Aalto University privacy notice for partnership services
In force from 9.5.2018
Updated 19.11.2019 & 11.11.2024 & 13.11.2024 & 27.2.2025, 4.4.2025 and 12.6.2025
General provisions concerning privacy and protection of personal data are included in Aalto University Data Protection Policy. Also Records Management Plan (TOS) regulates processing personal data. In addition, Aalto University has appointed Data Protection Officer (dpo@aalto.fi).
At Aalto, our operations take place in compliance with the Act on the Openness of Government Activities (621/1999). Pursuant to the principle of openness set out in the act, information in the possession of a university is public unless otherwise provided by law. Compliance with the act may obligate the university to disclose personal data to third parties.
Why and on what basis does Aalto University process your personal data?
A purpose of the processing of personal data is to better understand the needs of Aalto University’s internal and external customers, alumni and partners, as well as to improve the quality of our operations, the selection of new services, and the targeting and depth of our customer services. An additional goal is to ensure the data subject´s rights through maintaining correctness of personal data, and to further Aalto University’s societal impact as well as the university’s relationship management and engagement with individuals and with industry.
The university may also process personal data for data protection purposes and to prevent and investigate data breaches or misuse.
The processing of personal data is based on the controller's statutory duties and legitimate interest. If the personal data collected in connection with alumni and partnership activities is used for direct marketing for commercial purposes, it is carried out on the basis of legitimate interest. In this case, we comply with the provisions on electronic direct marketing issued in the Act on Electronic Communications Services.
Aalto University maintains an Alumni register (CRM) based on legal obligations. Personal data in alumni register is used to help administer alumni memberships, mentoring program, relations, activities and communications as well as for Aalto University alumni operations and service marketing purposes. The data may also be used to generate statistical information for Aalto University’s use. The processing of personal data is based on the legal obligations and legitimate interest of the controller.
What personal data does Aalto University collect and process?
The personal data processed by the university may be divided into the following categories:
Identification data:
- name and contact details
- date of birth (alumni and staff)
- gender and nationality (alumni)
Links to social media pages of the data subject. Link to theses, published with consent of the author.
Information relating to alumni activities, degrees and theses, published with consent of the author.
Career information provided through the mentoring program.
Information relating to billing.
- bank account
- receipts or voucher material
Information relating to marketing impact
How do we collect personal data?
Data on alumni required to maintain Alumni register is recorded from the Aalto University and Aalto University Executive Education Ltd´s student information system. Data on alumni graduated between 1960-2021 has been recorded to Alumni register in 2021 and this has been supplemented in 2024.
Alumni data can also be received from the data subjects as they register to alumni membership.
Period for which personal data is stored
Personal data is stored for as long as is necessary in relation to the purposes for which it was collected and processed or for as long as is required by law or regulation. The storage of data on Aalto University students follows the applicable privacy notices as well as the university’s data management plan. When a person no longer has a valid study right included in the transfer and the purpose for processing personal data in the partnership system ends, their data will be deleted no later than one year after the last valid study right included in the transfer has ended.
A person who has completed a degree program through Aalto University Executive Education and Professional Development (Aalto University Executive Education Ltd, Aalto EE) is part of the Aalto University alumni community.
To qualify for Aalto EE alumni status, participants must meet one of the following criteria:
- complete Aalto EE's or its predecessors' Master of Business Administration (MBA), Executive Master of Business Administration (Executive MBA, EMBA), or Doctor of Business Administration (DBA) program, or
- complete an organization-specific tailored Executive MBA program, or
- complete an open enrollment program with a duration of more than four months.
Starting from 1st of January 2025, participants can also qualify for alumni status by completing:
- an open enrollment program with at least ten full days of interactions over time, either face-to-face or online, or
- a combination of open enrollment programs that together total at least ten full days of interaction.
This policy does not affect Aalto EE's current alumni. It is effective for participants starting programs after 1st of January 2025. Days accumulated before this date will not be considered.
More information about Aalto EE's alumni activities and the studies that qualify for alumni status can be found: .
Alumni can also provide and update their contact information themselves via the alumni website: For alumni | Aalto University.
What personal data does Aalto University Executive Education Ltd collect and process?
The personal data processed by Aalto Executive Education Ltd on behalf of Aalto University may be divided into the following categories:
Identification data:
- name and contact details
- date of birth (alumni and staff)
- gender and nationality (alumni)
Links to social media pages of the data subject.
