Employee Data Protection Notice
Valid since 21.2.2023. Older version could be found here.
1 Introduction
At Barona, the protection of your privacy is important. As our employee, you can trust that we process your personal data in a careful and transparent manner, respecting your right to privacy. In processing your personal data, we abide by the General Data Protection Regulation and other data protection legislation, and we always follow the best privacy practices.
2 Purposes of data processing and processed data types
We collect and process personal data only for the following, specifically determined purposes. Below you can see a list of the types of personal data we process for each purpose. Part of the processed personal data may be categorized as special categories of personal data.
Processing related to organizing, managing, changing and terminating an employment relationship
- Name and contact information
- Social security number
- Employee ID
- Information related to employment contract and other possible obligations
- Information related to skills and competence, such as language proficiency and education
- Information related to work assignments, such as title and job description
- Information related to performance, such as statistics and other documentation
- System access rights, user accounts and potential log information
- Information required for access control
- Information relating to working hours and shifts
- Sick absences
- Information related to the support and monitoring of working ability
- Picture
Payment of salary and other remuneration
- Bank account information
- Information related to remuneration, such as monetary salary, benefits or other ways of compensation, information related to taxation and employer fees
- Taxation number and Valtti card number
- Travel expenses
- Information from the access control system related to monitoring of work hours and absences
- Sick absences, annual leaves and other leaves or agreed absences
- Trade union membership and retention of the membership fee from salary
Product and service development
- Analytical data and statistics may be used for service development or for automatizing certain processes
3 Legal basis
Data protection legislation requires that processing of personal data is based the legal bases included in the GDPR. We process your personal data based on the following legal basis:
Contract
Managing and fulfilling contractual obligations is one of the most important legal bases we rely on. For example, processing of information related to your education and training, work hours, bank account, and other matters related to management of your employment is done based on the employment contract in force between you and Barona.
Legitimate interest
Legitimate interest is used as a legal basis when systems’ log information is processed. When relying upon legitimate interest, we evaluate and consider the significance of the interest according to data protection legislation, ensuring that it does not cause an unreasonable risk or impediment to you.
Consent
In certain situations, we process your personal data only if you have given explicit consent beforehand. For example, information on trade union membership is processed only if you consent to retaining the membership fee directly from your salary.
Legal obligation
We process some personal data based on a legal obligation. For example, processing tax information is based on a legal obligation.
4 Sources of personal data
Personal data is mainly collected directly from you before and during employment. In special situations determined by legislation, we may also collect personal data from external sources, such as official registers. For example, if your work assignments require conducting a security or credit report, information is collected from official registers based on your consent. If personal data is collected from official registers, you are informed of this action beforehand. We may also receive personal data from other group companies as described in the section, “Transfers of personal data”.
5 Transfers and disclosures
We process personal data confidentially, and we never sell, rent, or otherwise needlessly disclose your personal data to external parties.
5.1 Transfers of personal data
When the data controller (herein Barona) gives personal data to a third party for them to use for their own purposes, this situation is considered a data transfer. Barona transfers data to the following entities:
- In relation to an assignment, personal data is transferred to the customer company but only to the extent necessary for the assignment;
- Companies that belong to the Barona or the Bravedo group. If you e.g., wish to apply for another position within the group, your personal data may be transferred to the new group company.
- Other parties managing matters related to the employment relationship, such as pension insurance companies, accident insurance companies, trade unions and parties offering occupational health care;
- Competent authorities, such as the tax authority, debt recovery authority, or the Social Insurance Institution to the extent that legislation requires or based on your explicit consent.
5.2 Disclosures of personal data
If a data controller reveals personal data to a third party without the third party processing the personal data according to their own purposes, the situation is considered a personal data disclosure. For example, if a certain business process, such as suitability evaluation, is outsourced, the personal data related to the business operation may be disclosed to the third party.
The collected personal data is partly processed and stored outside the EU/EEA, for example when service providers are located outside the EU. The service providers used have contractually committed to ensuring adequate level of data protection in all processing activities
6 Technical and organizational measures
As your employer, we protect your personal data with appropriate technical and organizational safeguards against loss, unauthorized access, and other misuse. Examples of such measures include the use of firewalls, encryption techniques, backup copies and safe data rooms.
Access to your personal data is controlled by internal measures, such as electronic and physical access control, limited access credentials and monitoring policies. Your personal data is processed only by employees who are authorized to do so based on their role.
7 Automated decision-making
Automated decision-making refers to decision made fully automatically, for example based on an algorithm without human intervention. The processing of your personal data at Barona does not include automated decision-making.
8 Retention times
We store your personal data only as long as necessary for the purposes of the data processing, unless a law requires a longer retention time. Personal data regarding your employment is stored for the period required by law.
After the retention time has ended, your personal data is either written over in the backup copies and system background or made unidentifiable by irrevocably changing the personal data into a form that does not enable identifying an individual person.
Below you can see typical retention times for personal data. The retention time is counted from, for example, the creation of the data.
