Description of Processing Activities
- Last update: 11.04.2023
Controller
Customer
Processor
Talenom
Why we process personal data
- Personal data is processed and stored to provide the services provided by the Processor in a contractual relationship between the Processor and the Controller.
- Personal data is also processed and stored to fulfill requirements of applicable law or regulations, or to meet a request by a judicial or administrative authority
- To produce and develop the services ordered by the Customer from the Processor
- The customer’s employees for the implementation of payroll and HR management
- Customer’s private customers to track receivables
- Shareholders of a limited company for the administration of a limited company
- Members of the association for the administration and invoicing of the association
- Shareholders of a housing company for the administration and invoicing of a housing cooperative
- Due diligence information (KYC) required by anti-money laundering legislation
- Beneficial ownership information
Talenom has a legitimate interest in processing personal data for the purpose of directing the marketing and sales of Talenom’s services, as well as for improving the quality of Talenom’s products and services.
What personal data do we process?
Categories of data subjects and categories of personal data:
- Customer’s payroll and reward recipients for the implementation of payroll and HR management (PAY)
- For monitoring and collecting the receivables of the customer’s private customers (ACC, COL)
- Shareholders of a limited company for the administration of a limited company (LIM)
- Association members for the administration and invoicing of associations (ASS)
- Shareholders of a housing cooperative for the administration and invoicing of a housing cooperative (HOU)
- Benefits paid under the Motor Liability Insurance, Patient Insurance, Accident Insurance, Pharmaceutical Injury Insurance and Environmental Damage Insurance Act (INS)
The personal data processed include:
- name (PAY, ACC, COL, LIM, ASS, HOU, INS)
- address, telephone number, e-mail address (PAY, ACC, COL, LIM, ASS, HOU, INS)
- e-invoicing address, Online service usage information, user ID (PAY, ACC, COL, LIM, ASS, HOU, INS)
- personal ID, language (PAY, COL, LIM, HOU, INS)
- account information (PAY, ACC, LIM, ASS, HOU, INS)
- enforcement information (PAY, ACC, LIM, ASS, HOU, INS)
- dividends, shareholder loans (ACC, LIM)
- tax amount, tax card, employment contract (PAY, LIM)
- absences, holidays, medical certificates (PAY, LIM)
- health information (PAY, COL, INS)
- gender (PAY)
- employment information (PAY)
- salary data and bases, benefits (PAY)
- trade union membership fee information (PAY)
- working hours reports, unit price (PAY)
Regular sources of information
In addition to its own data, the Customer adds personal data of its personnel and customers to the Processor’s information services. Personal data may be added based on electronic and/or physical material provided by the customer.
In addition to this, personal data is collected from the tax authorities, the Social Insurance Institution of Finland, insurance companies, trade unions, credit services, the Digital and Population Data Services Agency, enforcement authorities and other parties whose data must be processed in the service provided by the Processor.
Users’ device information is collected automatically in order to develop the services and products offered by the Processor and to develop customer service, using, for example, internet browser cookies from Processor’s digital products and online services.
Disclosure of Personal Data Policies
Personal data is disclosed to the Customer’s Auditor without a separate authorization for the implementation of the agreement between the Customer and the Auditor. In the case of the Client’s other partners, such as lawyers and consultants, the Client will be asked for a separate written authorization to disclose the data. When handing over written material, a data disclosure certificate is drawn up, which indicates the basic information of the material disclosed, to whom the data has been disclosed and when. This certificate of release is stored in customer folders for any subsequent obligation to provide evidence. In connection with the disclosure of digital material, personal user credentials are created for the customer company’s partner in the Processor’s information system, with which the Customer’s partner receives the disclosed information. The Customer’s request to create user credentials to the information system and give access to the Customer’s data also includes the Customer’s consent to the disclosure of the Customer’s data to the respective partner.
Data is disclosed to tax authorities, financial institutions, electronic money communities, pension insurance companies, insurance companies, trade unions, the Social Insurance Institution of Finland or earnings-related pension funds without the Customer’s authorization or consent when the disclosure of data is separately regulated by law. The processing of digital data is monitored with the help of event data from information systems, i.e. the storage of log data, and their automatic or manual monitoring. In addition, if necessary, the log data can be used as evidence of what events have taken place.
Talenom may disclose personal data to any entity within the Talenom Group. Talenom does not sell or rent personal data to other parties.
Categories of recipients of personal data – including those in third countries and international organisations
The Processor may disclose the Customer’s personal data within the limits of applicable legislation and in accordance with the terms of the agreement between the Processor and the Customer. Register data may be disclosed, for example, to tax authorities, pension insurance companies, insurance companies, trade unions, the Social Insurance Institution of Finland, earnings-related pension funds, financial institutions, electronic money communities, Confederation of Finnish Industries or Statistics Finland.
The processor has a legal obligation to disclose personal data to the authorities based on legal requests for information received from them in writing.
Mainly personal data will not be transferred outside the European Union (“EU”) or the European Economic Area (“EEA”). Data transfers outside the EU or EEA are made in accordance with the standard contractual clauses of the EU’s General Data Protection Regulation concerning data transfers.
