Employee privacy policy
This privacy policy is valid since April 22, 2025. (Older versions of the privacy policy can be found here)
Introduction
At Barona, it is important to us that you can trust us to handle your personal data in a careful and transparent manner and with respect for your privacy. When processing your personal data, we strictly comply with the General Data Protection Regulation (GDPR) and other data protection legislation, and we always strive to act in accordance with good data protection practices. This data protection notice describes how we collect, process and protect the personal data of our personnel.
This data protection notice is updated regularly. The current version is always available at https://policies.barona.fi/employee-privacy-policy/.
Data controller’s contact information
Barona Oy
Business ID 2808477-9
Workery East, 8th floor, Pasilan Asema-aukio 1,
FI-00520 Helsinki
Contact information of the data protection officer
Lauri Huhtanen
privacy@barona.fi
+358 20 198 3460
Processing of personal data
| Purpose of processing | Legal basis | Types of personal dat | Retention periods |
| Organisation and management of the employment relationship | Contract | * Name and contact information * Personal identity code * Employee number * Duration and type of employment * Title, position and job description * Photo * Data related to competence, qualifications and skills * Data on work performance * Employment-related documents, such as an agreement on parental leave * Data related to working hours and shifts * Nationality * Data related to the right to work, such as residence permit and copy of passport | Usually 10 years after the end of the employment relationship, another retention period based on legislation may apply to some documents |
| Payment of wages, salary and other remuneration | Contract, legal obligation, consent (applies to processing data about trade union membership) | * Name * Employee number * Duration and type of employment * Bank account details * Pay * Data on other remuneration and allowances, such as employment benefits * Tax information, such as tax number * Data on travel allowances, such as travel expense reports * Data on working hours and absences, including absences due to sickness and annual leave * Data on trade union membership (if the membership fee is deducted directly from the pay) * Data on the garnished amount for enforcement | Payroll documents, such as pay slips, are retained for 10 years after the end of the financial period Salary records are retained for 50 years after the end of the financial period Sick leave certificates will be retained for two years |
| Organising occupational health care and monitoring and supporting work ability | Legal obligation | * The types of data processed are described in the supplementary data protection notice of the Work Ability Management Services. | The retention periods are described in the supplementary data protection notice of the Work Ability Management Services. |
| Management of devices, systems and access rights | Legitimate interest | System access rights and user IDs Log data collected about the use of systems Data on the devices given to the employee | Data related to the use of systems, access rights and user IDs as well as devices is retained for the duration of the employment relationship, log data is retained for 12 months |
| Access control and video surveillance for safety and security | Legitimate interest | * Data related to access control, such as data collected on the use of electronic keys * Video surveillance recordings (described in more detail in the separate Data Protection Notice for Video Surveillance) | Video surveillance recordings and data related to access control are retained for a maximum of 12 months |
| Product and service development | Legitimate interest | * Analytics on the use of services or products * Statistics on personnel | Product and service development data is retained for 24 months |
| Communications related to the employment relationship | Legitimate interest | * Name * Phone number * Date of birth * Employee ID * Type and duration of employment | The data will be retained for one month after the end of the employment relationship |
Sources of personal data
Personal data is usually collected directly from you before and during the employment relationship. Personal data may also be collected from external sources in, for example, the following situations:
- Tax-related data is obtained directly from the Tax Administration
- If the employment relationship requires, for example, checking your extract from the criminal records, credit report or qualifications, the data will be obtained from registers maintained by the authorities
- Personal data may be obtained from other companies in the same group if you change workplaces within the group, for example
You may be asked to consent to the collection of personal data from external sources. However, consent will not be sought if the collection of personal data is based on, for example, the employer’s legal obligation.
Disclosure of personal data
Disclosure refers to an event in which the data controller (here Barona) provides personal data to a third party that uses it for its own purposes. Personal data may be disclosed to the following parties:
- Barona’s client company in connection with a recruitment process or an assignment. Such disclosure of data will take place to the extent necessary to enable the arrangement.
- Other companies in the Bravedo and Barona Group. For example, if you change workplaces within the Group, the data stored about your employment relationship may be transferred to your new workplace.
