Employees privacy policy

Privacy Policy on the Processing of Personal Data of our Employees

The purpose of this notice is to inform our employees or interns about how we process their personal data during their employment. We take seriously our compliance with the EU General Data Protection Regulation as well as other applicable personal data processing legislation when processing personal data. We also ensure that processing is secure and that our data protection practices allow for the full exercise of data subjects’ rights.

Controller

Tikka Spikes Oy (2018171-8)

Kirkkokatu 11, 41160 Tikkakoski

(hereinafter “we”)

Contact

Finance Director Anne Mustamäki

+358 50 5894 228

anne.mustamaki@tikkaspikes.fi

Any communication or request concerning this document should be made in writing or in person to the contact person indicated in this section.

Personal data processed, purpose of processing and legal basis

Personal data

Purpose of processing

Legal basis

Basic information such as name, date of birth, social security number or other unique identifier, language of service, tax and bank account details

Contact information such as email address, phone number, home address

Organising work and managing employment relations and our employer and other related obligations

Enforcement of an employment or training contract

Legal obligation (labour legislation)

Information on the employment relationship, such as job and/or job title, department, work and training history, language skills, specific qualifications and/or training, participation in training, job measurement information, duration of employment, absence information, information on verbal and written warnings, reason for termination of employment and related information.

Organising work and managing employment relations and our employer and other related obligations

Enforcement of an employment or internship contract

Legal obligation (labour law)

Planning and developing our business with people in mind

Our legitimate interest based on promoting the conduct of our business, using our information systems, training our employees and taking advantage of the employment benefits we offer

Development discussions and appraisals and related information, such as development needs and interests and information on salary discussions or employment benefits

Organising work and managing employment relations and our related employer and other obligations

Enforcement of an employment or internship contract

Planning and developing our business with people in mind

Our legitimate interest based on promoting the conduct of our business, using our information systems, training our employees and taking advantage of the employment benefits we offer

Information on monitoring working time, working time and annual leave records

Organising work and managing employment relations and related employer and other obligations

Legal obligation (e.g. labour laws)

Information on your health status, such as certificates of admission to work and health examinations, drug tests and medical certificates.

Managing our employment and related employer and other obligations

Payment of sick pay or equivalent health-related benefits, determination of whether there is a valid reason for absence from work and, at the worker’s request, determination of fitness for work on the basis of health records

Consent

Statutory obligation (labour law)

Information about your salary and employment benefits, including credit cards and devices such as your computer and mobile phone.

Payment of salaries

Provision of employment benefits

Enforcement of an employment or internship contract

Statutory obligation (labour law)

Information on trade union membership for persons whose membership fees are deducted from their salary.

Managing employment matters and related employer and other obligations, such as payment of wages and salaries

Consent

Information related to well-being at work, safety and health at work, such as information on participation in well-being at work activities, information from job satisfaction surveys and information on capacity-to-work meetings (such as the memorandum of the capacity-to-work meeting) and information on accidents.

Managing employment relations and related employer and other obligations

Legal obligation (e.g. labour laws)

Planning and developing our business with people in mind

Our legitimate interest based on the promotion of our business, the use of information systems

Any other information, such as information related to resourcing, other information provided by you

Organising work and managing employment relations and related employer and other obligations

Consent

Software and software platforms that enable communication or collaboration between two or more parties over the Internet, such as e-mail software and servers, instant messaging and Internet telephony, electronic collaboration and team tools, etc.

Enabling employees to use electronic communication services and troubleshooting

Our legitimate interest based on the promotion of our business, the use of information systems, the resolution of errors in information systems and data protection breaches.

Information related to user management and access control, such as IP address, log information, other identifying information.

Supervising, guiding, troubleshooting, preventing, investigating and analysing the use of data processing and compliance with security guidelines.

Our legitimate interest in preventing and resolving errors and data breaches in our information systems

Data sources

As a rule, we obtain the information directly from the employee. Other sources of information are used within the limits set by law. This may include, for example, information from supervisors and information generated by the use of systems.

In addition, personal data may also be collected and updated for the purposes described in this Privacy Policy from publicly available sources and on the basis of information obtained from public authorities or other third parties, within the limits of applicable law.

