Privacy Policy
Talenom’s privacy policy describes the practices and principles related to the processing of personal data. The privacy policy helps you understand what personal data we collect and why, as well as how we process, protect, store and delete your personal data.
This privacy policy applies to Talenom’s website, financial management services for customers, related information systems and recruitment.
Data protection at Talenom
- Last update:
Why do we process personal data?
Talenom stores and processes personal data to provide services in a contractual relationship between Talenom and Talenom’s customers.
Talenom may be obliged to disclose personal data if required to do so under applicable law or regulations, or to meet a request by a judicial or administrative authority.
Talenom has a legitimate interest in processing personal data for the purpose of directing the marketing and sales of Talenom’s services, as well as for improving the quality of Talenom’s products and services.
The processing of personal data is based on separate consent for the following processing operations:
- Recruitment process
- Direct marketing
The data subject has the right to withdraw their consent at any time via a link in marketing messages.
What personal data do we process?
Talenom processes, among other things, the following personal data:
- Contact information, such as first and last name, address, phone number, email address
- Personal ID and date of birth
- Due diligence information required by the Money Laundering Act (KYC information)
- Beneficial ownership information of the company
- Health information (e.g. in connection with the probate service of counselling services)
- Customer history, such as contacts and changes in services
- Call and other recordings of our customer service cases
- User credentials to Talenom electronic services
- Log information from the use of the services
- Information provided by Cookies
- Information provided voluntarily by the registered in the recruitment process
- Marketing prohibitions and consents
In some of its services, Talenom processes personal data on behalf of Talenom’s customer.
In such cases, the customer is the Controller of the generated personal data register and Talenom acts as the Processor of the personal data, in the capacity defined by the General Data Protection Regulation.
In this case, the processing activities related to the processing of personal data have been separately agreed with Talenom’s customer, using the Description of Personal Data Processing Activities included in this document: Description of Processing Activities
Regular sources of information
In most cases, we receive your data directly from you, for example in the following situations:
- You become a customer of Talenom and use our products and services
- You participate in surveys, campaigns or Talenom events
- You call our customer service or send a message in the chat
- If you apply to work for us
In addition, we receive information about:
- Registers maintained by authorities
- eg. From the Finnish Patent and Registration Office and the Business Information System
- Almatalent.fi – information service
- On sanctions lists
- Vainu.com – information service
- Asiakastieto.fi – information service
- Other services that provide public contact information
- From the contact forms on the Talenom.fi website
- Talenom’s internal information sources
How do we take care of our customers’ data protection?
Technical protection of data in registers
The data contained in the register that is processed electronically is technically protected, for example with firewalls, password policy and by offering Talenom’s customers two-factor authentication to customer information systems.
The data transfer between the customer and Talenom’s services is encrypted with TLS (Transport Layer Security) technology. Data is backed up regularly and backups are stored in a different location than where the primary data is located.
Talenom conducts internal and third-party assessments and audits that cover both the technical security of critical information systems and the processes and guidelines for administrative information security and data protection.
Administrative protection of registers
Talenom has an information security policy that every new employee goes through when they start working at Talenom. The information security policy describes the general rules on information security and data protection that are mandatory for the employee.
Talenom staff’s information security and data protection awareness is regularly maintained in various ways: By organizing both regular information sharing sessions on information security and data protection for the entire company’s personnel, and by organizing mandatory information security and data protection training for employees every year.
The data contained in the registers can be accessed based on separately granted access rights to Talenom’s employees and subcontractors acting on behalf of Talenom. User access rights are regularly reviewed. System administrators’ access rights are monitored and removed when the user no longer needs them. The access rights of employees who have left Talenom are removed at the end of the employment relationship.
In accordance with the information security policy, the customer’s data is only processed by a Talenom employee whose work duties require it. The processing of customer data on other grounds is prohibited, even if the employee would have a technical access to customer data based on his or her role and business reasons.
All Talenom’s personnel, and subcontractors acting on Talenom’s behalf, have a duty of confidentiality in relation to all Talenom’s customer and personal data. The obligation of confidentiality is recorded in the employment contracts of Talenom’s personnel and in agreements with third parties, including sanctions for violation of confidentiality.
Physical protection of data in registers
Customer data is processed in information systems located in the data center in Finland or in Cloud services located in the European Union.
In data centers located in Finland, the most important production systems have been duplicated in two physically separated data centers to ensure safety, data preservation and service continuity in normal and exceptional situations.
These data centers provided by the service provider use certified safety practices, access control and monitoring procedures.
Disclosure of data and use of subcontractors
Talenom may, if necessary, disclose personal data to any company within the Talenom Group.
