The Privacy Statement was last updated on 26th October 2022.
Betolar Oy (Business ID 2800638-3)
43300 Kannonkoski, Finland
Contact person in matters concerning the Customer and stakeholder register: Riikka Ylitalo, email@example.com, +358 40 828 2632.
Contact person in matters concerning the Recruitment register: Tarja Niemelin, firstname.lastname@example.org, +358 40 687 7809.
Customer and stakeholder register
The register is used to process the information of Betolar’s customers, potential customers and other stakeholders, such as the contact persons of the service providers. Personal data is processed for purposes related to the maintenance and management of customer relationships, development of business operations, provision of services and products, sales, deliveries, development, invoicing as well as utilizing external service providers (such as consultants). Personal data is also processed when handling possible reclamations and other requirements.
In addition, personal data is processed to implement communications, send event invitations, conduct opinion polls and marketing surveys and for marketing purposes.
To the extent the data subjects use Betolar’s internal systems, personal data may also be collected on the use of the internal tools and systems and it may be used to develop the business operation by analyzing the data. Generally any analytics data is always as aggregated as possible and an unique user cannot be identified therein.
The recruitment register is used to process the personal data of Betolar’s internal and external job applicants. The purpose of the processing of personal data is the reception and processing of job applications as well as the management of the recruitment process. We process the candidates’ data related to the job application process in order to enable the required contacts and make the required decisions when fulfilling the positions. The personal data included in the Recruitment register can also be processed in order to prove the equal treatment of job applicants as well as to prepare for and respond to legal claims.
The basis for the processing of personal data is the controller’s legitimate interest to process personal data for recruitment purposes, demonstrate statutory obligations as well as to prepare for and respond to legal claims. In certain cases, the processing of personal data is necessary to implement measures preceding the signing of the employment contract between Betolar and the job applicant and to perform the employment contract.
The basis for the processing is consent if the job applicant’s personal data is collected from referees appointed by the job applicant or the personal data is processed during an aptitude assessment. The basis for the processing of personal data obtained through open applications is also the data subject’s consent. If personal data is processed in a specific recruitment process, the bases for the processing are those mentioned above.
Information processed in the Customer and stakeholder register is:
The personal data of the customers’, cooperation partners’ and service providers’ contact persons and data related to the business relationship are mainly retained for the duration of the customer relationship and two (2) years after the termination of the business relationship and related liabilities, unless there is a legal basis for a longer retention period. The data related to invoicing is processed as part of the accounting material for the duration specified in the Accounting Act, which is six (6) years after the end of the calendar year during which the financial year ended. Notwithstanding the above, the data collected concerning the use of internal tools shall be retained in identifiable format for 2 years whereafter it shall be anonymized. After the data has been anonymized, a unique user can not be identified in the data.
The personal data of potential customers’ contact persons is mainly retained for a maximum of two (2) years from the time of its collection, after which it will be erased.
Information related to market researches is retained for a maximum of two (2) years after the implementation of the research. Information related to event invitations is retained for a maximum of two (2) years after the event day.
The personal data processed during the recruitment process of the hired candidates are retained throughout the employment relationship and two (2) years after the termination of the employment relationship. The personal data of candidates who were not selected is retained for a maximum of two (2) years after the end of the recruitment process or until it is no longer needed due to the period for filing suit and period of limitation laid down in the legislation. Open applications are retained for two (2) years after their reception or until the person withdraws their consent, for example, by requesting the erasure of their data from Betolar’s Recruitment register. After the request, the data is erased, unless there are other grounds for their retention.
The data stored in the Customer and stakeholder register is collected from the data subjects themselves, for example, with messages sent through online forms and via email, cookies and similar techniques, telephone and social media, from contracts, customer meetings and other events in which the customer provides their information. In certain situations, personal data may be collected from a service provider acting as an employer of the data subject.
The data stored in the Recruitment register is mainly collected from the job applicants themselves. Data can also be collected, with the job applicant’s consent, from possible referees and service providers conducting aptitude assessments or recruitment consultants.
The personal data in the Customer and stakeholder register are not disclosed to external parties, unless otherwise required by the statutory legislation. Betolar does however utilize sub-processors for processing personal data in the Customer and stakeholder register as further defined here below. The personal data in the Recruitment register is not regularly disclosed to external parties, unless the disclosure is specifically requested and the data subject has provided their consent to the disclosure, for example, for the aptitude assessment.
Betolar processes personal data mainly by itself, but utilises also service providers acting on behalf of it when processing data. Such service providers are, for example, IT service providers who take care of the technical maintenance of systems and servers, service providers providing analytics tools concerning our services, and headhunting companies which may assist Betolar in the recruitment processes.
Betolar has ensured data protection with the service providers, for example, by concluding personal data processing agreements with them.
As a rule, personal data is not disclosed outside the EU/EEA area. However, the IT administration systems used by Betolar may enable service providers access to the data outside the EU/EEA area, for example, for the provision of technical support. If personal data is processed outside the EU/EEA area, Betolar ensures that the service provider has been committed to the standard clauses approved by the European Commission or other appropriate safeguards specified in the General Data Protection Regulation.
Personal data is processed confidentially and the processors are bound by the obligation of secrecy. Only the employees who have the right to process personal data due to their work duties have the right to process personal data. The data is stored in systems protected by firewalls, passwords and other technical and organisational means. Betolar is using security measures to protect itself against viruses and malware. The security measures are updated regularly. Each user has their own user name and password to the system, based on which the logging in can be verified. The databases and their backups are located in locked facilities and only the appointed individuals can access the data.
The data subject has the right to access the data concerning them stored in the Customer and stakeholder register and the Recruitment register and request the rectification of incorrect or incomplete data or the erasure of their personal data if there are statutory grounds for this. If the processing of the personal data has been based on consent, the data subject has the right to withdraw their consent.
Betolar may, on its own initiative or upon the data subject’s request, supplement, correct or erase incomplete, incorrect or outdated personal data.
In terms of data delivered to the register by the data subject, which are processed on the basis of consent or an agreement, the data subject has the right to receive such data in a machine readable-format and the right to transfer this data to another controller.
In a particular situation of the individual, the data subject has the right to object to the processing of their personal data when the basis for the processing is the controller’s legitimate interest or the processing is required to perform a task concerning general interest. Objection should be based on grounds relating to the particular situation of the individual, and these grounds should be cited in the request to exercise the right to object. The controller may only refuse to implement this request if there are legal grounds to do so.
The data subjects have the right to request the restriction of the processing of their personal data and to lodge a complaint about the processing of their data with a supervisory authority. The supervisory authority in Finland is the Office of the Data Protection Ombudsman (tietosuoja(at)om.fi).
The data subjects have the right not to be subject to decision-making which is solely based on automated processing, such as profiling, which has legal effects on the data subject or has an equivalent significant effect on the data subject.
The personal data included in Betolar’s Customer and stakeholder register and Recruitment register are not subject to automated decision-making nor used for profiling.
Inquiries concerning the processing of personal data described in this Privacy Statement and requests can be submitted to the contact persons mentioned at the beginning of this Privacy Statement. We kindly ask you to contact us in writing or by visiting in person. Betolar may ask the requester to verify their identity, if necessary. Betolar will reply to the data subject within the deadline defined in the EU’s General Data Protection Regulation (as a rule, within one (1) month).
Betolar may update this Privacy Statement due to the changes in its business operations or the legislation. The date of the latest amendment is stated at the beginning of the Privacy Statement.