendar month.
8.1. The university records its most important events and allows third persons to view video and photo materials of public interest on the UTTV video portal and the university website. The university also records teaching and research activities (for example, conferences and lectures) at the request of structural units. The controller of the personal data created as a result of video and photo recording, primarily the images of persons, is the university.
8.2. For historical and cultural purposes, the university stores photo and video material for an unspecified term. Photos taken at public events may be used by the university in social media and advertising campaigns without asking the consent of the person.
9.1. Personal data may be contained in requests for explanation, memoranda, requests for information, communications and other letters that the university has received from institutions or individuals. The university registers all documents created and acquired in the course of its activities, including documents that contain personal data, in its document register.
9.2. The university has imposed restrictions on access to documents that contain personal data. The university issues restricted information, including documents that contain personal data, solely to such institutions and persons who have a lawful right to receive it (for example, persons conducting pretrial procedure or the court). If a third person submits a request for restricted information, the university will decide on a case-by-case basis whether the document can be issued in part or in whole.
10.1. In the course of the joint activities of the university and its cooperation partners, the personal data of data subjects are processed for the provision of a service agreed between the parties in a contract.
10.2. The services related to cooperation partners and the personal data processed in the course of provision of the services are generally the following:
10.2.1. rental of premises (name, surname, personal identification number, phone number, vehicle plate number of the person to whom a parking space is allocated);
10.2.2. issue of access cards (first name, surname, personal identification number, date of birth, card number);
10.2.3. organising of events (first name, surname, personal identification number, phone number, e-mail, information on food and special needs, video image, video and audio recordings, photos);
10.2.4. managing the information displayed by surveillance equipment (image of a person, records of access card use).
11.1. On its website (www.ut.ee and sub-pages), the university uses the following types of cookies:
11.1.1. session cookies, which are temporary and are erased immediately after the browser is closed. The university uses session cookies to ensure the proper functioning and convenient use of the website;
11.1.2. persistent cookies, which are stored on the visitor’s computer or device after the browser is closed. The university uses persistent cookies, for example, to identify visitors who have visited the website before, and store their user preferences (for example, the language setting). The university also uses persistent cookies to analyse website statistics and determine the average duration of a visit, to assess and improve the functioning and the user convenience of the website.
11.1.4. authentication cookies are used by the website to verify the identity of a logged-in user.
11.2. If visitors do not allow cookies, their access to the services and functions provided on the university’s website may be restricted.
11.3. The university’s website uses Facebook Pixel and Google Analytics services.
12.1. A data subject is a natural person whose personal data are processed. Depending on the legal basis of processing of personal data, data subjects have the right:
12.1.1. to obtain confirmation as to whether the university processes their personal data, and access the data collected about them. The university as controller may reject a data subject’s requests if their goal is other than being informed of processing or verification of the lawfulness of processing;
12.1.2. to demand the rectification of inaccurate personal data collected regarding them, or completion of incomplete personal data;
12.1.3. to demand that the university delete, without undue delay, their personal data, which the university no longer has legal basis to process or which the university no longer needs for the purpose for which it was collected or otherwise processed;
12.1.4. to withdraw their consent at any time, if the personal data are processed on the basis of consent. This does not affect the lawfulness of data processing that occurred before the consent was withdrawn;
12.1.5. to demand that the university restrict the processing of personal data, in case:
12.1.5.1. the data subject has contested the accuracy of the personal data. The university restricts the processing for the time needed to verify the accuracy of the personal data;
12.1.5.2. the processing of personal data is illegal but the data subject does not request the deletion of personal data;
12.1.5.3. the university no longer needs the personal data for processing, but the data subject needs them for preparing, filing or defending a claim;
12.1.5.4. the data subject has filed an objection to processing personal data. The university will restrict the processing until it is verified whether the university’s lawful reasons outweigh the data subject’s reasons;
12.1.6. to receive the personal data which they have submitted to the university and communicate them to another controller. The right to transfer data applies solely to the personal data which the persons themselves have provided to the university and which the university processes by automated means and on the basis of a consent or a contract. For example, the right to transfer data does not apply to job applicants, because their data are not processed by automated means;
12.1.7. to file an objection against processing their personal data, if the processing of data is based on legitimate interest, or if the processing is necessary for the performance of public duties or in the public interest.
12.2. With any questions relating to the processing of personal data and to exercising the above-mentioned rights of the data subject, the data subject may contact the university's data protection specialist by email at firstname.lastname@example.org. Upon getting a request, the university may ask the data subject to specify which information or which operations of personal data processing the request relates to. The university will reply to the request within 30 days from receiving the request. If more time is needed to reply to the request, the university may extend the term for responding by a reasonable time. One copy of the personal data processed is issued to the data subject free of charge, but for additional copies the university may charge a reasonable fee to cover administrative costs.
12.3. If the data subject holds the opinion that the way the university processes personal data conflicts with the legislation regulating the processing of personal data, the data subject has the right to lodge a complaint with the Data Protection Inspectorate (email email@example.com, phone number +372 627 4135) or another agency, particularly with a supervisory authority of the data subject’s residence or place of work.
13.1. In case of a personal data breach that can present a potential risk to a data subject’s rights and freedoms at the University of Tartu, the university will prepare the required documents and take measures to stop the violation immediately.
13.2. When a breach poses a high risk to a data subject’s rights and freedoms, the university must immediately notify the data subject so they can take necessary precautions to mitigate the situation.