Privacy policy

Privacy policy of Finnish Work

This privacy policy describes what and how personal data is processed in the activities of Finnish Work.

1. Controller

Suomalainen työ ry (business ID: 0201524-9)
Eteläranta 14, 00130 Helsinki
Tel. (09) 6962 430
www.suomalainentyo.fi
email: asiakaspalvelu@suomalainentyo.fi
(hereinafter referred to as “the Controller” or “the Association”)

For data protection related contacts, please identify the contact with a reference to “data protection issues”.

2. Purposes of the processing of personal data

Personal data is processed

  • to process, invoice and archive matters related to the Association’s membership and rights of use of the marks (Key Flag Symbol, Design from Finland Mark and Social Enterprise Mark);
  • to improve member communication and the member experience;
  • to manage the Association’s institutions (Council, Board of Directors, Election Panel, Committees);
  • for user management and personalisation of services when using digital services that require authentication;
  • to ensure secure transmission of the information needed to authenticate digital services;
  • to develop the Controller’s operations and services;
  • for communication and information between stakeholders;
  • for marketing and advertising and the targeting thereof, distance or other direct marketing, opinion polls, market research or similar activities;
  • for statistical purposes;
  • to prevent misuse; and
  • to meet legal obligations.

Personal data is also processed in Liana Technologies Oy’s LianaMailer newsletter tool, Eventilla event management tool, and ePressi press distribution tool in order to perform the above functions and purposes. Liana Technologies Oy and its affiliated companies act as processors of personal data in compliance with the EU General Data Protection Regulation (GDPR) and as agreed in writing with the Controller.

The Controller does not use automated decision-making, such as automated profiling, as part of its personal data processing activities.

3. Legal basis for processing personal data

The Association manages and develops the following marks of Finnish work: Key Flag Symbol, Design from Finland Mark and Social Enterprise Mark. In addition, the Association carries out projects and joint marketing campaigns with its members related to the change in working life and the value of Finnishness, both in Finland and outside Finland, and conducts research and communication on issues that affect the value and success of work in Finland.

The processing of personal data in the Association’s activities described above is generally based on membership or a stakeholder or cooperative relationship, and in particular on a contract between the parties, a legal obligation or a legitimate interest. The Association collects and processes personal data in order to implement contracts related to its activities or to carry out pre-contractual activities, such as the performance of obligations and rights related to the membership of the Association and the management and use of the above-mentioned marks. Personal data is also processed for the purposes of communication related to the membership and cooperation.

In addition, personal data is processed for purposes of communication and information between stakeholders. The Controller also has a legal obligation to process personal data. The legal obligation may be based on, for example, the Accounting Act and the Associations Act.

Within the limits of legislation, the Controller, any joint controller or contractual partner and its affiliated companies may have the right to use personal data for opinion or customer satisfaction surveys or other similar addressed mailings, such as direct marketing, on the basis of legitimate interest. These measures are not in conflict with the rights or freedoms of the individual and do not pose a high risk to their enforcement. The data subject always has the right to object to direct marketing and addressed mailings concerning them. Notwithstanding a marketing prohibition, data subjects may be sent membership information if it is necessary for the performance of a service or a legal obligation.

4. Categories of personal data processed

The following personal data, necessary for each purpose, is processed:

Information relating to membership, partnership or other material connection, such as

  • first names and last names
  • title, position or occupation, area of responsibility in the organisation
  • company contact details (such as addresses, phone numbers, email addresses)
  • name of the company or organisation if a contact person is acting as its representative
  • start and end date of membership
  • membership history: membership-related contacts
  • information (such as surveys and feedback) provided or generated by the member’s representatives, i.e. the data subjects themselves, in connection with the use of membership and other services
  • other information collected with the consent of the data subject
  • any other information relating to membership, partnership or the matter in question

Information related to and derived from the use of the digital service

  • username and encrypted password and access rights
  • information relating to the device used by the data subject, such as the terminal device, IP address, operating system
  • behavioural data based on information collected through cookies
  • Information relating to consents and prohibitions given by the data subject
  • marketing authorisations and prohibitions
  • information related to targeted marketing

Photos

  • image recordings, such as photographs of events we organise

Jobseekers

  • Job applications and other information received from a jobseeker.

