Data protection
We are committed to protecting your personal data, and as a data controller we process this data securely. We wish to be your reliable partner when it comes data stored in our services, and we strive for openness regarding what data and in which way it is processed and stored in Vastuu Group Ltd’s services.
To make it easier for you to find relevant information, we have organised the data according to your role. For additional information regarding the data contained in our services, please see our service-specific privacy notices.Version 18 November 2019
How do we collect personal data?
When you use our website or services, we collect your personal data as described in this document. For more detailed information, please see our privacy notices.
Basis for and purpose of processing
The legal basis for personal data processing is the legitimate interest of the controller or fulfilling a contract made with the controller. We collect data in connection to making a contract, i.e. when you purchase our services and/or register as a user of our services. We also collect data during the validity period of the contract. Data is also received from other controllers and public sources.
We use personal data in the marketing and sale of our services and for customer relationship management, invoicing, provision of customer support services, user rights monitoring, and service development. Personal data processing also includes processing and analysing the data concerned for targeted marketing and service production. For example, we can show customers targeted messages or content on our website, or channels based on their previous interests.
We will principally collect personal data from the data subjects themselves when they contact us and use our services. We also collect data on our customers and their contact persons from public sources and registers.
We use web analytics services to collect visitor data on our website in order to analyse and develop our web resources, as well as target relevant marketing and customer communications to visitors.
We typically receive the following information directly from the contact persons of our customers:
- Name of the customer company, first and last name of the contact person, work email address, telephone number
- Permissions and/or bans on the contact person in electronic direct marketing and customer communications
- Classification data provided by the contact person (e.g. interests)
- Information provided on contact forms
- Customer feedback data, contact messages, and consents
- We also collect the data of our potential customers when they participate in competitions, lotteries, customer events, or fairs.
We will process, for example, the following personal data of the user in connection with the use of services and websites:
- IP address or other ID
- Subscription, invoicing, and delivery data
- Data collected through cookies
- Data collected on the use of our online services
- Data collected on the use of our Customer Service channels
The following data on the user in particular is received from other sources:
- Data related to the use of social media, such as LinkedIn, Facebook and Twitter, e.g. ‘liking’ our website
- We collect browsing data such as the user’s IP address and browsing history when people visit our website. Monitoring is based on the use of cookies. Personal data is principally collected from the data subjects themselves when they contact us and use our services.
- We collect visitor data on our website in order to analyse and develop our website as well as target relevant marketing and customer communications to visitors.
- We can also collect your personal data based on your separately given consent.
- In order to fulfill support requests and to monitor and develop our customer service processes, we record calls made to and chats with our Customer Service.
Storage period of personal data
Personal data contained in the customer and marketing communication register is stored for as long as we will need it for the above purposes.
Storage periods of data related to customer relationship management:
- recordings of chats with Customer Service: 3 months
- recordings of telephone conversations with Customer Service: 7 months
- details on the customer’s contact person related to customer relationship management: for as long as the data subject is the contact person of the customer concerned or for as long as we store the history data of the service used by the customer
Version 26 September 2022
Employee Management service
The Employee Management service allows your employer to transfer your personal data in an electronic format to the personal data files of the contractor of the work, the main contractor or project supervisor of the construction site, or other administrator of the work site. If your employer orders Valtti Cards, the employer will in addition transfer your personal data to Vastuu Group for the production of your Valtti Card.
Your employer may enter the following types personal data into the service:
- first name, last name
- Finnish person ID or similar foreign person number, tax number, date of birth
- the person ID will be used for strong identification of a person in employment-related matters, the verification of qualifications, and strong electronic authentication
- photograph
- type of employment relationship (e.g paid employee, unpaid trainee)
- the employee’s sectors of work (construction, shipbuilding or both)
- employer name, company number, address, company representative and contact details
- nationality and country of residence
- phone number
- email address
- employer name, Business ID or similar foreign company register number, country of registration, contact information, name and contact details of the contact person or representative of the employer
The following data may be added to each data subject’s personal data during use of the service:
- information when employee data has been modified or confirmed to be up-to-date
- information if the person is registered in the Tax Authority’s tax number register (construction sector, shipbuilding or both)
In addition, card and competence data retrieved from the Valtti card register and Taito Competence Register can be linked to the personal data of data subjects when the personal data concerned is conveyed.
