Data protection

We are committed to protecting your personal data, and as a data controller we process this data securely. We wish to be your reliable partner when it comes data stored in our services, and we strive for openness regarding what data and in which way it is processed and stored in Vastuu Group Ltd’s services.

To make it easier for you to find relevant information, we have organised the data according to your role. For additional information regarding the data contained in our services, please see our service-specific privacy notices.

Version 18 November 2019

How do we collect personal data?

When you use our website or services, we collect your personal data as described in this document. For more detailed information, please see our privacy notices.

 

Basis for and purpose of processing

The legal basis for personal data processing is the legitimate interest of the controller or fulfilling a contract made with the controller. We collect data in connection to making a contract, i.e. when you purchase our services and/or register as a user of our services. We also collect data during the validity period of the contract. Data is also received from other controllers and public sources.

We use personal data in the marketing and sale of our services and for customer relationship management, invoicing, provision of customer support services, user rights monitoring, and service development. Personal data processing also includes processing and analysing the data concerned for targeted marketing and service production. For example, we can show customers targeted messages or content on our website, or channels based on their previous interests.

We will principally collect personal data from the data subjects themselves when they contact us and use our services. We also collect data on our customers and their contact persons from public sources and registers.

We use web analytics services to collect visitor data on our website in order to analyse and develop our web resources, as well as target relevant marketing and customer communications to visitors.

 

We typically receive the following information directly from the contact persons of our customers:

  • Name of the customer company, first and last name of the contact person, work email address, telephone number
  • Permissions and/or bans on the contact person in electronic direct marketing and customer communications
  • Classification data provided by the contact person (e.g. interests)
  • Information provided on contact forms
  • Customer feedback data, contact messages, and consents
  • We also collect the data of our potential customers when they participate in competitions, lotteries, customer events, or fairs.

We will process, for example, the following personal data of the user in connection with the use of services and websites:

  • IP address or other ID
  • Subscription, invoicing, and delivery data
  • Data collected through cookies
  • Data collected on the use of our online services
  • Data collected on the use of our Customer Service channels

 

The following data on the user in particular is received from other sources:

  • Data related to the use of social media, such as LinkedIn, Facebook and Twitter, e.g. ‘liking’ our website
  • We collect browsing data such as the user’s IP address and browsing history when people visit our website. Monitoring is based on the use of cookies. Personal data is principally collected from the data subjects themselves when they contact us and use our services.
  • We collect visitor data on our website in order to analyse and develop our website as well as target relevant marketing and customer communications to visitors.
  • We can also collect your personal data based on your separately given consent.
  • In order to fulfill support requests and to monitor and develop our customer service processes, we record calls made to and chats with our Customer Service.

Storage period of personal data

Personal data contained in the customer and marketing communication register is stored for as long as we will need it for the above purposes.

Storage periods of data related to customer relationship management:

  • recordings of chats with Customer Service: 3 months
  • recordings of telephone conversations with Customer Service: 7 months
  • details on the customer’s contact person related to customer relationship management: for as long as the data subject is the contact person of the customer concerned or for as long as we store the history data of the service used by the customer

Version 18 November 2019

Ilmoita service

The Ilmoita service allows your employer to transfer your personal data in an electronic format to the personal data files of the contractor of the work, the main implementer of the building site, or other administrator of the work site. Your employer can order you a Valtti card, ePerehdytys, or other additional services through the Ilmoita service.

 

Your employer may enter the following personal data into the service:

  • first name, last name
  • identity number, tax number, date of birth
    • the identity number will be used for strong identification of a person in employment-related matters, the verification of qualifications, and strong electronic identification
  • picture
  • type of employment relationship
  • employer name, company number, address, company representative and contact details
  • nationality
  • phone number
  • email address
  • delivery address for the Valtti card
  • country of residence
  • employee’s status as a posted worker and information of the respective A1 certificate
  • home address in Finland (will be removed as of 1 January 2020)
  • address in the country of residence (will be removed as of 1 January 2020)

 

The following data can be added to each data subject’s personal data during use of the service:

  • information when employee data has been modified
  • information concerning when the accuracy of the employee data has been verified
  • information if the person is registered in the tax number register
  • status of ePerehdytys subscription
  • status of Valtti card

 

In addition, card and competence data retrieved from the Valtti card register and Taito Competence Register can be linked to the personal data of data subjects when the personal data concerned is conveyed.

Please note that the employer company is the controller of their employee data and is responsible for, e.g. deleting all persons from their employee list who no longer work for the company concerned. The employer company is also responsible for ensuring that it has the right to save the personal data of their employees in the data system.

 

On which basis is personal data being processed?

The employer company has statutory and contractual obligations regarding the conveyance of the personal data of their employees to the main contractor or main implementer of the building site (e.g. section 52 b of the Occupational Safety and Health Act (738/2002) and section 15 b of the Tax Procedure Act (1558/1995)). General collective agreements also include provisions on the notification obligation in the construction sector. The basis for processing personal data that falls within the scope of the notification obligation in the construction sector is the statutory reporting obligation of the controller. The basis for processing data that is conveyed in order to fulfil contractual obligations is a legitimate interest.

 

To whom is personal data conveyed?

Your employer can convey your personal data to his business partners through the Ilmoita service for the following purposes:

  • preparation of the employee list at the construction site, pursuant to section 52b of the Occupational Safety Act (738/2002)
  • verification of the validity of the picture ID required at the construction site, pursuant to section 52b of the Occupational Safety Act (738/2002)
  • performance of employee inductions at the construction site as set out in the Occupational Safety Act (738/2002) and taking care of all other required activities for ensuring and promoting safety at work;
  • preparation of monthly employee reports for the Finnish Tax Administration (section 15 b of the Tax Procedure Act (1558/1995))
  • compliance against other legal or contractual obligations;
  • access control at the construction site or other work site;
  • verification of professional competences of a person being inducted at the construction site or other work site;
  • verification of professional competences required for a work task;
  • ensuring compliance against occupational safety regulations;
  • direction of the work at the construction site or work site;
  • ensuring the contracting party’s compliance against contractual terms or applicable quality, operative or similar standards;
  • ensuring that contractors or independent workers operating at a partner’s building site or other work site comply with the contract, and
  • with the data subject’s explicit consent for other purposes.

The transfer of personal data will be conducted using application interfaces provided by Vastuu Group in a manner ensuring that the employee’s personal data is transferred when the employee has provided her/his Valtti card credentials, or when the business relationship between the User and the receiver of personal data is recognised in any other manner.

We can convey your personal data to the authorities based on the mandatory requirement of a competent authority, or when we consider the inquiry of the authority to be justified for the purpose of investigating suspected misuse of our services.

In the production of the service, we use subcontractors located within the European Economic Area (e.g. service centres), and can also transfer personal data to such subcontractors for producing the service.

