Citec Group
Privacy Policy, Human Resources (“HR”)

1. Registrar

Citec Oy Ab (”Registrar”)
Business identity code: 1866176-3
Address: Po Box 109, 65101 Vaasa, Finland
Phone: +358 6 3240 700
E-mail: privacy@citec.com

2. The use of and grounds for personal data

The HR register has been created to fulfil the obligations the Registrar has as an employer, as well as for creating new employments and recruitments.

The register is used and is necessary e.g. for salary payments and other payments of remuneration. The data in the HR register is furthermore used in other processes and systems concerning the personnel administration. The data will be used for e.g. planning, maintenance, for follow-up and for compiling statistics regarding personnel, salary and employment. The data will also be used to administer legislative and voluntary tasks for employers, such as working time management and work task allocation. The registered are persons who have an objective relationship with the Registrar, either as employees, former employees, job applicants, external consultants or as trustees for the board of directors.

Only data which are necessary for managing tasks regarding the employment are stored in the HR register. The Registrar uses the data in the register concerning employees or trustees to manage tasks which belong to the Registrar according to applicable law, collective agreements or specific decisions or provisions. The register is also used for recruiting employees, for supporting the internal mobility of the personnel, as a tool for the employees, as a tool for leading the personnel and for the administration of travelling costs.

The primary ground for handling personal data are obligations set out in applicable laws and regulations for the Registrar, legitimate interests of the Registrar and rights and obligations caused by employment agreements and second, the consent of the registered. The use of a HR register is based on i.a. the Employment Contracts Act in the countries concerned, those collective agreements which obliges the Registrar and additional legislation concerning labor law and HR related matters.

3. The information content and groups of personal data of the register

The following information concerning the personnel of the Registrar and potential personnel of the Registrar can be stored in the register:

  • Basic information (i.a. name, date of birth, social security number, contact details, user ID)
  • Information regarding the employment
  • Information regarding payment (account number, salary indicators, membership in labor union)
  • Information regarding payment of salary and commissions and other payments of salary nature
  • Information from performance reviews and career development
  • Information regarding training
  • Information regarding work time follow-up
  • Information regarding travelling
  • Tax deduction card and other taxation-related information
  • Information regarding sick leave or other absences
  • Information regarding qualifications and education
  • E-mail address
  • Information about next of kin for emergency situations
  • Finland & Norway only when necessary: Information about dependents younger than 10 years

When recruiting, data regarding the applicant’s name, address details, date of birth, qualification, CV and additional information will be collected through an electronic applicant form.

4. The regular information sources of the register

The data is normally collected from the registered himself, as well as from tax authorities and other authorities, line managers and/or insurance companies. Data is also collected when sending a job application or when participating in events.
The data can also be updated by using the Registrar’s other registers and from authorities and other enterprises to the extent allowed by applicable legislation.

5. Storage of personal data

The Registrar stores personal data only as long as is necessary for achieving the purposes defined in this register description acknowledging the limitations set out in the applicable laws. Due to obligations in the applicable legislation, the data might have to be stored longer than the time period mentioned above. The storage time of the data will be defined according to applicable law, but with the following outset:

  • Employment agreements and distance employment agreements, 10 years
  • Notice of absence, 2 years
  • Documents regarding establishment of vacation, 5 years
  • Notice of vacation, saved vacation or additional vacation pay, 2 years
  • Agreement regarding change of additional holiday pay, 5 years
  • Decision/certification regarding termination of employment, 10 years
  • Job certificates including appendices, 10 years
  • Mandate regarding labor union fee, entire validity time
  • Presentation of labor union fees, 10 years
  • Documentation regarding payment of salary, commissions and other additional payments, 10 years
  • Reports regarding access controls or work time follow-up, entire validity of employment
  • Notes from the performance review, 3 years
  • Cautions and reprimands, 5 years after such caution or reprimand took place
  • Job description, 10 years after termination/expiry of the employment

Outdated and unnecessary information will be destroyed in an appropriate way. The data will be marked in the register in the same way as the registered has reported it and the data will be updated when the registered reports an update to the registrar.

6. Transfer of personal data

The Registrar can use subcontractors and service providers to: maintain occupational health service and check-ups, mandatory insurances, tax authorities, construction site notifications and trade unions. Personal data can be transferred to the subcontractors and service providers of the Registrar insofar they participate in the enforcement of the purposes which are defined in this privacy policy.
Such third parties cannot use personal data for any other purposes than the ones defined in this privacy policy and to the purposes which have been defined by the Registrar. Registrar obliges third parties to keep your information confidential and to keep their data protection at a level high enough to protect your personal data.

Information will not be transferred to 3rd Parties outside EU or outside the European Economic Area. However, information may, when necessary, be transferred to Citec Group Companies located outside EU and/or the European Economic Area. In such cases, appropriate safeguards are adhered to at all times.

Personal data can be transferred in accordance with the demands set by a competent authority and in accordance with the conditions based on law.

7. The rights of the registered

Right to access
The registered has the right to control the data which is being stored about the registered in the personnel register of Registrar. The right of access can be denied on the grounds prescribed in the applicable legislation. As a starting point, the right of access is free of charge.

Right to oppose and limit
The registered has the right to oppose the handling of data that concerns the registered if the registered considers that the Registrar has handled the data illegally or that the Registrar does not have the right to handle data concerning the registered.
The right to oppose does not apply to the extent handling of the data is necessary for the Registrar to fulfil its legal obligations or necessary on another legal ground.

Right to eliminate
The registered has the right to have wrongful data corrected or imperfect data complemented. The registered also has the right to demand data which concerns the registered to be deleted from the personnel register of the Registrar.
The right to eliminate does not apply to the extent handling and storing of the data is necessary for Registrar to fulfil its legal obligations or necessary on another legal ground.

Right to transfer
Insofar the registered themselves have delivered data to the personnel register of the Registrar, and this data is handled on the basis of the consent of the registered, or an assignment, the registered has the right to get this data in mainly electronic form and the right to transfer this data to another registrar.

Prohibition against direct marketing
The registered has the right to prohibit that his or her data is used for direct marketing purposes.

Right of appeal
The registered has the right to appeal to the competent regulatory authority in case the Registrar has not complied with the applicable regulation of data protection

Other rights
If data is handled on the basis of the consent of the registered, the registered has the right to cancel the consent by informing the Registrar about this in accordance with section eleven in this privacy policy.

8. Contact

The registered shall send a request regarding the registered’s rights by post to the address mentioned in section one.
The Registrar may ask the registered to specify the request and to prove the registered’s identity before the enquiry is handled. The Registrar can refuse to fulfil the request on grounds specified in the applicable legislation.

The Registrar will answer the request within one (1) month from the date when the request was made.

9. Automatic decision making and profiling

The data in the register is neither used for automatic decision-making nor for profiling.

10. Principles for protecting the register

Protecting registered data is important for the Registrar. Manual material is stored in a locked space and can be reached only by people who are entitled to the information. Data concerning the health of the employees and sensitive data are stored separately from other personal data.

The data is stored in electronic systems, which are protected by firewalls, passwords and other technical solutions. Only the staff of the Registrar and other defined persons who need the data for the purposes of performing their assignments have access to the register. Everyone using the register is bound by confidentiality.

11. Changes in the Privacy Policy

The Registrar is constantly developing its business and therefore reserves the right to make changes to this Privacy Policy by informing about this on its intranet site. Changes may also need to be made due to changes in the applicable legislation. The Registrar recommends the registered individuals to familiarize themselves with the Privacy Policy on a regular basis.

(The Privacy Policy was last updated on 26 June 2018)