Please note that the employer company is the controller of their employee data and is responsible for, e.g. deleting all persons from their employee list who no longer work for the company concerned. The employer company is also responsible for ensuring that it has the right to save the personal data of their employees in the service.
On which basis is personal data being processed?
The employer company has statutory and contractual obligations regarding the transfer of the personal data of their employees to the main contractor or project supervisor of the construction site (e.g. section 52 b of the Occupational Safety and Health Act (738/2002) and section 15 b of the Tax Procedure Act (1558/1995)) or the primary decision maker of the shipyard (section 52 c of the Occupational Safety and Health Act). General collective agreements also include provisions on the notification obligation in the construction sector. The legal basis for processing personal data that falls within the scope of the notification obligation in the construction sector is the legal obligation of the controller to collect, store or report such data. The basis for processing data that is transferred in order to fulfil contractual obligations is the legitimate interest of the controller. In certain circumstances the employer may process personal data in the context of the employment relationship and then the legal basis is the agreement with the data subject (employment agreement).
To whom is personal data disclosed?
Your employer can disclose your personal data to their business partners through the Employee Management service for the following purposes:
- preparation of a list of persons working at a shared construction site or a shipyard area pursuant to section 52b of the Occupational Safety and Health Act
- verification of the validity of the photographic ID required by section 52a of the Occupational Safety and Health Act and verification of the registration of the employee in the tax number register
- implementation of work site orientation and other measures required in the Occupational Safety and Health Act from the main contractor or the main implementer of the building site or from the party using the primary decision-making power at the shipyard area in order to ensure and promote safety at work
- preparation of monthly employee reports to the Finnish Tax Administration as required in the construction sector by section 15b of the Tax Procedure Act
- fulfilment of other statutory and contractual obligations of the party
- implementation of access control at a construction site, a shipyard, or other work site
- verification of professional competencies of a person participating in worksite orientation at a construction site, a shipyard, or other work site
- verification of the validity of professional competencies required for a work task
- ensuring compliance of the activities with occupational safety regulations
- supervision at a construction site, a shipyard, or other work site
- ensuring compliance with the contracting party’s own quality, operating, or similar systems
- ensuring that the activities of contractors and independent workers operating at the contracting party’s building site or other work site comply with the contracts
- other purposes subject to the data subject’s explicit consent.
The transfer of personal data will be conducted using application interfaces provided by Vastuu Group in a manner ensuring that the employee’s personal data is transferred when the employee has provided her/his Valtti card credentials, or when the business relationship between the User and the receiver of personal data is recognised in any other manner.
Vastuu Group may disclose your personal data to the authorities based on the mandatory requirement of a competent authority, or when we consider the inquiry of the authority to be justified for the purpose of investigating suspected misuse of our services.
In the production of the service, we use subcontractors located within the European Economic Area (e.g. service centres), and can also transfer personal data to such subcontractors for producing the service.
As a rule, personal data is not conveyed outside the EU or the European Economic Area.
Storage period of personal data
Your employer can keep your personal data in the service for the duration of your employment relationship. Once your employment ends, your employment and personal data will be stored in the service for a minimum of 18 months, which is the period during which users of the service acting as the main contractor can make correction notifications in the employee reports they have submitted to the Finnish Tax Administration.
Once the employment relationship has ended, the employment and personal data of the employee can be stored in the Building site register of the main contractor, for as long as this information is needed for the above purposes. The minimum data storage period in accordance with the Taxation Procedure Act (1558/1995) is six years from the end of the year when the building site was completed.
Version 18 November 2019
Reliable Partner and Raportti services
Data collected on our Reliable Partner customers is restricted to data concerning the company’s responsible person. We have excluded personal data that may be derivable from a business name (e.g. the name of a person that is part of a business name or auxiliary business name such as “Tmi Firstname Lastname” or “Firstname Lastname Oy”) from the scope of personal data, because this represents company data.