5. Regular sources of information

The main source of data is the data subject themselves (e.g. in connection with membership, cooperation, legal transactions including association law actions, meetings and other contacts). The contact persons of the member organisation may also inform the Controller of other contact persons in the member organisation concerned who need to receive communications from the Controller relating to membership and rights of use of the marks.

Data is collected on people who have applied for membership of the Association and rights to use the marks, as well as on people who have used the services. Data is collected from the Controller’s systems in connection with registration and use of the services. In addition, personal data may be collected in accordance with applicable data protection legislation from social media related to the Controller’s activities where information about the data subject is available.

The data may be supplemented by other registers of the Controller or of companies owned by the Controller or by registers providing address, update or similar services or other public or private data sources, as well as by partners of the Controller. In development projects, information is collected from service providers, employers, colleagues or individuals themselves, public data sources, and information services. Our member organisations’ contact persons can also update and edit personal data via the member service using their personal credentials.

6. Retention period

We retain personal data only for the time necessary to fulfil the purposes of use described in this privacy policy. The length of the retention period depends on the nature of the data and the purpose of the processing. The maximum period may therefore vary depending on the intended use. For some data, the law imposes obligations to store the data for longer periods.

The data may be processed for direct marketing purposes after the end of the membership or partnership in accordance with the legislation in force, unless the data subject has not consented to it. Personal data that has become redundant and that the Controller no longer has a reason or obligation to retain or process will be deleted at regular intervals in accordance with the Controller’s own privacy policy.

Personal data will be kept only for as long as required by law or otherwise reasonably necessary for the Controller to fulfil its contractual obligations or for other legal requirements or legitimate interests, such as complaint processing, accounting and internal reporting.

As a general rule, personal data is processed for the duration of the membership or cooperation and for a reasonable period thereafter, or for a minimum period of time defined by accounting and tax legislation in relation to contractual relations as defined by law. Data collected on a contractual basis can generally be kept for ten (10) years from the end of the contractual relationship and the fulfilment of the obligations arising from it.

For member organisations, personal data is kept for one (1) year from the end of membership. In principle, job applications are kept for six (6) months from the date of receipt, unless otherwise agreed with the applicant.

7. Recipients or categories of recipients of personal data

The Controller has the right to disclose personal data within its organisation and to its wholly-owned limited liability company, Avainlippu Oy, as reasonably necessary for the purposes set out in this privacy policy. The Controller is responsible for ensuring that Avainlippu Oy operates in accordance with this privacy policy.

Information may be disclosed in accordance with the requirements of the competent authorities or other parties, based on the legislation in force. For example, the auditor has access to the system containing personal data at the time of the audit.

If the data subject is logged in to the online service, the so-called “observed data” collected by cookies and other similar technologies may be combined with data obtained from the data subject or an entity represented by the data subject in another context, in accordance with the applicable data protection legislation.

Within the limits permitted and required by applicable law, the Controller may disclose data to, among others, the Controller’s partners for marketing purposes concerning membership of the Association and rights to use the marks, unless the data subject has prohibited such disclosure.

If data is transferred or disclosed outside the Controller or its companies, the Controller shall ensure an adequate level of data protection through contractual arrangements as required by law. Personal data may be processed on behalf of the Controller, in the first instance by trusted service providers with whom the Controller has concluded appropriate agreements to ensure compliance with applicable data protection legislation. Such service providers include IT service providers and marketing service providers. In addition, personal data may be disclosed in the context of company reorganisations; to public authorities and courts on their orders; and to collection service providers for the purpose of collecting payments.

8. Transfer of personal data outside the European Union or the European Economic Area

As a general rule, data will not be transferred outside the territory of the Member States of the European Union or the European Economic Area, unless this is necessary for the purposes of the processing of personal data or for the technical implementation of the processing, in which case the transfer of data shall comply with the requirements of personal data legislation.