As a rule, personal data is not conveyed outside the EU or the European Economic Area.

 

Storage period of personal data

Your employer can keep your personal data in the service for the duration of your employment relationship. Once your employment ends, your employment and personal data will be stored in the service for a minimum of 18 months, which is the period during which users of the service acting as the main contractor can make correction notifications in the employee reports they have submitted to the Finnish Tax Administration.

Once the employment relationship has ended, the employment and personal data of the employee can be stored in the work site register of the main contractor that uses  work site register services, for as long as this information is needed for the above purposes. The minimum data storage period in accordance with the Taxation Procedure Act (1558/1995) is six years from the end of the year when the building site was completed.

Version 18 November 2019

Reliable Partner and Raportti services

Data collected on our Reliable Partner customers is restricted to data concerning the company’s responsible person. We have excluded personal data that may be derivable from a business name (e.g. the name of a person that is part of a business name or auxiliary business name such as “Tmi Firstname Lastname” or “Firstname Lastname Oy”) from the scope of personal data, because this represents company data.

 

The Reliable Partner Power of Attorney Agreement is signed by the company’s authoritised signatories. The following personal data will be collected from the signatories and stored:

  • signature date
  • first name
  • last name
  • position of responsibility
  • identity number
    • We require the person’s identity number in order to ensure that the authorisation contract is signed by a person authorised to sign on behalf of the organisation.

 

We process the following personal data for the compilation of Reliable Partner reports. This data is retrieved from the respective trade registers and business prohibition registers either directly or through a service provider:

  • first name(s)
  • last name
  • date of birth
  • nationality
  • hometown
  • position in the organisation
  • bans on engaging in business activities, if any

 

On which basis is personal data being processed?
The legal basis for processing is the legitimate interests of the controller and fulfilling a contract made between the controller and the customer.

The Reliable Partner service allows your company to offer its partners, in an electronic format, information that they need to fulfil their clarification obligation imposed on contractors in the Act on the Contractor’s Obligations and Liability when Work is Contracted Out (1233/2006).

 

To whom is personal data conveyed?

Your personal data will be included in the company’s trade register extract enclosed with the Reliable Partner report as an appendix. Data contained in the Reliable Partner report, including personal data, is available to third parties in our online services (Valvoja, Raportti Pro, Raportti and Zeckit) and in the business information services provided by our partners. Reliable Partner reports and data contained in them can be provided in an electronic format through an interface to the bidding, procurement, or similar data systems used by our customers.

We can convey data contained in the Reliable Partner service to the authorities as based on the mandatory requirement of a competent authority, or when we consider the inquiry of the authority to be justified in order to investigate a suspected misuse of our services.

In the production of the service, we use subcontractors located within the European Economic Area (e.g. service centres), and can also transfer personal data to such subcontractors for producing the service.

As a rule, personal data is not conveyed outside the EU or the European Economic Area.

 

Storage period of personal data

We archive all Reliable Partner reports that are created. The archived reports are used for providing customer services and for ensuring the reliability of the service and the authenticity of the reports created.

Only the latest Reliable Partner report is kept available for third parties on Vastuu Group’s online service at all times.

Version 18 November 2019

Valtti cardholder

The Valtti card is a photographic identification card for use at building sites, in accordance with the Occupational Safety and Health Act. We maintain a register of all issued Valtti cards.

 

We collect the following information from the employer company acting as Vastuu Group’s customer:

  • first name, last name, tax number, date of birth, and photograph of the cardholder
  • name and business ID (or similar foreign company number) of the employer

 

In connection to creating the Valtti card, we will add the following data into the register:

  • name and bar code of the Valtti card
  • chip ID
  • last valid date of the Valtti card
  • photograph of the card
  • status and any modification data of the card

 

We will collect the following data in our customer register and service logs when the card is ordered:

  • name of the person who submitted the order, date and method of identification
  • completed and cancelled orders and the date of completion or cancellation
  • status of the order

 

On which basis is personal data being processed?

The legal basis for processing is the legitimate interests of the controller.

 

To whom is personal data conveyed?

Customers using Vastuu Group’s services can search for and save in their own data systems personal data of cardholders when the cardholder works or is expected to start working at the customer’s building site or other work site. In connection to data searches, qualification data saved in the Taito Competence Register about the cardholder and other personal data reported by the employer in the Ilmoita service can be linked to the data contained in the Valtti card register, to the extent that the customer has the legal right to process such additional data.

The transfer of personal data to the personal data file of another controller is completed using interfaces provided by Vastuu Group so that the transfer of employees’ personal data requires that the employee’s Valtti card ID has been read or that the contractual relationship between the employer/data subject and the other controller and purpose of data processing has been recognised in some other manner.

We may convey data contained in the Ilmoita service to the authorities as based on the mandatory requirement of a competent authority, or when we consider the inquiry of the authority to be justified in order to investigate suspected misuse of our services.

In the production of the service, we use subcontractors located within the European Economic Area (e.g. service centres), and can also transfer personal data to such subcontractors for producing the service.

As a rule, personal data is not transferred outside the EU or the European Economic Area.

 

Storage period of personal data

Information on issued Valtti cards is stored in the Valtti card register for ten years from the end of the calendar year during which the validity of the card expired, or for as long as the site register or some other register used by our customer has references to the said Valtti card.

Numbers of expired Valtti cards (without personal data) are saved permanently on the expired card revocation list.

Version 18 November 2019

Building Site Register service

The Tax Procedure Act (1558/1995) requires that the main implementer/main contractor of the work site monthly reports all workers to the Tax Administration who have worked at the construction site, including his own and contractors’ workers. The Occupational Safety Act (738/2002) requires that an up-to-date list is maintained of all persons working at the construction site, that orientation is provided for all workers at the work site, and that all workers display an ID with a photograph. The main implementer/main contractor will process your personal data for these purposes.

 

The controller of the work site -specific personal data file is the main implementer/main contractor, who added the work site into our service.

 

Your personal data processed in the Building Site Register service include the following categories of personal data depending on the service components used by the controller:

 

Data retrieved from the employee and company contact person register of the Ilmoita service:

  • name
  • identity number or tax number and date of birth
  • information on registration in the tax number register
  • type of employment relationship
  • employer name, company number, address, company representative and contact details
  • country of residence
  • nationality
  • phone number (will be removed as of 1 January 2020)
  • email address (will be removed as of 1 January 2020)
  • home address in Finland (will be removed as of 1 January 2020)
  • address in the country of residence (will be removed as of 1 January 2020)

 

Data retrieved from the Valtti card register:

  • Valtti card information

 

Data entered into the service by the controller:

  • orientation information
  • access right information

 

Information retrieved from the access control system of the controller:

  • work site access control data

 

On which basis is personal data being processed?

