PRIVACY POLICY
We take great care to keep your information safe. We don’t store any information about you personally unless you give us permission to have that information, or we’ve gathered it ourselves for direct marketing purposes from publicly available sources (for instance, your website). Read our Privacy Policies for business customers, suppliers and marketing (Privacy Policy 1) and job applicants (Privacy Policy 2) here.
You can ask us what information we store about you or ask us to delete any information we have about you at any time. We will need about a month to process such requests, which you can make by sending an email to tietosuoja@salomaa.fi (business customers, suppliers and marketing registers), johanna.rantahalvari@salomaa.fi (job applicants) or info@quru-analytics.com (more specific info about your website visitor data).
Privacy Policy 1: Quru’s Business Customers, suppliers and marketing
1. Controller and contact points in privacy questions and requests
Quru Oy, business ID: 2273368-6
Visiting address: Annankatu 28, FI-00100 Helsinki
Postal address: Annankatu 28, FI-00100 Helsinki
Phone: +358 9 695 7710
Contact point in all privacy questions and requests: tietosuoja@salomaa.fi
2. Legal basis for and purposes of processing personal data
The legal bases for processing personal data by the Controller are:
- Performance of a contract between the Controller and its business customer, supplier or business partner (Company) as well as fulfilment of requests of the data subject prior to entering into a contract, e.g. requests for information or quotation, newsletter subscriptions or purchase orders;
- Controller’s legitimate interest for management of customer, supplier, partner or other similar relationship between the Controller and the Company, e.g. delivery of products and services; creation, management and development of the relationship; development of products, services and businesses; communication with the Company, including customer and supplier feedback and satisfaction surveys;
- Controller’s legal obligations as well as its legitimate interest for detection, prevention and investigation of fraud, money laundering and other criminal offences and misuse;
- Controller’s and its business partners’ legitimate interest for targeting and sending direct marketing of products and services (including newsletters) by mail, phone calls, email, text messages or other electronic communication; and for carrying out opinion polls, surveys and marketing research, and arranging promotional sweepstakes, contests and other events;
- Controller’s and its business partners’ legitimate interest for targeting and performance of digital advertising in their own and other internet and mobile media, services and applications;
- Controller’s and its business partners’ legitimate interest for analyzing, profiling and segmenting the data subjects and their data in the context of and for the purposes explained above;
- Consent of the data subject when it is necessary for locating the data subject or collecting data about the use of Controller’s Internet or mobile services by the means of cookies, advertising ids or other similar tracking technology for the purposes defined in this policy. See more details about the use of cookies and website visitor data in section 3 below.
3. Data subjects and categories of personal data
The Controller processes personal data of the contact persons of its prospective, current, and former business customers, suppliers and business partners. The following categories of personal data are processed for the purposes described above:
- Basic information of the data subject, e.g. name, title, profession, and position; data about the employer, employment related contact data (postal address, e-mail address, phone number), year of birth, gender, native and service language, preferred way of communication;
- Marketing data, e.g. positions and activities in business and public service; professional preferences and interests; other information provided by the data subject; marketing efforts performed; participation in events; direct marketing and other permissions and consents (opt-in), restrictions and bans (opt-out);
- User data of digital services, e.g. registration data required for a digital account, such as username, nickname, password and any other identifier; information about the service use, such as data about the use of agreed services, browsing of Controller’s websites, ads seen or clicked by the user, e.g. the device model, individual device and/or cookie identifier, the channel through which the service is accessed (web browser, mobile browser, application), browser version, IP address, session identifier, session time and duration, screen resolution and operating system; location data. Read more about the user data of digital services below.
About the Website Visitor Data:
- We follow what you do on our website anonymously, so no personal information is ever sent to our analytics system, Google Analytics (GA), unless you give us permission to do so. Anonymous users will be asked every time they return to our website if we can follow what they do during their visit (discussed in points 2 & 3 below).
- By giving us permission to follow you using GA cookies, you are agreeing to allow us to monitor your web browser (e.g. Chrome or Internet Explorer) as it moves between our web pages and to log the information to our Analytics system as an individual user. This shows us what you looked at on our website, where you found us, how long you’ve been there and whether you signed up for anything, for instance. Once you leave our website we don’t share that information anywhere else, but we will be able to identify your browser if you come back.