Technical and organisational security measures
Technical protection of data in registers
The data contained in the register that is processed electronically is technically protected, for example with firewalls, password policy and by offering Talenom’s customers two-factor authentication to customer information systems.
The data transfer between the customer and Talenom’s services is encrypted with TLS (Transport Layer Security) technology. Data is backed up regularly and backups are stored in a different location than where the primary data is located.
Talenom conducts internal and third-party assessments and audits that cover both the technical security of critical information systems and the processes and guidelines for administrative information security and data protection.
Administrative protection of registers
The processor protects the Customer’s data from unauthorized access and dissemination. Only the employees of the Processor and subcontractors acting on behalf of the Processor have access to the data contained in the register based on separately granted access rights. Access rights are monitored, and the creation of unsafe user access combinations are prohibited by the user access management policy and their creation is controlled as part of the access management process. The access rights of the administrators are regularly checked and are deleted when the user no longer needs them. The access rights of employees who have left the processor are removed from all systems upon termination of employee’s employment.
The customer’s data is only processed by a Talenom employee whose work duties require it. It is forbidden for processor’s employees to process personal data on other grounds, even if the employee would have a technical access to customer data based on his or her role and business reasons. All of Processor’s personnel and subcontractors acting on its behalf have a duty of confidentiality in relation to all the Customer’s financial management information and personal data. The obligation of confidentiality is recorded in the employment contracts of Talenom’s personnel and in agreements with third parties, including sanctions for violation of confidentiality.
Employees who process customer data are trained through regular trainings, where the legality criteria for doing the work are an integral part of the training. The information security and data protection awareness of the processor’s staff is regularly maintained in various ways, for example, by organizing regular information sessions on information security and data protection for the entire personnel of the company and by arranging mandatory information security and data protection training for employees every year, in order to pass the subject matter test. The Processor has drawn up an information security policy that each new employee of the Processor becomes familiar with when starting their work. The existence and location of the information security policy are communicated in regular information security trainings and employees are reminded of the binding nature of the information security policy. The information security policy describes the general rules on information security and data protection that are binding on the employee, whether they are technical rules, information security processes or practices and instructions suitable for everyday work.
Physical protection of data in registers
Customer data is processed in information systems located in the data center in Finland or in Cloud services located in the European Union.
In data centers located in Finland, the most important production systems have been duplicated in two physically separated data centers to ensure safety, data preservation and service continuity in normal and exceptional situations.
These data centers provided by the service provider use certified safety practices, access control and monitoring procedures.
Customer’s obligations
The customer is responsible for the implementation and maintenance of adequate technical and organizational information security measures in their own information systems and physical environments.
Planned deletion periods for data groups
The Processor deletes the Customer’s personal data from its information systems to the extent required by law when the Customer leaves the Processor.
The deletion of data occurs one + ten (1+10) years after the Customer’s exit. After deletion from the operational information systems, the data will be automatically deleted within six (6) months of the backups.
Rights of the data subject
In accordance with sections 15-22 of the European Union’s General Data Protection Regulation, the data subject has the right to:
- right of access to personal data
- rectification of data
- erasure of data
- restriction of processing
- transfer data from one system to another
- object to the processing of their personal data
- lodge a complaint with a supervisory authority
The exercise of some of the data subject’s rights is limited by other mandatory legislation, based on which Talenom has the right and obligation to refuse on reasonable grounds the rectification, erasure, restriction of processing or transfer of data from one system to another. An example of such legislation is, for example, the Accounting Act, which stipulates the retention of payroll receipts, regardless of the rights of the data subject in the GDPR.
In situations where the data subject wishes to inspect or amend his or her data from data belonging to a personal register owned by a Talenom customer, the data subject must make a request for an inspection or change of the data to the controller, and the controller takes care of the implementation of the request for inspection or change of data together with the data processor Talenom. In this case, the controller must address a written request for verification to the following address: tietosuoja@talenom.fi.
Controller’s instructions to data processor
The customer may describe separately in separate documentation the more detailed instructions given to the processor for the processing of personal data, which the Processor stores in customer-specific file folders, as part of the customer-specific instructions.
Data breach notification
Controller
The notification is made by the Processor to the Controller without undue delay after the disclosure of the data protection breach. The notification describes the nature of the data breach and the measures taken as required by law.
Registered
Notification is given to the data subject by the Controller if the data breach is likely to result in a high risk to his or her rights and freedoms. The notification describes the nature of the data breach and the measures taken as required by law.
Supervisory authority
It is the Controller’s duty to notify the National Data Protection Authority within 72 hours of being reported if the data breach is likely to result in a high risk to the rights and freedoms of natural persons. The Processor assists the Controller in notifying the National Data Protection Authority of a separate request. The notification is made in accordance with the instructions of the Finnish Data Protection Ombudsman in force at the time.
Processor (Service Provider) and contact information
Processor’s name: Talenom Oyj
Data Protection Officer: Enni Kaivorinne
Tel. 0207 525 535
Email: privacy@talenom.fi
Address: Yrttipellontie 2, 90230 Oulu
Tel. 0207 525 000 (switchboard)
Contact information of the subcontractor
The customer has given general consent to the use of subcontractors. The accounting firm provides a list of subcontractors upon request.