The basis for processing is the statutory obligations of the main implementer/main contractor of the work site and the legitimate interests of the controller.

The main implementer/main contractor regularly conveys personal data to the authorities in a manner required by valid legislation. The main implementer/main contractor can convey personal data to third parties within the scope of the valid data protection legislation.

 

Personal data saved in the Building Site Register can be processed for the following purposes:

  • preparation of the employee list at the construction site, pursuant to section 52b of the Occupational Safety Act (738/2002)
  • verification of the validity of the picture ID required at the construction site, pursuant to section 52b of the Occupational Safety Act (738/2002)
  • performance of employee inductions at the construction site as set out in the Occupational Safety Act (738/2002) and taking care of all other required activities for ensuring and promoting safety at work;
  • preparation of monthly employee reports for the Finnish Tax Administration (section 15 b of the Tax Procedure Act (1558/1995))
  • compliance with other legal or contractual obligations of the controller;
  • access control at the construction site;
  • verification of professional qualifications of a person being inducted at the construction site or other work site;
  • verification of professional competences required for a work task;
  • ensuring compliance against occupational safety regulations;
  • direction of the work at the construction site;
  • ensuring the main implementer’s/ main contractor’s compliance with his own quality, operating, or similar standards;
  • ensuring that contractors or independent workers operating at a main implementer’s/ main contractor’s building site comply with the contract

In the production of the service, we use subcontractors located within the European Economic Area (e.g. service centres), and can also transfer personal data to such subcontractors for producing the service.

As a rule, personal data is not transferred outside the EU or the European Economic Area.

 

Storage period of personal data

The main implementer / main contractor will store the personal data for as long as he will need the data concerned for the above purposes. The minimum storage period of data reported to the Finnish Tax Administration in accordance with the Taxation Procedure Act (1558/1995) is six years from the end of the year during which the building site was completed.

Version 19 November 2019

Qualifications entered into the Taito Competence Register

Information on professional qualifications and their validity is collected in the Taito Competence Register Your personal data will be contained in the Taito Competence Register if:

  • your employer maintains competence information in the Taito Competence Register, or
  • you have given your consent for that qualification data to be published in the Taito Competence Register

 

The following personal data/data concerning a person will be stored in the Taito Competence Register:

  • first name
  • last name
  • tax number
  • date of birth
  • type of qualification
  • qualification ID
  • name marked on the qualification card
  • validity data
  • granter of the qualification
  • information of whether the validity of the qualification has been verified
  • modification data

 

On which basis is personal data being processed?

The legal basis for personal data processing is the legitimate interests of the controller and/or consent given by the data subject.

The Taito Competence Register is a service directed specifically at employers in the construction sector. Employers can use the service for maintaining qualification data on their employees and for distributing this data to their partners, including the work site supervisor.

 

To whom is personal data conveyed?

Customers using Vastuu Group’s services can search for and save, in their own data systems, personal data on data subjects (qualified persons) when the data subject works or is expected to start working at the customer’s building site or other work site. Data searches are principally completed so that the data subject presents his Valtti card to the customer, and the customer retrieves qualification data from Vastuu Group’s system through the interface using the Valtti card ID. The customer can, at the same time, search for other personal data in the Valtti card register and personal data in the Ilmoita service, to the extent that the customer has a legal right to process such additional data.

We may convey data contained in the Taito Competence Register to the authorities based on the mandatory requirement of a competent authority, or when we consider the inquiry of the authority to be justified in order to investigate suspected misuse of our services.

In the production of the service, we use subcontractors located within the European Economic Area (e.g. service centres), and can also transfer personal data to such subcontractors for producing the service.

As a rule, personal data is not transferred outside the EU or the European Economic Area.

 

Storage period of personal data

The storage period for qualification data is as follows:

  • qualification data is removed from the Taito Competence Register without undue delay when we are notified of the cancellation of your previous consent
  • valid qualification data is stored for as long as your data is included in the employee register of the Ilmoita service
  • the maximum storage period of data related to expired qualifications is two years from the end of the year during which the qualifications expired

Further information and contacts

If you wish to exercise your rights, please contact Vastuu Group Oy’s Data Protection Officer.

Data Protection Officer’s contact details:

Email:

dpo@vastuugroup.fi

 

Regular mail:

Vastuu Group Oy            
Data Protection Officer
Tarvonsalmenkatu 17 B
02600 Espoo, Finland

Version 18 November 2019

Your rights as a data subject

As a data subject, you have the right to inspect the personal data concerning yourself and demand that any incorrect data be corrected or deleted. However, we can, within the limits of law, restrict your right to access data that contains the personal data of others, is a business secret of ours or our customer, or is related to the safety features of the service.

You have the right to request that your personal data be deleted in situations specified in the general data protection regulation, if:

  • you cancel your previous consent and there is no other legal basis for processing the data concerned besides your consent
  • you object to the processing of your personal data, and there is no legal basis for continuing the processing
  • processing the data is illegal
  • you are under 18 and your personal data was collected in connection with providing information society services.

In situations specified in the general data protection regulation, you have the right to object to the processing of your data or to request that the processing of your data is restricted. If you consider the processing of your personal data to be illegal, you can submit a complaint on the processing to a competent authority.

If you wish to inspect the personal data concerning yourself, fill in the request to inspect personal data concerning oneself.

Version 18 November 2019

How is your data secured?

Your personal data can only be processed by persons who are entitled to do so and need the said data in their work tasks. Persons processing the data are committed to confidentiality.

Subcontractors operating within the European Economic Area can be used to produce the service. With subcontractors, a written data processing agreement has been signed in accordance with section 28 of the General Data Protection Regulation as well as an agreement made regarding the confidentiality of personal data. To the extent that third party cloud services (e.g. Hubspot, Zendesk) are used for customer and marketing communications and customer service, we have ensured that personal data transfers outside the European Economic Area are completed in accordance with the valid legislation, e.g. following the terms and conditions of EU’s standard clauses or the EU–USA Privacy Shield arrangement.

Servers used for data processing are located in data centres within the European Economic Area and protected with the appropriate access control and security systems. Regular backups are made of the data.

Log data is collected of the use of the services in order to investigate error situations and suspected misuse and develop the services.

Data transfer between the data centre and the user is protected with appropriate encryption technology.

Confidentiality, integrity, availability, and fault tolerance of information saved in the services is ensured by means of various methods and systems such as security audits, security updates, and service monitoring of the systems.

Privacy Notices

Privacy notice

Customer and marketing communication register

(Last updated on 18 November 2019)

 

PDF

 

Controller and contact person of the register

Vastuu Group Oy (Business ID 2327327-1)

Tarvonsalmenkatu 17 B

02600 Espoo, Finland

 

Data Protection Officer’s contact details:

Email

dpo@vastuugroup.fi

 

Regular mail

Vastuu Group Oy                 
Data Protection Officer
Tarvonsalmenkatu 17 B
02600 Espoo, Finland

 

Data subjects

Data subjects are contact persons of Vastuu Group Oy’s (the ”Supplier”) customers and potential customers, users of Supplier’s services, and users of Supplier’s website. Customers are companies, entrepreneurs, or consumers.

