Privacy Policy
Talenom’s privacy policy describes the practices and principles related to the processing of personal data. The privacy policy helps you understand what personal data we collect and why, as well as how we process, protect, store and delete your personal data.
This privacy policy applies to Talenom’s website, marketing, customer register, financial management services for customers, related information systems and recruitment.
Data protection at Talenom
- Last update:
Why do we process personal data?
Talenom stores and processes personal data to provide services in a contractual relationship between Talenom and Talenom’s customers.
Talenom may be obliged to disclose personal data if required to do so under applicable law or regulations, or to meet a request by a judicial or administrative authority.
Talenom has a legitimate interest in processing personal data for the purpose of directing the marketing and sales of Talenom’s services, as well as for improving the quality of Talenom’s products and services.
Talenom has a legitimate interest to process personal data to provide Talenom’s Debt Collection Services. When personal data is processed based on legitimate interest, a balance test defined by the data protection authority has been carried out.
The processing of personal data is based on separate consent for the following processing operations:
- Recruitment
- Credit check during recruitment
- Direct marketing
The data subject has the right to withdraw their consent at any time via a link in marketing messages.
What personal data do we process?
Talenom processes, among other things, the following personal data:
- Contact information, such as first and last name, address, phone number, email address
- Personal ID and date of birth
- Due diligence information required by the Money Laundering Act (KYC information)
- Position and share of ownership in the company
- PEP-information (Political influence)
- Country of taxation and birth, nationality
- Beneficial ownership information of the company
- Health information (e.g. in connection with the probate service of counselling services)
- Customer history, such as contacts and changes in services
- Call and other recordings of our customer service cases
- User credentials to Talenom electronic services
- Log information from the use of the services
- Device name and ID
- Information provided by Cookies
- Information provided voluntarily by the registered in the recruitment process
- Marketing prohibitions and consents
In some of its services, Talenom processes personal data on behalf of Talenom’s customer.
In such cases, the customer is the Controller of the generated personal data register and Talenom acts as the Processor of the personal data, in the capacity defined by the General Data Protection Regulation.
In this case, the processing activities related to the processing of personal data have been separately agreed with Talenom’s customer, using the Description of Personal Data Processing Activities included in this document: Description of Processing Activities
Regular sources of information
In most cases, we receive your data directly from you, for example in the following situations:
- You become a customer of Talenom and use our products and services
- You participate in surveys, campaigns or Talenom events
- You call our customer service or send a message in the chat
- If you apply to work for us
In addition, we receive information about:
- Registers maintained by authorities
- eg. From the Finnish Patent and Registration Office and the Business Information System, Suomi.fi
- Digital and Population Data Services Agency
- Trust network
- Almatalent.fi – information service
- On sanctions lists
- Vainu.com – information service
- Asiakastieto.fi – information service
- Other services that provide public contact information
- From the contact forms on the Talenom.com website
- Talenom’s internal information sources
How do we take care of our customers’ data protection?
Technical protection of data in registers
The data contained in the register that is processed electronically is technically protected, for example with firewalls, password policy and by offering Talenom’s customers two-factor authentication to customer information systems.
The data transfer between the customer and Talenom’s services is encrypted with TLS (Transport Layer Security) technology. Data is backed up regularly and backups are stored in a different location than where the primary data is located.
Talenom conducts internal and third-party assessments and audits that cover both the technical security of critical information systems and the processes and guidelines for administrative information security and data protection.
Administrative protection of registers
Talenom has an information security policy that every new employee goes through when they start working at Talenom. The information security policy describes the general rules on information security and data protection that are mandatory for the employee.
Talenom staff’s information security and data protection awareness is regularly maintained in various ways: By organizing both regular information sharing sessions on information security and data protection for the entire company’s personnel, and by organizing mandatory information security and data protection training for employees every year.
The data contained in the registers can be accessed based on separately granted access rights to Talenom’s employees and subcontractors acting on behalf of Talenom. User access rights are regularly reviewed. System administrators’ access rights are monitored and removed when the user no longer needs them. The access rights of employees who have left Talenom are removed at the end of the employment relationship.
In accordance with the information security policy, the customer’s data is only processed by a Talenom employee whose work duties require it. The processing of customer data on other grounds is prohibited, even if the employee would have a technical access to customer data based on his or her role and business reasons.
All Talenom’s personnel, and subcontractors acting on Talenom’s behalf, have a duty of confidentiality in relation to all Talenom’s customer and personal data. The obligation of confidentiality is recorded in the employment contracts of Talenom’s personnel and in agreements with third parties, including sanctions for violation of confidentiality.
Physical protection of data in registers
Customer data is processed in information systems located in the data center in Finland or in Cloud services located in the European Union.
In data centers located in Finland, the most important production systems have been duplicated in two physically separated data centers to ensure safety, data preservation and service continuity in normal and exceptional situations.
These data centers provided by the service provider use certified safety practices, access control and monitoring procedures.
Disclosure of data and use of processors
Talenom may, if necessary, disclose personal data to any company within the Talenom Group.
In certain cases, Talenom must also disclose personal data to authorities if required by applicable law or regulation or a request from a judicial or administrative authority.
Talenom may disclose non-sensitive personal data to its partners for the purpose of developing services, monitoring quality and marketing.
Talenom discloses the KYC data of TiliJaska customers to the electronic money community PPS EU SA in accordance with anti-money laundering legislation. The disclosure of data is based on an agreement between Talenom and PPS EU SA, in which case the data protection practices of the PPS EU SA apply to the processing of personal data. You can access the privacy policy from this link.
