This statement describes how PeDaTa Oy processes personal data in accordance with the EU General Data Protection Regulation (GDPR) and Finnish Data Protection Act.

This data protection statement has been prepared in accordance with the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act.

Our customer service responds to registry-related questions and feedback within three business days.

Contact us: asiakaspalvelu@ekampus.fi

eKampus Customer Registry

The purpose of processing is:

• Managing the customer relationship
• Implementing the rights and obligations of the customer and data controller
• Providing and developing web services
• Supporting teaching and learning

Legal basis: Performance of a contract (GDPR Article 6(1)(b))

Legitimate interest in service development and security assurance

The registry may contain the following information about users:

• Name (first name and last name)
• Email address
• Mobile and/or other phone number (optional)
• Organization and position (teachers and educational institutions)
• Organization address
• User address (when needed for product deliveries)
• Connection log (login information)
• Service usage data (completed tasks, tests, progress)
• Technical data (IP address, browser type, operating system)

The registry is compiled from information provided by users themselves during registration, service use, and contacts.

Social login (Google, Microsoft) provides only name and email address with user consent.

The data controller does not disclose personal data to third parties, except:

• At the request of Finnish authorities as required by law
• To teachers at educational institutions for student licenses purchased by the institution
• To processors to enable service operation (see section 9)

Personal data is retained as long as:

• Access rights are valid
• Legal retention obligation requires it
• Legitimate interest requires it (e.g., billing, customer relationship management)

Data deletion:

• Data can be deleted at the request of the user or institution's main administrator
• Upon deletion, the user is immediately removed from active use
• Data is retained in backups for 3 months after deletion for possible restoration
• After this, data is permanently deleted from all systems

Upon expiry of access rights, users are responsible for transferring or deleting their own saved content before access expires.

Personal data is processed confidentially and is protected with appropriate technical and organizational measures.

Security measures:

• Passwords are encrypted using secure encryption methods (bcrypt) and are not stored in plain text
• Network connection is protected with TLS/SSL encryption (HTTPS connection)
• All data transfer between user devices and the service is encrypted
• Servers are protected with firewalls and other technical measures
• Access to personal data is restricted to only those who need it for their work duties
• Service use is secure even in remote use situations (e.g., use from home)

Data processors:

GDPR-compliant processing agreements have been made with all data processors.

Connection log stores:

• Logging user's name
• Login timestamp
• IP address

Error logs store:

• Error information related to service operation and possible service interruptions
• Error logs do not store unnecessary personal data

Log data retention period:

• Log data is retained only as long as necessary to ensure service operation and security
• Log data is automatically deleted after a defined period

Data subjects have the right to:

• Right of access: Obtain information about processing of personal data and a copy of the data
• Right to rectify incorrect or incomplete data
• Right to erasure ("right to be forgotten")
• Right to restriction of processing in certain situations
• Right to data portability from one system to another
• Right to object to processing of their data
• Right to withdraw consent (if processing is based on consent)
• Right to lodge a complaint with the supervisory authority

Exercising rights:

Contact our customer service: asiakaspalvelu@ekampus.fi

We respond to requests within one month

Supervisory authority:

The service does not perform automated decision-making or profiling as defined in Article 22 of the EU Data Protection Regulation that would have legal effects on the data subject.

The service analyzes learning progress and provides feedback, but these are not automated decisions in the sense meant by GDPR.

In the event of personal data security breaches, we act in accordance with the EU Data Protection Regulation (GDPR):

• We immediately assess the severity and scope of the situation
• We contain damage and implement corrective measures
• We notify the supervisory authority within 72 hours of the data security breach if necessary
• We notify affected data subjects if the breach is likely to result in a high risk to their rights and freedoms
• We document data security breaches and related measures
• We implement technical and organizational measures to prevent similar situations in the future

The service does not anonymize or pseudonymize user basic data (name, email, address) because they are necessary for:

• User account functionality
• Implementation of teaching and learning monitoring
• Ensuring possible product deliveries

However, data is processed only to the extent required by service operation (data minimization).

The service uses necessary cookies:

• Session cookies to maintain login
• To store user preferences (e.g., language selection, theme)
• Security cookies for CSRF protection

The service does not use tracking cookies or analytics cookies without user consent.

If you have questions about data protection or wish to exercise your rights, contact us: