1.1 Description of processing
Processing of personal data of persons working at VTT.
1.2 Controller, Data Protection Officer and contact person
Name: VTT Technical Research Centre of Finland Ltd (“VTT”), business ID: 2647375-4
Address: Tekniikantie 21, FI-02150 Espoo
Data Protection Officer
Name: Seppo Viinikainen
Address: VTT Technical Research Centre of Finland Ltd, Koivurannantie 1, FI-40400 Jyväskylä
Email: email@example.com (Information Security Manager, Data Protection Officer and Legal Counsel) or
firstname.lastname@example.org (Data Protection Officer)
2 Categories of the personal data
VTT may process the following personal data directly needed for employment relationships or service relationships without employment to VTT that are related to handling the rights and obligations of parties to the service or employment relationship or to the benefits offered to employees by the controller:
Basic data, such as
- First and last names
- Date of birth and personal identity code
- Home address and other contacts details
- Bank details
- Contact details of immediate family (for emergencies)
- Basis for right to work
Basic data on employment or service relationship, such as
- Data on commencement, management and termination of employment or service relationship, and certificates of employment
- Content and title of job
- Data on taxes and employer contributions
- Employee insurance and accident data
- Travel claims and kilometric allowances
- Salary data
- Benefit data
- Remuneration data
- Work history data
Data on job performance, job development and working time monitoring, such as:
- Qualification data, skills assessment and training data
- Data on assessments and aptitude tests
- Data on goals and development discussions
- Posting data
- Data on secondary activities, positions of trust, and memberships paid by the employer
- Absences, annual holidays, parental leaves and childcare leaves, and any other agreed absences (e.g. study leave and sabbatical, job alternation leave, seminars and conferences)
- Medical certificates or statements, or other data on the state of health or work ability of the employee, insofar as legislation permits the processing of such data
- Data on the results of drug tests required for some tasks
- Any disciplinary action and related documentation
- Data on work email usage and other communications
Data on tools and work environment, such as:
- Access rights and user IDs and passwords to employer's electronic systems and filing systems
- Identification data of the tools assigned to the person, such as computers and mobile terminals as well as access cards with photo, keys or the like
- Data on the workspace assigned to the person
- Data on work environment safety that may affect work ability (including exposure).
In addition, modification and processing data for all the data types listed above may be processed.
3 Purposes of personal data processing
Personal data is processed for purposes of handling matters related to the employment or service relationships of the controller's personnel, such as the definition of the content and terms and conditions of employment or service relationships, handling of payroll and providing other benefits, and organisation of obligations of the controller, such as occupational health care, monitoring of working hours, holidays, absences and performance of work duties, as well as measures related to termination of employment or service relationships.
In addition, personal data is processed for performance evaluation and training, employee analysis as well as other general personnel development, protecting the controller and its customers' property, caring for security and occupational safety, a variety of reporting, comparison and statistical needs, as well as daily supervisory measures. VTT has an obligation to ensure that a foreign person has the right to work in Finland. VTT must also retain data on foreign employees and the basis for rights to work.
4 Legal basis for processing
Personal data is being processed on the basis of one or more of the following:
The legal basis for processing personal data is a statutory obligation under the GDPR when processing is necessary to comply with the statutory obligations of the controller. This is the case, for example, when the controller processes personal data for the provision of the statutory obligations of the employer, such as occupational health care and social security contributions.
The processing of personal data is based on the execution of an employment or service contract, or on the implementation of pre-employment measures at the request of the data subject.
The legal basis for processing is a legitimate interest under the GDPR, especially when it comes to personal data relating to work equipment and the work environment. The purpose of processing is, in particular, to protect the assets of VTT and its customers and to ensure safety.
Processing may also be based on the consent of the data subject to the extent required by law, such as opening or retrieving the employee's email, or potential monitoring systems. The data subject always has the right to withdraw his/her consent. Exercise of the right does not affect the lawfulness of the processing carried out prior to the withdrawal of consent.
5 Regular sources of information
As a rule, personal data are obtained from the employee him/herself, his/her supervisor and internal sources of VTT.