- Employment contracts and documents relevant for managing it: period of employment + 10 years
- Employee profile: period of employment
- Income-tax cards: until the financial statement of the year in question is finished
- Sick-leave reports: 2 years
- Debt recovery proceeding orders: 10 years
- Social Insurance Institution’s (KELA) applications and decisions: 6 years
- Accident notices, applications and decisions: 20 years
- Contracts regarding parental leave, nursing leave and partial nursing leave: 10 years
- Study leave contracts: 10 years
- Other contracts regarding employment: 10 years
- Co-operation negotiations minutes and contracts: permanent
- Employment certificates: 10 years
- Salary documents: 10 years
- Documents regarding annual leave, leave pay and compensation: 10 years
- Travel and expense invoices: 10 years
- Salary cards: 50 years
- Tax authority’s annual notice: 6 years
- Employment list regarding employment pension: 6 years
- TVR salary notice: 6 years
- Salary notices for accident insurance: 6 years
- Data subject access requests: 2 years
9 Data subject rights
9.1 Right to be informed
You have the right to be informed about the processing of your personal data in a concise, transparent, intelligible, and accessible from, presented in clear and plain language. The purpose of this privacy notice is to address the right to be informed and help you understand how we process your personal data. If after reading this notice you have further questions, you can contact us as advised in the “Contact information” section.
9.2 Right to access
You have the right to get confirmation of what personal data we process concerning you. Thereby, you can evaluate and confirm that the data is processed lawfully. Additionally, you have the right to ask and receive a copy of the personal data we process. Instructions for requesting a copy of your data can be found in the next section, “Exercising data subject rights”.
9.3 Right to data portability
In certain situations, you have the right to receive the personal data that you have provided to us in a structured, commonly used and machine-readable format and, if desired, transmit that data to another controller. This right exists when we process your personal data based on consent or contract and the data processing is digital in nature.
9.4 Right to rectification
Our goal is to maintain personal data in a current and accurate form and to delete false, insufficient or inaccurate personal data without delay. You have the right to demand the rectification of inaccurate personal data concerning you and completion of insufficient personal data.
9.5 Right to restrict processing
The restriction of processing means that, in addition to storage, the personal data subject to the restriction can only be processed
- with your consent,
- for the establishment, exercise or defense of legal claims,
- for the protection of the rights of another natural or legal person, or
- for reasons of important public interest of the Union or a Member State.
The right exists in the following situations:
- The data subject contests the accuracy of the personal data. In such cases, the processing will be restricted for a period enabling the controller to verify the accuracy of the personal data.
- The processing is unlawful, but the data subject opposes the erasure of the personal data and requests the restriction of its use instead.
- The controller no longer needs the personal data for the purposes of the processing, but it is required by the data controller for the establishment, exercise or defence of legal claims.
- The data subject has objected to the processing of the personal data for purposes other than direct marketing and is awaiting verification on whether the legitimate grounds of the controller override those of the data subject.
9.6 Right to object to data processing
In certain situations, you have the right to object to data processing by requesting that your data will not be processed at all. If the data is processed for the performance of a task carried out for reasons of public interest, in the exercise of official authority or for the purposes of the compelling legitimate interests pursued by us or a third party, you have the right to object to the processing on grounds relating to your particular situation.
In such cases, the processing must be stopped unless
- the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or
- the processing is necessary for the establishment, exercise or defense of legal claims
If the personal data is processed for direct marketing, you have the right to object to the processing without any specific grounds, after which the data may no longer be processed for purposes of direct marketing.
9.7 Right to erasure and to be forgotten
In certain situations, you have the right to be forgotten, or to have your personal data erased entirely. This right exists when, for example, the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed, the processing was based on consent and you withdraw the consent, or the personal data has been processed unlawfully.
9.8 Right to withdraw consent
When your personal data is processed based on consent, you have the right to withdraw your consent at any time. If you withdraw your consent, processing of personal data will not be continued unless another legal basis, such as legal obligation, requires continuing the processing of data.
9.9 Right to file a complaint to a supervisory authority
In addition to the rights mentioned previously, you have a right to file a complaint to a supervisory authority if you believe that our privacy practices do not follow the General Data Protection Regulation. A complaint can be filed, for example, if the rights described in this notice are not implemented appropriately. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman.
10 Exercising data subject rights
If you have questions regarding the aforementioned rights or you wish to examine your personal data or otherwise exercise your rights, please be in contact with us. The contact information of our data protection officer can be found at the end of this notice.
Exercising your rights is generally free of charge. In certain situations defined by law, for example, if you request multiple copies of your personal data, we may request a fee equivalent to the cost of implementing your request beforehand.
We respond to all requests without undue delay, at the latest one month after the request has been received. We will inform you about the measures we have taken in order to complete your request. If for some reason we have to decline your request, we will inform you about the refusal and reasoning for it in one month after the request has been received.
If there are multiple requests, or they are complex, we may require additional time of up to 2 months for implementing the request. In this case, we will inform you about the need for additional time and reasoning for the delay in one month after receiving the request.
If you want to file a complaint to the supervisory authority, more information can be found on the website of the Office of the ata Protection Ombudsman: https://tietosuoja.fi/en/notification-to-the-data-protection-ombudsman
11 Data controller and contact information
Data controller is the entity, who decides how and why personal data is processed. Barona decides, the purposes and measures for processing its employees’, including your, personal data. Thereby, Barona is the data controller for the personal data processing.
Barona has appointed a data protection officer, who is an internal data protection expert. The data protection officer supervises the processing of personal data, advises employee’s regarding data protection matters and acts as a contact person for requests and questions regarding data subject rights.
Contact information of the data controller:
Barona Oy
Company ID: 2808477-9
Töölönlahdenkatu 3 B,
00100 Helsinki, Finland
Contact information of the data protection officer:
privacy@barona.fi
020 198 3460
Updates to the data protection statement
We continuously improve our privacy practices, which is why this privacy notice will also be updated occasionally. Updates may be due to changes in legislation. We recommend, that you re-visit this page to be informed about any possible changes. If needed, we may also inform you directly about any changes in our privacy practices.