Privacy policy

 

Introduction

To us at Saranen, the protection of your privacy is important. When working with us, you can trust that we process your personal data in a careful and transparent manner, respecting your right to privacy. In processing your personal data, we abide by the General Data Protection Regulation and other data protection legislation, and we always follow the best privacy practices.

Saranen, part of the Bravedo Group, uses this Privacy Notice to describe how we collect, process and protect the personal data of our customers in all of our businesses.

 

Why and what personal data do we process?

We collect and process personal data only for the following, specifically determined purposes. The purpose of the data processing is to provide employment and training services, manage invoicing, customer service and communication, develop the services and business and carry out marketing. Below you can see a list of the types of personal data we process for each purpose.

Part of the processed personal data may be categorized as special categories of personal data. Special categories of personal data cover sensitive information, such as ethnic origin, health-related data or trade union membership. We may process sensitive data, if the data subject provides us such data in recruitment, coaching or guidance discussions. Sensitive data is not transferred to third parties without your consent.

The register may include the following information necessary for the register’s purpose:

• Basic information: first and last name, date of birth, gender, social security number
• Contact information: address, phone number, email address
• Background information relevant to the employment, training or coaching program, such as:
  • Previous employment relationships and positions, education (basic education, advanced education, field of study), know-how, language skills and information on driver’s license and possibility to use a car
  • Application and CV, information regarding the pursued role, work preferences, additional information relevant to recruitment (hobbies, responsible positions etc.), references and their statements, working municipality, information regarding starting and ending dates, salary expectation
  • Interview and coaching notes, picture, video interview answers, other additional information provided by the job seeker, other relevant information regarding the pursued role
  • Data required for managing the process, such as communication between the parties, information on meetings, information on the service (e.g., to which of the controller’s customers has the candidate introduction been sent to), information on participation and given feedback
  • Data on the participant’s average salary may be processed if it is necessary for invoicing in change security services
• Register and browser data: registration data (username and password and other similar data), IP address, operating system, browser version, device model and website from which the user entered the Saranen website

 

What legal basis is the processing of personal data based on?

Data protection legislation requires that processing of personal data is based the legal bases included in the GDPR. We process your personal data based on the following legal basis:

Contract: Managing and fulfilling contractual obligations may require processing personal data. We process the contact information of customer company representatives based on a contract made between the parties to take care of invoicing or communications related to the business relationship.

Legal obligation: We process some personal data based on a legal obligation. For example, personal data processing within the change security service is done based on legal obligation, when the employer is legally obliged to arrange transition security to the employees.

Legitimate interest: When relying upon legitimate interest, we evaluate and consider the significance of the interest according to data protection legislation, ensuring that it does not cause an unreasonable risk or impediment to you. Legitimate interest is used as a legal basis, for example, for processing the personal data of the change security service participants to whom the employer offers transition security voluntarily. Also, legitimate interest is relied on when personal data is processed in the context of developing the services.

Consent: In certain situations, we process your personal data only if you have given explicit consent beforehand. For example, we process your CV only with your consent. Additionally, direct marketing is conducted only, if you have given consent to it.

 

Where do we get the personal data we process?

Personal data is mainly collected directly from the data subject. For example, in employment and training programs personal data is collected from the material provided by the data subject or collected during the service, such as in the recruitment or training discussions. To provide the service, some personal data may be received from third parties, such as the participant’s employer or TE Services. We may also receive personal data from other group companies as described in the section “Transfers of personal data”.

 

To whom is personal data transferred or disclosed to?

We process personal data confidentially, and we never sell, rent, or otherwise needlessly disclose your personal data to external parties.