- Parties handling matters related to the employment relationship, such as pension insurance companies, accident insurance companies, trade unions or occupational health care providers.
- The authorities, such as the Tax Administration, the National Enforcement Authority Finland or Kela, in the case of a legal obligation.
Processors of personal data
We use external service providers, such as system providers, to process personal data. The service providers process personal data as data processors on behalf of Barona. We use contractual and technical measures to ensure that the service providers we use process your data in accordance with legislation and good data protection practices.
We use third-party processors to process personal data for the following purposes:
- Management of employees’ personal data
- Payment of wages, salary and other remuneration
- Arranging occupational health care and supporting work ability
- Management of devices, systems and access rights
- Access control and video surveillance
- Analysis of the use of services or products
- Communications
- Electronic signatures for documents
Data transfers outside the EU/EEA
In some cases, the service providers we use may process personal data outside the EU/EEA, e.g. in the United States. Personal data will only be transferred outside the EU/EEA area when the requirements of the data protection legislation are fulfilled. The service providers we use are contractually obligated to ensure that an adequate level of data protection is guaranteed in all processing of personal data.
Safeguarding your personal data
We use appropriate technical and organisational safeguards to protect personal data against loss, unauthorised access and other misuse. Examples of such measures include the use of firewalls, encryption technologies, backups and secure computer rooms. Access to your personal data is internally restricted through electronic and physical access control, as well as through policies for granting and controlling access to different systems. Access to personal data is restricted to those employees who have the right to access it within the scope of their duties.
Rights of data subjects
The data subjects have many rights that they can exercise to influence the processing of their personal data. The rights below can be exercised by sending a request on the matter by email to privacy@barona.fi.
| Right to obtain information | The data subject has the right to obtain information on the processing of their personal data we perform in a transparent and easy-to-understand way. This data protection notice describes the basics of the processing of personal data. If you have any questions regarding data protection, please ask for additional information by using the contact information provided at the beginning of this notice. |
| Right of access | The data subject has the right to obtain information on what personal data regarding them we are processing and receive a copy of the data in question. As requested, the data controller will deliver a copy of the personal data being processed or information that the data subject’s personal data is not being processed. |
| Right to rectification | Data subjects have the right to request rectification or correction of their data, in which case we will complete inaccurate or incorrect data. |
| Right to erasure (“right to be forgotten”) | The data subject has the right to have all their personal data erased, i.e. the right to be forgotten. This right may be limited, for example, by a legal obligation to retain the personal data in question. |
| Right to restrict processing | The data subject has the right to request the restriction of personal data processing. The limitation of processing means that the data will be retained, but they will be processed in other ways only based on permission, for legal request, for protecting the rights of another person, or for an important reason related the common interests of the EU or a Member State. The restriction of processing is applicable in case, for example, the legality of processing has been disputed. Then, the processing of data is limited until its legality has been ensured. |
| Right to data portability | Data subjects have the right to request the transfer of personal data from one system to another. This right is applicable when the personal data has been collected directly from the data subject and the processing is based on a contract or consent. |
| Right to object | The data subject has the right to object to the processing of personal data on the basis of a personal reason if the grounds for processing is legitimate interest, public interest or exercise of official authority. The processing of the data is stopped unless the processing is necessary for some other justified reason. |
| Rights related to automated decision-making | The data subject has the right to not be subject to decision-making based solely on automated processing and which results in legal effects or other significant effects. The data subject has the right to request that a human reviews decisions that are based on automated decision-making. We do not make decisions based solely on automated processing of personal data that would have legal or other significant effects. |
| Right to withdraw consent | If the processing of personal data is based on your consent, you have the right to withdraw the consent at any time. However, this does not affect the lawfulness of any processing based on consent that took place before the withdrawal of consent. The processing of personal data may continue after the withdrawal of consent if another legal basis for the processing is applicable. |
| Right to lodge a complaint with the supervisory authorit | The data subject has the right to lodge a complaint on the processing of personal data with a competent supervisory authority. In Finland, the data protection authority is the Office of the Data Protection Ombudsman. |