Talenom discloses the KYC information of Accounts and Cards customers to Alisa Bank Plc in accordance with the anti-money laundering legislation. The disclosure of data is based on an agreement between Talenom and Alisa Bank Plc, in which case the data protection practices of Alisa Bank Plc apply to the processing of personal data . You can access the privacy policy from this link.
Talenom does not sell or rent personal data to any other party.
Talenom uses processors who assist Talenom and/or provide part of our services. In this context, personal data may be transferred into the systems of the processors in question in order to provide the service. These processors are usually video surveillance, marketing or recruitment partners, operators or software development cooperation network companies. Talenom enters into a Data Processing Agreement (DPA) with its processors to protect the privacy rights and freedoms of data subjects.
List of processors:
Enfo Oyj; Data center service provider in Finland
Microsoft Oy; Cloud service provider in the European Union
Team Tailor AB; Recruitment and employer image services
Choice HR Oy; Recruitment and employer image services
Certego Oy; Video surveillance of premises
Securitas Technology Oy; Video surveillance of premises
CRM-Service Oy; CRM system provider and administrator
DigitalBooker Finland Oy; Appointment management system provider
LeadDesk Oyj; Call Management System Provider
Efecte Finland Oy; Efecte system provider for IT and support service management and Whistleblower-channel
Suomen Turvaposti Oy; Service provider for encrypted email
Visma Solutions Oy; Digital signature Visma Sign
Scrive Finland Oy; Digital signature
Alisa Pankki; Banking as a service
PPS EU SA; Banking as a service
Google (Yhdysvallat); Statistics on the use of digital services
Hubspot (Yhdysvallat); Marketing automation tool and chatbot -service
Twilio; Text messaging service
Telia Finland Oyj; Text messaging service
Smilee.io; Chatbot -service
ZEF Oy; Tool for sending and analyzing customer satisfaction surveys
AON Assessment Finland Oy; Recruitment tool for evaluating a potential employee
Transfer of data outside the EU/EEA
Mainly personal data is not transferred outside the European Union or the European Economic Area.
The contact information used in marketing communications and the statistical data generated by the use of Talenom’s electronic systems, as well as the data stored in the recruitment service, are transferred outside the EU / EEA to servers located in the United States. These are protected by the respective service providers in accordance with European Union data protection legislation.
Data transfers outside the EU / EEA are carried out in accordance with the standard contractual clauses for data protection approved by the European Commission.
Processors that transfer data outside the EU/EEA:
- Google Analytics
- Hubspot
How long do we keep the data?
Talenom processes personal data throughout the customer relationship.
Company information and information on the company’s decision-makers is stored at Talenom permanently, because the information is automatically updated for us from the business information system.
When the customer relationship ends, personal data is stored to the extent necessary to comply with our legitimate interests.
We store the due diligence information (KYC data) required by the Money Laundering Act for five years after the end of the customer relationship, as required by law.
We will maintain the direct marketing information until further notice.
After 3 months, recorded phone calls are automatically deleted from information systems.
The data stored in the recruitment register is deleted from the system at the request of the data subject or automatically after 12 months.
Data related to debt collection is stored until the assignment has ended or the complaint period until the debt has expired. The storage period is three (3) years.
How do we use cookies and web analytics?
Talenom collects information with cookies to improve the user experience on our site and services, evaluate use patterns of the content and support marketing.
Cookies are small text files that are stored on the website visitor’s terminal device.
The following information is stored about the data subject:
- User’s IP address
- Time of visit
- Pages visited and duration of visit
- Browser type used
- Terminal version and operating system
- Where the user came from and where the user goes after using the site
By using Talenom’s website, the user accepts the use and storage of cookies on their computer.
The visitor can prevent the use of cookies by changing the browser settings so that the browser does not allow the storage of cookies. In this case, the user accepts that for some services, the blocking of the use of cookies may, however, affect the functionality of the service.
Users’ terminal device data is collected automatically for the development of electronic products and customer service, using, for example, internet browser cookies, or similar technologies.
Rights of the data subject
In accordance with sections 15-22 of the European Union’s General Data Protection Regulation, the data subject has the right to:
- right of access to personal data
- rectification of data
- erasure of data
- restriction of processing
- transfer data from one system to another
- object to the processing of their personal data
- lodge a complaint with the supervisory authority
You can object to the processing of your personal data for direct marketing purposes at any time.
The exercise of some of the data subject’s rights is limited by other mandatory legislation, based on which Talenom has the right and obligation to refuse on reasonable grounds the rectification, erasure, restriction of processing or transfer of data from one system to another. The processing may continue if it is necessary for the establishment, exercise or defence of legal claims.
The registered must address a written request based on their rights by e-mail to: tietosuoja@talenom.fi.
Contact details of the controller and data protection officer
Controller
Talenom Oyj, 2551454-2
Yrttipellontie 2, 90230 Oulu
puh. 0207 525 000 (switchboard)
Data Protection Officer
Enni Kaivorinne
E-mail: tietosuoja@talenom.fi
Data breach notification policies
Notification to the data subject is made by the controller if the data breach is likely to result in a high risk to his or her rights and freedoms. The notification describes the nature of the data breach and the measures taken as required by the GDPR.
It is the data controller’s duty to notify the data protection authority within 72 hours of disclosure if the data breach is likely to result in a high risk to the rights and freedoms of natural persons. The notification is made in accordance with the instructions of the Data Protection Ombudsman in force at the time.
Limitations
This privacy policy does not apply to third-party websites, applications or services that may be available through additional services provided by partners in Talenom’s services.
By opening the partner’s website, the customer leaves Talenom’s service, allowing the third party to collect and share the information they have collected about the customer.
Talenom recommends that our customers always review the privacy policies of a third-party service before allowing the collection and use of their own personal information on those services.