Kaarea

Privacy policy for the HR register

1. Data controller

Kaarea Oy (2925981-7)
PL 180, 20101 Turku, Finland
Other contact details: www.kaarea.fi, tel. switchboard +358 20 764 9850

2. Contact person for matters concerning the register

Mirva Keto
Postal address: PL 180, 20101 Turku, Finland
Visiting address: Lemminkäisenkatu 48, 20520 Turku, Finland
Email: mirva.keto@kaarea.fi, tel. switchboard +358 20 764 9850

3. Name of the register

Kaarea’s HR register

4. Purposes and legal basis for processing personal data

The purpose of processing personal data is to manage Kaarea’s employment matters and related employer obligations, such as payroll, as well as to plan and develop the company’s business considering personnel aspects.

Kaarea may use subcontractors to manage employment matters. In such cases, personal data may be disclosed to subcontractors to the extent necessary for the provision of services (e.g., storing data on a server managed by a third party on Kaarea’s behalf).

Personal data is processed on the basis of the data controller’s legitimate interests, to comply with statutory obligations, when processing is necessary to perform a contract with the data subject or the company they represent, or to take steps requested by them before entering into a contract. Processing may also be based on the consent of the data subject.

5. Legitimate interests of the data controller or a third party

The data subject is or has been an employee of the data controller.

6. Content of the register

The register consists of several different systems such as personnel and payroll systems as well as access control and time tracking systems.

The following information is collected about data subjects: basic information (name, personal identification number, contact details, user IDs); contact details of the emergency contact designated by the data subject; device identifiers and related data, such as device model, unique device identifier, or device operating system; employment-related information; payroll data; information concerning working hours, annual leave, absences, and workplace accidents; information on performance discussions; and information on employment and education history as well as special qualifications. Photos are also collected from the data subjects for ID cards and events organised by the company.

The systems in use include Mepco, Mepco Client, M2, Quinyx, Lixani, Webropol, Mapon, Hilti ON!Track, Intune, Elisa corporate portal, MS Entra, Edenred solutions portal, If corporate folder, Admicom, and Discover.

7. Regular sources of information

Personal data primarily comes from the employee or job applicant. Other sources of information are used within the limits set by law.

Providing personal data is a requirement for entering into an employment contract for the employee.

8. Recipients of personal data

Kaarea’s payroll is outsourced to Azets Insight Oy, to whom personal data is transferred.

Data is also provided to tax authorities for tax enforcement, to pension and other insurance companies for maintaining insurance policies taken out by the employer, to Länsirannikon Työterveys Oy for organising occupational health services, and to labour and enforcement authorities for the execution of their statutory duties. Additionally, data is provided for statutory notifications regarding exposure to substances that pose a risk of illness. Salary data is also provided to employer associations and Statistics Finland for statistical purposes. Data is provided in machine-readable format and via forms. Personal data may also be disclosed within the limits and obligations set by applicable law, for example, to authorities entitled to access the data.

9. Transfers to third countries and related safeguards

No data will be transferred outside the EU/EEA.

10. Data retention period and applicable retention criteria

Data retention, archiving, and deletion are determined based on legislation and the guidelines and archiving periods established by the organisation as follows:

  • Employee payroll records and payslips must be retained for 50 years from the end of the financial year (recommendation by the Finnish Business Archives Association).
  • All information relevant to payroll is retained for 5 years based on the expiration of salary claims (records of working hours, absences, annual leave).
  • Sick leave certificates are retained for the current year + 2 years (archived by payroll administration, Azets Insight Oy).
  • Health-related information is retained for the current year + 5 years (in accordance with the Act on the Protection of Privacy in Working Life).
  • Due to the obligation to issue work certificates, basic personal information and employment relationship data are retained for 10 years after the end of the employment relationship.
  • Working hours records, annual leave records, and certificates of occupational health examinations are retained for the current year + 2 years.
  • Decisions on experience-based pay, confidentiality agreements, data protection and information security agreements, on-call agreements, notifications of secondary employment, sanction forms, and memos are retained for 2 years after the end of the employment relationship.
  • A copy of a foreign employee’s residence permit is retained for 4 years after the end of the employment relationship.
  • Upon termination of employment, the basic information form, onboarding forms, decisions from Keva, and performance discussion forms are destroyed.

11. Principles of data protection

Access to the register’s data is restricted to certain individuals to the extent required by their duties. All individuals who use the employment register’s data have signed a confidentiality agreement and are bound by confidentiality obligations.

The data processed in information systems is protected from external use by means of information network access rights and user-specific access rights.

Manually processed data is retained under supervision in files or filing systems and stored in locked cabinets with restricted and monitored access.

12. Rights of the data subject

Right of inspection: In accordance with Kaarea’s privacy policy.

Right to rectification: In accordance with Kaarea’s privacy policy.

The data subject may, at any time and on grounds relating to their particular situation, object to the processing of personal data concerning them. Requests for objection must be addressed in writing to the contact person for the register.

The employee may also check and correct their basic information through the Mepco system.

13. Automated decision-making and profiling

The register does not involve automated decision-making. Profiling is carried out for the benefit of the employee. For example, early support is provided to the employee based on sickness absence data to promote work ability and prevent incapacity for work.