Privacy policy
INTRODUCTION
This document describes the steps KilpiTek has taken to comply with the General Data Protection Regulation (GDPR), which has been in force since 25 May 2018. This version of the statement is dated 13 December 2023.
Many of the GDPR’s main concepts and principles are much the same as those already in the current Data Protection Act (DPA), so most of the existing compliance measures remain valid under the GDPR. The main changes are making company procedures visible and systematically documented, and meeting the GDPR’s new transparency and individuals’ rights provisions.
The GDPR places greater emphasis on internal documentation to demonstrate accountability. Compliance with each of the areas listed in this document requires the company to review its approach to governance and to manage data protection as a corporate issue. One aspect of this is reviewing the contracts and other arrangements in place when sharing data with other organizations.
KilpiTek’s personal data processing requires a legal basis. Personal data is processed lawfully, fairly and in a transparent manner. Only the data necessary for the purpose of the processing is collected. Data is kept up to date when required and is stored in a form which permits identification of data subjects for no longer than is necessary for those purposes.
1. AWARENESS
KilpiTek takes the GDPR seriously and ensures that decision makers and key people in our organization are aware of it. Key persons and stakeholders are aware of its impact and continuously identify areas that could cause compliance problems under the GDPR. Implementing the GDPR involves people from administration, information management, HR, recruiting, sales and accounting.
KilpiTek’s GDPR statement is available on the company’s public web page.
2. INFORMATION YOU HOLD
KilpiTek keeps track of all the personal data we hold, where it came from and who it is shared with. KilpiTek maintains records of its data processing activities and of data accuracy.
3. COMMUNICATING PRIVACY INFORMATION
KilpiTek has reviewed the current company privacy notice against the GDPR. When collecting any personal information, KilpiTek explains how we intend to use that information. This is done through the privacy notice. In the privacy notice we also explain the lawful basis for processing the data, the data retention periods, and that individuals have the right to complain to the Data Protection Ombudsman if they think there is a problem with the way we are handling their data. The Data Protection Ombudsman’s code of practice on privacy notices reflects the requirements of the GDPR and the EU Data Act.
4. INDIVIDUALS’ RIGHTS
KilpiTek’s procedures cover all the rights individuals have under the GDPR, including the steps by which personal data is deleted and by which data is provided to the individual.
The GDPR includes the following rights for individuals:
the right to be informed about how stored data is used
the right of access, to verify one’s own personal data
the right to rectification, to ask for data to be corrected
the right to erasure, to have one’s own data removed
the right to restrict processing, or any other use of the given data
the right to data portability, where applicable
the right to object, where applicable
the right not to be subject to automated decision-making, including profiling, where applicable
KilpiTek stores personal data subject to the GDPR only in the recruiting candidate and company employee registers. Consequently, these rights relate either to data stored during the recruiting process or to employee data held during employment.
KilpiTek employees follow the data protection policy. KilpiTek also ensures that partners and subcontractors process personal data under the same privacy principles.
5. SUBJECT ACCESS REQUESTS
KilpiTek will respond within 30 days of receiving a subject access request (SAR). A SAR must be delivered to KilpiTek in written form and is processed without charge. KilpiTek is prepared to answer individual SARs on the following details:
what personal data is being processed
the purposes for which the personal data is being processed
who, if anyone, the personal data is disclosed to
the extent to which the personal data is used for making automated decisions relating to the data subject and, if so, what logic is used for that purpose
The answer to a SAR is delivered in written form. It can be sent to a verified email address, collected from the KilpiTek Tampere office, or sent by conventional mail.
6. LAWFUL BASIS FOR PROCESSING PERSONAL DATA
KilpiTek has a lawful basis for each data processing activity, as required by the GDPR. KilpiTek has two main repositories containing personal data:
Employee Registers
The employee registers contain basic information about the people working for KilpiTek. The data collected is used for contacting the workforce, keeping track of work history, counting the work hours done and, through bank details, paying salaries. Processing employee data is based on the controller’s legal obligation and on the employment contract.
Recruitment Register
The recruitment register contains potential applicants for new job opportunities. The collected information, including personal details, contact information, skills and CVs with details of earlier job experience, is used for staffing and matching with open vacancies. Persons stored in the recruitment register have given their consent (chapter 7) to the storing of this information according to the KilpiTek Privacy Notice (chapter 3).
KilpiTek reviews the types of processing activities annually to confirm the lawful basis for each and to comply with the GDPR’s accountability requirements.
7. CONSENT
KilpiTek seeks, records and manages a person’s consent for storing their data in the Recruitment register. No data is stored in any register without consent. In practice, when a person submits an open application and enters their recruiting information, they must read and agree to the KilpiTek Privacy Notice. If information is received directly and stored manually in the register, consent is likewise requested from the person.
Consent to process recruitment data is freely given, specific to the recruitment purpose, informed and unambiguous. The consent option in electronic forms is a positive opt-in, i.e. consent is not inferred from silence, pre-ticked boxes or user inactivity. Given consent can also be verified through a SAR (chapter 5).
Consent to record and process personal data in the Employee Register is received in written form when a new employment contract is signed.
8. USE OF COOKIES
The website uses cookies. Consent for the use of cookies is requested on first arrival at the KilpiTek website. Consent is requested again after 30 days or if the browser’s cookies are cleared.
9. WEBSITE USER TRACKING
We use Squarespace’s tracking services to follow what users do on the website and to combine this behavioural data. Squarespace uses ETag tracking to link the same user’s behaviour across several sessions. Note that ETag tracking relies on the browser cache rather than on cookies, so clearing cookies alone does not reset it; clearing the browser cache does. Please see the Squarespace Privacy Policy and the Squarespace Cookie Policy for more information on what is tracked and what your rights are. In GDPR terms, Squarespace acts as the Processor and we act as the Controller for this data.
10. CHILDREN
The GDPR sets the age at which a child can give their own consent to this kind of processing at 16 (member states may lower it to 13). KilpiTek does not offer any online services to children and does not process personal data of children under 16.
11. DATA BREACHES
KilpiTek carefully monitors access rights, access statistics and anomalies on our data servers. We are prepared to detect, report and investigate a personal data breach. Under the GDPR, a personal data breach must be notified to the Data Protection Ombudsman (and possibly other bodies) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; affected individuals must also be informed when the risk is high. Since KilpiTek does not process data that would pose such a risk to individuals – such as discrimination, damage to reputation, major financial loss, loss of confidentiality or any other significant economic or social disadvantage – the data we process can be treated as low-risk information.
12. DATA PROTECTION BY DESIGN AND DATA PROTECTION IMPACT ASSESSMENTS
Even though the data we process can be treated as low-risk information, KilpiTek follows good design practices, adopts a privacy-by-design approach and carries out a Privacy Impact Assessment (PIA) as part of GDPR compliance. Only information that is really required is collected, and the security and privacy measures needed for proper data usage are implemented.
13. DATA PROTECTION OFFICERS
KilpiTek is not required to appoint an official Data Protection Officer (DPO) under the GDPR. However, KilpiTek’s CPO also carries responsibility for data protection compliance, and has the knowledge, support and authority required to carry out that role effectively.
14. INTERNATIONAL
KilpiTek operates inside the EU, in Finland. KilpiTek also has a presence in the USA, but information collected inside the EU is not processed or transferred outside the EU. KilpiTek’s lead data protection supervisory authority (LDPSA) is the Office of the Data Protection Ombudsman in Finland. KilpiTek’s central administration and the LDPSA make the most significant decisions related to the GDPR.