FI | EN

Privacy Statement

The Privacy Statement was last updated on 17 September 2021.

1. Data controller

Betolar Oy (Business ID 2800638-3) 
Mannilantie 9
43300 Kannonkoski, Finland
Email: contact@betolar.com

2. Contact person in register-related matters

Contact person in matters concerning the Customer and stakeholder register: Riikka Ylitalo, riikka.ylitalo@betolar.com, +358 40 828 2632.

Contact person in matters concerning the Recruitment register: Tarja Niemelin, tarja.niemelin@betolar.com, +358 40 687 7809.

4. Purpose and legal basis of the processing

Customer and stakeholder register

The register is used to process the information of Betolar’s customers, potential customers and other stakeholders, such as the contact persons of the service providers. Personal data is processed for purposes related to the maintenance and management of customer relationships, development of business operations, provision of services and products, sales, deliveries, development and invoicing. Personal data is also processed when handling possible reclamations and other requirements.

In addition, personal data is processed to implement communications, send event invitations, conduct opinion polls and marketing surveys and for marketing purposes. 

The legal bases for the processing of personal data consist of the performance of a contract and legitimate interest to practice and develop business operations as well as to market services. The legal basis for the processing in terms of electronic direct marketing is the data subject’s consent.

Recruitment register

The recruitment register is used to process the personal data of Betolar’s internal and external job applicants. The purpose of the processing of personal data is the reception and processing of job applications as well as the management of the recruitment process. We process the candidates’ data related to the job application process in order to enable the required contacts and make the required decisions when fulfilling the positions.  The personal data included in the Recruitment register can also be processed in order to prove the equal treatment of job applicants as well as to prepare for and respond to legal claims.

The basis for the processing of personal data is the controller’s legitimate interest to process personal data for recruitment purposes, demonstrate statutory obligations as well as to prepare for and respond to legal claims. In certain cases, the processing of personal data is necessary to implement measures preceding the signing of the employment contract between Betolar and the job applicant and to perform the employment contract.

The basis for the processing is consent if the job applicant’s personal data is collected from referees appointed by the job applicant or the personal data is processed during an aptitude assessment. The basis for the processing of personal data obtained through open applications is also the data subject’s consent. If personal data is processed in a specific recruitment process, the bases for the processing are those mentioned above.

5. Data content of the registers

Information processed in the Customer and stakeholder register is:

  • name and position of the person
  • company/organisation and its website address
  • contact information (telephone number, email address, address)
  • information related to the customer or partner relationship, such as information concerning the ordered services and information included in the contract
  • invoicing and payment information
  • communications information, such as correspondence with the contact person; 
  • information related to the event invitations
  • information related to market researches, such as the respondents of the market research and provided answers

The personal data of the customers’ contact persons and data related to the customer relationship are mainly retained for the duration of the customer relationship and two (2) years after the termination of the customer relationship and related liabilities, unless there is a legal basis for a longer retention period. The data related to invoicing is processed as part of the accounting material for the duration specified in the Accounting Act, which is six (6) years after the end of the calendar year during which the financial year ended.

The personal data of potential customers’ contact persons is mainly retained for a maximum of two (2) years from the time of its collection, after which it will be erased.

Information related to market researches is retained for a maximum of two (2) years after the implementation of the research. Information related to event invitations is retained for a maximum of two (2) years after the event day.

Personal data processed in the Recruitment register is:

  • name, date of birth, social security number, address, telephone number and email;
  • education, work experience and other skills
  • information provided by the job applicant related to their person, background and aptitude, such as education, language skills, photo, the applicant’s own description of their skills and aptitude for the position, desired salary, different certificates and assessments, information about a work permit, possible references to online portfolios and profiles or other sources
  • recommendation letters or names, position and contact information of the referees provided by the job applicant on the job applicant’s own initiative
  • voluntary information provided by the job applicant on the job applicant’s own initiative, such as family relations, hobbies and positions of trust
  • information concerning the progress of the recruitment process and summaries of the job applicant written by persons who participated in the process and a summary of the statements of the referees appointed by the job applicant
  • possible other information which the job applicant has voluntarily provided in connection with the recruitment process or otherwise expressly published for professional purposes, such as a LinkedIn profile and the results of possible person and aptitude assessments.
  • The basic information and application-related information of the selected candidate are transferred to Betolar’s Personnel register

The personal data processed during the recruitment process of the hired candidates are retained throughout the employment relationship and two (2) years after the termination of the employment relationship. The personal data of candidates who were not selected is retained for a maximum of two (2) years after the end of the recruitment process or until it is no longer needed due to the period for filing suit and period of limitation laid down in the legislation. Open applications are retained for two (2) years after their reception or until the person withdraws their consent, for example, by requesting the erasure of their data from Betolar’s Recruitment register. After the request, the data is erased, unless there are other grounds for their retention.