Information relating to alumni activities and completed degree programs (lifewide learning), courses and degrees.
How do we collect personal data?
Data on alumni required to maintain Alumni register is recorded from the Aalto University and Aalto University Executive Education Ltd´s student information system. Data on alumni graduated between 1960-2021 has been recorded to Alumni register in 2021 and this has been supplemented in 2024.
Alumni data can also be received from the data subjects as they register to alumni membership.
Period for which personal data is stored
Personal data is stored for as long as is necessary in relation to the purposes for which it was collected and processed or for as long as is required by law or regulation. The storage of data on Aalto University students follows the applicable privacy notices as well as the university’s data management plan. When a person no longer has a valid study right included in the transfer and the purpose for processing personal data in the partnership system ends, their data will be deleted no later than one year after the last valid study right included in the transfer has ended.
Personal data on donors is collected in connection with their donations. The personal data is used in communications for donors, for example, in donor newsletters and in invitations to stakeholder events. For all donations of €10,000 or more, sufficient information about the donor's background and the origin of the donation must be obtained before accepting the donation. Donor information may be published and remain online permanently (e.g. donor names may be on a webpage) if the donor granted consent for this when making a donation. The processing of personal data is based on the compliance with the controller's legal obligations, the performance of a contract, legitimate interest, or the data subject's consent.
What personal data does Aalto University collect and process?
The personal data processed by the university may be divided into the following categories:
Identification data:
- name and contact details
- date of birth (alumni and staff)
Information relating to the donations.
Donor wealth information available from public sources.
How do we collect personal data?
The data is for the most part collected from the data subjects themselves through their registrations or through other contact with them.
Personal data may be collected and updated to ensure the correctness of the data using other personal data files of Aalto when a legal basis for it exists, as well as from the following: the Finnish Trade Register; online services and software applications of companies; authorities and companies providing services concerning personal data; and any publicly accessible online sources. Aalto University may use external screening tool providers, acting as independent controllers concerning the services, to identify potential private donors who could align with our strategic objectives. The data of the tool provider has been collected from public sources or other data providers. In addition, personal data may be collected as separately agreed from Aalto's partners, for example, for the implementation of joint events. Personal data is deleted from Aalto University´s registers when the basis for data processing ends.
Period for which personal data is stored
Personal data is stored for as long as is necessary in relation to the purposes for which it was collected and processed or for as long as is required by law or regulation. The management of the donation relationship is based on the customer relationship created in connection with the donation and requires the maintenance and development of the donor relationship during and after the donation process. Data related to donations is stored in accordance with the records management plan (TOS).
Stakeholder database includes information on our stakeholders (companies and other organisations) and their contact persons and representatives as well as individuals whom, due to their position or professional duties, Aalto may wish to contact as experts, mentors, partners, visiting lecturers, research subjects, or for other roles in Aalto University activities or those billed by Aalto University, such as tuition fees or those billing Aalto University. Personal data collected for partnership activities may be used for communications about the work of Aalto or of a part of Aalto as well as in other stakeholder communications. The processing of personal data is based on the legitimate interest of the controller and on the controller’s legal obligations (for example data related billing, teaching, implementation of regulation concerning restrictive measures), and the data may be collected and updated from internal and external registers to ensure their accuracy.
What personal data does Aalto University collect and process?
The personal data processed by the university may be divided into the following categories:
Identification data:
- name and contact details
- date of birth (alumni and staff)
- gender and nationality (alumni)
Links to social media pages of the data subject. Link to theses, published with consent of the author.
Information relating to alumni activities, degrees and theses, published with consent of the author.
Career information provided through the mentoring program.
Information relating to billing.
- bank account
- receipts or voucher material
Information relating to marketing impact
How do we collect personal data?
Data is primarily collected from the persons themselves on the basis of registration or other contact.
Personal data may be collected and updated to ensure the correctness of the data using other personal data files of Aalto when a legal basis for it exists, as well as from the following: the Finnish Trade Register; online services and software applications of companies; authorities and companies providing services concerning personal data; and any publicly accessible online sources. In addition, personal data may be collected separately from Aalto's partners, for example, for the implementation of joint events. Personal data will be deleted from Aalto University's registers when the basis for processing the data expires.
