Commercial Customer Privacy Statement

Updated on 16.11.2020

1 Controller

Eezy VMP Oy (hereinafter referred to as “EEZY”)
Business ID: 2514701-7
Maariankatu 6, 20101 TURKU, FINLAND
Tel.: +358 (0)40 307 5000

2 Contact details of the person responsible for data protection

Financial management business development manager Ossi Pietilä
c/o Eezy Henkilöstöpalvelut Oy
Phone: 050 384 9319
E-mail: tietosuoja@eezy.fi

3 Privacy statement description

This privacy statement, in accordance with Articles 13 and 14 of the General Data Protection Regulation (679/2016/EU) and the Finnish Data Protection Act (1050/2018), describes how the controller processes data related to processing and analysing commercial customer relationships and other relationships based on the appropriate connections, producing and personalising the controller’s services, developing and planning business operations as well as marketing, surveys and market research and customer communications and profiling.

The group of data subjects consists of the consumers and organisation representatives who use commercial services provided by the controller or another enterprise in the same group of undertakings but who are job applicants, employees or corporate customers employing employees (so-called employment customers). The group of data subjects also includes the employment customers who wish to also acquire the data subject’s commercial services alongside the actual employment services.

Commercial services refer to, among others, the following services, free of charge or subject to a charge, with which we aim to help individuals succeed in the changing working life:
• career management service
• CV service/CV coaching
• employment strategy
• workplace matching
• networking opportunities
• receiving feedback
• guided mentoring service
• charting the working life strengths
• different tests and simulations
• initiative exchange
• suitability assessments
• training and coaching
• tutoring services
• recovering from work
• offering new forms of working, such as using an invoicing service
• providing benefits, goods and services related to work and leisure
• offering the benefits, goods and services of the EEZY Edut online store and offering the use of the Cardu mobile loyalty card

Some commercial services are by nature offered alongside a normal service or customer relationship aimed at employment. In these cases, the related data is collected in the same connection as the personal data mentioned in the privacy statements of job applicants and employees.

If a commercial service is subject to a charge (for instance, the EEZY or VMP Express salary), that is clearly indicated in connection with the service presentation and any possible orders.

4 Personal data to be processed

The following categories of personal data are collected and processed about data subjects:

• Data subjects’ identification and contact details, such as name, date of birth or identification number, gender, home or workplace contact details (postal address, telephone number, e-mail), job title of the data subject (if the data subject is a representative of an organisation) and language
• Data related to bans on marketing and promoting activities, such as bans and consents on direct marketing, marketing activities (for instance, data on marketing raffles and their participation data)
• Data related to customer relationship or another appropriate connection, such as customer number, start and end date and method of customer relationship or another appropriate connection, and data related to communications (for instance, order and cancellation data, feedback and recordings of customer service events), invoicing and debt collection data
• Data related to the providing of electronic services, such as subscribing to a newsletter and technical data sent to the controller’s server by the data subject’s browser (e.g. browser and its versions, IP address and the site from which the data subject moved to the controller’s website), and cookies when they contain personal data and usage data of the service’s functionalities
• Interests reported by the data subject
• Login credentials
• Change data of the data subject’s above-mentioned individualised personal data categories.

5 Regular sources of personal data

Personal data is collected from the data subject, different services used by the data subject, and in connection with different marketing activities.

In addition, personal data may be collected and updated from the register of other enterprises of the same group of undertakings, the registers of the controller’s partners and from businesses and public authorities providing services related to personal data. Data about the representatives of organisations may also be collected from the trade register or businesses’ online services.

6 Purpose and legal basis for the processing of personal data

Personal data is processed in connection with processing and analysing commercial customer relationships and other relationships based on appropriate connections, producing and personalising the controller’s services, developing and planning business operations as well as marketing, surveys and market research and customer communications and profiling. In addition, personal data is processed in customer communications that are also realised electronically and using targeting, unless the data subject has forbidden profiling. You have the right to change the settings for collecting your data by contacting Eezy’s office or the controller.

The personal data may be processed in ways allowed by the applicable legislation for the marketing purposes of enterprises in the same group of undertakings and partners carefully selected by the controller (e.g. direct marketing, surveys and market research). The data is disclosed to partners for only such purposes that support the purpose of the commercial customer register and do not conflict with the purpose of use of this register.