 

Basis for and purpose of personal data processing

The legal basis for personal data processing is the legitimate interest of the controller or fulfilling a contract made with the controller.

We use personal data in the marketing and sale of our services and for customer relationship management, invoicing, provision of customer support services, user rights monitoring, and service development. Personal data processing also includes processing and analysing the data concerned for targeted marketing and service production. For example, we can show customers targeted messages or content on our website, or channels based on their previous interests.

We will principally collect personal data directly from you when you contact us and use our services. We also collect data on our customers and their contact persons from public sources and registers.

We use web analytics services to collect visitor data on our website in order to analyse and develop our web resources, as well as target relevant marketing and customer communications to the visitors.

 

Which personal data is collected and from what sources?

We collect and process in the customer and marketing communication register mainly our customers and potential customer’s representatives and contact persons’ personal data. The register contains the following types of data on the contact persons for our customers and potential customers:

  • name, email address, telephone number, job title
  • name and contact details of the company/organisation
  • mailing list subscription data
  • consents and bans on direct marketing and customer communications
  • pages opened and brochures requested by the user on the website
  • information on the logins in our online services
  • information on any customer and direct marketing communication sent by email and whether the message has been read
  • user profile
  • information on any communication with the data subject, such as content, date, and time of message
  • messages sent to Customer Service and processing data on the related customer support ticket
  • website chats with Customer Service
  • recording of calls made to the telephone number of Customer Service
  • feedback you provide on the use of Customer Service
  • other information related to the purpose of the register that can be linked to the data subject, such as data collected on the use of the website during the use of the service (e.g. the user’s IP address, time of the visit, pages visited, browser type used, website that directed the user to the website, and the server that the user used to access the website).

We typically receive the following information directly from the contact persons of our customers:

  • name of the customer company, first and last name of the contact person, work email address, telephone number
  • permissions and/or bans on the contact person in electronic direct marketing and customer communications
  • classification data provided by the contact person (e.g. interests)
  • information provided on contact forms
  • customer feedback data, contact messages, and consents

We will process, for example, the following personal data of the user in connection with the use of services and websites:

  • IP address or other ID
  • Subscription, invoicing, and delivery data
  • Data collected through cookies
  • Data collected on the use of our online services
  • Data collected on the use of our customer support channels

The following data on the user in particular is received from other sources:

  • Data related to the use of social media, such as LinkedIn, Facebook and Twitter, e.g. ‘liking’ our website

 

Regular disclosure and transfer of personal data

We can use subcontractors for personal data processing.

We can disclose personal data to our partners for direct marketing purposes within the limits of the applicable legislation at force.

We can disclose your personal data to the authorities based on the mandatory requirement of a competent authority, or when we consider the inquiry of the authority to be justified for the purpose of investigating suspected misuse of our services.

 

Transfers outside the EU and EEA

Personal data is not principally transferred outside the European Union (EU) or the European Economic Area (EEA), unless necessary for the technical implementation of data processing, e.g. when the data subject sends or receives messages by email or other online-based transmission service.

We can be used in customer and marketing communications and in Customer Service ticket management third-party data systems and cloud services, the personal data processing of which can be partly implemented outside the EEA. To the extent that our subcontractors implement data processing outside the EEA, we will ensure that the transfer of personal data outside the EEA is completed in compliance with the applicable legislation.

 

Storage period of personal data

Personal data contained in the customer and marketing communication register is stored for as long as we will need it for the above purposes.

Storage periods have been defined for the following data

  • recordings of chats with Customer Service: three months
  • recordings of telephone conversations with Customer Service: seven months
  • details on the customer’s contact person related to customer relationship management: for as long as the data subject is the contact person of the customer concerned or for as long as we store the history data of the service used by the customer

 

Rights of data subjects

As a data subject, you have the right to inspect the personal data concerning yourself and demand that any incorrect data be corrected or deleted. However, we can, within the limits of law, restrict your right to access data that contains the personal data of others, is a business secret of ours or our customer, or is related to the security features of the service.

You have the right to request that your personal data be deleted in situations specified in the general data protection regulation, if:

  • you cancel your previous consent and there is no other legal basis for processing the data concerned besides your consent
  • you object to the processing of your personal data, and there is no legal basis for continuing the processing
  • processing your personal data is illegal
  • you are under 18 and your personal data was collected in connection with providing information society services.

In situations specified in the general data protection regulation, you have the right to object to the processing of your data or to request that the processing of your data is restricted. If you consider the processing of your personal data to be illegal, you can submit a complaint on the processing to a competent authority.

 

Data security

The right to use the customer and marketing communication register is restricted to appointed persons only, who need the information concerned in their work tasks. Each user has his/her own user name and password. Personal data is principally stored in databases and data systems located within the European Economic Area that have the appropriate technical and organisational measures in place, to protect the personal data against misuse and disclosure.

 

Contacts

If you have questions regarding this privacy statement or you wish to exercise your rights, please contact controller’s data protection officer by using the above email or postal address.

 

Changes

We can make changes to this privacy statement from time to time without a separate notice. Any changes made are listed in the “last update” section at the beginning of this privacy notice.

Privacy notice

Reliable Partner service

(Last updated on 18 November 2019)

 

PDF

 

Controller and contact person of the register

Vastuu Group Oy (Business ID 2327327-1)

Tarvonsalmenkatu 17 B

02600 Espoo, Finland

 

Data Protection Officer’s contact details:

Email

dpo@vastuugroup.fi

 

Regular mail

Vastuu Group Oy                 
Data Protection Officer
Tarvonsalmenkatu 17 B
02600 Espoo, Finland

 

Data subjects

Data subjects are legal representatives, officers or directors of a customer company that has subscribed to the Reliable Partner Service provided by Vastuu Group Oy (the “Supplier”). Data subject’s personal data and position in the customer company has been registered in the national trade or company register and is shown on the trade register extract.

 

Basis for and purpose of personal data processing

The legal basis for personal data processing is the legitimate interests of the controller.

The Reliable Partner service allows Supplier’s customer to offer its partners, in an electronic format, information that they need to fulfil their clarification obligation imposed on contractors in the Act on the Contractor’s Obligations and Liability when Work is Contracted Out (1233/2006). The contractor’s liability data of customers who have subscribed to the Reliable Partner service is available to third parties in Supplier’s Valvoja, Raportti Pro, Raportti and Zeckit services and in the business information services provided by Supplier’s partners.

 

Which personal data is collected and from what sources?

