Privacy policy

DATA SECURITY OF PERSONAL DATA USED IN SOFTWARE 25 MAY 2018

Record of data processing operations concerning software.

Visma Fivaldi (Visma Software Oy) We have signed a written contract of data protection with Visma Software Oy. 

To visit Visma Group’s GDPR page, go to: https://www.visma.com/gdpr/

Fatman (Fatman Oy) We have signed a written contract of data protection with Fatman Oy. 

To visit Fatman Oy’s GDPR page, go to: https://fatman.fi/tietosuoja/

Microsoft Dynamics NAV (Microsoft Oyj) We have signed a written contract of data protection with Microsoft Oyj.

To visit Microsoft Oyj’s GDPR page, go to: https://privacy.microsoft.com/fi-fi/privacystatement

Basware (Basware Oyj) We have signed a written contract of data protection with Basware Oyj. 

To visit Basware Oyj’s GDPR page, go to: https://www.basware.com/en-us/gdpr

DATA SECURITY OF PERSONAL DATA USED IN ACCOUNTING COMPANY 25 MAY 2018

The accounting company ensures data security by both technical and organisational measures. Personal data is processed with due regard and ensuring data security. The measures listed below have been taken to ensure processing with due regard.

Personnel

Together with our employees, we have drawn up a confidentiality agreement on the confidentiality of trade and professional secrets. We invest in employee training, in both information technology and specific skills, and this will also assure the quality of processing in terms of data protection and data security. 

Our employees adhere to our internal guidelines, and we store customer materials in locked premises. In case of any changes, we have created our own operating models to ensure, for example, the timely deleting of access rights. We have a set of rules governing remote working.

We have a dedicated operating model in case of substantial derogations from data security.

Identification of customers and disclosure of material

We always and as much as possible strive to identify customers electronically and disclose material encrypted in an electronic format. Where material is disclosed in a paper format, we will identify the customer and draw up documents on the disclosure of material in two copies.

Administration of access rights and password policy

We follow a centralised and system-specific password administration procedure. All of our employees have been issued personal user authentication to access the systems, and access to confidential data is always protected by passwords. User authentication also means that user-specific logs are stored. Passwords are changed regularly according to an internal procedure, and the adequate level of password strength has been determined separately. If an employee’s job description is substantially changed, employee access rights are reviewed.

Outsourced ICT services and software

Written service agreements have been drawn up for external ICT services, and written agreements have also been drawn up on the secrecy of confidential data. The assignment of responsibilities between us and our service provider has been documented in writing. 

Information management and protected data

We largely seek to process all customer-related data through electronic means. Where necessary, access to electronic systems has been limited to the persons who process data and their substitutes. To ensure processing with due regard, internal handling and processing guidelines have been drawn up regarding the processing of customer materials. We use locked confidential waste bins for destroying paper waste from customer materials. We seek to avoid the use of removable storage media, such as USB mass storage, in the processing of customer-related materials.

Data security of computers and mobile devices

We have in place centralised workstation management for distributing the latest data security updates to workstations regularly. Employees do not have the rights to install in their workstations any software other than that approved by the company’s ICT administration. We use centralised antivirus and firewall applications which we monitor to ensure that they are up to date. Connections to electronic systems are encrypted. Workstation disk systems are encrypted, and we use scanning and analysis tools to look for workstation and server vulnerabilities.

Data security of networks and other ICT environments

Our external service provider ensures that our network is kept up to date. Network devices are updated regularly, and any detected vulnerabilities are patched. We only use business-grade network devices. We do not use our own server. Customer networks (including the wireless guest network) have been separated from our network.

Financial administration software and cloud services

We use some financial administration programmes and cloud services internally and with customers.

 

RECORD OF PROCESSING OPERATIONS 25 MAY 2018

Accounting company’s record of data processing operations

Subcontractors

The customer has given a general consent for the use of subcontractors. For a list of the accounting company’s subcontractors categorised by the software used in customer service, visit tarnan.fi

Categories of data subjects, and the purpose and nature of the processing of personal data 

Subject to the mandate, the accounting company may process the data on data subjects for the following purposes:

• The client’s wage and other remuneration earners for payroll and human resources administration 

• The client’s personal customers to monitor their receivables

• The membership data of client associations or cooperatives to carry out membership management and invoicing

• Shareholder data for the administration of a limited company, cooperative or limited-liability housing company

• For other purposes specified by the client

Subject matter and categories of processing and the type of personal data

The accounting company will process the following categories of personal data: 

• Name and contact details

• Personal identification code, any personal codes provided by the client to an individual

• Personal basic information, such as date of birth, gender and education

• Details of a close relative, if necessary for the client company

• Information on the beginning, end and forms of employment and holidays for the purposes of payroll

• Pay-as-you-earn tax, information on sick leave and other data for the purposes of payroll

• Special categories of personal data referred to in the General Data Protection Regulation and required for payroll 

Sick leave/health-related data and information on trade union memberships

• Payroll 

-derived data on wages, pensions and tax, and other similar data

• Invoicing and recovery data for invoicing and recovery proceedings

• Shareholder and shareholding data for the administration of a limited company or limited-liability housing company

• Education and qualifications for the purposes of human resources management

• Other specified data itemised in writing by the client and processed by the accounting company on behalf of the client

Processing and disclosure of personal data

The accounting company has the right and the obligation to process the data for the purposes specified in the client’s service agreement. The accounting company may disclose data on behalf of the client to the bodies necessary for the service delivery, including the client’s partners who have a statutory right to access information (for example, labour market organisations) and the authorities. The accounting company may process anonymised data to develop its customer service and generate data for its clients, and to disclose anonymised data to the authorities (for example, Statistics Finland) pursuant to their statutory right. 

Duration of the processing of personal data

Unless the parties have otherwise agreed, personal data will be processed as long as the services are provided in accordance with the mandate or the legislation requires the data to be stored. After the statutory storage period has elapsed, the accounting company will have the right and the obligation to destroy the data.

Geographical location of personal data

Unless the parties have expressly agreed otherwise, the accounting company will only process personal data in Finland and in the other EU/EEA countries. 

Version of the Privacy Policy

The accounting company shall update the changes made to this Privacy Policy to make it consistent with the current practice. The current Policy shall be made available to the client at tarnan.fi