Oomi Oy’s staff register

This privacy statement provides data subjects, i.e. the controller’s staff, and the supervisory authority with the information required by data protection legislation on how and why Oomi Oy processes the personal data of its staff.

1  Controller

Oomi Oy
Business ID: 3101315-4
Postal address: P.O. Box 95, 01301 Vantaa
Website: www.oomi.fi

2  Persons responsible for the register and their contact information

Person responsible for the register
Mervi Suorsa
Postal address: P.O. Box 95, 01301 Vantaa
Street address: Peltolantie 27, 01300 Vantaa

Data protection officer
Tuija Rouhiainen
Postal address: P.O. Box 95, 01301 Vantaa
Street address: Peltolantie 27, 01300 Vantaa

Enquiries about data protection
tietosuoja@oomi.fi

3  Name of register 

Oomi Oy’s staff register (‘the Staff Register’)

4  Purpose and legal basis of the processing of personal data 

The primary basis of the processing of personal data is the employer obligations imposed on the controller and the rights granted to employees in legislation. As an employer, Oomi Oy may, in order to fulfil its statutory obligations and implement employment contracts, process the personal data of its employees in contexts such as the following:

  • measures related to the start of employment, such as drawing up the employment contract and confidentiality agreement;
  • measures related to the end of employment, such as preparing the certificate of employment;
  • measures related to absences, such as certificates of employment, Kela applications and study leave agreements;
  • implementation of the right to direct work;
  • payment of salaries and other benefits;
  • taking care of pensions and taxes;
  • working hours tracking;
  • management of leaves;
  • implementation of occupational health care;
  • measures related to occupational safety;
  • bookings related to business trips and reimbursement of travel expenses;
  • taking out insurance policies;
  • taking care of statutory insurance policies.

In other respects, the processing of employees’ personal data is based on Oomi Oy’s legitimate interests related to maintaining and developing employment relationships. On this basis, personal data may be processed in contexts such as the following:

  • measures related to supervising and assessing work performance;
  • management of access rights and user IDs;
  • internal reporting, such as statistics and retention of historical data (including photographs).

Oomi Oy’s legitimate interest is related to Oomi Oy’s role as employer as well as examination and development of its business. Oomi Oy’s legitimate interest may also be related to physical safety or data security or Oomi Oy’s need to protect its rights and property.

5  Data content of the register 

In the context of the Staff Register, Oomi Oy may process data related to data subjects: 

  • basic information about the data subject (such as names, date of birth, personal identity code, address, gender); 
  • data related to the use of systems; 
  • contact information (such as address, phone number and email address; name and phone number of next of kin); 
  • data related to the payment of salaries (such as data about salaries, working hours, the employment relationship and absences as well as data related to the tax card and bank account); 
  • data related to the person’s ability to work  (such as sick leaves); 
  • data required for the switchboard (such as name, phone number, job title);  
  • data related to employment benefits (such as name, email address, phone number); 
  • photographs and videos (without a personal identifier); 
  • data related to working hours tracking and access control (such as name, clock-in and clock-out times, access routes, camera surveillance); 
  • basic information required for personnel surveys (name, email address, organisation details); 
  • possible other information collected with the specific consent of the data subject. 

6  Regular sources of data 

Data concerning data subjects is regularly received from the data subjects themselves when they become employed by Oomi Oy, when they use Oomi Oy’s personnel services or when some other proper connection is established between Oomi Oy and the data subject (e.g. pensioners, board members). 

Personal data may also be collected and updated from the authorities and other third parties within the limits permitted by the applicable legislation for the purposes described in this privacy statement.  

7  Regular disclosures of data and data transfer outside the EU or EEA 

Personal data may be disclosed for the purposes described in this description of data file and within the limits permitted and required by the legislation, official regulations and instructions issued by industry associations that are in force at the time.  

Third parties that provide Oomi Oy with services related to HR may also have access to the data. Oomi Oy ensures, through contracts and agreements, that these parties do not process the personal data other than in accordance with Oomi Oy’s instructions and this privacy statement.

Oomi Oy does not transfer data to countries other than EU and EEA countries.

8  Data retention period 

Data is retained only for as long as it is necessary to fulfil the purposes defined in this privacy statement. After this, the data is deleted, unless we are obligated to retain the data in accordance with legislation or the rights and obligations based on the contract between the parties.  

9  Principles of register protection 

Personal data is protected by means that are generally acceptable and reasonable in the sector, such as with access passes, training, firewalls and passwords.  

Only identified employees of the controller or companies acting on assignment by or on behalf of the controller have access to the personal data processed in the Staff Register in accordance with the access rights granted by Oomi Oy. Oomi Oy takes into account the applicable legislation and official regulations regarding ensuring confidential processing of personal data.  

10  Rights of data subjects

Right of access

Data subjects have the right to see what data is recorded about them in the Staff Register. Data access requests must be sent by email to HR@ensin.fi or submitted in person on location. 

Right to object to the processing of personal data

On account of their special personal situation, data subjects have the right to object to being profiled and to other processing measures carried out by the controller on the data subject’s personal data in so far as the data processing is based on the controller’s legitimate interest. When making the request, the data subject must identify the situation based on which they are objecting to the processing. The controller may refuse to fulfil the request concerning the objection on grounds provided by law.

Right to request rectification or deletion of data or restriction of processing

Data subjects have the right to request Oomi Oy to rectify, delete or complete any personal data in the register that is incorrect, unnecessary, insufficient or outdated for the purpose of processing.

Data subjects also have the right to request the controller to restrict the processing of their personal data in situations such as when the data subject is waiting for the controller to reply to their request regarding the rectification or deletion of their data.

Data subjects are personally responsible for the correctness of the data they provide. Data subjects must notify the controller of any changes to the data they have provided.

Right to withdraw consent

If the personal data processing is based on the data subject’s consent, the data subject has the right to withdraw their consent by notifying Oomi Oy of this.

Right to transfer data from one system to another

In so far as the data subject has personally provided the register with data that is processed in order to fulfil the contract between the data subject and Oomi Oy or based on consent given by the data subject, the data subject generally has the right to receive the data in machine-readable format or transfer it to another controller. 

11  Filing a complaint with the data protection supervisory authority 

If the data subject deems that the processing of personal data is in breach of the applicable legislation or that the data subject’s statutory rights have been infringed upon, they may file a complaint about the matter with the relevant data protection supervisory authority. In Finland, the legality of the processing of personal data is monitored by the Data Protection Ombudsman, whose contact information can be found at the following address: www.tietosuoja.fi/en/home.  

12  Changes to the privacy statement  

We retain the right to change and update this privacy statement. You can find the up-to-date privacy statement on our website at oomi.fi/en/privacy-statements/staff-register.

4 May 2020