The following personal data will be collected in the Reliable Partner service register of the customer company’s responsible persons:

  • name
  • date of birth
  • nationality
  • hometown
  • position of responsibility in the company and its start and end dates
  • bans on engaging in business activities, if any

Data is acquired either directly from the respective trade register or business prohibition register or through a commercial business information service, and is integrated into the Reliable Partner report prepared by the Supplier.

We collect the following information on the signatory of the Reliable Partner service contract when the contract is signed:

  • name
  • position in the company
  • unique identification of the person (identity number) that allows for checking the reported position against the trade register data
  • signature date

 

Regular disclosure and transfer of personal data

The Reliable Partner report and related personal data is available to third parties in Supplier’s Valvoja, Raportti Pro, Raportti and Zeckit services and in the business information services provided by Supplier’s partners. Reliable Partner reports can be provided in an electronic format through an interface to the bidding, procurement, or similar data systems of our customers.

We can disclose data contained in the Reliable Partner register to the authorities based on the mandatory requirement of a competent authority, or when we consider the inquiry of the authority to be justified in order to investigate suspected misuse of our services.

In the production of the Reliable Partner service, we can use subcontractors located within the European Economic Area, and it can also transfer personal data to such subcontractors for producing the service.

 

Transfers outside the EU and EEA

As a rule, personal data is not transferred outside the EU or the European Economic Area.

 

Storage period of personal data

We archive all Reliable Partner reports created and uses the archived reports for providing customer services and for ensuring the reliability of the service and the authenticity of the reports created.

Only the latest Reliable Partner report is kept available for third parties on Vastuu Group’s report services at all times.

 

Rights of data subjects

As a data subject, you have the right to inspect the personal data concerning yourself and demand that any incorrect data be corrected or deleted. However, we can, within the limits of law, restrict your right to access data that contains the personal data of others, is a business secret of ours or our customer, or is related to the safety features of the service.

You have the right to request that your personal data be deleted in situations specified in the general data protection regulation, if:

  • you cancel your previous consent and there is no other legal basis for processing the data concerned besides your consent
  • you object to the processing of your personal data, and there is no legal basis for continuing the processing
  • processing the data is illegal
  • you are under 18 and your personal data was collected in connection with providing information society services.

In situations specified in the general data protection regulation, you have the right to object to the processing of your data or to request that the processing of your data is restricted. If you consider the processing of your personal data to be illegal, you can submit a complaint on the processing to a competent authority.

 

Data security

The right to use the register is restricted to appointed persons only, who need the information concerned in their work tasks. Each user has his/her own user name and password. Personal data is stored in databases and data systems located within the European Economic Area that have the appropriate technical and organisational measures in place to protect the personal data against misuse and disclosure.

 

 Contacts

If you have questions regarding this privacy notice or you wish to exercise your rights, please contact Supplier’s Data Protection Officer by using the above email or postal address.

 

 Changes

We can make changes to this privacy notice from time to time without a separate notice. Any changes made are listed in the “last update” section at the beginning of this privacy notice.

 

Privacy notice

Ilmoita service

(Last updated on 18 November 2019)

 

PDF

 

Controller and contact person of the register

The controller is Vastuu Group Oy’s customer company that uses the Ilmoita service and is the employer of the data subject.

Controller’s supplier responsible for the provision, development and customer support of the Ilmoita service and its interfaces is: 

Vastuu Group Oy, Business ID 2327327-1 (the ”Supplier”)

Tarvonsalmenkatu 17 B

02600 Espoo, Finland

 

Data Protection Officer’s contact details:

Email

dpo@vastuugroup.fi

 

Regular mail

Vastuu Group Oy                 
Data Protection Officer
Tarvonsalmenkatu 17 B
02600 Espoo, Finland

 

Data subjects

Data subjects are the employees, managers, trainees (not working on an employment contract), or volunteer workers of the controller (Supplier’s customer).

 

Basis for and purpose of personal data processing

The legal basis for personal data processing is the contract signed between the controller and the data subject (employment contract), fulfilling a legal obligation of the controller (reporting obligation within the construction sector), and a legitimate interest of the controller.

The Ilmoita service allows the controller to transfer employer and employee data in an electronic format to the purchaser of the work, the main contractor of the building site or other administrator of the work site.

 

Which personal data is collected and from what sources?

The controller will store the following categories of personal data in their employee register in the Ilmoita service:

  • first name, last name
  • identity number, tax number, date of birth
  • picture
  • type of employment relationship
  • employer name, company number, address, company representative and contact details
  • nationality
  • phone number
  • email address
  • Valtti card delivery address
  • country of residence
  • employee’s status as a posted worker and information of the respective A1 certificate
  • home address in Finland (will be removed as of 1 January 2020)
  • address in the country of residence (will be removed as of 1 January 2020)

The following data will be added to each data subject’s personal data during use of the service:

  • information when employee data has been modified
  • information concerning when the employment data has been verified by the employer
  • information if the person is registered in the Tax Authority’s tax number register
  • status of ePerehdytys subscription
  • status of Valtti card

In addition, card and competence data retrieved from Supplier’s Valtti card register and Taito Competence Register can be linked to the personal data of data subjects when the personal data concerned is transferred.

 

Regular disclosure and transfer of personal data

The controller can transfer their own employees’ personal data to their business partners through the Service for the following purposes:

  • preparation of the employee list at the construction site, pursuant to section 52b of the Occupational Safety Act (738/2002)
  • verification of the validity of the picture ID required at the construction site, pursuant to section 52b of the Occupational Safety Act (738/2002)
  • performance of employee inductions at the construction site as set out in the Occupational Safety Act (738/2002) and taking care of all other required activities for ensuring and promoting safety at work;
  • preparation of monthly employee reports for the Finnish Tax Administration (section 15 b of the Tax Procedure Act (1558/1995))
  • compliance against other legal or contractual obligations;
  • access control at the construction site or other work site;
  • verification of professional competences of a person being inducted at the construction site or other work site;
  • verification of professional competences required for a work task;
  • ensuring compliance against occupational safety regulations;
  • direction of the work at the construction site or work site;
  • ensuring the contracting party’s compliance against contractual terms or applicable quality, operative or similar standards;
  • ensuring that contractors or independent workers operating at a partner’s building site or other work site comply with the contract, and
  • with the data subject’s explicit consent for other purposes.

The transfer of personal data will be conducted using application interfaces provided by the Supplier in a manner ensuring that the employee’s personal data is transferred when the employee has provided her/his Valtti card credentials, or when the business relationship between the controller and the receiver of personal data is recognised in any other manner.

The Supplier can disclose data contained in the Building Site Register to the authorities based on the mandatory requirement of a competent authority, or when the Supplier considers the inquiry of the authority to be justified in order to investigate suspected misuse of their services.

