EU General Data Protection Regulation 2016/679

KY collects personal data for seven different purposes. For each of these purposes, we have formed separate privacy statements, all of which are viewable on this page by choosing the associated register below.

KY's Privacy Statement for

Activity Points Register

EU General Data Protection Regulation 2016/679


Controller of the register and contact information

Controller: Aalto-yliopiston kauppatieteiden ylioppilaat ry (”Association”)
Business ID: 22149760-2
Address: Konemiehentie 4, 02150 Espoo
Phone: +358 40 353 8283

Contact person: Heidi Riihimäki, Executive Director
Phone: 0500 430 546


Name of the register

Activity Points Register of Aalto University Business Students.


Data subjects

This register includes data of people that operate within the environment of the Association and have been actively participating in the Association’s activities (“Data subjects”).


Legal basis and purpose of gathering personal data

The legal basis for gathering personal data is consent.

The purpose of the register is keeping track of the activity points that data subjects collect when they are participating in activities. The contact information of the members of the Association is updated during the membership within the data system (“System”), upkeeping the benefits and rights of the member and ensuring them a chance to join invitational events.


Data content

The register contains contact information of the people that operate within the Association’s environment, personal data of the associations members and other useful information related to the associations’ membership. This includes following data:

  • Data subject’s first and last name;

  • Data subject’s email address;

  • Data subject’s positions of trust in the Association;

  • Data subject’s starting year of studies.


Regular sources of information

Personal data is collected from the data subjects themselves.


Regular disclosures and transfers of personal data

Personal data is regularly disclosed to the workgroup that prepares the Association’s acknowledgements. Personal data is also regularly transferred to the member register of Aalto University Business Students in terms of information about positions of trust within the Association.

Personal data can be disclosed to Association’s cooperation partners in order to carry out services related to the membership. Personal data can be disclosed to Association’s cooperation partners in order to carry out services that are not related to the membership only with the data subject’s consent.

Personal data can be transferred to other service providers in order to execute the System. The service provider executing the technical maintenance of the member register may transfer personal data in accordance with applicable privacy legislation and this privacy statement.


Transfers of personal data outside of EU or the EEA

Personal data won’t be transferred outside the European Union or the European Economic Area by the Association. However, the Association may use a service provider that is located outside of the EU or the EEA. The transfer of personal data outside of EU or the EEA is always carried out on one of the following legal grounds:

  • The European Commission has decided that an adequate level of data protection has been ensures in the recipient country;

  • The Association has implemented the appropriate safeguards for the transfer of personal data using standard terms of privacy approved by the European Commission. The data subject has the right to obtain a copy of these standard clauses by contacting the Association’s contact person; or

  • The data subject has consented to the transfer of their personal data, or there is a lawful ground for the transfer.

Access to the personal data is limited to what is necessary in order to carry out the services. The transfer of personal data outside of the EU or the EEA is always based on current legislation on the processing of personal data and is carried out in accordance with that legislation.


Protection of personal data and information security

All digitally handled personal data is stored securely in the Association’s System. Access to the System is limited to only authorized individuals that need the access in order to handle their work assignments. These individuals use their personal usernames and passwords to access the System.

Personal data is secured from outsiders and the use of member data is supervised. Personal data sent outside the Association is encrypted. Workstations and storages are secured.

Suomen Ekonomit ry (0202108-3) and Microsoft are responsible for the technical maintenance and protection of the member register.


Retention period of data

Personal data is stored in the register for as long as the data subject is a member of the Association’s association register.

Personal data will be retained for a maximum of 10 years after the membership has ended on the basis of the Association’s legitimate interest. Personal data may be stored for longer time periods if the applicable legislation or Association’s contractual obligations require it.


Data subject’s rights

The data subject has the right to object to the processing of his/hers personal data for direct marketing purposes at any given time. The data subject may provide the Association with channel-specific consents and restrictions (e.g. prohibit marketing via email).

In addition, the data subject has per se following rights at any time in accordance with applicable data protection legislation:

  • receive information about the processing of his/hers personal data;

  • have access to his/hers own personal data and inspect his/hers personal data processed by the Association;

  • demand correction and supplementation of inaccurate or incorrect personal data;

  • demand the removal of own personal data;

  • withdraw his/hers consent and object to the processing of personal data insofar as the processing of personal data is based on consent;

  • receive his/hers personal data in digital form and transfer those to another service provider given that the data subject has delivered the data to the Association personally, the Association processes the personal data in question based on consent and the processing is automatic; and

  • demand the processing of his/hers personal data to be restricted.

The data subject must submit the request for execution of the above-mentioned according to section 13 of this privacy statement. The Association may ask the data subject to specify the request in writing and verify the data subject’s identity before processing the request. The Association may refuse to execute the request based on applicable legislation.


Right to complain to supervising authority

Each data subject has the right to complain to the relevant supervising authorities or to the supervisory authorities of the Member State of the European Union where the data subject’s resident or workplace is located if the data subject sees that his/hers personal data has not been processed according to applicable data protection legislation.


Contact information

Requests considering the data subject’s rights, questions about this privacy statement and other contacts should be sent via email to the contact person.

Contact person: Heidi Riihimäki, Executive Director

The data subject may also contact us personally or in writing at the address below:

Aalto-yliopiston kauppatieteiden ylioppilaat ry
Konemiehentie 4
02150 Espoo


Changes to this privacy statement

This privacy statement has been accepted by the Executive Board of the Association in its meeting on 4.3.2021. This privacy statement can be updated from time to time, for example, when legislation changes. This privacy statement was last updated 5.4.2023.

Back to the top