1. Joint controllers 


Pl. Marii Skłodowskiej-Curie 5

60-965 Poznan


+48 61 833 3881



Postfach 101344

03013 Cottbus


+49 355 69-0


Campus Mont Houy

59313 Valenciennes cedex 9


+33 3 27 51 12 34


Avda. de los Castros, s/n

39005 Santander


+34 942 20 22 23


Place du Parc , 20

7000 Mons


+32 65 37 31 11


Piazza Università, 2

95131 Catania


+39 095 730 7777


Wolffintie 32

65200 Vaasa


+358 29 449 8000

1. Personal data processor 

Mediamaisteri Oy
PO Box 82 (Erkkilänkatu 11) 

33101 Tampere
Phone +358 10 281 8000

2. Contact persons in matters concerning the data file

In data protection matters, the contact point for data subjects are the EUNICE partner DPO’s, whose contact details are as follows:

Poznan University of Technology (PUT)

Piotr Otomański

Politechnika Poznanska, Pl. M. Sklodowskiej

Curie 5

60-965 Poznan, Poland

+48 61 665 3631                                                                                 

Brandenburg University of Technology Cottbus -Senftenberg (BTU)

Sergey Romanov

VG1C, R. 2.40, Konrad Wachsmann Allee 5 

03046 Cottbus

+49(0)355/69 -2112

Université Polytechnique Hauts-de France (UPHF)


Campus Mont Houy 59313 Valenciennes Cedex 9 France

 +33 3 27 51 13 36

Universidad de Cantabria (UC)

Gema Bilbao Prieto

Avenida de los Castros, 54 39005 Santander (Cantabria)


University of Mons (UMONS)


23, Place du Parc

7000 Mons

+32 65 37 37 02

University of Catania (UNICT)

Giuseppina Gravagna

Piazza dell'Università, 2. Palazzo Centrale. 95131


+39 095 7307376 ;

University of Vaasa (UVA)

Sami Kinnunen

University of Vaasa,

Wolffintie 34, 65200 Vaasa

+358 40 588 4282

3. Purpose of processing personal data

We process your personal data for the following purposes:


  • Management of user rights in the learning environment (1) (3)

  • Management and assessment of completed studies and compilation of related statistics (1) (2)

  • Communication as well as study-related advice and guidance (1) (2) (3)

  • Resolution of technical problems and misuse (3)

  • Monitoring of student activity (1) (2)

4. Legal basis for processing personal data 

The processing of personal data is based on (1) compliance with a legal obligation (e.g., the Universities Act 558/2009 and decrees issued pursuant to it, the Universities of Applied Sciences Act 932/2014, the Act on the National Registers of Education Records, Qualifications and Degrees 884/2017), (2) performance of a task in the public interest or in the exercise of official authority vested in the controller, and (3) legitimate interest.

5. Categories of personal data to be processed 

Basic data  

  • Identifiers: name, national learner ID

  • Login data: login method, username, linked login profiles

  • Contact data (email address) 

Study-related data 


  • Course registration data 

  • Course and other study-related assessments/grades 

  • Assignments returned in courses and their assessments/grades 

Communication data

  • Discussions and communication stored in the system by users regarding, for example, study-related advice and guidance

  • Blog entries

Data about the use of Eunice learning platform

  • Browser session data

  • Support requests

6.  Storage periods

User profiles will be removed one year after the last login. Courses will be hidden from students six months after the last course date. Courses will be hidden from teachers 12 months after the last course date. 

To the extent data are transferred to be processed in registers independently managed by controllers, the storage periods will be determined in accordance with legislation (e.g., data on completed studies are retained permanently in accordance with legislation) and with the archiving plans or information management plans of the educational institutions in question.

7. Where we obtain data

We obtain personal data related to user logins from the organisation that manages the credentials in question (Haka federation, Google login, Moodle login). Study-related data are obtained from the users themselves, or they are generated in connection with the use of the service and the completion of studies. Users themselves can produce data for the service, e.g., by publishing blog entries and storing files. Communication-related data are obtained from users. Browser session data are automatically generated in connection with the use of the service.

8. Recipients of personal data and transfers outside the EU or EEA 

Personal data are not transferred outside the EU or EEA. 