In the production of the Building site register service, the Supplier can use subcontractors located within the European Economic Area, and can also transfer personal data to such subcontractors for producing the service.

 

Transfers outside the EU and EEA

As a rule, personal data is not conveyed outside the EU or the European Economic Area.

 

Storage period of personal data

During the use of the service, the controller is responsible for maintaining the data saved in its employee register and for entering the end of each employment relationship into the register. Employment and personal data of each former employee will be stored in the service for the minimum of 18 months, which is the time during which users of the service that acted as the main contractor can make correction notifications in the employee reports they have submitted to the Finnish Tax Administration. If the user company discontinues their operations without marking the employment relationships as having ended, the Supplier can do this on its own initiative.

Once the employment relationship has ended, the employment and personal data of the employee can be stored in the work site register of the main contractor that uses Supplier’s work site register services, for as long as the information concerned is needed for the purposes mentioned above by other customers. The minimum data storage period in accordance with the Taxation Procedure Act (1558/1995) is six years from the end of the year when the building site was completed.

 

Rights of data subjects

As a data subject, you have the right to inspect the personal data concerning yourself and demand that any incorrect data be corrected or deleted. However, we can, within the limits of law, restrict your right to access data that contains the personal data of others, is a business secret of ours or our customer, or is related to the safety features of the service.

You have the right to request that your personal data be deleted in situations specified in the general data protection regulation, if:

  • you cancel your previous consent and there is no other legal basis for processing the data concerned besides your consent
  • you object to the processing of your personal data, and there is no legal basis for continuing the processing
  • processing the data is illegal
  • you are under 18 and your personal data was collected in connection with providing information society services.

In situations specified in the general data protection regulation, you have the right to object to the processing of your data or to request that the processing of your data is restricted. If you consider the processing of your personal data to be illegal, you can submit a complaint on the processing to a competent authority.

 

Data security

The right to use the register is restricted to appointed persons only, who need the information concerned in their work tasks. Each user has his/her own user name and password. Personal data is stored in databases and data systems located within the European Economic Area that have the appropriate technical and organisational measures in place to protect the personal data against misuse and disclosure.

 

Contacts

If you have questions regarding this privacy notice or you wish to exercise your rights, please contact Supplier’s Data Protection Officer by using the above email or postal address.

 

 Changes

We can make changes to this privacy notice from time to time without a separate notice. Any changes made are listed in the “last update” section at the beginning of this privacy notice.

 

Privacy notice

Valtti card register

(Last updated on 18 November 2019)

 

PDF

 

Controller and contact person of the register

Vastuu Group Oy (Business ID 2327327-1)

Tarvonsalmenkatu 17 B

02600 Espoo, Finland

 

Data Protection Officer’s contact details:

 

Email

dpo@vastuugroup.fi

 

Regular mail

Vastuu Group Oy                 
Data Protection Officer
Tarvonsalmenkatu 17 B
02600 Espoo, Finland

 

Data subjects

Data subjects are the holders of Valtti smart cards granted by Vastuu Group Oy (the ”Supplier”). Cardholders are the employees, managers, trainees (not working on an employment contract), or volunteer workers of Supplier’s customer.

 

Basis for and purpose of personal data processing

The legal basis for personal data processing is the legitimate interests of the controller.

The Valtti card is a photographic identification card for use at building sites, in accordance with the Occupational Safety and Health Act. There can be two cards in the card package: The Valtti smartcard and the photographic personal identity card required on worksites. The Valtti smartcard relies on RFID technology.

Information printed on the smart card has been saved in the Supplier’s electronic Valtti card database, from where third parties that have been granted access rights to the data can search for the cardholder’s personal data for purposes specified in this privacy notice.

 

Which personal data is collected and from what sources?

We collect the following information from the employer company acting as Supplier’s customer:

  • first name, last name, tax number, date of birth, and photograph of the cardholder
  • name and business ID of the employer

In connection to creating the Valtti card, we will add the following data into the register:

  • name and bar code of the Valtti card
  • chip ID
  • last valid date of the Valtti card
  • photograph of the card
  • status and any modification data of the card

We will collect the following data in our customer register and service logs when the card is ordered:

  • name of the person who submitted the order, date and method of identification
  • completed and cancelled orders and the date of completion or cancellation
  • status of the order

 

Regular disclosure and transfer of personal data

Customers using Vastuu Group Oy’s services can search for and save in their own data systems personal data of cardholders when the cardholder works or is expected to start working at the customer’s building site or other work site. In connection to data searches, qualification data saved in the Taito Competence Register about the cardholder and other personal data reported by the employer in the Ilmoita service can be linked to the data contained in the Valtti card register, to the extent that the customer has the legal right to process such additional data.

The cardholder’s personal data can be searched for and processed only for the following purposes:

  • preparation of the employee list at the construction site, pursuant to section 52b of the Occupational Safety Act (738/2002)
  • verification of the validity of the picture ID required at the construction site, pursuant to section 52b of the Occupational Safety Act (738/2002)
  • performance of employee inductions at the construction site as set out in the Occupational Safety Act (738/2002) and taking care of all other required activities for ensuring and promoting safety at work;
  • preparation of monthly employee reports for the Finnish Tax Administration (section 15 b of the Tax Procedure Act (1558/1995))
  • compliance against other legal or contractual obligations;
  • access control at the construction site or other work site;
  • verification of professional competences of a person being inducted at the construction site or other work site;
  • verification of professional competences required for a work task;
  • ensuring compliance against occupational safety regulations;
  • direction of the work at the construction site or work site;
  • ensuring the contracting party’s compliance against contractual terms or applicable quality, operative or similar standards;
  • ensuring that contractors or independent workers operating at a partner’s building site or other work site comply with the contract, and
  • upon data subject’s explicit consent for other purposes.

The transfer of personal data to the personal data file of another controller is completed using interfaces provided by the Supplier so that the transfer of employees’ personal data requires that the employee’s Valtti card ID has been checked or that the contractual relationship between the employer/data subject and the other controller and purpose of data processing has been recognised in some other manner.

We can disclose data contained in the Valtti card register to the authorities based on the mandatory requirement of a competent authority, or when we consider the inquiry of the authority to be justified in order to investigate suspected misuse of our services.

In the production of the Valtti card service, we can use subcontractors located within the European Economic Area, and it can also transfer personal data to such subcontractors for producing the service.

 

Transfers outside the EU and EEA

As a rule, personal data is not transferred outside the EU or the European Economic Area.

 

Storage period of personal data

Information on issued Valtti cards is stored in the Valtti card register for ten years from the end of the calendar year during which the validity of the card expires, or for as long as the site register or some other register of Vastuu Group’s customer has references to the Valtti card concerned.

Numbers of expired Valtti cards (without personal data) are saved permanently on the expired card revocation list.

