Introduction

The protection of your privacy is important to us. Barona Oy (henceforth “Barona”) is therefore committed to protecting your privacy in the best way possible, and to processing your personal data transparently, in accordance with the law in force at a given time, and in accordance with good data protection practices.

This data protection privacy statement reflects how we collect, process and protect your personal data throughout our business.

Data Protection Privacy Statement Personnel

1. Use and processing of personal data

We collect and process personal data only to the extent that this data is necessary for our our business operations, and in order to offer and develop our services. We collect and process your personal data in order to be able to provide and offer employment search services, to bring job applicants and employing organisations together, to develop the services that are associated with these functions at any given time, to manage customer communication and customer relationships, and to implement marketing and advertising. We also process personal data when the law requires us to do so, or when our legitimate interests enable us to do so.

Personal data is generally collected directly from you during the time we have a customer relationship. In certain situations, we also collect data from other external sources with your expressed permission, or within the bounds permitted by law.

The purpose of the processing determines what sort of data we collect in each situation, and for what purpose. We process the following personal data only when there are lawful grounds for doing so, for the purposes specified below.

Purpose of processing personal data Legal basis for processing
Provision of services
In order to form a customer relationship and to provide employment search services, we collect the following data from the job applicant: contact information and other individually-identifying data (e.g. date of birth), data that is necessary for the assessment of the job applicants suitability (e.g. training, vocation, special competencies, driving licence information, ability to use an automobile as part of work duties), data concerning the job applicant’s employment search (his/her desire for a position that he/she has applied to, desired wages, desired workplace, and any information related to the initiation and termination of a job), and data related to the job applicant’s work experience (e.g. information related to the job applicant’s previous or current employment relationship, such as who the employers have been, times when employment relationships have begun, the duration of these employment relationships, the nature of past/current job duties, and recommendations given by employers). Additionally, we may record e.g. a recruiter’s assessment of a person’s suitability for a given role, any references, and communications related to the service that takes place between the employment seeker and an employing organisation.

Insofar as legislation permits and requires, we also collect the following from the employment seeker: credit information, the results of any security screenings, the presentation of a criminal records extract and unique ID information associated with it, and data related to personal and aptitude assessment tests and drug tests. To verify a person’s right to work, we conduct a verification of citizenship.

From employing organisations, we collect basic information such as name and contact details, and the name and contact information of the contact person.

Agreement

Consent

Legitimate interest

Statutory requirement

Rendering of services
In order to render services, we process and record such items as the following during the service process: ordering information, information on meetings between people, any other contact between parties, possible recordings of such meetings and of telephone calls, data related to the service — such as information on which employing organisation that is also a client of the data controller has the introduction of the applicant been sent to –, and particular data related to a client organization of the data controller, such as its industry of operation and size. Consent

Legitimate interest

Customer service, customer communication and customer billing
In customer service, customer communication and customer billing, we process data related to customer relationships, payment data, and data regarding newsletter subscriptions and customer feedback. Legitimate interest
Analysis, compilation of statistics, and development of the business and services
For the purpose of analysis, compilation of statistics, and development of the business and services, we collect and process information regarding customer relationships and client organizations, such as services preferred by the customers and customer feedback, as well as information related to job search, such us use of services, city, and age. Legitimate interest
Direct marketing and marketing campaigns
We process personal data (e.g. contact information and data on services used by job applicantsand employing organisations) in order to market our services. We use personal data for direct e-marketing (via e-mail and text message) only on the basis of consent provided beforehand.

We may also engage in marketing by telephone or mail, if this is permitted by law.

Consent

Legitimate interest

Analysis of the use of our website
On the basis of consent provided by the customer, we analyse the use of our website: such as IP addresses, operating systems, browser versions and workstation models, as well as the websites from which people have reached Barona’s web service. Consent

2. Automatic decision-making

Processing of your personal data does not entail any automatic decision-making. “Automatic decision-making” refers to decisions made entirely automatically, without a person participating in the decision-making process.

