Processing of personal data at Clinical Research Institute HUCH

This page informs employees of Clinical Research Institute HUCH and recipients of salaries and/or remunerations about how their personal data is processed by the Institute.

The EU General Data Protection Regulation (GDPR) 2016/679 came into force on May 24, 2016. The application of the GDPR began after a transition period on May 25, 2018, after which the processing of all personal data falling within its scope must be GDPR-compliant.

The definition of “personal data” used in GDPR is considerably broader than the definition in the Finnish Personal Data Act: “[A]n identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

According to the GDPR, an email address or the IP address of a smartphone, for example, comprise personal data if they can be employed to identify the user of the device.

The GDPR includes many issues that were already covered in their main respects in Finnish legislation, but also entirely new obligations.

Henkilötietojen käsittely





Privacy statement concerning personnel and salary administration


Register controller

Clinical Research Institute HUCH
hyksinstituutti (at)
Mannerheimintie 105, P.O. Box 710, FI-00029 HUS
Phone (HUS switchboard): +358 9 4711

Contact and responsible person

The contact person responsible for the register is the officer in charge of HR at Clinical Research Institute HUCH:

Financial Manager Minna Aromaki,
tel. + 358 50 359 6940
email: ext-minna.aromaki (at),
address: P.O. BOX 700, FI-00029 HUS

The contact person responsible for the personnel and salary administration register is Ilkka Tavio, Financial Manager at Clinical Research Institute HUCH. The contact person responsible for the register ensures that register functions are planned and implemented in accordance with regulations and provisions together with the Data Protection Officer of HUS.

Clinical Research Institute HUCH is a limited liability company that is wholly owned by the Hospital District of Helsinki and Uusimaa (HUS). The Data Protection Officer (DPO) of HUS Group is also the DPO of Clinical Research Institute HUCH. You can contact the HUS DPO at:

Petri Hämäläinen
eutietosuoja (at)

The task of the contact person is to answer questions and queries about the register. In addition, payroll clerks will provide information related to their tasks.

Financial Manager Minna Aromäki
ext-minna.aromaki (at)
P.O. BOX 710, FI-00029 HUS

Personnel Secretary Taru Sorsa
ext-taru.sorsa (at)
P.O. BOX 710, FI-00029 HUS

Purpose and legal basis for processing personal data

The legal basis for processing personal data at Clinical Research Institute HUCH with respect to the personnel and salary administration register in accordance with GDPR is always one of the following three:

I. consent of the person (documented, freely given, specific, informed and unambiguous)
II. an agreement to which the data subject is a party
III. legitimate interest of the register controller, such as an employment relationship.

Data is not used for automated decision-making or profiling.

With the register, the Institute carries out the tasks that belong to it as an employer under law and collective bargaining agreements. The data that the Institute requires on its employees and shop stewards in the handling of its employer tasks is entered into the system. The most typical areas in which this data is used are:

  • payroll accounting and salary payment
  • storing data that affects pensions
  • collecting withholding taxes
  • determining the benefits of salary earners
  • compiling statistics on personnel

The upkeep of the register is based on legislation such as:

Data content of the register

The personnel and salary administration register consists of paper documents or information systems that contain data required for the individual identification of people, such as name, personal identity code and contact information, as well as information on pay and service relationship. The necessary information is entered into the register:

  1. Existing documents relevant to the competence of a person and the terms and conditions of his/her service relationship, such as copies of school, education and work certificates, commissions, employment contracts, decisions on leaves of absence, etc.
  2. Written employment contracts made with persons.

The register consists of the following information systems:

  1. Digia Enterprise 7.4
  2. Outlook email boxes are used for handling employee pay-related issues
  3. Through Basware, Digia’s salary administration automation system, salary calculations are sent to Aditro, which in cooperation with Finnish banks produces the salary calculations for e-banking purposes.
Transfer of data outside the EU or EEA

Data is not transferred outside the EU or EEA. Data is not disclosed to third parties for marketing purposes.

Principles of register protection

Care is taken in the processing of the register and data processed with information systems is appropriately protected. When register data is stored on Internet servers, the physical and digital information security of the hardware is appropriately safeguarded. The register controller ensures that stored data, server access rights and other data that is of critical importance for the protection of personal data are processed in confidence only by those who are employed to do so.

When employees sign their employment contract with Clinical Research Institute HUCH, they commit to non-disclosure, both at and outside work, of any confidential information related to their work or of which they become aware. This non-disclosure obligation continues after the end of the employment relationship.

Register data may only be accessed by persons who require it in the performance of their jobs. Payroll clerks and the financial manager may access the data.

The register data is processed with the due care required by the GDPR. Protection is based on passwords and other restrictions to ensure that unauthorized persons cannot access the data.

Hardcopy materials are stored in locked premises that can be accessed only by those who need to access them in the performance of their work.

Rights of data subjects

Those entered in the register (“data subjects”) have the right to request that their personal data be erased from the register (“right to be forgotten”). Furthermore, data subjects also have other rights under the GDPR. You have the right to be:

  • informed of the processing of your personal data;
  • obtain access and inspect your personal data;
  • ask for incorrect or inaccurate personal data to be corrected and supplemented;
  • demand erasure of your personal data;
  • withdraw consent and object to the processing of your personal data insofar as said processing is based on your consent;
  • object to the processing of your personal data on the basis of grounds relating to your personal situation insofar as the processing of this personal data is based on our legitimate interest;
  • receive your personal data in a machine-readable format and send it to another controller, provided that you have personally submitted said data to us, we process the data on the grounds of an agreement or your consent, and this processing is automated; and
  • request the restriction of the processing of your personal data.

Requests are to be sent in writing to the controller or can be presented when visiting in person. The controller will ask the person making the request to prove their identity if required. The controller will reply to the customer within the time limit set in the GDPR (generally within one month). An individual data subject can personally check the registered personal data by making an appointment with a payroll clerk.

Right to lodge a complaint to the supervisory authorities

Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.

Contact information of the supervisory authority:

Office of the Data Protection Ombudsman
Visiting address: Lintulahdenkuja 4, FI-00530 Helsinki
Postal address: P.O. Box 800, FI-00531 Helsinki
Switchboard phone number: +358 29 566 6700
Registry phone number: +358 29 566 6768
Email: tietosuoja (at)