Privacy policy in accordance with General Data Protection Regulation (”GDPR”, EU regulation 2016/679) – Employee register
Controller
Ardor Oy
Konsantie 31, 21260 Raisio FINLAND
Business ID: 2175980-9
Person responsible for the register
Henri Hyvärinen, CEO
henri.hyvarinen@ardor.fi
+358 40 523 7576
Name of the register
Employee register
Information content of the register
The personal data register of employees contains information about Controller’s own employees, agency workers, employees of Controller’s subcontractors and jobseekers. The following data can be processed: first and last names, Finnish personal identity number or date of birth, foreign personal identity number or date of birth, home address, telephone number and e-mail address, employment-related information, bank details, statistical information, possible trade union and debt enforcement documents, information and documentation on skills, permits and qualifications, tax number, passport (copy) documentation, work permit (copy) documentation and A1 certificate documentation.
Which data is processed, depends on the category of employee.
Purpose of the processing of personal data and the legal basis for the processing
The legal basis and purpose of the processing of the personal data is:
- the contractual relationship between the data subject and the Controller
- execution of the Controller’s legal obligations.
The employee register contains information on employees that is necessary for establishing and maintaining an employment relationship between the Controller and the job seeker and for fulfilling the Controller’s statutory obligations.
The personal data collected to the register is regularly obtained from the data subject himself or herself. In order to fulfill legal obligations, the personal data on agency workers and employees of subcontractors is also obtained from the staffing agency and from the subcontractor.
Recipients or groups of recipients of personal data
The personal data will not be disclosed to third parties, with the exception of the Controller’s co-operation partners who process the data on behalf of the Controller, on the basis of a co-operation agreement between the parties, such as salary calculations and accounting offices.The personal data is disclosed to the authorities to the extent permitted and bound by existing legislation.
The personal data is disclosed in connection with various systems in connection with the cloud services of various providers, in which case the system provider acts as a collector of personal data in accordance with EU General Data Protection Regulation. These systems include e.g. email system, cloud storage services, financial management system or software and employee time tracking system or software.
Transfer of personal data to a third country
Personal data will not be disclosed outside the EU or the EEA.
If, exceptionally, the personal data is disclosed outside the EU or the EEA, in such a case, the requirements of data protection legislation shall be complied with in the transfer of data and, for example, standard contractual clauses of the European Commission shall be used when agreeing on the transfer of data with those processing the personal data; or the Controller ensures that the transfer of data is based on specific criteria, such as the data subject’s consent.
Personal data retention period
Personal data shall be retained for as long as it is necessary to retain it in order to meet the purpose for which it has been collected in accordance with this privacy policy. Personal data that has remained passive is taken into account in the retention of personal data, and it is erased on a regular basis.Data concerning work time records, payroll records, annual leave records, employment certificates and injuries and health conditions of employee are kept at least in accordance with the relevant laws (eg. Working Hours Act, Employment Contracts Act and Accounting Act).
The rights of data subjects in the processing of personal data
- Right to inspect the data and right to the rectification: The data subject has the right to inspect what data concerning them has been recorded in the personal data register and to receive a copy of the data. The data subject must send the inspection request by email to the Person responsible for the register. The Controller rectifies, erases or complements personal data that is incorrect or unnecessary of its own accord or at the demand of the data subject.
- Right to restriction of processing: The data subject has the right to obtain from the Collector restriction of processing of data if the data subject, for example, contests the accuracy of the personal data; the processing is unlawful, but the data subject opposes the erasure of the personal data and requests the restriction of its use instead; or the Controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims.
- Right to erasure: The data subject has the right to have the Controller erase data concerning him or her for example if the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed; the data subject withdraws the consent on which the processing was based and there is no other legal basis for the processing; the personal data has been processed unlawfully; or the personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
- Right to data portability: The data subject has the right to receive the personal data that he or she has provided to a controller in a structured, commonly used and machine-readable format and, if desired, transmit that data to another controller. The right to data portability may not have an adverse effect on the rights and freedoms of others.
- Right to withdraw consent: The data subject has the right to withdraw his or her consent to the processing of personal data by notifying the Controller by e-mail.
- Right not to be subject to a decision based solely on automated processing: The data subject has the right to demand human involvement in decisions that concern him or her. Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
- Right to object: The data subject has the right to object to the processing of his or her personal data if the data is processed for the purposes of the compelling legitimate interests pursued by the controller or a third party.
- Right to lodge a complaint with the supervisory authority: The data subject shall have the right to lodge a complaint on the processing of personal data with the supervisory authority, which is in Finland Data Protection Ombudsman.
Changes to the data protection practice
The Controller has the right to make changes to this privacy policy and the related data.
The Controller recommends that the data subjects view this privacy policy on a regular basis in order to obtain information about any changes that may have been made to it.