Privacy Policy

Privacy Notice and Information for Data Subjects

This notice forms part of the information and accountability requirements laid down in the EU General Data Protection Regulation (EU 2016/679). The Jyväskylä Educational Consortium Gradia describes here and in its other activity- and register-specific privacy notices the key information related to the processing of personal data. This document is reviewed and updated as necessary.

Date of preparation: 4 December 2025

1. Name of the Register

Ceepos online payment interface

2. Data Controller

Jyväskylä Educational Consortium Gradia
Visiting address: Viitaniementie 1 A, 40720 Jyväskylä
Postal address: PL 472, 40101 Jyväskylä

3. Responsible Officer for the Register, Title and Contact Information

Jyväskylä Educational Consortium Gradia
Director of Finance and Administration, Piia Rissanen (functional responsibility)
Tel. +358 40 341 5101, piia.rissanen@gradia.fi

4. Contact Person for the Register, Title and Contact Information

Jyväskylä Educational Consortium Gradia, Financial Services
Accountant Heli Jäsberg (main user)
Tel. +358 40 341 4431, heli.jasberg@gradia.fi

5. Contact Details of the Data Protection Officer

The Data Protection Officer supports the controller in implementing data protection, assists data subjects in exercising their rights, and cooperates with authorities.

Data Protection Officer: Records Management Specialist Tarja Myllylä
Email: tietosuojavastaava@gradia.fi
Telephone: +358 40 341 5114

6. Purpose of Processing Personal Data

6.1 Purpose of the Register

Personal data are collected, among other things, to correctly allocate payments, to identify the customer and/or the person specified by the customer, and for reporting purposes. Personal data are also collected for ordering copies of certificates, locating the correct certificate, and delivering certificates.

Data on software users are collected to define access rights and to monitor usage. The software generates log data containing personal data for tracking usage history and resolving problem cases.

6.2 Is the Register an Official Register?

The register is an official register.
The register is not related to voluntary public administration activities.

6.3 Automated Decision-Making, Including Profiling

Not used.

7. Legal Basis for Processing Personal Data

7.1 Consent of the Data Subject

No.
When and how consent is given: not applicable.

7.2 Performance of a Contract

No.

7.3 Legal Obligation (e.g. employer obligations, student administration)

Yes.
Applicable legislation: Accounting Act (1337/1998)

7.4 Public Interest or Exercise of Official Authority (e.g. HR, research, statistics, archiving)

No.
Applicable legislation: none

7.5 Legitimate Interest (does not apply to official activities)

No.

8. Personal Data Stored in the Register

Personal data that may be stored include:

General customer register: customer number, first name, last name, email address.

Order register: payment number, products ordered and related details.

Certificate copy register: name, personal identity code, contact details, information related to study place and field.

Personal data are stored until they are manually deleted. Order data are stored until manual or scheduled deletion. Electronic receipt histories are stored until manually deleted, but for at least six years.

9. Regular Sources of Data

External systems that process payment transactions and are integrated with the online payment interface.

10. Data retention period or criteria for determining the retention period

Data are stored for at least six years as required by the Accounting Act, but are deleted no later than after seven years.

Data of registered users are deleted if the account has not been used for two years.

11. Are personal data regularly disclosed?

No.

Personal data are not disclosed to external parties. Data may be transferred to the controller’s other systems such as cash register systems, accounting, invoicing, access control, and booking systems.

Depending on the payment service provider, customer contact details may be transmitted to the payment system when making a payment to facilitate problem resolution and refunds.

12. Are personal data transferred to third countries or outside the EU or EEA?

No.

13. What are the principles of data protection?

Persons processing personal data are bound by a duty of confidentiality. Particular attention is paid to the protection of confidential data and special categories of personal data referred to in the General Data Protection Regulation. Provisions on confidentiality are laid down, among others, in Section 42 of the Act on Vocational Education and Training, Section 32 of the General Upper Secondary Schools Act, and Section 24 of the Act on the Openness of Government Activities.

