Privacy Notice for Processing Personal Data of External Workforce

Privacy Notice for Processing Personal Data of External Workforce

Drafted on 29.5.2023

 

1. Controller

Enersense International Oyj (2442767-4) and/or group company in question.

Konepajanranta 2 28100 Pori, FINLAND

(hereafter “we”)

2. Contact for the register

You may contact us, if you have any concerns related to the processing of personal data or the exercise of your rights under the EU Data Protection Regulation. Please contact us by email at privacy@enersense.com

3. What is the purpose and the legal basis for processing personal data and what data do we process?

In order to comply with certain legal reporting obligations, we process the following personal data of our contractors and workers at our worksites:

Personal dataPurpose of processingLegal basis
Basic information, such as name, date of birth, national identification number or other identifier, tax details.

Contact details,such as private e-mail address, private phone number, home address.

Information regarding your work tasks and employer, such as name, contact information and business ID of the employer, working location, information about the task and the purpose and scope of work, start and end date of work. 		Execution of the project, supervision and measurement of work performance, ensuring the safety of the construction site or other working environment, and fulfilling reporting obligationsCompliance with statutory obligations (such as the Act on Tax Assessment Procedure, Decree on the Safety of Construction Work, Occupational Safety and Health Act)
Information related to occupational safety, such as information regarding site-specific orientation and training, information regarding accidents, records of participation in activities that enhance well-being at work.Execution of the project, supervision and measurement of work performance, ensuring the safety of the construction site or other working environment, and fulfilling reporting obligationsCompliance with statutory obligations (Decree on the Safety of Construction Work, Occupational Safety and Health Act)
Information regarding site-specific access permits, , such as access event information, access control key number and access right groupEnsuring safety of the construction site, facilities and people moving around in the area, supervision of work performance.Legitimate interest.
Information regarding foreign labour and working abroad, such as name and contact information of national representatives, copy of residence permit card or residence permit number, citizenship, copy of passport or identity card.Execution of the project, inspecting the grounds for the worker’s right to work, fulfilling reporting obligations Compliance with statutory obligations (Act on Posting Workers, Aliens Act)
Information regarding contractor liability, such as information on the applicable collective agreement, certificates of taking out employee pension insurance and payment of pension insurance contributions, and certificates on the determination of employees' social security.Execution of the project, fulfilling reporting obligationsCompliance with statutory obligations (Act on Contractor’s Obligations and Liability)
Information necessary for taxation, Information necessary for taxation, such as identification information about the reporting party and the contact person with contact information, the location of the construction site, information about the foreign employee's insurance, information about the nature of the employment relationship, identification information about the employer and the contractor, and information about the contractor and his employee processed on the basis of the contract.Fulfilling reporting obligations related to taxationCompliance with statutory obligations (Act on Tax Assessment Procedure, Decision of the Tax Administration on reporting obligations regarding worksites).
Information relating to user administration and data log systems, use of electronic communication services, (software and software platforms enabling communication or cooperation over the internet between two or more parties such as email software and servers, various types of instant messengers and internet calls, electronic cooperation and team tools, etc. are considered as such software and software platforms) such as the first and last name or nickname, email address, physical work address/location, role or position in the organisation, username and password, browsing and search information, access rights, IP address, session ID, routing information, MAC address, device ID, and time stamp and identifier information of the sender(s) and recipient(s). To enable processing of personal and other data in our other information systems as well as monitoring, guidance, solving fault conditions, prevention and investigation of data breaches and running use analysis.Our legitimate interest as well as your legitimate interest. Our right to organising business operations in order to implement communication and to organise the work of our employees and others working on our behalf, to prevent and solve fault conditions and unintentional and deliberate data protection deviations in our data systems, in order to Our legitimate interest as well as your legitimate interest. Our right to organising business operations in order to implement communication and to organise the work of our employees and others working on our behalf, to prevent and solve fault conditions and unintentional and deliberate data protection deviations in our data systems, in order to ensure the continuity of our operations and to prevent and minimize any damages as well as monitor the use, adding, alteration or erasure of, or access to, data systems containing personal data and other confidential information. Above mentioned actions are necessary to ensure the continuity of the operations, and to implement various legal or contractual reporting and accountability obligations, your rights and legal protection as well as the compliance of good data processing practice.
Photos and video recordingsOrganising work and managing human resources, internal and external information sharing, e.g., when duties require the person working on our behalf to be identified or reached based on their contact details and photo

Marketing.		Our legitimate interest based on organising business operations and work duties

Consent.

4. From where do we receive the data?

The primary source of the data stored in the register is the contractor or the worker him/herself. Data can also be collected and updated from public and private registers within the limits allowed by law.

Data regarding access events is collected automatically via access card or similar badge or device when a person uses his/her access rights.

5. To whom do we disclose and transfer data, and do we transfer data outside the EU or the EEA?

We disclose personal data in accordance with the requirements of the law to the authorities, such as the tax authority, the occupational safety and health authority, public employment and business services, the personnel representative, and the occupational safety representative. We can also disclose information to our partners to fulfil obligations arising from contracts.

We primarily process the data ourselves, but we also use subcontractors in our operations who process personal data on behalf of us, for example when offering IT administration services. When we use data processors, we have ensured through contractual arrangements that the data processor processes personal data only in accordance with our written instructions.

We transfer personal data outside of the EU/EEA. When personal data is processed outside the EU/EEA, we make sure that the subcontractor has committed to use the EU Commission’s standard contractual clauses and other additional safeguards.

6. How do we protect the data and for how long do we store it?

Only those of our employees, who on behalf of their work have the right to process personal data, are entitled to use the systems containing personal data. The register is protected with the necessary technical and organisational precautions. Each user has a personal username and password to the system. The data is collected into databases that are protected with firewalls, passwords and other technical measures. The databases and their backups are kept in locked premises and only predesignated persons have access to the data. All paper records are also kept in locked premises and may only be accessed by persons, who have on behalf of their work have the right to process the data.

We store your personal data only for as long as is necessary for the purposes of processing, taking into account the storage periods provided by law. The information required by the Tax Assessment Procedure Act and the Occupational Safety Act is stored for at least six years from the end of the year in which the worksite was completed. Information needed to fulfil contractor liability obligations are stores at least two years after the completion of the contract in question.

We assess the need to store data regularly considering the applicable legislation. Additionally, we take all the reasonable measures to ensure that no data, which is incompatible for the purposes of the processing, obsolete or incorrect, is stored in the register. We correct or erase such data without delay.

 

7. What are your rights as a data subject?

You have the right to inspect the personal data stored in the register concerning yourself and the right to demand rectification or erasure of the data. Insofar as the processing is based on consent, you also have the right to withdraw or change your consent. Withdrawing your consent does not affect the lawfulness of processing before the withdrawal of the consent.

You have the right to object or to demand restriction of the processing of your data and to lodge a complaint with the supervisory authority.

On grounds relating to your particular situation, you also have the right to object other processing activities when the legal basis of processing is the legitimate interest. In connection with your request, you shall identify the specific situation, based on which you object to the processing. We can refuse the request of objection only on legal grounds.

8. Who can you contact?

The contacts and requests concerning this privacy notice must be submitted in writing to the contact point mentioned in section two (2).