Updated on 5.7.2023
1 Data Controller
Eezy Kevytyrittäjät Oy (hereinafter “Eezy”)
Address: Maistraatinportti 1, 00240 HELSINKI
Phone: +358 (0) 9 4247 5630
2 Contact information of the person responsible for data protection
The group of data subjects consists of service users who have registered in the service themselves or who have been registered by a third party, always with the consent of the data subject.
4 Personal Data to be processed
The following categories of personal data shall be collected and processed from the data subjects:
- Identification and contact details of the data subject such as name, email address, mail address, phone number, nationality and personal identification code
- Other essential information regarding payment of salary, inter alia:
  - details concerning the bank account for payment of salary
  - professional information
  - competence in specific trades (e.g. electrical installations)
  - information relating to compensation payable on the basis of the employment relationship (inter alia taxation details and travel specifications, e.g. regarding kilometer allowance)
  - information on a possible entrepreneur’s pension insurance
  - information on possible orders from authorities regarding payment of salary, such as the execution office
- Pictures (logo in the invoice and profile picture/photo, in case the user adds these him/herself)
- Information about possible recommendations
- Amendments in the information under personal data categories as specified above and concerning the data subject
- Information related to ordering and maintaining a Valtticard (Occupational Safety Card), such as card type, card status, card industry, card validity information, card number and technical identifier, and card confirmation information.
5 Sources from which personal data is regularly collected
Personal data is collected from and updated by the data subject.
With the consent of the data subject, personal data may also be collected and updated from other sources, e.g. from cooperation partners of the Data Controller or from authorities (e.g. credit information agencies, Vastuu Group). Personal data may also be collected and updated without the consent of the data subject, provided this is carried out under circumstances where the legislation permits such collection.
6 Purpose and legal basis of processing of personal data
The Data Controller shall process personal data to administer the processes of invoicing the work performed, payment of salary and managing thereto related matters.
Personal data shall also be processed to manage customer communication by the Data Controller. Communication may be directed to the data subject electronically, for example by newsletters sent by email. In such cases the processing of personal data is based on the legitimate interest of the Data Controller to inform the service users of current issues of the Data Controller and to offer the service users benefits and information concerning the use of the service and self-employment. The user is entitled to decline such communication by clicking the “unsubscribe” link in the newsletter or by contacting the customer service of Eezy.
Personal data is also processed to implement the customer experience by random sampling. If you wish, Eezy can reply to the open feedback you provide. In this case, the processing of your personal data is based on your consent to implement the customer experience.
Personal data is also processed to implement the Valtticard (Occupational Safety and Health card) and related worker management services maintained and administered by Vastuu Group Oy. The services implement the statutory obligation to clarify under the Contractor’s Obligations Act for light entrepreneurs working on a Finnish construction site or a Finnish shipyard. The implementation of the Valtticard Services also includes the data protection statement regarding Vastuu Group’s Valtticard Service. You can find the data protection statement here.
The legal basis for the processing of personal data is the legitimate interest of the data controller and the data subject based on the use of the service, as well as legislation related to billing and payroll, such as tax, attachment, contractor liability, occupational safety, and statistical legislation.
When expenses and address information are reported, Eezy uses the Google Maps (API) and Places (API) interfaces, which makes the Google Privacy Statement applicable.
7 Disclosure and transfers of personal data
General Disclosures of Personal Data
The personal data stored in the register may be disclosed in accordance with and as required by applicable legislation, or with the consent of the data subject, to authorities that have a legal right to obtain information from the register, such as tax authorities and KELA (Social Insurance Institution of Finland), as well as to other parties involved in the handling of employment-related and light entrepreneurship matters, such as pension and accident insurance companies, trade unions, and occupational health service providers. In addition, personal information can be forwarded on to Eezy Plc companies for employment purposes.
Disclosures of Information for the Valtticard Service and the Associated Employee Management Service
In the Valtticard and its associated employee management service, personal data can be disclosed to the data controller’s contractual partners for various purposes including, but not limited to, the following:
- Compiling a list according to Occupational Safety and Health Act Section 52b of individuals working at a common construction site or dock area.
- Ensuring the validity of a photographic identification as per Occupational Safety and Health Act Section 52a and confirming the registration of the employee’s tax number.
- Implementing measures required by the main contractor or principal implementer at a construction site, or the employer having principal control at the dock area for promoting and ensuring occupational safety as mandated by the Occupational Safety and Health Act.
- Submitting the construction sector employee report to the Tax Administration as required by Tax Procedure Act Section 15b.
- Making the contract notice as required in Tax Procedure Act Section 15c.