Transfers, disclosures and recipients of personal data

We disclose personal data as permitted and required by applicable law to entities that have a legal, collective agreement and/or contractual right to receive information from the register, such as the tax authority, the National Social Insurance Institution (KELA), pension and accident insurance companies, employment and enforcement authorities and occupational health care providers, financial and legal service providers, telecom operators and employment benefit providers.

We hand over medical certificates from outside the occupational health service to the occupational health service. The employee has the right to refuse to provide the medical certificate to the occupational health service by informing our contact person.

We use subcontractors working for us to process personal data. We use external IT systems (including payroll, accounting, Microsoft Office 365) and personal data is stored on servers managed and protected by these system providers.

In the event of acquisitions and/or in order to obtain financing, your personal data as described above may be disclosed or, to the extent necessary in each specific case, processed by the companies with which we have entered into a contract to establish the value of our company and to prepare and implement other measures relevant to the situation. In these situations, we will respect confidentiality obligations as appropriate.

The data will not be processed or transferred outside the European Union or the European Economic Area, unless this is necessary for the technical implementation of the data processing. Where personal data is processed outside the EU/EEA, we will ensure that the subcontractor is bound by the EU Commission’s Model Clauses for the processing of personal data or other approved safeguards.

General description of technical and organisational safeguards

Access to the system containing personal data is only available to our employees who are entitled to process employee data as part of their job. Each user has his/her own user name and password for the system. We have signed agreements with system providers and other partners who process personal data, in which our partners have committed to comply with the data protection and security requirements of the GDPR.

Databases containing personal data are protected by passwords and access levels. The data is located in an environment protected by appropriate security software and technical arrangements. Manually processed documents containing personal data are kept in locked storage facilities. The security of our user management and logging systems is technically and administratively organised in accordance with industry practices and procedures.

Retention period of personal data

We will only keep your personal data for as long as necessary for the purpose for which it is processed, taking into account the retention periods required by law, such as employment contracts, accounting and withholding tax laws. Typical retention periods for employee data are described by type of data below. Personal data may be kept for longer than the retention periods mentioned below if there is a specific reason to do so, such as in the case of suspected criminal offences and their investigation by the authorities.

We regularly assess the necessity of data retention in the light of applicable law. In addition, we will take reasonable steps to ensure that no personal data incompatible with the purposes of the processing, or which are out of date or inaccurate, are kept in the register. We will correct or destroy such data without undue delay.

Data group: Retention period

Salary data: 10 years after the end of the financial year

Vouchers and correspondence relating to business transactions (when they contain, for example, the name or contact details of an employee): 6 years after the end of the financial year

Certificate of employment: 10 years after termination of employment

Time sheets: As a rule 6 years

Other information and documents not required for record-keeping purposes or as a basis for issuing a certificate of employment (e.g. work performance management and well-being at work information): Up to 2 years after termination of employment

Worker’s rights

Right: In which situations

Check the information stored about yourself: Always

Request the correction of incorrect or outdated information: Always

Request the deletion of data: Where the employee has withdrawn consent or one of the other conditions set out in Article 17 of the GDPR is met.

Withdraw consent: Where processing is based on consent

Object to the processing of data: Where the processing is based on legitimate interests and involves a particular personal situation or where the data are processed for direct marketing purposes.

Request restriction of processing (e.g. until requests for data are resolved and settled): If the accuracy of the data is contested or one of the other conditions set out in Article 18 of the GDPR is met.

File a complaint about the processing of your personal data with the Data Protection Ombudsman: Always

The above requests, denials and cancellations may be made by submitting them in writing, signed by the employee, to the contact person mentioned above.

We may need to ask you for certain information to verify your identity and your right to exercise your rights. This is a security measure to ensure that personal information is not disclosed to anyone who is not authorised to receive it. We may also contact you to request further information about your request to speed up our response.

We will respond to requests and enquiries from employees about the exercise of data subjects’ rights within one month.

INFORMATION ON THE DRAFTING AND UPDATING OF THE PRIVACY POLICY

DATE: BRIEF DESCRIPTION

22.10.2024: Policy prepared
