Data Protection Statement – Employees and Other Personnel

Last updated: 16 September 2024

Introduction

Siili Solutions Plc and its group companies ("Siili") place the highest value on protecting the privacy of its employees and other personnel and is committed to processing personal data carefully and responsibly. This Data Protection Statement (“Statement”) informs data subjects about how Siili processes personal data in its personnel management. Personal data refers to any information related to an identified or identifiable person, a data subject. Data subjects under this Statement include Siili’s current and previous employees and executives, as well as external consultants and leased workers. A separate subcontractor data protection statement applies to processing of personal data of the subcontractors belonging to Siili’s partner network.

Siili is the data controller of its employees and other personnel’s personal data. As the data controller, Siili is responsible for personal data processing and defines the purposes and means for the data processing.

Siili processes personal data in accordance with all applicable laws, as well as Siili’s Data Protection Policy and Information Security Policy and guidelines derived from them.

Personal Data Collection Methods and Sources

Siili primarily collects personal data from the individuals themselves. Additionally, data is maintained and updated with information produced by the authorities, cooperation partners, and Siili during the employment relationship.

Whenever personal data is intended to be collected from other sources, Siili will seek a data subject’s consent as required by law. However, consent is not needed if the authority discloses data to Siili in order for Siili to carry out its tasks as required by law.

Personal Data Collected and Processed

Siili may process the following personal data:

Basic Data – First and last names (including nicknames), personal identification number, date of birth, gender, native language, personal contact information (both private and business): telephone, email, mailing address, home country, nationality, photos, contact information of a family member identified as an emergency contact, personnel and employment number (company’s), substitution information.
Employment Relationship Data – Job title and description, supervisor, office/workplace, business unit, career start year, seniority level, employment start date and end date, probationary period end date, termination notice, employment termination cause, employment termination agreement, employment certificate, retirement information.

Education, Skills, and Experience Data – CV, education and degree information, professional experience, skills and competencies, certificates, interests, completed introductions and their approvals, information on training and event attendance.

Performance and Development Data – Growth discussion content and date, feedback that an employee has received.

Compensation and Deduction Data – Account number, salary and reward information and agreed benefits, taxation and employer payment information, travel expenses, trade union membership, prohibition on payments, personnel share savings program attendance information.

Working Time Control, Absences, and Vacations – Time and attendance management records, sick leave, parental leave, study leave, job alternation leaves, and other absences having an impact on the calculation of salaries, annual leave, vacation periods.

Occupational Health Care and Working Ability Data – Notification of sick leave and occupational accidents, working capacity discussion date and evaluation of the factors that have caused absence and possibilities to prevent them, occupational health care data, sick leave certificates.

Employee’s Feedback to Siili – Exit interview information, employee questionnaire answers and other feedback provided by an employee to the extent answers and feedback can be linked to an individual employee.

Occupational Safety and Cooperation – Election of occupational safety and health representatives, cooperation meeting minutes.

Work Equipment and Access Rights – Information concerning work equipment and work-related services such as computers, mobile phones and the use of such equipment, information on access rights including usernames and passwords. If an employee installs services meant for personal use in their work equipment, also related information is recorded.

Security Data – data collected by cookies, IP addresses, log data and internet browsing information to the extent allowed by applicable legislation, access control information in certain cases.

Siili may also process information concerning the modification or update of the above categories.

Legal Bases and Purposes of Data Processing

Siili processes personal data for predefined purposes based on contract, legal obligation, consent or Siili’s legitimate interests. Siili ensures that its interests can be considered legitimate and conducts an evaluation of the lawfulness of its interests.

Siili processes personal data to fulfill responsibilities and obligations related to a data subject’s employment relationship or other cooperation relationship. This includes tasks such as monitoring working time and absences, managing compensation, and implementing actions to take care of and develop the employment relationship. Also, personal data is processed to carry out tasks associated with initiating and termination of employment and to facilitate various business processes (e.g., client work).

Sensitive personal data, such as information revealing a person’s race or ethnic origin, trade union membership or health-related data, is only processed under legal obligations. If a data subject voluntarily discloses information about their diet or food allergies, for example, in the context of enrolling in an event, Siili processes such personal data only for arranging food services. This information is deleted when no longer needed, and it is not stored permanently in the register.

The table below provides more information on the legal bases and purposes of processing.