- Fulfilling other statutory or contractual obligations concerning the data controller or its contractual partner.
- Implementing access control at the construction site, dock, or other work location.
- Checking the qualifications of an employee being introduced to the construction site, dock, or work location.
- Ensuring compliance with occupational safety regulations.
- For supervisory purposes at the construction site, dock, or other work location.
- Ensuring operations according to a contractual partner’s quality, operational, or similar system.
- Ensuring the compliance of contractors or independent professionals operating at the contractual partner’s construction site or other work location.
- For other purposes with the explicit consent of the employee.
In the Valtticard service and the associated employee management service, the disclosure of personal data to another data controller’s personal register is carried out through interfaces provided by Vastuu Group, in such a way that the light entrepreneur’s information is disclosed against the reading of Valtticard identifiers or otherwise in a manner where the contractual relationship between the data controller and the other data controller, and the purpose of the data use, is identified. Vastuu Group may disclose information from the Employee Management Service to authorities based on a binding order issued by a competent authority or when the provider believes that the authority’s request for information is justified to investigate suspected misuse related to the use of the services. Vastuu Group may use subcontractors located within the European Economic Area in the production of the Valtticard service and the associated employee management service and may transfer personal data to such subcontractors for the purpose of providing the service.
Transfers of Personal Data
In addition, personal data may be transferred to such cooperation partners of the data subject who process personal data on behalf of and under the instructions of the data controller, such as Vastuu Group. In this case, the cooperation partner of the data controller does not have the right to process personal data for its own account.
In principle, personal data will not be transferred outside of the Member States of the European Union or outside of the European Economic Area, unless it will be necessary for the purpose of processing personal data or for technically facilitating the processing, whereby the requirements of data protection legislation shall be complied with in transfer of personal data.
For the purpose of mailing the newsletters, the customer’s email address and name will be transferred to a separate customer register in which case the technical operator will be Liana Technologies Oy.
8 Protection of personal data
The Data Controller will implement appropriate technical and organisational data-protection measures to ensure protection of personal data. Personal data is recorded and saved in both electronic databases and manually maintained materials. The electronic databases are protected by firewalls, passwords and other technical measures generally accepted in the data-protection field. The manually maintained and processed materials are stored in premises where access by unauthorized persons is prevented.
Access to the personal data is given only to persons that are separately determined and specified and who need to process the personal data in the register in order to carry out their duties. These persons will have access to the system only by using their personal usernames and passwords.
9 Cookies and tracking
Cookies are small text files that are saved on your computer when you visit our service.
We use a chat service by Giosg. When the chat is used in our service, we identify the logged-in user, IP address, browser used and, for example, which invoice or salary the chat concerns. Additionally, we use the Giosg Interaction Designer tool, for example for questionnaire pop-ups in our service.
We collect information about your use of our service through Google Analytics. It is possible to opt out of Google Analytics tracking by using the Google Analytics Opt-out tool.
We use the Mouseflow tool to improve our service. The tool is used for tracking service user movements and clicks. You can check what information is collected by visiting https://mouseflow.com/gdpr/. You can opt out of tracking at Mouseflow’s Opt Out page.
Our website uses the Facebook pixel and the Conversion API.
Facebook Conversion API events (CAPIs) help us understand how users interact with the website. CAPI events allow us to measure the impact of ads on website conversions and improve the targeting of our ads with custom audiences. A Facebook pixel is a code attached to a website that allows us to target Facebook advertising to users who visit the website.
10 Storage period of personal data
11 Rights of the data subject
The registered data subject can exercise the following rights provided by the data protection legislation:
- The data subject has the right to obtain access to the personal data concerning him or her and the right to obtain correction of this data. The request for rectification must be specified in such a manner that the inaccurate personal data can be easily noticed and rectified.
- The data subject has the right to obtain erasure of personal data in accordance with and within the framework of the applicable General Data Protection Regulation.
- The data subject has the right to obtain restriction of processing of his or her personal data in accordance with and within the framework of applicable data protection legislation.
- The data subject has the right to data portability, i.e. to transmit his or her personal data from one register to another and obtain the personal data in a structured, commonly used and machine-readable format, and transmit them to another data controller in accordance with and within the framework of applicable data protection legislation.
- The data subject has the right to file a complaint with the national data protection authority (in Finland, the Data Protection Ombudsman) or with another data protection authority in the European Union or in the European Economic Area, if the data subject considers that his or her statutory rights regarding processing of personal data have been breached.
The data subject can direct requests to exercise the above-mentioned rights to the contact person responsible for data-protection matters.