With the consent of the data subject, the controller can also collect personal data from other sources, unless it is personal credit data or criminal records data for the purpose of determining the employee's reliability, where consent is not required.
6 Recipients or categories of recipients of the personal data
VTT discloses personal data to third parties for a justified reason, when it is necessary because of technical requirements of a system or service delivered by the third party for the purpose of processing, and/or disclosure is required by applicable legislation. VTT discloses data to competent authorities to fulfil its statutory obligations.
The data is disclosed under appropriate contractual arrangements in accordance with the requirements of the GDPR and applicable legislation.
Personal data processing has been outsourced to the following service providers and their subcontractors, who process personal data on behalf of the controller:
- HR and payroll IT system providers, including but not limited to Oracle eBS (HR) and PersonecF
- access control IT system providers, including but not limited to Timecon
- storage space service providers
- external training, aptitude tests and coaching service providers
- well-being at work and other personnel benefit providers ePassi
7 Transfer of personal data outside the EU or the EEA
Personal data may be transferred outside the EU and the EEA if it is necessary for the technical implementation of the processing of personal data, in which case the requirements of the GDPR for data transfer are respected. The controller may, inter alia, use the current standard contractual clauses for international data transfers approved by the competent authorities.
8 Existence of automated decision-making, including profiling
The personal data mentioned in section 2 above are not subject to automated decision making.
9 The period for which personal data is stored or criteria used to determine the period
Personal data is being stored as long as is necessary for the purposes of personal data processing or for compliance with the statutory obligations of the controller. Thereafter, the data is destroyed or anonymised unless there is a legal basis for continued processing of the data. Retention periods take into account, for example, the limitation of action based on legislation and obligations of the employer.
10 Principles of protection of the register
The personal data is entered and processed in VTT's electronic HR information systems. In addition, employment contracts are stored in paper form at VTT's HR department. The personal data is stored in a technically secure location. Physical access to the data is limited by access rights and security measures. In addition, access to the data is limited, for example, by firewalls and technical security measures. Access to the personal data is limited to certain designated persons who are committed to confidentiality.
11 Rights of the data subject
The data subject has the following rights, which may be exempted from in accordance with the GDPR and applicable legislation. The data subject may exercise these rights by contacting the controller, preferably in writing and by e-mail using the contact details in section 2.
Right of access
The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him/her are being processed, and access to his/her personal data and information concerning the processing of his/her personal data.
Right to rectification
The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate and incorrect personal data concerning him/her, and the completion of incomplete personal data.
Right to erasure
The data subject may request the controller to delete the personal data concerning him/her, if (i) the personal data is no longer necessary for the purposes for which they were collected or otherwise processed; (ii) the data subject withdraws consent on which the processing is based and there is no other legal basis for the processing; (iii) the personal data have been unlawfully processed; (iv) the personal data have to be erased for compliance with a statutory obligation applicable to the controller; or (v) the data subject objects to the processing based on the controller’s legitimate interest.
Right to restriction of processing
The data subject has the right to obtain from the controller restriction of processing where one of the following applies: (i) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; (ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (iii) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; (iv) the data subject has objected to processing.
Right to data portability
If the data subject him/herself has provided his/her personal data to the controller, the data subject has the right to receive such personal data and the right to transfer the data to another controller if:
- the processing is carried out by automated means; and
- the processing is based either on the data subject's consent or the processing of the personal data concerning the data subject is necessary for the execution of a contract, for example a contract of employment, or for the implementation of pre-contractual measures at the request of the data subject.
The data subject is not entitled to transfer data from one system to another if the personal data concerned is processed on the basis of a legitimate interest or a statutory obligation of the controller.
Right to object
The data subject has the right to object, on grounds relating to his/her particular situation, to processing of personal data concerning him/her which is based on the legitimate interest of the controller.
Right to lodge a complaint with a supervisory authority
The data subject has the right to lodge a complaint with a supervisory authority if he/she considers that the processing of personal data breaches his/her rights pursuant to applicable law. Office of the Data Protection Ombudsman, Ratapihantie 9, 00520 Helsinki, email@example.com