Privacy Notice for the Employee Register Privacy Notice for the Employee Register Drafted on: 13.1.2023 1. ControllerEnersense International Oyj (2442767-4) and/or group company in question. Konepajanranta 2 28100 Pori, FINLAND (hereafter “we”) Enersense International Oyj and/or group companies may act as joint controllers for the processing activities done within the Enersense group. Consequently, they are considered joint controllers of such personal data under article 26 of the EU General Data Protection Regulation (GDPR). Enersense Group has established necessary documentation regarding the joint activities. 2. Contact for register mattersEmail: firstname.lastname@example.org 3. What is the purpose and the legal basis for processing personal data and what data do we process?Providing personal data is a requirement for us to be able to manage our employer obligations. We process the following personal data necessary for your employment or internship: Personal dataPurpose of processingLegal basisBasic information, such as name, date of birth, national identification number or other identifier, photo, language, emergency contact person, tax and bank account details. Contact details, such as private e-mail address, private phone number, home address. Organising work and managing human resources and related employer and other obligations, such as payroll.The enforcement of your employment or internship contract. The compliance of the statutory obligations (such as the Employment Contracts Act) of the employer during and after the employment. Consent for the emergency contact person. Information of the employment, such as profession and/or position, practice/team/department, work and education history, language skills, expertise and/or special type of education, participance to trainings, work related travelling, work related expenses, duration of the employment, information of verbal notes and written warnings and reason for the termination of the employment and other related information, absences.Organising work and managing human resources and related employer and other obligations. Operational planning and development regarding our personnel.The enforcement of your employment or internship contract. The compliance of the statutory obligations (such as the Employment Contracts Act) of the employer during and after the employment. Our legitimate interest based on promoting business activities, using data systems, training employees and exploiting the employment benefits we offer.Information regarding health, such as statements regarding pre-employment- and physical examinations, information regarding medical certificates, project-based drug tests and other case-by-case alcohol tests.Managing human resources and related employer and other obligations.Consent.Information related to employment benefits including devices and credit cards bestowed on you, such as computer and mobile phone, complementary gifts by the employer.Managing human resources and related employer and other obligations, such as payroll.The enforcement of your employment or internship contract. The compliance of the statutory obligations (such as the Employment Contracts Act) of the employer during and after the employment. Our legitimate interest based on promoting business activities, training employees and exploiting the employment benefits we offer. Performance reviews, development discussions, rewarding practices, and related information such as development goals and interests as well as information concerning salary, compensation, and grades etc. Organising work and managing human resources and related employer and other obligations. Operational planning and development regarding our personnel. The enforcement of your employment or internship contract. Our legitimate interest based on promoting business activities, using data systems, training employees and exploiting the employment benefits we offer.Information concerning tracking working hours and time records. Annual leave and absence details. Organising work and managing human resources and related employer and other obligations.The compliance of the statutory obligations (such as the Employment Contracts Act) of the employer during and after the employment.Record of a membership in a trade union for the employees whose membership fees are deducted from their salary. Managing human resources and related employer and other obligations, such as payroll.Consent.Information related to wellbeing and safety at work such as records of participation in activities that enhance well-being at work, working capacity negotiations (such as memorandums of discussions) and information concerning accidents. Managing human resources and related employer and other obligations. Operational planning and development regarding our personnel.The compliance of the statutory obligations (such as the Employment Contracts Act) of the employer during and after the employment. Our legitimate interest based on promoting business activities, using data systems, training employees and exploiting the employment benefits we offer.Other possible information related to the employment such as information regarding resourcing, extract form the criminal record of those who have right of representation for public procurements, other information you have provided such as answers to employee surveys on, for example, employee satisfaction, polls on various topics. Organising work and managing human resources and related employer and other obligations.Consent.Photos and video recordingsOrganising work and managing human resources, internal and external information sharing, e.g., when duties require the employee to be identified or reached based on their contact details and photo. Marketing.Our legitimate interest based on organising business operations and work duties. Consent.Information relating to user administration and data log systems, use of companies’ electronic communication services (software and software platforms enabling communication or cooperation over the internet between two or more parties such as email software and servers, various types of instant messengers and internet calls, electronic cooperation and team tools, etc. are considered as such software and software platforms) such as the first and last name or nickname, email address, physical work address/location, role or position in the organisation, username and password, browsing and search information, access rights, IP address, session ID, routing information, MAC address, device ID, and time