3. Sensitive data

Special forms of personal data, so-called ”sensitive personal data” include personal data from which race or ethnic origin, political opinions, religious or philosophical conviction, trade union membership, genetic and biometric information, or information related to health status, sexual behaviour or sexual orientation of a natural person becomes apparent.

Processing of your personal data does not include the processing of sensitive data.  

4. Handover and transfer of data

We process your data confidentially, and do not hand it over to third parties except in the following cases:

  • Internally within our corporate group: The data is processed within Barona Companies’ registries that are related to the purposes mentioned in this privacy statement and
  • Public authorities: we may need to hand over certain data to authorities or administrators of the law in cases where there is a legally mandated requirement to do so. We do so only upon a valid decision from a court, or upon an order or subpoena from a public authority.
  • Mergers and acquisitions: when a corporate acquisition or corporate reorganisation takes place, the acquiring party may obtain access to essential customer data.
  • Consent: we may hand over your personal data to third parties if you have given your consent for us to do so. Your application for a open position at a specified employing organisation will be regarded as consent to surrenderapplicant information for the employing organisation.

In processing the data we have collected, we also use subcontractors and service providers (e.g. for technical maintenance and for the implementation of campaigns and direct marketing) that only have the right to process your data to the extent required by the agreed-on service. This means that they will not be able to use your data for their own purposes. We contractually require them to ensure a sufficient level of data protection, as well as the legality of the processing.

The data we collect is in part stored and processed outside the European Economic Area in cases where e.g. our service provider is located, or stores data, outside the European Economic Area. The service provider we use is contractually bound to ensure that a sufficient level of data protection is guaranteed in all processing of your personal data.

5. Data security

We have appropriate technical and organisational means of data security in order to safeguard your personal data from loss, misuse or other equivalent illegal access. Such means include e.g. the use of firewalls, encryption techniques, and secure areas for IT hardware.

Access to your personal data is also internally restricted through physical and electronic access control, granting of user rights, and the monitoring of such rights. Your personal data is only processed by employees who have the right to do so within the framework of their work duties.

6. Access to data and exercise of rights

You have the right to inspect what data we have collected in our registry regarding you, and to have an effect on how we use it. You have the ability to decide whether you wish to receive direct marketing, and in certain cases, you have the right to be forgotten or request the transfer of your data to another data controller. Below, we describe what rights pertain to you within the framework of the legislation currently in effect:

  • Right to revoke consent

As the processing of personal data is based on your consent, you have the right to revoke your consent at any time. For example, you may revoke consent you have given for direct e-marketing at any time.

  • Right of review and correction

At any time, you have the right to review what data we have collected regarding you, or to receive assurance that there is no personal data on you in our registry. If your data are erroneous, inaccurate or insufficient, you may send us a rquest for correction or addition.

  • Restriction of or opposition to processing

If your data is incorrect in some aspect, you have the right to demand a temporary restriction on processing, until we have verified that the data is correct. In certain situations, you will also have the right to oppose the processing of your data entirely.

  • Right to prohibit direct marketing

Additionally, you may prohibit direct marketing at any time (including profiling for direct marketing purposes).

  • Right to be forgotten

In certain situations, you have the right to be forgotten. We will delete all data that we have collected regarding you if the personal data is no longer needed for the purposes for which it was originally collected. We will also delete the data if the processing of personal data was based on consent and you withdraw your consent, or if you express opposition to the processing of your personal data, unless there are other grounds for the processing.

  • Right to transfer data from one system to another

You may request transfer of your personal data, in which case we will deliver your personal data to you in machine-readable form, so that you may keep it yourself or transfer it to another data controller (e.g. to another service provider). If it is technically possible, we will also transfer your information directly to another data controller upon your request. This is possible only in situations where we process your personal data on the basis of your consent or an agreement, and it only applies to data that you yourself have submitted to us (for example, a CV).