 

Rights of data subjects

As a data subject, you have the right to inspect the personal data concerning yourself and demand that any incorrect data be corrected or deleted. However, we can, within the limits of law, restrict your right to access data that contains the personal data of others, is a business secret of ours or our customer, or is related to the safety features of the service.

You have the right to request that your personal data be deleted in situations specified in the general data protection regulation, if:

  • you cancel your previous consent and there is no other legal basis for processing the data concerned besides your consent
  • you object to the processing of your personal data, and there is no legal basis for continuing the processing
  • processing the data is illegal
  • you are under 18 and your personal data was collected in connection with providing information society services.

In situations specified in the general data protection regulation, you have the right to object to the processing of your data or to request that the processing of your data is restricted. If you consider the processing of your personal data to be illegal, you can submit a complaint on the processing to a competent authority.

 

Data security

The right to use the register is restricted to appointed persons only, who need the information concerned in their work tasks. Each user has his/her own user name and password. Personal data is stored in databases and data systems located within the European Economic Area that have the appropriate technical and organisational measures in place to protect the personal data against misuse and disclosure.

 

Contacts

If you have questions regarding this privacy notice or you wish to exercise your rights, please contact Supplier’s Data Protection Officer by using the above email or postal address.

 

Changes

We can make changes to this privacy notice from time to time without a separate notice. Any changes made are listed in the “last update” section at the beginning of this privacy notice.

 

Privacy notice

Taito Competence Register

(Last updated on 18 November 2019)

 

PDF

 

Controller and contact person of the register

Vastuu Group Oy (Business ID 2327327-1)

Tarvonsalmenkatu 17 B

02600 Espoo, Finland

 

Data Protection Officer’s contact details:

 

Email

dpo@vastuugroup.fi

 

Regular mail

Vastuu Group Oy                 
Data Protection Officer
Tarvonsalmenkatu 17 B
02600 Espoo, Finland

 

Data subjects

Data subjects are:

  • the employees, managers, trainees (not working on an employment contract), or volunteer workers of Vastuu Group Oy’s (the “Supplier”) customer that use the Taito Competence Register; or
  • natural persons who have given their consent for publishing their completed qualifications in Taito Competence Register.

 

Basis for and purpose of personal data processing

The legal basis for personal data processing is the legitimate interests of the controller and/or consent given by the data subject.

The Taito Competence Register is a service directed specifically at employers in the construction sector. Employers can use the service for maintaining the qualification data of their employees and for distributing this data to their partners, including the work site supervisor.

 

Which personal data is collected and from what sources?

The Taito Competence Register contains the following types of personal data:

  • first name and last name of the data subject
  • tax number
  • date of birth
  • type of qualification
  • name marked on the qualification card
  • qualification ID
  • validity data
  • granter of the qualification
  • information on whether the validity of the qualifications has been verified directly from the source
  • modification data

 

Regular disclosure and transfer of personal data

Customers using Vastuu Group’s services can search for and save, in their own data systems, personal data on data subjects (qualified persons) when the data subject works or is expected to start working at the customer’s building site or other work site. Data searches are principally completed so that the data subject presents his Valtti card to the customer, and the customer retrieves qualification data from Supplier’s system through the interface using the Valtti card ID. The customer can, at the same time, search for other personal data in the Valtti card register and personal data reported by the employer in the Ilmoita service, to the extent that the customer has a legal right to process such additional data.

The customer can search for and process personal data contained in the Taito Competence Register only for the following purposes:

  • The employer can process the personal data concerning their own employees for all legal purposes within the employer’s own company.
  • Customers who are not the employer of the data subject can process the personal data for the following purposes:
    • To implement worksite orientation required by the Occupational Safety Act (738/2002) and to take care of all other activities required from the main contractor or the main implementer, in order to ensure and promote work safety and fulfil other statutory obligations
    • verification of professional competences of a person being inducted at the construction site or other work site;
    • verification of professional competences required for a work task;
    • ensuring compliance against occupational safety regulations;
    • direction of the work at the construction site or work site;
    • to ensure compliance with the customer’s own quality, operating or similar system
    • to ensure compliance with contracts of the contractors or independent workers operating at the customer’s building site or other work site, and
    • other purposes subject to the data subject’s explicit consent.

We can disclose data contained in the Taito Competence Register to the authorities based on the mandatory requirement of a competent authority, or when we consider the inquiry of the authority to be justified in order to investigate suspected misuse of our services.

In the production of the Taito Competence Register, we can use subcontractors located within the European Economic Area, and it can also transfer personal data to such subcontractors for producing the service.

 

Transfers outside the EU and EEA

As a rule, personal data is not transferred outside the EU or the European Economic Area.

 

Storage period of personal data

The storage period for qualification data is as follows:

  • qualification data is removed from the Taito Competence Register without undue delay when the Supplier is notified of the cancellation of the data subject’s previous consent
  • valid qualification data is stored for as long as the data subject is saved in the employee register of the Ilmoita service
  • the maximum storage period of data related to expired qualifications is two years from the end of the year during which the qualifications expired

 

Rights of data subjects

As a data subject, you have the right to inspect the personal data concerning yourself and demand that any incorrect data be corrected or deleted. However, we can, within the limits of law, restrict your right to access data that contains the personal data of others, is a business secret of ours or our customer, or is related to the safety features of the service.

You have the right to request that your personal data be deleted in situations specified in the general data protection regulation, if:

  • you cancel your previous consent and there is no other legal basis for processing the data concerned besides your consent
  • you object to the processing of your personal data, and there is no legal basis for continuing the processing
  • processing the data is illegal
  • you are under 18 and your personal data was collected in connection with providing information society services.

In situations specified in the general data protection regulation, you have the right to object to the processing of your data or to request that the processing of your data is restricted. If you consider the processing of your personal data to be illegal, you can submit a complaint on the processing to a competent authority.

 

Data security

The right to use the register is restricted to appointed persons only, who need the information concerned in their work tasks. Each user has his/her own user name and password. Personal data is stored in databases and data systems located within the European Economic Area that have the appropriate technical and organisational measures in place to protect the personal data against misuse and disclosure.

 

Contacts

If you have questions regarding this privacy statement or you wish to exercise your rights, please contact Supplier’s data protection officer by using the above email or postal address.

 

Changes

We can make changes to this privacy statement from time to time without a separate notice. Any changes made are listed in the “last update” section at the beginning of this privacy notice.

 

Privacy notice

Building Site Register

(Last updated on 18 November 2019)

 

PDF

 

Controller and contact person of the register

Vastuu Group Oy’s customer company that acts as the main contractor or main implementer of the building site is the controller of the register.