9. Principles for the protection of the register

All information relating to data subjects will be treated as confidential and will not be disclosed to anyone other than those who need it for their work and who are bound by professional secrecy. Only employees of the Controller or of companies owned by the Controller and employees of partners who have concluded a personal data processing agreement have access to the data if they need to do so for the performance of their work. They use usernames and passwords. The personal data processed is stored in premises to which third parties have no unauthorised access. Contractors and their subcontractors are required to adopt security practices.

The databases and other data repositories in which the information in the register is stored are protected by firewalls, passwords and other technical means.

The people who process personal data are trained to use it safely and ethically. Each member of our staff uses their own usernames and passwords to see customer information only to the extent necessary to perform their duties.

In the event of a security breach that is likely to have an adverse effect on an individual’s privacy, despite the security measures in place, all affected parties will be notified as required by applicable law and, where required by applicable data protection law, the authorities as soon as possible.

10. Rights of the data subject

The data subject has rights under the applicable data protection legislation, the most important of which are described below.

Rights

Right to access personal data

The data subject has the right to obtain confirmation from the Controller that personal data concerning them is or is not being processed. Where personal data is processed, the individual has the right to access the data. The data subject’s right of access may be restricted or refused under law if disclosure would adversely affect the rights and freedoms of others. Such protected rights include, for example, the controller’s trade secrets or the personal data of another person.

Right to request rectification, erasure or restriction of data processing

The data subject has the right to request the Controller to rectify inaccurate or erroneous personal data concerning them, to request the erasure of any personal data concerning them or to request the restriction of processing on the grounds provided for by law. There is no right to erasure, for example, if the Controller has a need to process personal data or if the personal data is subject to a storage obligation or if the processing is based on a contract between the Controller and the data subject.

At the request of the data subject, the Controller must restrict the active processing of personal data if the data subject contests the accuracy of the personal data, in which case the processing must be restricted until the Controller can verify the accuracy of the data. During the period of the processing restriction, the data may only be stored. The data may also be processed for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. The data subject must be notified before the restriction on processing is lifted.

Right to object

Data subjects have the right to object to the processing of their personal data on grounds relating to their particular situation, where the Controller processes personal data on the basis of legitimate interest.

Where personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning them for such marketing, including profiling where it relates to such direct marketing. If the data subject objects to the processing of personal data for direct marketing purposes, the data may no longer be processed for that purpose.

Right to transfer data from one system to another

The data subject has the right to receive personal data concerning them which they have provided to the Controller in a commonly used and machine-readable format and the right to transmit such data to another Controller without the Controller’s objection, provided that the processing is based on consent or a contract and is carried out automatically. The data subject has the right to have personal data transferred directly from one Controller to another, where technically feasible.

Right to withdraw consent

Where personal data of the data subject is processed on the basis of their consent, the data subject has the right to withdraw their consent at any time. Withdrawal of consent does not affect the lawfulness of the processing of personal data carried out on the basis of consent before its withdrawal.

Right to lodge a complaint with a supervisory authority

The data subject has the right to lodge a complaint with the competent supervisory authority if the data subject considers that their case has not been resolved following communication with the Controller. However, the first priority is to resolve the matter through discussion between the parties. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman, whose contact details and instructions can be found at www.tietosuoja.fi.

Exercising rights

The data subject may exercise their data protection rights by contacting the Controller by sending an email to the email address mentioned in section 1 of this privacy policy.

The Controller shall endeavour to respond to the data subject as soon as possible and, as a general rule, within one (1) month of the request and the verification of the identity of the data subject. If necessary, the Controller will provide further instructions or ask further questions in response to the data subject’s request. The request is free of charge. If the request is manifestly unfounded or unreasonable, in particular if it is repeated, the data subject may be charged a reasonable fee or refused the request.

Before executing the request, the Controller has the right and the obligation to verify the identity of the data subject. The Controller must be able to adequately identify the data subject. The Controller will inform the data subject within the time limit mentioned above if the data subject’s request cannot be complied with.

Each contact person in the Controller’s member organisation can check their own data on the Controller’s Extranet service with their own user credentials.

11. Updating of the privacy policy

We will update this privacy policy as necessary. Changes in legislation and its interpretation may also require changes to the privacy policy. Please check the current privacy policy on our website at www.suomalainentyo.fi.

This privacy policy was last updated on 2 December 2024
