Creation date 13.6.2018

Data controller

Nordic Business Forum Global headquarters: Kauppakatu 41 B 14 40100 Jyväskylä Finland +358 20 775 1390 info@nbforum.com

Contact person in matters related to the filing system

CEO Aslak de Silva Kauppakatu 41 B 14 40100 Jyväskylä Finland +358 40 519 9933 aslak.de.silva@nbforum.com

Name of the filing system

Personnel register

Purpose of personal data processing

NBF may process your personal data directly necessary for your employment relationship (either with NBF or with a private employment agency) which is connected with managing the rights and obligations of the parties to the relationship or with the benefits provided by NBF for you, or which arises from the special nature of the work concerned.

Processing of your personal data is based on the following grounds of the EU’s General Data Protection Regulation (one or more grounds may apply simultaneously):

a) Processing is necessary for the performance of an employment contract to which you are party.

b) Processing is necessary for compliance with a legal obligation to which the controller is subject (for example the duty to keep the records based on Employment Contracts Act).

c) Processing is necessary for the purposes of the legitimate interests pursued by NBF.

d) You have given consent to the processing of your personal data.

The legitimate interests of NBF or third party referred to in point c) above may include amongst others the following matters:

· health and safety initiatives
· maintaining log files of who has processed the personal data
· investigation of possible malpractice
· business development

In addition to the above, NBF uses your data in which ever role you are if we think it’s necessary for security purposes or to investigate possible fraud or other violations of our agreements or this Privacy Policy.

Data content of filing system

Content of NBF’s filing system may include the following types of data and changes made to these data types:

1. Information that may be collected of all NBF employees

1.1. Personal information
· Last name, all first names, previous last name
· Home address
· Date of birth
· National identification code
· Gender
· Nationality
· Bank account information
· Phone number(s)
· Photo and biometric data
· Languages
· Relatives’ information (e.g. children, spouse, emergency contact information)
· Employee’s NBF ID number (generated automatically)
· Medical and drug test data (where applicable)

1.2. Employment related information
· Work history
· Education
· Cover letter and CV
· Aptitude assessment results (e.g. via recruitment consultants)
· Personality and aptitude assessment test results
· Recruitment videos
· Examples of previous work or presentations (e.g. portfolio of creative works)
· Social media content (with consent)
· Other information during recruitment interviews and reference checking
· Employment start and end date
· Form of employment (e.g. permanent / fixed term)
· Trial period
· Work permit
· Car details
· Insurance information
· Video surveillance data (where applicable)
· Vehicle’s GPS location data (where applicable)
· Credit rating (where applicable)
· Extract from criminal records (where applicable)
· Documents related to grounds for a specific leave of absence
· Headcount category (e.g. direct production)
· Weekly working hours (e.g. 40 hours)
· Working degree (e.g. 100%)
· Country of employment
· Legal company name
· Cost center
· Job certificate
· Use of your rights related to your personal data (such as right to rectification and right to access your personal data)
· Information of your access rights to different premises and digital programs and applications
· Information of your location within NBF Group’s premises when you open secured doors with your personal access key
· Automatically collected data (such as IP Address, your device’s operating system, browser type and language)
· Mobile device identifiers (such as your unique device ID and your device name)

1.3. Position related information
· Position start date
· Position end date
· Title
· Department
· Division
· Work location
· Manager

1.4. Compensation and benefits related information
· Salary
· Benefits
· Pay components
· Form of salary (e.g. monthly pay)
· Salary effective from
· Incentive program, percentage and payout
· Pension and other mandatory information
· Payroll ID
· Taxes
· Deductible union membership fees at the request of the employee
· Data requests and data notifications from authorities (such as from the enforcement administration)

1.5. Absence information
· Type of absence
· Absence start and end date
· Amount of vacation days

1.6. Performance management related information
· Individual objectives
· Performance in relation to set personal objectives
· Description of performance in relation to set objectives
· Employer’s actions related to your employment
· Competences
· Future aspirations

1.7. Training, education and events information
· Trainings and certificates you have completed
· Events you have participated in
· Language skills
· Education
· Trainings to be completed in relation to your position
· Information needed for arranging trainings (e.g. food allergies, arrival at destination, departure from destination)
· Possible personal assessment profile and test results
· Knowledge, skills and expertise (e.g. language skills, education)

1.8. Travel information
· Passport number
· Travel information (e.g. travel destination)
· Hotel accommodation information
· Credit card information

1.9. User account and log information
· Username
· Language preference and data format
· When your data was put in to the filing system
· Log information (e.g. logins, page views, workflow actions)

2. Information that may be collected of external temporary employees

· First name(s) and last name
· Phone number
· Email
· Title
· Photo and biometric data
· Name and business information of the entity you work for currently
· Host (e.g. NBF manager)
• Health and safety related data
Access rights
Working time and attendance
Video surveillance data (where applicable)

Regular data sources

1.1. Sources applicable for all NBF internal employees

NBF gathers personal data directly from you, for example from:
· electronical forms
· website forms (e.g. training platforms)
· physical forms
· telephone conversations during which you provide personal data to NBF
· e-mail correspondence in which you provide personal data to NBF
· personal discussions
· systems (e.g. HR system, training system, payroll system)
· work related devices you use

NBF gathers personal data directly from your manager, for example from:

· performance management forms
· electronical forms
· website forms (e.g. training platforms)
· physical forms
· telephone conversations
· e-mail correspondence
· personal discussions
· systems (e.g. HR system, training system)

NBF may obtain and update the personal data in its filing system from officials and companies offering personal data services.