The processing of personal data has been outsourced to the Eunice administrator. The administrator is bound by a non-disclosure obligation and does not have the right to disclose data to third parties or use data for purposes other than the implementation of the controllers’ commission. The data protection of the service has been arranged with the administrator, for example, by concluding agreements on the processing of personal data.

9. Principles of personal data protection 

Personal data are processed confidentially, and the processors are bound by a non-disclosure obligation. The right to use personal data has been limited with the help of user right groups so that each user can only access the data they need in their work.

Your personal data will be protected according to the Code of Conduct for Service Providers a common standard for the research and higher education sector to protect your privacy.

Those employed by the University and serving in elected positions are bound by the non-disclosure obligation referred to in section 23 of the Act on the Openness of Government Activities. In addition, during the term of their employment, University employees may neither utilise nor divulge to third parties the employer’s trade secrets (Employment Contracts Act, Chapter 3, section 4). 

Systems containing personal data are protected by firewalls and other technical safeguards. Login and use of the systems is monitored. Devices and servers containing personal data are located in locked facilities and can be accessed only by designated persons.

10. Automated decision-making and profiling 

Personal data processed in the service are not used for profiling or for decision-making based on automated means.

11. Rights of data subjects 

Data subjects have the right to obtain information on the processing of personal data and to inspect the data concerning them that are stored in the data file. Data subjects have the right to request the rectification or supplementation of erroneous, deficient or inaccurate data as well as the erasure of unnecessary personal data. 

Depending on the basis of the processing, data subjects may have the right to request the erasure of their personal data. However, they do not have this right in cases where personal data are processed for the purpose of compliance with a legal obligation or for the exercise of public authority vested in the educational institution.

In certain situations, data subjects may have the right to request that the processing of their personal data be restricted until the data, or the basis for their processing, have been appropriately verified and rectified or supplemented.

If data subjects themselves have submitted data to the register which are processed on the basis of consent or agreement, they have the right to obtain such data in machine-readable format and to transfer the data to another controller. If personal data are processed on the basis of consent, data subjects have the right to withdraw their consent.

For special personal reasons, data subjects have the right to object to the processing of their personal data when the basis for processing is the performance of a task carried out in the public interest, the exercise of official authority or the controller’s legitimate interest. When making a request, data subjects must identify the specific situation based on which they object to the processing. The controller may only refuse to carry out a request on statutory grounds. Data subjects also have the right to object to the processing of their personal data for the purposes of direct marketing.

Data subjects have the right to lodge a complaint with a supervisory authority if they consider that the processing of their personal data violates the applicable data protection legislation. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman, PO Box 800, 00521 Helsinki, In addition to the above, data subjects have the right to use administrative and legal remedies.


12.  How to exercise your rights

Enquiries and requests concerning the processing of personal data, as described in this data protection statement, can be addressed to the contact person mentioned at the beginning of this statement. Queries should be made in writing or in person.

13. Joint controllers

As a rule, the controllers referred to at the beginning of this data protection statement are joint controllers of the personal data processed in the service. In addition, the controllers may process the personal data in the EUNICE learning platform as independent controllers. 

The joint controllers are jointly responsible for the processing of personal data in the service in accordance with the General Data Protection Regulation of the EU and other applicable data protection legislation. The joint controllers have set out procedures and responsibilities related to the processing of personal data by agreement. The joint controllers may disclose to each other data required for the provision of the service, provided that all recipients have a statutory right to process the data. Data can be processed only for the same purposes for which they were originally collected. 

Each joint controller takes appropriate technical and organisational measures for its part to ensure the security of the processing of personal data and to process personal data in accordance with applicable law. 

As described in this data protection statement, the administrator of the platform acts as the primary point of contact for data subjects, for example, to enable them to exercise their rights. However, despite the above, data subjects always have the right to contact any of the joint controllers if they wish to exercise their rights related to the processing of personal data described in this data protection statement. 


14. Changes to this data protection statement

We may occasionally update or change the content of this data protection statement. In such cases, we will post the updated data protection statement on our website, indicating the date of the update. If the changes are significant, we may also inform you about them in other ways, such as by email or by notifying you about the matter on our website.  

This data protection statement was updated in December 2022.