Data Protection and Privacy Policy

Date of editing 9.1.2023

Data protection is important to us, and we wish to explain how we process personal data and for which purposes we process the data. Humak follows the principles of integrating data protection into all operations by default. In basic operations, data protection is taken into consideration in fields such as management, procurements, development, operational processes and technical solutions.

Registrar Humak University of Applied Sciences
Ilkantie 4, 00400 Helsinki, Finland
Puh. +358 020 7621 390
Registrar’s responsible person Principal/CEO Jukka Määttä
Contact person in privacy and data protection issues Format of email:

Communications manager Jarmo Röksä

Data Protection Officer ICT-Manager Ari Savander
Name of the Register Customer register of Open UAS
User register of
Administration of personal data. Humak as the data controller is responsible for complying with the data protection principles defined in the law at all stages of processing personal data. All processing of personal data must be done carefully and in compliance with the law and Humak’s data protection policy.

Personal data must be processed appropriately and only for a specific purpose. The processing of personal data is done with the consent of the person in question or on other legitimate grounds defined by the law. To perform its duties, Humak will process the personal data of various interest groups in addition to the personal data of staff and students.

Humak processes personal data based on the General Data Protection Regulation of the EU, the University of Applied Sciences Act, the Government Decree on Universities of Applied Sciences and the consent of the

Humak collects data ( | Open UAS) when a customer registers to the studies in open university of applied sciences.  In the personnel data is always anonymized and the cookies are opted out by default. The user register consists of Humak staff and the students who has been given rights to update the contents of the websites.

In open UAS website the personal data is processed to implement the agreement between the data controller and the data subject and, based on the data subject’s consent, to process registrations, orders, contacts, transactions, marketing, reporting and other measures related to customer service or website maintenance, and to receive donations.

Purchase and transaction data and location data processed in the register can also be used for marketing measures and customer communication if the used actively selects the cookie practices in the webpage. The visit history of individual visitors is always anonymized, except for purchases in the online store.

Personal data in the register can also be processed in connection with sending the newsletter, participating in events, trainings and other marketing measures but only if the user gives a consent to it.

If the data subject does not provide the requested information to the extent that the data is related to the registration of the open university of applied sciences or the maintenance of the website, the data controller cannot accept the registration of the data subject nor commit to an agreement between the data controller and the data subject on the organization of education or the right to update the website.

Legal basis for processing personal data The groups of people whose data can be processed are participants in training organized by the controller, those who have given marketing permission, or buyers of other services or products who log in separately to the online service.
Data in the register The register stores the following self-declared and saved data in the system by the customer of the open amk online store:

  • Name
  • Username
  • Email
  • Telephone
  • Street adress
  • Post number
  • City
  • Country
  • Total amount of the purchases in order to calculate the annual maximum study fee
  • Information required to get a discounted price (alumni, labour market status)
  • Purchased courses
  • Order number
  • Order status
  • Notes in the order service and eventual communication with the customer

Payment transaction service is a third party service collecting the payments securely. Paytrail is storaging:

  • Name
  • Email
  • Telephone
  • Adress
  • Purchased product
  • Amount of purchase
  • Transaction number, date, time and payment method


Information systems that use the register Humak’s website and its affiliate * sites (subdomains).

Open UAS website, ecommerce:

Regular sources of information Google Analytics
Google Tag Manager
Zendesk-chat (ent. Zopim)
In addition MailChimp-service is used for news letters when the user has given a consent for the correspondance.
Regulatory disclosures of intormation Register data can be shared within the organization and to the authorities in cases required by law. In addition, the register data is transferred to the defined personal data processor in the student affairs administration. Register data can be accessed by persons with the main user level of the website and administrators of the online store.
Data transfer outside the EU or ETA Our website uses the Indian VWO service, which means that information related to the use of the website is transferred outside the EU. However, VWO is committed to complying with GDPR requirements. More information can be found at the link below.

VWO privacy policy

In addition, we use MailChimp service for direct marketing and communication, which is committed to complying with GDPR requirements. More information can be found at the link below.

MailChimpin Privacy Policy

Our website uses a chat service provided by Zendesk from the United States. If the user decides to provide their email address via chat, the address is saved in Zendesk’s system.

Zendesk chat GDPR compliance

Securing the data Information storage is technically protected. Physical access to data is prevented by means of access control and other security measures.

Access to information requires sufficient rights and identification. Unauthorized access is also prevented e.g. with the help of firewalls and technical protection. Logging in to the website is blocked from unknown IP addresses outside operational area and strong password policy is obligatory.

Only the data controller and specially designated technical persons can access the register data. Only named persons have the right to process and maintain the data in the register.

Users are bound by a duty of confidentiality. The registry data is backed up securely and can be restored if necessary. The level of information security is audited at frequent intervals either by external or internal auditing.

Employees have the right to see only such information as they need in their work.

Rights of registrants The register statement can be seen on Humak’s website. A person in the register has the right, among other things:

Ask the controller for access to personal data concerning him. In addition, the data subject has the right to request the rectification, correction or deletion of the data in question or to limit the processing or to object to the processing, as well as the right to transfer the data from one system to another. The request must be made in writing to the keeper of the register.

To the extent that the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw consent to the storage of his data at any time. This does not affect the legality of the processing carried out before the cancellation. The request must be made in writing to the keeper of the register.

The inspection request must be made in person or in writing. The right of inspection shall be exercised without delay. Without undue delay, the controller must, on his own initiative or at the request of the data subject, correct, delete or supplement the data in the register that is incorrect, unnecessary, incomplete or outdated in terms of the purpose of the processing. (Finnish Personal Data Act § 29). If the correction of information is refused, a written certificate of refusal will be given. The registered person has the right to refer the matter to the data protection commissioner. The data protection commissioner can issue an order to the data controller to correct the information.

Changes to the privacy statement We reserve the right to change this privacy statement. The content of the data protection statement should be checked regularly.