1.2. External temporary employees

NBF gathers personal data directly from you, for example from:

· electronical forms
· website forms (e.g. training platforms)
· physical forms
· telephone conversations
· e-mail correspondence
· personal discussions

NBF may obtain and update the personal data in its filing system from officials and companies offering personal data services.

NBF gathers personal data from the technical device you use in your communication with NBF.

NBF may obtain and update the personal data in its filing system from officials and companies offering personal data services.

Regular disclosure of data

NBF companies have a legitimate interest in transmitting personal data within the NBF group for internal administrative purposes.

NBF does not sell, lease or otherwise disclose your personal data to third parties outside of the NBF group unless otherwise stated below.

NBF may share your personal data with authorized third parties that perform services for NBF for the purposes described in this Privacy Policy within the limits of the applicable legislation. This may include for example providing services such as software services, managing and analyzing personal data and conducting research. Because NBF takes the responsibility to safeguard your personal data seriously, NBF does not allow those companies to use it for any purpose other than to perform those services, and NBF requires them to protect your personal data in a way consistent with this privacy policy.

NBF may share your personal data based on a valid order from a court or other official body with sufficient authority.

NBF may share your personal data as part of any merger, acquisition, sale of company assets or transition of service to another provider. This also applies in the unlikely event of an insolvency, bankruptcy or receivership in which your personal data would be transferred to another entity as a result of such a proceeding.

Transferring data outside the EU or the EEA

NBF’s services may be provided using resources and servers located in various countries around the world. Therefore NBF may transfer your personal data outside the country where you use our services, including to countries outside the EU and EEA that do not have laws providing specific protection for personal data or that have different legal rules on data protection.

In such cases NBF ensures that a legal basis for such a transfer exists and that adequate protection for your personal data is provided as required by applicable law, for example, by using standard agreements approved by relevant authorities (where necessary) and by requiring the use of other appropriate technical and organizational information security measures.

Filing system’s principles of protection A: Manual material

Employment contracts are stored in a locked cabinet to which only the CEO has access. Many of the contracts are also stored on cloud. All other data related to the filing system is only kept in electronic format, and data are only processed electronically. Access to the data stored in the filing system is given only to such persons and in such scope that is required for the purposes of employee supervision, monitoring, payroll tasks or other tasks related to the maintenance of employee relations. The protection of all data in the filing system is carried out in accordance with the applicable Personal Data legislation, the regulations and principlesof the applicable Information Society Code, regulatory provisions, and good data processing practices.

Filing system’s principles of protection B: Electronically processed functions

Access to the data stored in the filing system is given only to such persons and in such scope that is required for the purposes of employee supervision, monitoring, payroll tasks or other tasks related to the maintenance of employee relations. The protection of all data in the filing system is carried out in accordance with the applicable Personal Data legislation, the regulations and principles of the applicable Information Society Code, regulatory provisions, and good data processing practices.

Duration of data processing

NBF may process your personal data for e.g. tax, insurance, work certificate and pension purposes as long as necessary for obeying specific requirements.

1) Employees

NBF may process your personal data for as long as the employment relationship between you and NBF exists, as well as for a reasonable time thereafter to meet legal requirements.

2) External temporary employees

NBF may process your personal data for as long as the temporary employment relationship between you and NBF exists, as well as for a reasonable time thereafter to meet legal requirements.

Exercising of different rights

All rights can be exercised by contacting NBF by using the contact details issued at section 1 above. NBF will then give further instructions on how to exercise a specific right. Where NBF has reasonable doubts concerning the identity of the person making the request, NBF may request the provision of additional information necessary to confirm your identity.

NBF will provide information on action taken on a request to you within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

1. Right of access to your personal data

You have the right to obtain from NBF confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, receive information about your personal data.

2. Right to rectification

You have the right to obtain from NBF without undue delay the rectification of inaccurate personal data concerning you.

3. Right to erasure (‘right to be forgotten’)

You have the right to obtain from NBF the erasure of personal data concerning you without undue delay where one of the following grounds applies:

(a) your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) you withdraw consent on which the processing is based and where there is no other legal ground for the processing;

(c) you object to the processing and there are no overriding legitimate grounds for the processing;

(d) your personal data have been unlawfully processed;

(e) your personal data have to be erased for compliance with a legal obligation in Union or member state law to which NBF is subject;

(f) the personal data have been collected in relation to the offer of information society services.

However, you do not have the right or erasure if the processing is necessary:

(a) for exercising the right of freedom of expression and information;

(b) for compliance with a legal obligation which requires processing by Union or member state law to which NBF is subject; or

(c) for the establishment, exercise or defence of legal claims.

4. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on legitimate interests pursued by NBF, including profiling. NBF shall no longer process the personal data unless NBF demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Please be aware that you cannot opt out of receiving service messages from NBF, including but not limited to security and legal notices.

5. Right to data portability

You have the right to receive the personal data concerning you, which you have provided to NBF, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller where:

(a) the processing is based on consent or on a contract; and

(b) the processing is carried out by automated means.

Cookies

Nordic Business Forum uses cookies. Our cookie policy is available at https://www.nbforum.com/cookies/

Decision making with automated means and profiling

NBF does not make decisions based solely on automated processing which produces legal effects concerning you or similarly significantly affect you.

NBF does not carry out personnel profiling in a way meant in the GDPR.

Applicable law

The processing of personal data in NBF’s filing system is governed by the European Union’s applicable data protection legislation as well as national laws of countries where NBF is established.

Updates to this Privacy Policy

NBF may modify this privacy policy, and if we make material changes to it, we will provide notice on our intranet or by other means, to provide you the opportunity to review the changes before they become effective and binding.