Transfers of personal data

When the data controller (herein Saranen) gives personal data to a third party for them to use for their own purposes, this situation is considered a data transfer. Saranen may transfer data to the following entities:

• Other Bravedo group companies: contact information of customer company representatives or participant’s personal data may be transferred if it is appropriate for the purpose of processing
  • Personal data of program participants may be transferred, for example, to Barona working ability service in the Bravedo group if participating in a working ability service is needed
• Customer company: in relation to an assignment, personal data is transferred only to the extent necessary for the assignment, for example, when we present you as a candidate to the customer company to find a suitable work or education position
• Customer company: information related to change security services may be transferred to the customer company within in voicing, including whether a person has participated in the service, in which month the service has began, and what additional services the participant has used (such as training or coaching)
• Customer company: the outcome of an assignment may be presented as a statistic
• Employment authorities (TE Services and ELY Centers): in invoicing documents or if required by law
• Authorities: if required by law
• Acquiring company: if Saranen is acquired in a merger or acquisition
  
  

Disclosures of personal data

If a data controller reveals personal data to a third party without the third party processing the personal data according to their own purposes, the situation is considered a personal data disclosure. For example, if a certain business process, such as payroll management, is outsourced, the personal data related to the business operation may be disclosed to the third party. Sub-processors and service providers process personal data only to the extent necessary for the service. They are contractually bound to implementing a sufficient level of data protection and lawfulness of processing in all of their operations.

The collected personal data is partly processed and stored outside the EU/EEA, for example when service providers are located outside the EU. The service providers used have contractually committed to ensuring adequate level of data protection in all processing activities.

 

How do we protect your personal data?

We protect your personal data with appropriate technical and organizational safeguards against loss, unauthorized access, and other misuse. Examples of such measures include the use of firewalls, secure passwords and personal access rights. Possible manual databases are stored in locked and guarded spaces.

Access to your personal data is controlled by internal measures, such as electronic and physical access control, limited access credentials and monitoring policies. Your personal data is processed only by employees who are authorized to do so based on their role.

 

Automated decision-making

Automated decision-making refers to decision made fully automatically, for example based on an algorithm without human intervention. The processing of your personal data at Barona does not include automated decision-making.

 

Retention times

We store your personal data only as long as necessary for the purposes of the data processing, unless a law requires a longer retention time.

After the retention time has ended, your personal data is either written over in the backup copies and system background or made unidentifiable by irrevocably changing the personal data into a form that does not enable identifying an individual person. Manually stored information is deleted in a secure way aligned with our data removal policy. Saranen has appointed responsible persons for taking care of the deletion of personal data.

Below you can see typical retention times for personal data. The retention time is counted from, for example, the creation of the data or the last update made to the data.

• Personal data relating to participation in employment or training services is mainly retained for 2 years
• Personal data included in the recruitment system is retained for 2 years after the profile has been created or after the person has last viewed or edited their profile
• Personal data of participants in projects done with authorities is retained for 10 years after the service has been completed

 

What rights do you have?

Right to be informed

You have the right to be informed about the processing of your personal data in a concise, transparent, intelligible, and accessible from, presented in clear and plain language. The purpose of this privacy notice is to address the right to be informed and help you understand how we process your personal data. If after reading this notice you have further questions, you can contact us as advised in the “Contact information” section

Right to access

You have the right to get confirmation of what personal data we process concerning you. Thereby, you can evaluate and confirm that the data is processed lawfully. Additionally, you have the right to ask and receive a copy of the personal data we process. Instructions for requesting a copy of your data can be found in the next section, “How can you exercise your rights?”.

Right to data portability

In certain situations, you have the right to receive the personal data that you have provided to us in a structured, commonly used and machine-readable format and, if desired, transmit that data to another controller. This right exists when we process your personal data based on consent or contract and the data processing is digital in nature.

Right to rectification

Our goal is to maintain personal data in a current and accurate form and to delete false, insufficient or inaccurate personal data without delay. You have the right to demand the rectification of inaccurate personal data concerning you and completion of insufficient personal data.

Right to restrict processing

The restriction of processing means that, in addition to storage, the personal data subject to the restriction can only be processed

• with your consent,
• for the establishment, exercise or defense of legal claims,
• for the protection of the rights of another natural or legal person, or
• for reasons of important public interest of the Union or a Member State.

