Update of 30.11.2020
1 Data Controller
Eezy Kevytyrittäjät Osk (hereinafter ”Eezy”)
Address: Itämerenkatu 3, 4. floor, 00180 HELSINKI
Phone: +358 (0) 9 4247 5630
2 Contact information of the person responsible for data protection
Otto Michelsen, Lawyer & Business development manager
c/o Eezy Kevytyrittäjät Osk
Phone: +358 (0) 9 4242 1559
The group of data subjects consists of service users who have themselves registered in the service or have been registered by an eventual third party, however always with a consent of the data subject.
4 Personal Data to be processed
The following categories of personal data shall be collected and processed from the data subjects:
- Identification and contact details of the data subject such as name, email address, mail address, phone number, nationality and personal identification code
- Other essential information in regard to payment of salary, inter alia
- details concerning bank account for payment of salary
- professional information
- competence in specific trades (e.g. electrical installations)
- information relating to compensations payable on basis of employment relationship (inter alia taxation details and travelling specifications e.g. regarding kilometer allowance)
- information of possible entrepreneur’s pension insurance
- information of possible orders from authorities regarding payment of salary, such as execution office
- Pictures (logo in the invoice and profile picture/photo, in case the user adds these him/herself)
- Information about possible recommendations
- Amendments in the information under personal data categories as specified above and concerning the data subject
5 Sources from which personal data is regularly collected
Personal data is collected from and updated by the data subject.
Upon consent of the data subject, personal data may be collected and updated also from other sources, e.g. from cooperation partners of the Data Controller or from authorities (e.g. credit information agencies). Personal data may be collected and updated also without a consent from the data subject provided this is carried out under circumstances where the legislation permits such collection.
6 Purpose and legal basis of processing of personal data
The Data Controller shall process personal data to administer the processes of invoicing the work performed, payment of salary and managing thereto related matters.
Personal data shall also be processed to manage customer communication by the Data Controller. Communication may be directed to the data subject e.g. electronically, for example by newsletters sent by email. The processing of personal data is in such cases based on the legitimate interest of the Data Controller to inform the service users of current issues of the Data Controller and to offer the service users benefits and information concerning the use of the service and self-employment. The user is entitled to reject to receive communication by clicking the “unsubscribe” link in the newsletter or by contacting the customer service of Eezy.
Personal data is also processed to implement the customer experience (using the WheelQ tool, among other things) by random sampling. If you wish, Eezy can reply to the open feedback you provide. In this case, the processing of your personal data is based on your consent to implement the customer experience.
The legal ground for processing personal data is the legitimate interest of the Data Controller and the legitimate interest established on basis of the Data Subject using the service, as well as Data Controller having to comply with legislation (such as but not limited to taxation, execution and statistic legislation) that it is subject to when managing the invoicing and salary payments.
When reporting expenses and address information, Eezy is utilizing Google Maps (API) and Places (API) interfaces, making the Google Privacy Statement applicable.
7 Disclosure and transfers of personal data
The personal data stored in the register may be disclosed when approved or obligated by applicable legislation or on consent of the data subject to authorities having statutory right to obtain data from the register, such as taxation authorities and KELA (The Social Insurance Institution of Finland) as well as to other third parties relating to administration of employment relationships, such as pension insurance and accident insurance companies, trade unions and third parties offering occupational health services. In addition, personal information can be forwarded on to Eezy Plc companies for employment purposes.
In addition, personal data may be transferred to such cooperation partners of the Data Controller that will process personal data on behalf of and on documented instructions from the Data Controller. In these cases the cooperation partner of the Data Controller, i.e. the processor, shall not have the right to process personal data for its own purposes.
In principle, personal data will not be transferred outside of the Member States of the European Union or outside of the European Economic Area, unless it will be necessary for the purpose of processing personal data or for technically facilitating the processing, whereby the requirements of data protection legislation shall be complied with in transfer of personal data.
For the purpose of mailing the newsletters, the customer’s email address and name will be transferred to a separate customer register in which case the technical operator will be The Rocket Science Group LLC d/b/a MailChimp. In this connection personal data is transferred outside of the EU/ETA areas. The Rocket Science Group LLC d/b/a MailChimp is a service provider committed to complying with EU’s standard contract clauses and respecting general EU data protection principles.
8 Protection of personal data
The Data Controller will implement appropriate technical and organisational data-protection measures to ensure protection of personal data. Personal data is recorded and saved in both electronic data bases and manually maintained materials. The electronic data bases are protected by fire walls, passwords and other generally in the data-protection branch accepted technical measures. The manually maintained and processed materials are stored in premises where access by unauthorized persons is prevented.
Access to the personal data is given only to persons that are separately determined and specified and who need to process the personal data in the register in order to carry out their duties. These persons will have access to the system only by using their personal usernames and passwords.
9 Storage period of personal data
10 Rights of the data subject
The registered data subject can exercise the following rights provided by the data protection legislation:
- The data subject has right to obtain access to the personal data concerning him or her and right to obtain correction of this data. The request of rectification must be specified in such a manner that the inaccurate personal data can be easily noticed and rectified.
- The data subject has right to obtain erasure of personal data in accordance with and within the framework of applicable General Data Protection Regulation.
- The data subject has right to obtain restriction of processing of his or her personal data in accordance with and within the framework of applicable data protection legislation.
- The data subject has the right to data portability i.e. to transmit his or her personal data from one register to another and obtain the personal data in a structured, commonly used and machine-readable format, and transmit them to another data controller in accordance with and within the framework of applicable data protection legislation.
- The data subject has right to file a complaint to the national data protection authority (in Finland Data Protection Ombudsman) or to another data protection authority in the European Union or in the European Economic Area, if the data subject considers that his or her statutory rights regarding processing of personal data have been breached.
The data subject can direct the requests to exercise the above referred rights to the contact person responsible for data-protection matters.