  • Right of appeal

In addition to the formerly mentioned rights, you have the right to make an appeal to a supervisory authority regarding the processing of your personal data.
If you want to file a claim, or if you have questions related to your rights or this data protection privacy statement, contact us by e-mail at privacy@barona.fi or by mail at Barona Privacy, Töölönlahdenkatu 3B, 00100 Helsinki.

7. Storage of data

We store your personal data for as long as is required for the purposes of processing, as long as the law requires us to do so, or until we receive a deletion request.

We store your data only for as long as is needed to fulfil the purposes specified in Section 1, always within the bounds set by currently-effective law. All information related to the seeking of employment is stored in our registry for 2 years following the final step taken or the final contact made.  

Customer data related to employing organisations will be deleted within a reasonable amount of time from when the customer relationship ends. With regard to data associated with other purposes that have been mentioned in this privacy statement, the data will be preserved for as long as the consent remains in effect.

After this, your data will first be removed from the view of our users, and following the cautionary period, it will finally be deleted from our backup copies as well, or will be made unidentifiable, via being irreversibly modified into a form from which the individual person is no longer recognisable.

8. Use of cookies

We may collect information concerning your computer via the use of cookies and other equivalent techniques. A cookie is a small text file that the browser saves onto your computer. Cookies contain a unique identifier, and are used so that we can identify and count the number of browsers visiting our website. You have the right to block the use of cookies, but this may affect the functionality of our service. You may empty cookies from the settings of your browser.

9. Changes to the data protection privacy statement

We are continually developing our data protection practices, and for this reason, we may change this data protection privacy statement from time to time. The changes may also be based on a change in legislation. We recommend that, from time to time, you revisit this page containing the data protection privacy statement in order to make note of any changes. If needed, we may also notify you of changes directly.

10. Data controller and contact information

Barona Oy is the data controller for your personal data. If you have any questions or comments, contact us:

Barona Oy

Business ID         2808477-9

Address              Töölänlahdenkatu 3 B, 00100 Helsinki

E-mail     privacy@barona.fi

Telephone           +358020 198 3460

 

Data Protection Privacy Statement Personnel Barona Oy

Introduction

The protection of your privacy is important to us. Barona Oy (henceforth “Barona”) is therefore committed to protecting your privacy in the best way possible, and to processing your personal data transparently, in accordance with the law in force at a given time and with good data protection practices.

This data protection privacy statement describes how we collect, process and protect the personal data of our own staff, including you, throughout our business.

1. Use and processing of personal data

We collect and process your personal data only to the extent that this data is necessary for managing employment relationships and fulfilling employer obligations. The purpose of processing personal data is to manage affairs related to the employment relationship of personnel who are employed at Barona Oy and companies that, at a given point in time, belong to the same corporate group as it. Such include e.g. the tracking of working hours and absences, payroll administration, access control, and functions related to the starting, management, development and termination of the employee’s employment relationship.

Personal data is generally collected directly from you before and during your employment relationship. In certain situations, we also collect information from other, external sources with your express consent, and within the bounds permitted by law.

Consent is not necessary if there are legally-permitted conditions for acquiring personal credit information or criminal record information for the purpose of investigating a person’s trustworthiness. In such a case, we will inform the person beforehand on the obtaining of such information concerning him/her in order to investigate his/her trustworthiness.

The purpose of the processing determines what sort of data we collect in each situation, and for what purpose. We process the personal data of yours that is mentioned below only on lawful bases, for the purposes specified below.