The right exists in the following situations:

• The data subject contests the accuracy of the personal data. In such cases, the processing will be restricted for a period enabling the controller to verify the accuracy of the personal data.
• The processing is unlawful, but the data subject opposes the erasure of the personal data and requests the restriction of its use instead.
• The controller no longer needs the personal data for the purposes of the processing, but it is required by the data controller for the establishment, exercise or defence of legal claims.
• The data subject has objected to the processing of the personal data for purposes other than direct marketing and is awaiting verification on whether the legitimate grounds of the controller override those of the data subject.

Right to object to data processing

In certain situations, you have the right to object to data processing by requesting that your data will not be processed at all. If the data is processed for the performance of a task carried out for reasons of public interest, in the exercise of official authority or for the purposes of the compelling legitimate interests pursued by us or a third party, you have the right to object to the processing on grounds relating to your particular situation.

In such cases, the processing must be stopped unless

• the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or
• the processing is necessary for the establishment, exercise or defense of legal claims

If the personal data is processed for direct marketing, you have the right to object to the processing without any specific grounds, after which the data may no longer be processed for purposes of direct marketing.

Right to erasure and to be forgotten

In certain situations, you have the right to be forgotten, or to have your personal data erased entirely. This right exists when, for example, the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed, the processing was based on consent and you withdraw the consent, or the personal data has been processed unlawfully.

Right to withdraw consent

When your personal data is processed based on consent, you have the right to withdraw your consent at any time. If you withdraw your consent, processing of personal data will not be continued unless another legal basis, such as legal obligation, requires continuing the processing of data. You can withdraw your consent, for example, by clicking the “unsubscribe” link at the end of a newsletter email.

Right to file a complaint to a supervisory authority

In addition to the rights mentioned previously, you have a right to file a complaint to a supervisory authority if you believe that our privacy practices do not follow the General Data Protection Regulation. A complaint can be filed, for example, if the rights described in this notice are not implemented appropriately. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman.

 

How can you exercise your rights?

If you have questions regarding the aforementioned rights or you wish to examine your personal data or otherwise exercise your rights, please be in contact with us. The contact information of our data protection officer can be found at the end of this notice.

Exercising your rights is generally free of charge. In certain situations defined by law, for example, if you request multiple copies of your personal data, we may request a fee equivalent to the cost of implementing your request beforehand.

We respond to all requests without undue delay, at the latest one month after the request has been received. We will inform you about the measures we have taken in order to complete your request. If for some reason we have to decline your request, we will inform you about the refusal and reasoning for it in one month after the request has been received.

If there are multiple requests, or they are complex, we may require additional time of up to 2 months for implementing the request. In this case, we will inform you about the need for additional time and reasoning for the delay in one month after receiving the request.
If you want to file a complaint to the supervisory authority, more information can be found on the website of the Office of the Data Protection Ombudsman: https://tietosuoja.fi/en/notification-to-the-data-protection-ombudsman

 

Data controller and contact information

Data controller is the entity, who decides how and why personal data is processed. Saranen decides the purposes and measures for processing its customers’ personal data. Thereby, Saranen is the data controller for the personal data processing.

Contact information of the data controller:
Saranen Consulting Oy
Company ID 2588306-5
Innopoli 1, Tekniikantie 12, 02150 Espoo
Phone number 020 198 3430

Contact person in data protection matters:
Samuel Leivo
tietosuoja@saranen.fi
Phone number 050 414 3304

 

Updates to the privacy notice

We continuously improve our privacy practices, which is why this privacy notice will also be updated occasionally. Updates may be due to changes in legislation. We recommend, that you re-visit this page to be informed about any possible changes. If needed, we may also inform you directly about any changes in our privacy practices.

Previous updates:

May 2018

We published a new privacy notice aligned with the GDPR.

June 2018

We updated the privacy notice regarding data transfers withing the group.

June 2019

We updated the privacy notice regarding sensitive information, privacy training organized for our employees and making a data rectification request.

October 2020

We updated the privacy notice regarding legal basis for data processing, processing of sensitive data, data transfers to third parties, your rights as a data subject and storing of data.

January 2022

We updated the structure of the privacy notice and added a more specific description of retention times.

February 2023

Updated new contact information of the data protection officer