The register does not contain confidential material.

13.1 Protection of manually processed (paper) data

No paper records are included.

13.2 Protection of electronically stored data

The software administration is protected by usernames and passwords, as well as user group-specific access rights. Data stored in the database are protected by usernames and passwords, and data processing is restricted to use within the online store system only. Data stored on disks are protected by operating system-level access rights. All data traffic between the system provider’s systems, the online store, and the payment service provider is secured using SSL encryption.

Maintenance access to the online store server is permitted only for server and system providers. The software provider has full access to view and delete all collected data.

14. Rights of the data subject

The identity of the data subject is verified before they exercise their rights.

If the exercise of the data subject’s rights is refused, the responsible official for the register shall provide the data subject with a written decision including the grounds for refusal.

The data subject has the following rights:

14.1 Right of access

Under Article 15 of the EU General Data Protection Regulation, the data subject has the right of access to personal data concerning them.

Requests for access shall be addressed to the contact person for the register, either by submitting a signed form printed from the website and sent to the consortium’s administration, by visiting in person, or by another reliably verified method. Forms are available at: www.gradia.fi/tietopyynnöt.

Access is free of charge once per year. Requests are usually fulfilled within one month. The right of access may only be refused in exceptional cases.

The data are provided by the main user of the register.

14.2 Right to rectification

Under Article 16 of the EU General Data Protection Regulation, the data subject has the right to request the correction of inaccurate personal data concerning them. Requests shall be addressed to the contact person for the register.

The controller shall, without undue delay, rectify, erase, or supplement personal data in the register that are inaccurate, unnecessary, incomplete, or outdated, either on its own initiative or at the request of the data subject.

Requests for rectification shall be made orally or in writing to the contact person and, if the request is refused, in writing to the responsible official for the register.

14.3 Right to erasure

Under Article 17 of the EU General Data Protection Regulation, the data subject has the right to obtain the erasure of personal data concerning them without undue delay. Requests shall be addressed to the contact person for the register.

The right to erasure does not apply to statutory registers.

14.4 Right to restriction of processing

Under Article 18 of the EU General Data Protection Regulation, the data subject has the right to restrict the processing of their personal data, for example if the accuracy of the data is contested. In certain cases, processing may continue despite the restriction.

14.5 Right to data portability

Under Article 20 of the EU General Data Protection Regulation, the data subject has the right to transfer their personal data from one system to another, provided that the processing is based on consent or a contract and is carried out by automated means. The data subject also has the right to have the data transmitted directly from one controller to another, where technically feasible.

The right to data portability does not apply to statutory registers.

14.6 Right to object

Under Article 21 of the EU General Data Protection Regulation, the data subject has the right to object to the processing of their personal data, for example for communication purposes. The objection must be submitted electronically or in writing and addressed to the responsible official for the register.

Personal data from this register are not disclosed for direct marketing, market or opinion research, directories, or genealogical research without the data subject’s consent.

14.7 Right to lodge a complaint with a supervisory authority

Under Article 77 of the EU General Data Protection Regulation, the data subject has the right to lodge a complaint with a supervisory authority, i.e. the Office of the Data Protection Ombudsman, if they consider that the processing of personal data infringes the Regulation.

Contact details of the Office of the Data Protection Ombudsman:
Website: https://tietosuoja.fi/yhteystiedot
Postal address: P.O. Box 800, FI-00521 Helsinki, Finland

Information to data subjects and privacy notices
Register descriptions are available on the Jyväskylä Educational Consortium’s website and intranet:
www.gradia.fi/gradia/rekisteriselosteet

Last updated: 23 September 2024 (Tarja Myllylä); 20 November 2024 (Liisa Lahtinen and Tarja Myllylä); 4 December 2025 (Tarja Myllylä, Liisa Lahtinen, Heli Jäsberg and Miia Issakainen).