In certain cases, Talenom must also disclose personal data to authorities if required by applicable law or regulation or a request from a judicial or administrative authority.
Talenom may disclose non-sensitive personal data to its partners for the purpose of developing services, monitoring quality and marketing.
Talenom discloses the KYC data of TiliJaska customers to the electronic money community PPS EU SA in accordance with anti-money laundering legislation. The disclosure of data is based on an agreement between Talenom and PPS EU SA, in which case the data protection practices of the PPS EU SA apply to the processing of personal data. You can access the privacy policy from this link.
Talenom discloses the KYC information of TiliJaska customers to Fellow Bank Plc in accordance with the anti-money laundering legislation. The disclosure of data is based on an agreement between Talenom and Fellow Bank Plc, in which case the data protection practices of Fellow Bank Plc apply to the processing of personal data . You can access the privacy policy from this link.
Talenom does not sell or rent personal data to any other party.
Upon request, Talenom will provide an up-to-date list of the subcontractors it uses.
Transfer of data outside the EU/EEA
Mainly personal data is not transferred outside the European Union or the European Economic Area.
The contact information used in marketing communications and the statistical data generated by the use of Talenom’s electronic systems, as well as the data stored in the recruitment service, are transferred outside the EU / EEA to servers located in the United States. These are protected by the respective service providers in accordance with European Union data protection legislation.
Data transfers outside the EU / EEA are carried out in accordance with the standard contractual clauses for data protection approved by the European Commission.
Subcontractors that transfer data outside the EU/EEA:
- Google Analytics
- Hubspot
- Mailchimp
- Hotjar (Tilijaska service)
- TeamTailor (recruitment service)
- Choice HR (recruiment service)
How long do we keep the data?
Talenom processes personal data throughout the customer relationship.
Company information and information on the company’s decision-makers is stored at Talenom permanently, because the information is automatically updated for us from the business information system.
When the customer relationship ends, personal data is stored to the extent necessary to comply with our legitimate interests.
We will maintain the direct marketing information until further notice.
After 3 months, recorded phone calls are automatically deleted from information systems.
The data stored in the recruitment register is deleted from the system at the request of the data subject or automatically after 12 months.
How do we use cookies and web analytics?
Talenom collects information with cookies to improve the user experience on our site and services, evaluate use patterns of the content and support marketing.
Cookies are small text files that are stored on the website visitor’s terminal device.
The following information is stored about the data subject:
- User’s IP address
- Time of visit
- Pages visited and duration of visit
- Browser type used
- Terminal version and operating system
- Where the user came from and where the user goes after using the site
By using Talenom’s website, the user accepts the use and storage of cookies on their computer.
The visitor can prevent the use of cookies by changing the browser settings so that the browser does not allow the storage of cookies. In this case, the user accepts that for some services, the blocking of the use of cookies may, however, affect the functionality of the service.
Users’ terminal device data is collected automatically for the development of electronic products and customer service, using, for example, internet browser cookies, or similar technologies.
Rights of the data subject
In accordance with sections 15-22 of the European Union’s General Data Protection Regulation, the data subject has the right to:
- right of access to personal data
- rectification of data
- erasure of data
- restriction of processing
- transfer data from one system to another
- object to the processing of their personal data
- lodge a complaint with the supervisory authority
You can object to the processing of your personal data for direct marketing purposes at any time.
The exercise of some of the data subject’s rights is limited by other mandatory legislation, based on which Talenom has the right and obligation to refuse on reasonable grounds the rectification, erasure, restriction of processing or transfer of data from one system to another.
The registered must address a written request based on their rights by e-mail to: tietosuoja@talenom.fi.
Contact details of the controller and data protection officer
Controller
Talenom Oyj, 2551454-2
Yrttipellontie 2, 90230 Oulu
puh. 0207 525 000 (switchboard)
Data Protection Officer
Enni Kaivorinne
Tel. 0207 525 535
E-mail: tietosuoja@talenom.fi
Data breach notification policies
Notification to the data subject is made by the controller if the data breach is likely to result in a high risk to his or her rights and freedoms. The notification describes the nature of the data breach and the measures taken as required by the GDPR.
It is the data controller’s duty to notify the data protection authority within 72 hours of disclosure if the data breach is likely to result in a high risk to the rights and freedoms of natural persons. The notification is made in accordance with the instructions of the Data Protection Ombudsman in force at the time.
Limitations
This privacy policy does not apply to third-party websites, applications or services that may be available through additional services provided by partners in Talenom’s services.
By opening the partner’s website, the customer leaves Talenom’s service, allowing the third party to collect and share the information they have collected about the customer.
Talenom recommends that our customers always review the privacy policies of a third-party service before allowing the collection and use of their own personal information on those services.