Personal Data Category	Legal Bases	Purposes
Basic Data	Contract, legal obligation, Siili’s legitimate interests: some personal data is necessary to be used in communications by the company during the employment relationship such as adding an employee’s name and title, contact details and photo to internet and/or intranet and to be able to operate in an emergency.	Identification of individuals, granting user and access rights and managing work equipment, ensuring the right to work, handling work tasks and communications to employees, contacting employees in emergency situations, statistics, mailing, administration and maintenance of internet and intranet pages.
Employment Relationship Data	Contract, legal obligation, Siili’s legitimate interests: personal data is needed for maintaining organizational structure.	Calculation of salaries, working time control, travel and expense handling, calculation of pension, inheriting labor union membership fees, statistics, taking care of matters regarding employment relationship, handling works tasks.
Education, Skills, and Experience data	Contract, Siili’s legitimate interests: personal data is needed for ensuring sufficient skill level for different tasks and allocating employees to the right client assignments as well as for following up on personal development and training.	Performance, talent and rewards management and development and enabling business processes (e.g., client work).
Performance and Development Data	Contract, Siili’s legitimate interests: by means of growth discussion and feedback, the skills and work of an employee can be developed, recognition can be granted on good performance and personal development and follow-up fulfillment of personal goals.	Defining work targets, drawing up personal development plan and related follow-up.
Compensation and Deduction Data	Contract, legal obligation, Siili’s legitimate interests: personal data is needed for targeting personnel benefits to the right employees and ensuring correctness of travel time salary, daily allowance, and expense compensation.	Payment of salaries (including salaries, rewards, benefits, and vacations), taxation, pension accrual, statistics and other authority purposes, travel and expense handling, insurance management.
Working Time Control, Absences, and Vacations	Contract, legal obligation, Siili’s legitimate interests: handling absence data is necessary for the business in order to allocate employees to the right client assignments.	Working time control for salary payments, managing absences and vacations, and enabling business processes (e.g., client work).
Occupational Health Care and Working Ability Data	Contract, legal obligation, Siili’s legitimate interests: through working ability discussions, Siili aims to find out whether it is possible to implement measures for supporting employee working ability.	Health and wellbeing management and evaluation of working ability after long-term absence or in case working ability has or is threatened to be lowered.
Employees’ Feedback to Siili	Siili’s legitimate interests: ensuring and developing employee satisfaction and wellness, as well as developing processes and other employer operations.	Measuring work satisfaction and developing processes and operations.
Occupational Safety and Cooperation	Legal obligation	Ensuring and enhancing work safety and healthiness.
Work Equipment and Access Rights	Contract, Siili’s legitimate interests: by documenting work equipment and access rights Siili ensures that employees have suitable equipment and rights considering their work tasks and use and access rights are traceable.	Managing work equipment and access rights.
Security Data	Contract, consent (regarding non-essential cookies), Siili’s legitimate interests: by documenting IP address and log data Siili ensures traceability of events and changes in information systems, applications, networks, and data content for the purpose of ensuring and maintaining information security. By access control, Siili ensures that outsiders cannot access its business premises. Using essential cookies is necessary for the proper functioning of Siili’s website and services.	Ensuring and improving workplace and information security. Cookies are employed to personalize website content and advertisements according to your preferences, facilitate social media functionalities, analyze website visits and usage patterns, and overall improve the website's performance. For further details on how Siili uses cookies, please refer to Siili’s Cookie Statement.

Personal data may also be processed based on Siili's legitimate interest to prevent and investigate misuse and issues, as well as to comply with legal requirements. Siili may process personal data also for defending its legal rights, carrying out a trial or authority process and the execution of an authority order.

In addition, personal data can be processed for reporting and analytics based on Siili’s legitimate interest or legal obligation. If identification of an individual person is not necessary considering the purpose, Siili ensures that personal data is processed in such a form that data subjects are not identifiable from the report or other result.

Disclosures of Personal Data

Siili may disclose personal data to the following recipients:

Siili Group Companies: Personal data may be shared with companies within the Siili Group, based on Siili’s legitimate interest. These companies process personal data in accordance with this Statement or their own statement, substantially like this one.
Service Providers and Subcontractors: Personal data may be disclosed to Siili’s service providers and subcontractors who process personal data on behalf of Siili. Through appropriate contractual arrangements, Siili ensures that personal data is processed in accordance with this Statement and applicable laws.
Clients: Personal data may be disclosed to Siili’s clients and potential clients in relation to work assignments.
Business Partners: Personal data may be disclosed to trusted third parties, such as travel agencies, airlines, accommodation providers, banks, mobile operators, external advisors, and auditors, based on Siili’s legitimate interest.
Authorities, Legal Processes, and Legislation: Siili discloses personal data to competent authorities (such as tax authority) as required by mandatory legislation. Personal data may also be disclosed in connection with legal processes or as a response to the requests by authorities based on law, court order, court proceedings, or authority process, in compliance with applicable laws.
Mergers and Acquisitions: In the event that Siili decides to sell, merge, or rearrange its business, such actions may include disclosing personal data to potential or actual purchasers and their advisors. If the disclosure of personal data is necessary in such a situation, Siili will share only the necessary personal data and only as permitted by applicable legislation.