- The reason for this is so we can learn more about loyal visitors and serve them with content they like to read. As a point of reference this is how I (as the writer of this post) was identified by Google Analytics (CID=1435667394.1483367191). No personally identifiable information is passed to GA, but I am recognised by the same identifier if and when I return to the website logging me as a return visitor and building a history of what I look at.
- If being identified in our analytics system as a number like 1435667394.1483367191 bothers you, then you should never click “Yes Got It” on the privacy overlay to our website. If you don’t click “Yes Got It” we will create an anonymous identifier for your browser.
- If, now that you’ve understood how we monitor what you do on our website and how we identify you, you’re OK with it, click “Yes, Got it”.
- If you’re still unsure you can ask for more information by sending us an email to info@quru-analytics.com.
- Data related to contacts and communication, e.g. feedback and contact requests, emails, digital forms, chat discussions, phone call recordings;
- Data about the use of social media, e.g. the Controller’s website may include Social Media Features, such as the Facebook Like button and Share button. The Controller can receive a comment or link that the user shares from the Controller’s website on Facebook. The Controller can also receive the user’s public profile data on Facebook, and any information that a Facebook user shares with the Controller’s services. Your interactions with these Features are governed by the privacy policy of the company providing them, for example Facebook: https://www.facebook.com/about/privacy/update?ref=old_policy and LinkedIn: https://www.linkedin.com/legal/preview/privacy-policy
- Profile and segment data, e.g. customer and marketing segments and profiles derived by statistical analysis of the above described data and other segmentation and classification data from regular sources.
Only basic data and marketing data as defined above are processed for the purposes of direct marketing to the contact persons of prospective or former customers.
4. Regular sources of personal data
Personal data are collected directly from the data subject when the data subject is registering or using a web site or other service; sending a request for contact or information or filling in a form; purchasing or ordering, contracting, participating in events, or otherwise interacting with the Controller personally, by phone or digitally. Personal data can also be collected and updated from the websites of companies, public and private company and business registers, public authorities, postal operators, public telephone directories (e.g. Suomen Asiakastieto Oy, Fonecta Oy, Posti Oy), direct marketing and other data brokers, and other similar public and private registers.
5. Disclosure and transfer of data
Controller may disclose personal data to other companies in the Salomaa Group and to Controller’s business partners when it is necessary for the purposes defined in this policy, e.g. to deliver or provide agreed products or services. Otherwise, personal data will not be disclosed to third parties except with the consent of the data subject.
Controller may outsource ICT, marketing, communication and other functions to third party suppliers, vendors, or other sub-contractors. In such case the Controller may transfer personal data to these sub-contractors to the extent necessary for the provision of their services. These sub-contractors will process personal data on behalf of the Controller and must comply with the Controller’s instructions and this privacy policy. Controller will ensure through contractual measures that the personal data is processed in compliance with the legislation.
Controller may also transfer personal data to be processed in a country outside the European Union and the European Economic Area. Unless the European Commission has decided that the level of data protection is adequate in such a country, the Controller will ensure adequate data protection with the processor by using standard contractual clauses approved by the European Commission (decision C (2010)593) or by other lawful means.
6. Data security and retention
Access to personal data will be permitted only to persons who need to process data as a part of their employment. All data is kept in locked premises secured with physical access control. Digital data is protected by firewalls, user rights management and other technical means.
Personal data will be retained as long as it is necessary for the purposes. After the relationship between the Controller and the Company has ended or after the Controller is informed that the data subject is no longer a contact person of the Company, the personal data will be deleted with the following exceptions:
- User data of digital services and data related to contacts and communication shall be retained for five years after the above defined events.
- Anonymized data can be retained permanently.
- Basic data and marketing data of the data subject can be retained permanently for direct marketing purposes.
- When retention is permitted by valid legislation.
(Note that data related to the Company is not personal data and can be retained by the Controller, e.g. correspondence, purchase orders, data about the use of the Controller’s products and services when such acts have been performed on behalf of the Company.)
7. Access, rectification and other rights of the data subject
Every data subject has a right to inspect his/her personal data stored in the register and the right to demand rectification or erasure of the data. The data subject may also at any time withdraw a previously given consent for processing his/her personal data. Withdrawing the consent does not affect the lawfulness of processing performed before the withdrawal of the consent.
The data subject has a right to object to the processing of his/her personal data or to demand restriction of processing of the data and to lodge a complaint with the supervisory authority about the processing.
If the data subject has provided personal data to the controller and the processing is based on his/her consent or on a contract, the data subject has a right to receive such data in a structured, commonly used and machine-readable format and a right to transmit those data to another controller in compliance with valid legislation.