6. Standard sources of data

The data stored in the Customer and stakeholder register is collected from the data subjects themselves, for example, with messages sent through online forms and via email, telephone and social media, from contracts, customer meetings and other events in which the customer provides their information.

The data stored in the Recruitment register is mainly collected from the job applicants themselves. Data can also be collected, with the job applicant’s consent, from possible referees and service providers conducting aptitude assessments or recruitment consultants.

7. Recipients of personal data and transferring personal data outside the EU/EEA area

The personal data in the Customer and stakeholder register are not disclosed to external parties, unless otherwise required by the statutory legislation.  The personal data in the Recruitment register is not regularly disclosed to external parties, unless the disclosure is specifically requested and the data subject has provided their consent to the disclosure, for example, for the aptitude assessment.

Betolar may disclose personal data included in the Recruitment register:

  • to parties which have statutory or agreement-based right to receive data from the register, such as the TE Offices
  • to respond to a request from the authorities
  • in connection with corporate reorganisations
  • with the data subject’s consent to parties whom the consent concerns, for example, to referees

Betolar processes personal data mainly by itself, but utilises also service providers acting on behalf of it when processing data. Such service providers are, for example, IT service providers who take care of the technical maintenance of systems and servers and headhunting companies which may assist Betolar in the recruitment processes.

Betolar has ensured data protection with the service providers, for example, by concluding personal data processing agreements with them.

As a rule, personal data is not disclosed outside the EU/EEA area. However, the IT administration systems used by Betolar may enable service providers access to the data outside the EU/EEA area, for example, for the provision of technical support. If personal data is processed outside the EU/EEA area, Betolar ensures that the service provider has been committed to the standard clauses approved by the European Commission or other appropriate safeguards specified in the General Data Protection Regulation.

8. Principles of protecting the personal data

Personal data is processed confidentially and the processors are bound by the obligation of secrecy. Only the employees who have the right to process personal data due to their work duties have the right to process personal data. The data is stored in systems protected by firewalls, passwords and other technical and organisational means. Betolar is using security measures to protect itself against viruses and malware. The security measures are updated regularly. Each user has their own user name and password to the system, based on which the logging in can be verified. The databases and their backups are located in locked facilities and only the appointed individuals can access the data.

9. Rights of the data subject 

The data subject has the right to access the data concerning them stored in the Customer and stakeholder register and the Recruitment register and request the rectification of incorrect or incomplete data or the erasure of their personal data if there are statutory grounds for this. If the processing of the personal data has been based on consent, the data subject has the right to withdraw their consent. 

Betolar may, on its own initiative or upon the data subject’s request, supplement, correct or erase incomplete, incorrect or outdated personal data. 

In terms of data delivered to the register by the data subject, which are processed on the basis of consent or an agreement, the data subject has the right to receive such data in a machine readable-format and the right to transfer this data to another controller.

In a particular situation of the individual, the data subject has the right to object to the processing of their personal data when the basis for the processing is the controller’s legitimate interest or the processing is required to perform a task concerning general interest. Objection should be based on grounds relating to the particular situation of the individual, and these grounds should be cited in the request to exercise the right to object. The controller may only refuse to implement this request if there are legal grounds to do so.

The data subjects have the right to request the restriction of the processing of their personal data and to lodge a complaint about the processing of their data with a supervisory authority. The supervisory authority in Finland is the Office of the Data Protection Ombudsman (tietosuoja(at)om.fi).

10. Automated decision-making and profiling

The data subjects have the right not to be subject to decision-making which is solely based on automated processing, such as profiling, which has legal effects on the data subject or has an equivalent significant effect on the data subject. 

The personal data included in Betolar’s Customer and stakeholder register and Recruitment register are not subject to automated decision-making nor used for profiling.

11. Contact information

Inquiries concerning the processing of personal data described in this Privacy Statement and requests can be submitted to the contact persons mentioned at the beginning of this Privacy Statement. We kindly ask you to contact us in writing or by visiting in person. Betolar may ask the requester to verify their identity, if necessary. Betolar will reply to the data subject within the deadline defined in the EU’s General Data Protection Regulation (as a rule, within one (1) month).

12. Amendments to the Privacy Statement

Betolar may update this Privacy Statement due to the changes in its business operations or the legislation. The date of the latest amendment is stated at the beginning of the Privacy Statement.