 

Purpose of processing personal data Legal basis of processing
Management of employment relationship (employment contract, initiating and concluding the employment relationship, measures taken during the employment relationship, and documents relating to these measures)
Kun teemme työsopimuksen ja sovimme työsuhteesta, keräämme sinulta itseltäsi työsuhteen hoidon kannalta tarpeelliset tiedot. Näitä ovat

Basic information

  • first and last name(s)
  • Personal ID Number
  • sex
  • contact information (e.g. address information, e-mail address, and phone numbers)
  • bank contact information
  • contact information of a close relative designated by the employee

Information related to the employment relationship, such as

  • the employment application and other information related to the application process (e.g. training and degree information, work and professional experience, information on positions of trust, information about competency as well as personal and aptitude assessment tests, and data about drug screening and personal credit information, and the results of security screenings), insofar as it is necessary from the standpoint of managing the employment relationship
  • if a given job position requires it, a security screening of an employee can be done; prior to this screening, the employee will be informed of what it means, and asked for his/her written permission to have it done
  • employment contract and other possible commitments and contracts associated with the employment relationship
  • data concerning the content of work positions, such as title and work descriptions
  • documents related to citizenship and the right to work
  • employment relationship-related data that concerns the employer’s responsibilities (e.g. data related to the insuring and taxation of personnel, data related to collaborative procedures, and data concerning procedures motivated by the former, and concerning capacity to work)
  • data concerning occupational health, such as the employee’s health status, if the data was collected from the employee him-/herself or was collected elsewhere with the employee’s written consent, and the processing of the data is necessary in order to investigate sick-leave wages or benefits associated with a comparable health condition, or to investigate whether there is a justified reason for absence from work, or if the employee expressly wishes to have his/her capacity to work investigated on the basis of health status-related data
  • data related to work equipment (e.g. data related to computers and other mobile devices designated for the personnel member, data related to the use of these, personnel’s e-mail addresses and telephone numbers, data related to access- and ID cards and keys, and data related to other tools, protective equipment and work clothing handed over to the person)
  • data on user licences related to work duties, and the user IDs and passwords associated with these licences
  • data related to the provision of employment benefits
  • data concerning termination of employment relationship (e.g. an agreement concerning the termination of the employment relationship, a work certificate, data related to retirement, exit surveys)

In records, data on the modification of the aforementioned data types may also be processed.

Data provided by the employment seeker him-/herself

Consent

Legitimate interest

Statutory requirement

Payment of wage- and other compensations
  • data related to compensation payable on the basis of an employment relationship (monetary wages, fringe benefits, and other means of remuneration and data related to the former, taxation information and data related to employer contributions, transport invoices and kilometre reimbursements)
  • data related to the tracking of work hours and to absences (data obtainable from access management systems, sickness-related absences, annual leave, and other leaves or agreed-on absences)
Statutory requirement

Legitimate interest

Management of competence and performance
  • data regarding the development within person’s work duties (data related to training and to performance appraisals and other development-related discussions)
  • data concerning employees’ ability to fulfil their work duties (e.g. information on proficiency and language skills)
  • data related to the performance of work duties (e.g. recordings of customer service calls that are a part of a person’s work duties, documents and reports related to the ability of a given person to fulfil his/her work duties)
Consent

Legitimate interest

Statutory requirement

Communication, contact and staff events
We process personal data (e.g. contact information, telephone numbers, and e-mail addresses) in our communications to our personnel concerning matters related to a given employment relationship, and when organising staff events. We may contact our personnel by e-mail, mail or phone. We may record telephone calls to ensure the quality of the customer service. Your profiled personal data may be used to improve the efficiency of communication between us. In order for us to serve you in the best way possible, we may, for example, direct your phone calls to the customer service staff member who is, at a given moment, the best person to address the matters concerning when we were previously in contact. Profiled data will not be used for automatic decision making. Consent

Legitimate interest

Use and processing of personal data in Barona Oy outside Finland in the area of the EU
In companies outside Finland that, at a given point in time, are part of Barona Oy, data collected may include (in addition to the aforementioned data) data that is required by local legislation, such as a person’s passport number, local social security number, and parents’ full names. In Poland and Spain, the full names of both parents of employees, and employees’ passport numbers, are collected.

 

2. Automatic decision-making

Processing of your personal data does not entail any automatic decision-making. The term “automatic decision-making” refers to decisions made entirely automatically, without a person participating in the decision-making process.

