Privacy statement for SRV Network Register

Privacy statement for SRV Network Register

Updated on 28 October 2020

1        Joint controllers

SRV Group Plc and all companies belonging to the group (hereinafter ‘SRV’).

SRV Group companies:

SRV Group Plc (FI-17071868)

SRV Construction Ltd (FI-17282446)

SRV Infra Oy (FI-05909379)

SRV Russia Ltd (FI-22791261)

Each SRV Group company is responsible for the processing of personal data conducted under its own business operations for the purposes and with the legal basis set out in this Privacy Statement and may use the necessary personal data collected by other group companies for the same purposes.

2       In matters relating to this register, please contact

SRV Group Plc

Privacy

P.O.Box 555

02601 Espoo

privacy@srv.fi

Tel. +358 20 145 5200

3       Register name

SRV Network Register

4       Purpose and basis of the processing of personal data

The processing of personal data is based on law and the legitimate interest of SRV. Personal data is used in order to fulfil obligations and rights set out in legislation and contracts of employment, works contracts and other contracts, for purposes related to access control, working hours monitoring, occupational safety, other safety and crime prevention, and the monitoring and measurement of quality and work performance, for example, for the following purposes:

  • for managing own site, contractor and employee data and the related obligations of SRV
  • for ensuring that the obligations set out for SRV under the Occupational Safety Act, the Act governing the use of tax numbers and the Act on the Contractor’s Obligations and Liability when Work is Contracted Out are fulfilled
  • for the party having the overall responsibility to identify persons on the working site
  • for reporting to tax administration and the supervisory authority
  • detecting, preventing and investigating misuse, fraud and other crimes
  • for clarifying site-specific induction and access permits for persons working on site and for contacting the required persons
  • for ensuring the quality of operations
  • for testing and development of services and systems.

5       The information content of the filing system and categories of data subjects

The filing system includes the following information on employees, independent workers, persons otherwise accessing the site for legitimate reasons and the decision-makers and contact persons of contractors:

  • Basic information on the employee and contractor, such as name, contact details (postal address, email address, phone number) tax number, date of birth, employer and information on site-specific access permits.
  • Information required under the Occupational Safety Act:
  • First name, last name, date of birth and tax number
  • The start and end date of working at the site
  • The name and business ID (or an equivalent foreign ID number) of the employee’s employer
  • Name and contact details of the representative in Finland, as set out in section 8 of the Act on Posting Workers.
  • Information on the person’s professional qualifications and licence documents (such as a hot work permit)
  • Basic information on the contractors’ contact persons, for example, name, employer and contact details (postal address, email address, phone number). Information required under the Act on the Contractor’s Obligations and Liability when Work is Contracted Out, such as information on the applicable collective agreement, proof of pension insurance taken out for employees and certificates of how the employees’ social security is determined.
  • Information that is to be processed on the basis of the disclosure obligation related to construction, as set out in the decision given by the Tax Administration, such as:
    • Identifying details concerning the party under disclosure obligation and a contact person with contact information
    • Site location
    • Identifying details concerning the employee, the start date and estimated end date for the work the employee carries out on-site
    • Insurance information on foreign employees
    • Information on whether an employee has an employment contract, is an agency contract worker, self-employed, trainee or a voluntary worker
    • Identifying details concerning the employer and the employer’s representative or contact person with contact information
    • Identifying details on the party using agency-hired labour
    • Information on contractors and their employees that is processed on the basis of a contract.

6       Information sources

As a rule, the information in the filing system is collected from the data subjects’ employers, the data subjects and the contractors themselves. In addition, personal data can be collected and updated from public and private registers.

7       Disclosure and transfer of data and data transfers to countries outside the EU or EEA.

The data in the filing system is regularly disclosed to authorities, such as the tax authorities, in accordance with the requirements set out in legislation. SRV can also disclose data to its cooperation partners in order to fulfil contractual or legal obligations. Furthermore, data can be disclosed to shop stewards and occupational safety representatives in accordance with collective agreements.

As a rule, personal data is not transferred to locations outside the EU or EEA. If, as an exception, personal data is transferred to a location outside the EU or EEA, SRV ensures that the level of data protection is adequate by using, for example, the standard clauses approved by the EU Commission.

8       Principles for securing the filing system and the period for retaining data

Only employees who are authorised to process personal data due to their work tasks have access to the system that contains the data. Each user has a personal user ID and password for the system. Data is collected into databases that are protected with firewalls, passwords and other technical means. Data communications between the server and the user’s browser is SSL-encrypted. Databases and the related backups are located in locked premises protected by access control and camera monitoring, and only pre-defined persons can access the premises.

Personal data is retained for as long as necessary for the purpose for which the personal data is used or as required in order to fulfil legal obligations. For example, the list required by the Occupational Safety Act is retained for six years from the end of the year during which work on the site was completed. Information collected in accordance with the Act on the Contractor’s Obligations and Liability when Work is Contracted Out is retained by the customer for at least two years from the completion of the work related to the contract in question.

9        Rights of data subjects

Data subjects have the right to check their own information stored in the filing system, and they have the right to demand that data is corrected or erased. Such requests must be submitted in writing to the address provided in section 2.

In accordance with the General Data Protection Regulation, data subjects have the right to object to the processing of their data, request that the processing of their data be restricted, and lodge a complaint concerning the processing of personal data to the data protection authority.