Period for which personal data is stored
Personal data is stored for as long as is necessary in relation to the purposes for which it was collected and processed or for as long as is required by law or regulation. The storage of data on Aalto University staff and students follows the applicable privacy notices as well as the university’s records management plan. When a person no longer has a valid study right included in the transfer and the purpose for processing personal data in the partnership system ends, their data will be deleted no later than one year after the last valid study right included in the transfer has ended. Data related to partnership activities will be deleted after the relationship ends.
The university processes students' personal data for the provision of partnership services (events, newsletters, commissioned theses for publication, alumni activities, marketing services) and for statutory tasks (billing related to tuition fees, invention disclosures, alumni registry). The data is used to stay in touch with graduates for lifelong learning and alumni services, and to evaluate the effectiveness of university education. Additionally, the university may process personal data for marketing communication or other specific purposes. To ensure the accuracy and quality of information, the personal data of Aalto University degree students is recorded from the student register into the alumni register at the beginning of their studies. Degree information is updated in the alumni register upon graduation. The processing of personal data is based on the legitimate interest of the data controller.
What personal data does Aalto University collect and process?
The personal data processed by the university may be divided into the following categories:
Information relating to billing
- bank account
- receipts or voucher material
- Data relating to alumni activities, degrees and theses, published with consent of the author.
How do we collect personal data?
Data on alumni required to maintain Alumni register is recorded from the Aalto University and Aalto University Executive Education Ltd´s student information system. Data on alumni graduated between 1960-2021 has been recorded to Alumni register in 2021 and this has been supplemented in 2024.
Personal data may be collected and updated to ensure the correctness of the data using other personal data files of Aalto when a legal basis for it exists, as well as from the following: the Finnish Trade Register; online services and software applications of companies; authorities and companies providing services concerning personal data; and any publicly accessible online sources. In addition, personal data may be collected separately from Aalto's partners, for example, for the implementation of joint events. Personal data will be deleted from Aalto University's registers when the basis for processing the data expires.
Period for which personal data is stored
Personal data is stored for as long as is necessary in relation to the purposes for which it was collected and processed or for as long as is required by law or regulation. The storage of data on Aalto University staff and students follows the applicable privacy notices as well as the university’s data management plan. When a person no longer has a valid study right included in the transfer and the purpose for processing personal data in the partnership system ends, their data will be deleted no later than one year after the last valid study right included in the transfer has ended. Data related to the employment relationship of the staff is deleted after the employment relationship has ended. Data related to partnership activities will be deleted after the relationship ends. The management of the donation relationship is based on the customer relationship created in connection with the donation and requires the maintenance and development of the donor relationship during and after the donation process. Data related to donations is stored in accordance with the data management plan.
To whom do we disclose personal data?
Aalto University uses external service providers, who may process personal data as part of their services. The service providers are considered data processors to the extent that they process personal data and do so in accordance with the aims defined by Aalto University.
As a part of the university’s societal impact work, we engage in broad collaboration with various businesses and public organisations, and we participate in activities of ecosystems that share the goals of the university and are in line with the university’s interests. The university requires of its partners trustworthiness and a code of conduct, and responsibility for protecting personal data is arranged according to the GDPR for each collaborative relationship.
In order to measure and direct the impact of our work, we need to follow the scale and, if possible, relevance of our networks and collaborations. This requires transparency as well as effective utilisation of both human and technical resources. We may disclose needed personal data to these collaborative partners (incl. authorities such as the Ministry of Education and Culture) on a case-by-case basis.
Based on act of openness and separately drawn agreement we can also disclose personal data to collaborative partners such as Aalto University alumni associations. Information related to fundraising and donations is handled confidentially, securely, and with respect for privacy. The university discloses information received upon request to external parties if legislation (such as the Act on the Openness of Government Activities) requires it.
Transfer of personal data to third countries
A data protection policy of the university is that particular care is to be taken when transferring personal data outside the EU and the EEA to countries that do not offer the data protection required by the European General Data Protection Regulation (GDPR). Transfers of personal data outside the EU and EEA are done in accordance with the requirements of the GDPR, using as a basis e.g. its reference to decisions made on the adequacy of the level of protection provided (Article 45), utilising standard agreement clauses and following other data protection measures in accordance with the GDPR.