Controller’s supplier responsible for the provision, development and customer support of the Building Site Register service and its interfaces is: 

 

Vastuu Group Oy, Business ID 2327327-1 (the ”Supplier”)

Tarvonsalmenkatu 17 B

02600 Espoo, Finland

 

Data Protection Officer’s contact details:

 

Email

dpo@vastuugroup.fi

 

Regular mail

Vastuu Group Oy                 
Data Protection Officer
Tarvonsalmenkatu 17 B
02600 Espoo, Finland

 

Data subjects

Data subjects are persons working at the controller’s building site.

 

Basis for and purpose of personal data processing

The legal basis for personal data processing is implementing the statutory obligations of the controller (e.g. section 52b of the Occupational Safety Act (738/2002) and section 15b of the Tax Procedure Act (1558/1995)) and the legitimate interests of the controller.

 

Which personal data is collected and from what sources?

The personal data processed in the building site register service include the following categories of personal data, depending on the service components selected by the controller:

Data retrieved from the employee register of the Ilmoita service:

  • name
  • identity number or tax number and date of birth
  • information on registration in the Tax Authority’s tax number register
  • type of employment relationship
  • employer name, company number, address, company representative and contact details
  • country of residence
  • nationality
  • phone number (will be removed as of 1 January 2020)
  • email address (will be removed as of 1 January 2020)
  • address in Finland (will be removed as of 1 January 2020)
  • address in the country of residence (will be removed as of 1 January 2020)

Data retrieved from the Valtti card register:

  • Valtti card information

Data entered into the service by the controller:

  • information on completed induction at the building site
  • access rights at the building site

Information retrieved from the access control system of the controller:

  • access control data

 

Regular disclosure and transfer of personal data

The controller regularly discloses personal data to the authorities in a manner required by applicable legislation in force. The controller can disclose personal data to third parties within the scope of applicable data protection legislation.

Personal data saved in the Building Site Register can be processed for the following purposes:

  • preparation of the employee list at the construction site, pursuant to section 52b of the Occupational Safety Act (738/2002)
  • verification of the validity of the picture ID required at the construction site, pursuant to section 52b of the Occupational Safety Act (738/2002)
  • performance of employee inductions at the construction site as set out in the Occupational Safety Act (738/2002) and taking care of all other required activities for ensuring and promoting safety at work;
  • preparation of monthly employee reports for the Finnish Tax Administration (section 15 b of the Tax Procedure Act (1558/1995))
  • compliance with other legal or contractual obligations of the controller;
  • access control at the construction site;
  • verification of professional qualifications of a person being inducted at the construction site or other work site;
  • verification of professional competences required for a work task;
  • ensuring compliance against occupational safety regulations;
  • direction of the work at the construction site;
  • to ensure compliance with the controller’s own quality, operational or similar system
  • to ensure compliance with contracts of the contractors or independent workers operating at the controller’s building site

The Supplier can disclose data contained in the Building Site Register to the authorities based on the mandatory requirement of a competent authority, or when the Supplier considers the inquiry of the authority to be justified in order to investigate suspected misuse of their services.

In the production of the Building site register service, the Supplier can use subcontractors located within the European Economic Area, and can also transfer personal data to such subcontractors for producing the service.

 

Transfers outside the EU and EEA

As a rule, personal data is not transferred outside the EU or the European Economic Area.

 

Storage period of personal data

The controller will store the personal data for as long as the data concerned for the above purposes is required. The minimum storage period of data reported to the Finnish Tax Administration in accordance with the Taxation Procedure Act (1558/1995) is six years from the end of the year during which the building site was completed.

 

Rights of data subjects

As a data subject, you have the right to inspect the personal data concerning yourself and demand that any incorrect data be corrected or deleted. However, we can, within the limits of law, restrict your right to access data that contains the personal data of others, is a business secret of ours or our customer, or is related to the safety features of the service.

You have the right to request that your personal data be deleted in situations specified in the general data protection regulation, if:

  • you cancel your previous consent and there is no other legal basis for processing the data concerned besides your consent
  • you object to the processing of your personal data, and there is no legal basis for continuing the processing
  • processing the data is illegal
  • you are under 18 and your personal data was collected in connection with providing information society services.

In situations specified in the general data protection regulation, you have the right to object to the processing of your data or to request that the processing of your data is restricted. If you consider the processing of your personal data to be illegal, you can submit a complaint on the processing to a competent authority.

 

Data security

The right to use the register is restricted to appointed persons only, who need the information concerned in their work tasks. Each user has his/her own user name and password. Personal data is stored in databases and data systems located within the European Economic Area that have the appropriate technical and organisational measures in place to protect the personal data against misuse and disclosure.

 

Contacts

If you have questions regarding this privacy notice, please contact Supplier’s data protection officer by using the above email or postal address.

If you wish to check if your personal data has been saved in the building site register of the main contractor or the main implementer, please contact the main contractor or main implementer concerned directly.

 

  Changes

We can make changes to this privacy notice from time to time without a separate notice. Any changes made are listed in the “last update” section at the beginning of this privacy notice.

THE USE OF COOKIES

The website of Vastuu Group group may use cookies. Cookies are small text files that save onto the user’s computer in order to create broader functionality on the website. Cookies do not collect or otherwise process personal data. If you do not want cookies to be used, you can disable them on your browser. In this case, the website may not operate as intended.

 

Further Information on Cookies

Cookies may occasionally be transferred to a visitor’s computer. Cookies may be used to collect the following information: the website from which you have moved to our website, the webpages of Vastuu Group Oy you have browsed and when you have browsed them, the browser you are using, the display resolution of your computer, the brand and model of your computer’s operating system, and the IP address of your computer i.e. the Internet address that you send data from and where the data is received.

Behavioral data may be collected by Vastuu Group Oy, its group companies, their service providers and third parties (advertisers and advertising networks, media and advertising agencies, measuring and monitoring services) on visits made to the websites of the Vastuu Group group. Vastuu Group group may also use behavioral data collected from websites other than its own.

With cookie-related information, the number of visits made to services can be monitored by the Vastuu Group group and its collaborative partners and analyzed to develop the Internet services into more visitor-friendly wholes. The abovementioned parties may use cookies to collect information about a visitor’s visits to the Vastuu Group group websites in order to target their advertising. The information collected through the use of cookies is used to produce targeted advertising based on the visitor’s interests for the websites of Vastuu Group group and their collaborative partners. When advertising is targeted by means of cookies, the visitor is neither identified nor is the anonymous data gathered on the visitor connected to personal data possibly obtained from the visitor in some other context.

Through, inter alia, physical, electronic and contractual means, Vastuu Group group strives to prevent unauthorized access to the abovementioned information. The intention is to commit third parties to existing legislation and self-regulations. The Internet is an open system and therefore Vastuu Group group does not monitor or answer for the practices of third parties.

The user can disable cookies by changing their browser settings so that the browser does not allow cookies to be saved. The visitor accepts that disabling cookies may, however, affect the functionality of some of the services.