Data Transfers Outside of the European Economic Area

Siili may transfer personal data to Siili Group companies located outside of the European Economic Area (EEA) for arranging Siili Group operations. Siili may transfer personal data also to its clients, cooperation partners, service providers and subcontractors located outside of the EEA for the purposes described in this Statement.

When personal data is transferred outside of the EEA, Siili uses appropriate transfer basis (such as standard contractual clauses approved by the European Commission and possible supplementary measures) to ensure an adequate level of data protection.

Data Retention

Siili retains personal data for as long as it’s necessary for the initial or compatible purposes for which the personal data have been collected. Retention periods are determined based on mandatory legislation and common industry practices.

The retention period for employee and other personnel’s personal data generally ranges from one year from the date of collection to ten years following the end of employment or the financial year.

Siili may also delete personal data that is no longer needed for its intended purpose during the employment period. Information that becomes unnecessary, outdated, or for which there is no longer a valid reason for processing, will be anonymized or securely destroyed.

More information about personal data retention periods and deletion practices can be found in Siili’s Data Retention Policy. Detailed information on the retention of personal data collected with cookies is available in Siili's Cookie Statement.

Data Security

Siili employs appropriate organizational and technical measures to guard against accidental and/or unlawful access, alteration, and destruction, or other processing, including unauthorized disclosure and transfer of personal data.

These measures encompass (without limitation) proper firewall arrangements, malware detection, appropriate encryption of telecommunication and messages, as well as the use of secure and monitored equipment and server rooms. Data security is of special concern when third parties provide and implement IT systems.

Data security requirements are diligently observed in IT system access management and monitoring of access to IT systems. Siili personnel, processing personal data as part of their tasks, are trained and properly instructed in matters of data protection and data security.

For more information about Siili’s data security practices, please refer to Siili’s Information Security Policy and Workstation Policy.

Automated Decision-Making

Siili does not make decisions about data subjects through automated decision-making.

Data Subject Rights

Data subjects have the following rights according to data protection legislation:

Right to obtain information on the processing of personal data: Data subjects have the right to be informed of the collection and processing of their personal data.
Right of access to their data: Data subjects have the right to receive confirmation from the controller on whether or not the controller is processing personal data that concerns them. If data concerning the data subject is being processed, the controller must provide the data subject with a copy of the personal data being processed.
Right to rectification of their data: Data subjects have the right to demand the rectification of inaccurate personal data concerning them and to have incomplete personal data completed.
Right to the erasure of data: In certain cases, the data subjects have the right to have the controller erase data concerning them without undue delay.
Right to restriction of processing: The data subjects can request the controller to restrict the processing of personal data concerning them.
Right to object to the processing of data: The data subjects have the right to object to the processing of their personal data on grounds relating to their particular situation when a processing is based on legitimate interests pursued by the controller or a third party.
Right to data portability: The data subjects have the right to receive the personal data that they have provided to the controller in a structured, commonly used, and machine-readable format and, if desired, transmit that data to another controller.
Right not to be subject to a decision based solely on automated processing: The data subjects have the right to demand human involvement in decisions that concern them.
Right to file a complaint to the data protection authority: The data subjects have the right to file a complaint with the national data protection authority (in Finland, the Data Protection Ombudsman) or other data protection authority within the EU or EEA if they have experienced that personal data have not been processed lawfully.

If Siili processes certain personal data based on the data subject’s consent, they have a right to withdraw their consent at any time.

Data subjects can exercise their rights by accessing their user profiles in Siili’s online employment tools or by contacting hr@siili.com.

Data subjects may not be able to exercise their rights in all situations. For instance, the basis for data processing has an impact on the data subjects’ possibility to exercise their rights (e.g., if the processing is based on legal obligation, it is not possible to erase the data upon the request of the data subject).

Changes

Siili may change or amend this Statement as necessary, and therefore it is recommended that you revisit this Statement regularly. Substantial changes are announced in Siili’s internal channels and/or data subjects are informed personally.

Contact Information

For questions related to data protection, you can email Siili's data protection team at dataprotection@siili.com.