3. Sensitive data

Special forms of personal data, so-called ”sensitive personal data” include personal data from which race or ethnic origin, political opinions, religious or philosophical conviction, trade union membership, genetic and biometric information, or information related to health status, sexual behaviour or sexual orientation of a natural person becomes apparent.

Processing of your personal data does not include the processing of sensitive data.

The processing of sensitive data is only permitted if such processing is necessary for the purposes of compliance with our obligations in the area of labour law, social security or social protection, or if you have given your express consent.

  • Trade union membership
    If the employee wishes, and provides written permission for it, trade union membership fees can be deducted from an employee’s wages and accounted to the employee’s trade union.
  • Health status data
    Data concerning an employee’s health status may be processed if the data was collected from the employee him-/herself, or from elsewhere with the employee’s written consent, and the processing of the data is necessary in order to investigate sick-leave wages or benefits associated with a comparable health condition, or to investigate whether there is a justified reason for absence from work, or if the employee expressly wishes to have his/her capacity to work investigated on the basis of health status-related data

4. Handover and transfer of data

We process your data confidentially, and do not hand it over to third parties, except in the following cases:

  • Internally within our corporate group: data may be processed in the shared records of Barona companies. With the express permission of the employee, we may hand over personal data within Group companies for employment purposes.
  • Public authorities and other parties associated with the fulfilment of employer obligations: personal data saved in the records may be handed over, in a manner permitted and required by legislation currently in force, or with the consent of the data subject, to authorities that have a legally-founded right to obtain data from the records, such as the tax authority or the Social Insurance Institution (KELA) and other parties associated with the management of affairs concerning employment relationships, such as pension- and accident insurance companies, trade unions and occupational health service providers.
  • Mergers and acquisitions: when corporate acquisitions or corporate reorganisations take place, the acquiring party may obtain access to essential data that may effect the transaction.
  • Consent: we may hand over your personal data to third parties if you have given your consent for us to do so. With the express permission of the employee, we may hand over data to companies that are customers of Barona Ltd. for employment purposes.

In processing the data we have collected, we also use subcontractors and service providers (e.g. for technical maintenance or for implementation of campaigns and direct marketing), who only have the right to process your data to the extent required by the contracted services. This means that they may not use your data for their own purposes. We contractually require them to ensure a sufficient level of data protection, as well as the legality of the processing.

The data we collect is in part stored and processed outside the European Economic Area in cases where e.g. our service provider is located, or stores data, outside the European Economic Area. The service provider we use is contractually bound to ensure that a sufficient level of data protection is guaranteed in all processing of your personal data.

 

5. Data security

We have appropriate technical and organisational means of data security in order to safeguard personal data from loss, misuse or other equivalent illegal access. Such means include e.g. the use of firewalls, encryption techniques, and secure areas for IT hardware.

Access to your personal data is also internally restricted through physical and electronic access control, the granting of user licences, and the monitoring of such licences. Your personal data is only processed by employees who have the right to do so within the framework of their work duties.

6. Access to data and exercise of rights

You have the right to check what data we have collected in our records regarding you, and to influence how we use it.

    • Right to revoke consent

If the processing of personal data is based on your consent, you have the right to revoke your consent at any time. However, as regards your employment relationship, the employer has the obligation to retain certain data both while your employment relationship is active and for a definite period of time after the relationship comes to an end. Due to legally-mandated obligations, we are unable to delete this data, even in the event that you wish to revoke your consent.

    • Right of review and correction

You have the right to review, at any time, what data we have collected regarding you, or to receive assurance that there is no  personal data about you in our records. If data pertaining to you is erroneous, inaccurate or insufficient, you may send us a request for correction or addition.

    • Restriction of or opposition to processing

If data pertaining to you is incorrect in some aspect, you have the right to call for a temporary restriction on processing, until we are able to ensure that the data is correct. In certain situations, you also have the right to oppose the processing of your data entirely.

    • Right to prohibit direct marketing

Additionally, you may prohibit direct marketing at any time (including profiling for direct marketing purposes).