stamp and identifier information of the sender(s) and recipient(s).To enable processing of personal and other data in our other information systems as well as monitoring, guidance, solving fault conditions, prevention and investigation of data breaches and running use analysis.Our legitimate interest as well as your legitimate interest. Our right to organising business operations in order to implement communication and to organise the work of our employees and others working on our behalf, to prevent and solve fault conditions and unintentional and deliberate data protection deviations in our data systems, in order to ensure the continuity of our operations and to prevent and minimize any damages as well as monitor the use, adding, alteration or erasure of, or access to, data systems containing personal data and other confidential information. Above mentioned actions are necessary to ensure the continuity of the operations, and to implement various legal or contractual reporting and accountability obligations, your rights and legal protection as well as the compliance of good data processing practice.4. From where do we receive the data?The primary source of the data stored in the register is you. Other sources may be used in accordance with the law. Such data can be e.g. information received from managers and data resulting from the use of databases or software. Additionally, personal data may be collected and updated for the purposes described in this privacy notice from publicly available sources and from authorities or other third parties in accordance with the applicable legislation. Such updating of data is performed manually or by automated means. 5. To whom do we disclose and transfer data, and do we transfer data outside the EU or the EEA?We disclose personal data in a manner permitted and obligated by the current legislation to parties, who based on legislation, collective agreements and/or contract have the right to receive data from the register, such as the tax authorities, the Social Insurance Institution, pension and accident insurance providers, employment and execution authorities, occupational healthcare-, financial-, and legal service providers, teleoperators, and benefit providers. We may also disclose data for other purposes in accordance with the applicable legislation. However, we will only disclose data for purposes related to the employment. In business transaction situations or in order to acquire funding we may disclose some of your personal data described above to the extent required by each case to such companies who we have agreed to share the information in order to evaluate our company value, and to prepare and execute any actions necessary for the circumstances. However, nondisclosure agreements will be obtained accordingly in these cases. We will transfer medical certificates received from elsewhere than occupational health care to our occupational health care service. You have the right to prohibit the transfer of your medical certificate by contacting the person mentioned in section two (2). We use subcontractors for processing personal data on behalf of and for us. We have outsourced the processing of personal data to subcontractors for the following services: – Financial management (incl. payroll and accounting services) – Human resources – IT management – Following outsourced services: facility management and car leasing services We have ensured the protection of your data by making necessary contracts with the subcontractors. We cannot name all our subcontractors, in part due to projects in development, so we have decided on naming only the types of subcontractors. Most of these systems and their providers are available up-to-date through your own access to the databases i.e. you use the systems at your work. We transfer personal data outside of the EU/EEA. When personal data is processed outside the EU/EEA, we make sure that the subcontractor has committed to use the EU Commission’s standard contractual clauses and other additional safeguards. 6. How do we protect the data and for how long do we store it?Only those of our employees, who on behalf of their work have the right to process personal data, are entitled to use the systems containing personal data. The register is protected with the necessary technical and organisational precautions. Each user has a personal username and password to the system. The data is collected into databases that are protected with firewalls, passwords and other technical measures. The databases and their backups are kept in locked premises and only predesignated persons have access to the data. All paper records are also kept in locked premises and may only be accessed by persons, who have on behalf of their work have the right to process the data. We store your personal data only for as long as is necessary for the purposes of processing personal data, taking into account the storage periods provided by law, such as the laws applicable to employment contracts, accounting and prepayment. We assess the need to store data regularly considering the applicable legislation. Additionally, we take all the reasonable measures to ensure that no data, which is incompatible for the purposes of the processing, obsolete or incorrect, is stored in the register. We correct or erase such data without delay. 7. What are your rights as a data subject?You have the right to inspect the personal data stored in the register concerning yourself and the right to demand rectification or erasure of the data. You may also inspect your data stored in the register and update and edit some of these by means of a technical access, username and password. Insofar as the processing is based on consent, you also have the right to withdraw or change your consent. Withdrawing your consent does not affect the lawfulness of processing before the withdrawal of the consent. You have the right to object or to demand restriction of the processing of your data and to lodge a complaint with the supervisory authority. On grounds relating to your particular situation, you also have the right to object other processing activities when the legal basis of processing is the legitimate interest. In connection with your request, you shall identify the specific situation, based on which you object to the processing. We can refuse the request of objection only on legal grounds. 8. Who can you contact?The contacts and requests concerning this privacy notice must be submitted in writing to the contact point mentioned in section two (2).