When the processing is based on legitimate interest, the data subject has a right to object to such processing on grounds relating to the data subject’s particular situation. In the request, the data subject must specify his/her particular situation.
The controller may require the data subject to specify any request in writing and to prove his/her identity.
Privacy Policy 2: Applicant Register
1. Controller
Quru Oy (hereafter “We” or “the Company”)
Address: Annankatu 28, FI-00100 Helsinki
Phone: +358 9 695 7710
2. Contact for register
Johanna Rantahalvari: johanna.rantahalvari@salomaa.fi
3. Name of Register
APPLICANT REGISTER
4. What is the purpose and legal basis for the processing of the personal data?
The processing of personal data is based on:
- The data subject’s consent and/or
- Provisions set out in labour law that place obligations and special rights on the controller and data subject;
Processing personal data is required to enable and manage our recruitment process, support the allocation of human resources, manage the necessary recruitment data for the applicants (data subjects) to allow contacting the applicants and to provide support for decision making in the final stages of the recruitment process.
5. What data do We process?
Relating to the recruitment process, We process the following data of the applicants:
- Data subject’s basic information such as *name, date of birth, gender, native language;
- Data subject’s contact details such as *e-mail address, *phone number, address;
- Information related to the job in question such as job description, including information on the nature and type of employment, the person in charge of the recruitment process, desired salary and details regarding commencement of employment. Further details will be provided in the job listing;
- Information related to suitability for the job and other relevant details (background, etc.) that the data subject has offered during the application process, such as photographs, information on education, profession, work history (such as employers, commencement and duration of employment, nature of tasks), language skills, other special skills, a description of personal characteristics, certificates and appraisals, links to online portfolios, profiles and other sources and references;
- Information regarding the data subject’s progress in the recruitment process such as upcoming follow-up interviews or recruitment process termination;
- Other possible information wilfully offered by the data subject during the application process or information otherwise published specifically for professional purposes, such as their LinkedIn profile.
All personal data marked with an asterisk is required to carry out the recruitment process.
6. Where do We get the data from?
The primary source for the data stored in the register is the applicant in question. Other sources may be used in accordance with the law. If necessary, We may also request information from recruitment consultants.
By applying for a job, the applicant consents to the Company collecting data from their public professional profile in the scope that is necessary to determine suitability for the job in question.
7. Who do We provide or transfer the data to? Is the data transferred outside the EU or the EEA?
Any information regarding the applicants that is stored in the register can be shared, with the applicant’s consent, with companies within the corporate group in order to connect applicants with employers.
We will only share personal data according to current legislation with parties who have a legal and/or contractual right to receive data from the register. We may also share data for other purposes in accordance with Finnish legislation.
We utilise subcontractors working on our behalf to process the personal data. Salomaa Yhtiöt Oy is the data processor for personal data within the Company’s system and HR support services. Additionally, We use subcontractors to process personal data for the following services:
- Human resources and recruitment services
- Legal services
- IT services
The data subjects’ privacy is ensured through data processing agreements with the subcontractors. We cannot name all our subcontractors, in part due to projects in development, so only the types of subcontractors used are disclosed. We will only share data from the register with the aforementioned third parties unless explicit consent is sought and received from the data subject. The data will not be transferred outside the EU or EEA.
8. How do We safeguard the data and for how long do We store it?
Databases containing personal data are available only to employees who have the right to process applicant data for the purposes of their work. The register is protected with the necessary technical and organisational precautions. The data is stored in databases that are protected with usernames, passwords, firewalls and other technical procedures. The register is stored on protected administrator servers. All connections to the servers are SSL protected. All persons processing the data are bound by professional secrecy. The databases and their backups are kept in locked spaces and only previously specified persons have access to the data.
We will store the personal data for as long as is necessary for our purposes. As a rule, the data can be used for six (6) months for recruitment purposes. All data will be expunged within two (2) years. Should an applicant become our employee, We will store information provided during the application process as part of their employee profile in accordance with the notice regarding employee data.
9. What are your rights as a data subject?
As a data subject, you have the right to inspect any information in the register pertaining to you and to demand the correction or deletion of incorrect information. Any such requests should be addressed in writing or in person to the contact person listed in section 2.
From 25 May 2018, all data subjects have a right based on the GDPR to protest the processing of their data or to request restricted processing, as well as the right to lodge a complaint with the authorities regarding the handling of their personal data.