Period for which personal data is stored
Personal data is stored for as long as is necessary in relation to the purposes for which it was collected and processed or for as long as is required by law or regulation. The storage of data on Aalto University staff and students follows the applicable privacy notices as well as the university’s data management plan. When a person no longer has a valid study right included in the transfer and the purpose for processing personal data in the partnership system ends, their data will be deleted no later than one year after the last valid study right included in the transfer has ended. Any data concerning the contractual employment relationship of Aalto staff will be erased at the termination of the employment relationship. Any data concerning partnership activities will be erased at the termination of the partnership. The management of donation relationships is based on the customer relationship established at the time of donation and requires the maintenance and development of the donor relationship during and after the donation process. Information related to donations is retained in accordance with the data management plan.
Rights of the data subject concerning personal data
Under the GDPR, you have the right to review your information and rectify any inaccurate or erroneous personal data. In addition, with certain exceptions, you have the right to erase your data. If he processing of personal data is based on your consent, you also have the right to withdraw your consent. You find more information on your rights listed below.
According to the GDPR, you have a right to know what information on yourself is stored in the personal data file. You have the right to request that any inaccurate or erroneous data on yourself be rectified without undue delay. If data you wish have rectified or erased is maintained by an Aalto partner, we will request that the partner take the appropriate measures.
Barring certain exceptions, the GDPR guarantees your right to have your erased, or as it is termed, your right to be forgotten. However, this right does not obtain in cases where the university’s right as the controller to process personal data is based on the university’s obligation to perform tasks carried out in the public interest or in the exercise of official authority. If the processing of personal data is based on your consent, you may also withdraw your consent. In that case, you may submit a request to us to erase data concerning yourself from our system. If there is no other legal grounds for processing your data, we will erase it.
If you contest the accuracy of the personal data or the lawfulness of the processing, or or if you have exercised your right to object to the processing, you may request that the processing of the personal data be restricted to storage only. The processing of the data is then confined to its storage only until, for example, the accuracy of the data is verified. If you do not have the right to request erasure of the data, you may request instead that Aalto University limit its processing to only that needed in order to store the data.
You always have the right to object to the processing of your personal data when the processing is for marketing purposes.
You may exercise your rights by submitting a GDPR-compatible request via Aalto’s personal data portal:
Note, however, that if the matter concerns a change of contact information or other routine changes, you should contact: servicedesk(at)aalto.fi.
If you have questions regarding this privacy notice, you may contact the Aalto University data protection officer:
Data protection officer: Sirpa Syrjälä
Tel.: (exchange) 09 47 001
Email: dpo@aalto.fi
If you, the data subject, consider the processing of your personal data to be an infringement of privacy protection legislation, you have the right to lodge a complaint with the data protection ombudsman (www.tietosuoja.fi), which is the supervisory authority.
We have an obligation to communicate personally any security breach of personal data to those data subjects whom the breach concerns. The right enters into force if the breach is likely to result in a high risk to the rights and freedoms of the individual, e.g. in the form of identity theft, payment fraud or other criminal activity.
An information security team operates at Aalto (email security(at)aalto.fi) to process reported data protection and information security incidents concerning the university and to help resolve them, investigating whether data breaches have occurred.
Your responsibility
You are responsible for the information you supply or make available 91ÇàÇà²Ý University recipients, and you must ensure the accuracy of the information.
Amendments to the privacy notice
Aalto University updates this notice as needed. Updated versions of this notice will show the date of the new version at the beginning of the document. If we make changes to content of this notice, we will take appropriate measures to keep you informed in a manner consistent with the significance of the change. We encourage you to check this notice often to be aware of how Aalto University protects your data.
Other privacy notices
Aalto University maintains several privacy notices. For example, if you have university username, attend university events, or visit our campus, please find information about the processing of your personal data in order to implement these services on the University Privacy Statements page.
Privacy notice for Aalto University communication and events
Privacy notice for Aalto University communication and events
Privacy notices
Aalto University's privacy notices
Controller, register person-in-charge and contact information
The controller of personal data in partnership activities is Aalto University.
The register person-in-charge is Ville Krannila.
Tel.: (exchange) 09 47 001
Email: crm-support(at)aalto.fi
The Aalto University Data protection officer is Sirpa Syrjälä.
Tel.: (exchange) 09 47 001
Email: dpo(at)aalto.fi