The legal basis for the processing of personal data is the legitimate interest provided by a commercial customer relationship for improving customer service and developing better new services by refining data.

Starting point of refining data at EEZY

At EEZY, we group, refine and enrich data describing a customer relationship to serve you better. This kind of data describing a customer relationship includes age classification and information about the previous employer and job, among other things. Through the purchase behaviour classification, we aim to better understand our customers’ situation in life, motives of consumption and objectives. Our goal is to help enterprises and individuals succeed in the changing working life.

Profiling and carrying out profiling at EEZY

The motive for working (motive segment) is asked about in the EEZY customer experience surveys (conducted using the WheelQ tool). The monthly e-mail survey is sent randomly to more than 500 recipients on average. Responding to the e-mail survey is voluntary.

Using the motive segments, we know what motivates you in your work. Some of our employees are motivated, above all, by the opportunity to accumulate some money for travelling, whereas others want to develop their careers with a long-term perspective or value being part of a great crew at work.

In its operations, EEZY does not engage in automatic decision-making as specified in Article 22 of the General Data Protection Regulation.

*profiles created using data analytics that fulfil the definition of Article 4 in the General Data Protection Regulation [http://www.privacy-regulation.eu/en/4.htm].

7 Disclosure and transfer of personal data

Primarily, personal data may only be disclosed for purposes that support the idea of the commercial register and in which the purpose of use of the data does not conflict with the purpose of use of this register.

At the controller’s discretion, personal data may be disclosed to, for instance, companies in the same group of undertakings with the controller or the data controller’s partners unless the data subject has specifically forbidden this, as allowed and obligated by the valid legislation at the time. Personal data is only disclosed to partners that are committed to operating in accordance with the General Data Protection Regulation.

Data may also be disclosed as required by competent public authorities or other parties in accordance with the valid legislation, and for historical or scientific research when personal data has been anonymised.

If the controller sells or otherwise reorganises its business operations, data may be disclosed to the buyers in connection with corporate transactions.

In addition, personal data may be disclosed to such partners of the data controller that process personal data on behalf of the controller and on the instructions of the data controller. In these cases, the data controller’s partner does not have the right to process the personal data on its own behalf.

Primarily, data is not transferred to locations outside the member states of the European Union or the European Economic Area unless necessary for the technical implementation of the data processing or the purposes of the processing of personal data. In these cases, the requirements of the data protection legislation will be complied with in the transfer of data.

8 Protection of personal data

The controller implements the appropriate technical and administrative data privacy measures for the protection of personal data. Personal data is stored in both electronic databases and manually maintained materials. Electronically processed databases are protected using firewalls, passwords and other technical measures generally accepted in the field of data privacy. Manually maintained and processed materials are located on premises with no unauthorised access.

Personal data may only be accessed by the specifically defined and identified people whose work performance requires the processing of personal data stored in the register. These people may access the system using their personal login credentials to the controller’s internal network. Each user has signed a special login credential and confidentiality agreement.

9 Retention period of personal data

The data subject’s personal data is stored only for as long as is required for the implementation of the purposes specified in this privacy statement.

10 Rights of the data subject

The data subject has the following rights guaranteed by the data protection legislation:

• The data subject has the right to ask the data controller for access to their personal data and the right to ask for the said data to be rectified. The request for rectifying personal data must be individualised so that the error in the personal data may be observed and rectified easily.
• The data subject has the right to request the erasure of personal data pursuant to and within the limits of the data protection legislation.
• The data subject has the right to request the restriction of the processing of personal data and to object to the processing of personal data pursuant to and within the limits of the data protection legislation.
• The data subject has the right to data portability or the right to receive their personal data in a structured and generally used format and transfer them to another controller pursuant to and within the limits of the data protection legislation.
• The data subject has the right to file a complaint with the local data protection authority (in Finland, the Data Protection Ombudsman) or another data protection authority in the European Union or the European Economic Area if the data subject sees that the statutory rights related to the processing of their personal data have been breached.

The data subject may address requests to exercise their above-mentioned rights to the contact person in charge of data protection.

11 Changes to the privacy statement

The controller continuously develops its business operations and, therefore, reserves the right to change this privacy statement by giving notice of the change in its services and on its website at https://eezy.fi/fi/tietosuoja-ja-kayttoehdot. Changes may also be based on changes in the legislation. The controller recommends checking the content of the privacy statement regularly.