    • Right to be forgotten

In certain situations, you have the right to be forgotten. We will delete all data that we have collected regarding you if the personal data is no longer needed for the purposes for which it was originally collected. We will also delete the data if the processing of personal data was based on consent and you revoke your consent, or if you are opposed to the processing of your personal data, unless there are other grounds for the processing. However, with respect to data related to the employment relationship, the employer is bound by the same obligations as in the section ”Right to revoke consent”.

    • Right to transfer data from one system to another

You may request a transfer of your personal data, in which case we will deliver your personal data to you in machine-readable form, so that you may keep it yourself or transfer it to another data controller (e.g. to another service provider). If it is technically feasible, we will also transfer your data directly to another data controller upon your request. This is possible only in situations where we process your personal data on the basis of your consent or an contract, and it only applies to data that you yourself have submitted to us.

    • Right of appeal

In addition to the above rights, you have the right to file an appeal to a supervisory authority regarding the processing of your personal data.If you have questions related to your rights mentioned above, or if you wish to review your data, please contact us at privacy@barona.fi.

 

7. Retention of data

We retain your personal data for as long as is required for the purposes of processing, as long as the law requires us to do so, or after this, at the longest, until we receive a deletion request.

We retain your data only for as long as is needed to fulfil the purposes specified in Section 1, always within the bounds set by the laws currently in force. All data related to your employment relationship will be retained in our records for the period of time required by law.

Retention times for Finland:

  • Employment contracts and other documents related to
    employment relationship and management thereof     time of employment + 10 yrs.
  • Tax cards     until the accounts for the year in     question have been closed
  • Sick leave certificates     2 yrs.
  • Constraining orders     10 yrs.
  • The Social Insurance Institution (KELA)applications and -decisions     6 yrs.
  • Accident reports, applications and decisions     20 yrs.
  • Agreements on parental leave, child-care leave, and partial child-care leave     10 yrs.
  • Study leave agreements     10 yrs.
  • Other employment relationship-related agreements     10 yrs.
  • Memorandums and agreements related to Co-determination     permanent
  • Work certificates     10 yrs.
  • Material related to wages     10 yrs.
  • Material related to annual leave, paid leave, and compensations for leave     10 yrs.
  • Transportation and service invoices     10 yrs.
  • Payroll card     50 yrs.
  • Annual declaration to the tax authorities     6 yrs.
  • List of employees, as per the Employees Pensions Act     6 yrs.
  • Wage declaration for the Unemployment Insurance Fund     6 yrs.
  • Wage declaration for accident insurance     6 yrs.

After this, the data will be either removed from the view of users, and, following a cautionary period, it will finally be deleted from our backup copies and from the system’s background data as well, or will be made unidentifiable, via being irreversibly modified into a form from which the individual person is no longer recognisable.

8. Use of cookies

We may collect information related to your computer by using cookies and other comparable techniques. Cookie is a small text file sent and stored in the user’s computer, which allows the administrator of the web page to identify users that visit the page frequently, simplifies user’s log in to the page and enables to create combination data on the users. Through this feedback we are able to continuously improve our site’s content. Cookies do not harm users’ computers or files. We use cookies in a way that allows us to provide our customers with information and services based on to individual needs. You have the right to prevent cookies to be used, but this may affect the functionality of our services. You may clear cookies from your browser from your computer’s settings.

9. Changes to the data protection privacy statement

We are continually developing our data protection practices, and for this reason, we may change this data protection privacy statement from time to time. The changes may also be based on a change in legislation. We recommend that, from time to time, you revisit this page containing the data protection privacy statement in order to keep informed of any changes. If needed, we may also notify you of changes directly.

 

10. Data controller and contact information

Barona Oy is the data controller for your personal data. If you have any questions or comments, contact us:

Barona Oy

Business ID         2808477-9

Address              Töölänlahdenkatu 3 B, 00100 Helsinki, Finland

E-mail     privacy@barona.fi

Telephone           +35820 198 3460

Contact