The Reliable Partner Power of Attorney Agreement is signed by the company’s authoritised signatories. The following personal data will be collected from the signatories and stored:
- signature date
- first name
- last name
- position of responsibility
- identity number
- We require the person’s identity number in order to ensure that the authorisation contract is signed by a person authorised to sign on behalf of the organisation.
We process the following personal data for the compilation of Reliable Partner reports. This data is retrieved from the respective trade registers and business prohibition registers either directly or through a service provider:
- first name(s)
- last name
- date of birth
- nationality
- hometown
- position in the organisation
- bans on engaging in business activities, if any
On which basis is personal data being processed?
The legal basis for processing is the legitimate interests of the controller and fulfilling a contract made between the controller and the customer.
The Reliable Partner service allows your company to offer its partners, in an electronic format, information that they need to fulfil their clarification obligation imposed on contractors in the Act on the Contractor’s Obligations and Liability when Work is Contracted Out (1233/2006).
To whom is personal data conveyed?
Your personal data will be included in the company’s trade register extract enclosed with the Reliable Partner report as an appendix. Data contained in the Reliable Partner report, including personal data, is available to third parties in our online services (Valvoja, Raportti Pro, Raportti and Zeckit) and in the business information services provided by our partners. Reliable Partner reports and data contained in them can be provided in an electronic format through an interface to the bidding, procurement, or similar data systems used by our customers.
We can convey data contained in the Reliable Partner service to the authorities as based on the mandatory requirement of a competent authority, or when we consider the inquiry of the authority to be justified in order to investigate a suspected misuse of our services.
In the production of the service, we use subcontractors located within the European Economic Area (e.g. service centres), and can also transfer personal data to such subcontractors for producing the service.
As a rule, personal data is not conveyed outside the EU or the European Economic Area.
Storage period of personal data
We archive all Reliable Partner reports that are created. The archived reports are used for providing customer services and for ensuring the reliability of the service and the authenticity of the reports created.
Only the latest Reliable Partner report is kept available for third parties on Vastuu Group’s online service at all times.
Version 26 September 2022
Valtti card holder
Valtti Card is a remote-readable RFID card linked to employment, which can be used e.g. in accordance with the Occupational Safety and Health Act (2002/738) as a photographic ID on a construction site or in a shipyard area. We keep a register of all issued Valtti Cards.
Valtti cards ordered after September 26, 2022 have a PIV application in which a person certificate containing the personal data of the card holder is stored. The person certificate can be read with a compatible card reader device if the card holder has first given the card reader the PIN code of their card. If the PIN code is repeatedly entered incorrectly, the PIV application is locked so that it cannot be opened anymore.
The card holder receives their card's PIN code when the card is verified.
We collect the following information from the employer company acting as Vastuu Group’s customer:
- first name, last name, nationality, person ID or similar foreign ID number, tax number, date of birth, and photograph of the card holder, email address, mobile phone number
- name and business ID (or similar foreign company number) of the employer, country of registration
- Valtti Card delivery address
The person ID (henkilötunnus) is used exclusively to identify the card holder when verifying the Valtti Card.
The card holder's e-mail address, mobile phone number and delivery address are used exclusively to deliver the Valtti Card and its PIN code to the card holder.
In connection to creating the Valtti card, we will add the following data into the register:
- card type, number, barcode and other technical identifiers
- a person certificate that is stored on the Valtti Card with the following information: first name, last name, citizenship, tax number, date of birth, employer's name, Business ID or similar foreign company registration number and country of registration, card identifiers, card validity period
- a card certificate that is stored on the Valtti Card, which shows that the card was manufactured by Vastuu Group Oy
- Valtti Card’s PIN code
- Valtti Card’s validity period
- picture of the card (pdf)
- card status and its change information
- card verification date and card holder identification method
We will collect the following data in our customer register and service logs when the card is ordered:
- name of the person who submitted the order, date and method of identification
- completed and cancelled orders and the date of completion or cancellation
- status of the order
- card delivery address
- billing information
On which basis is personal data being processed?
The legal basis for processing is the legitimate interests of the controller.
To whom is personal data conveyed?
Customers using Vastuu Group’s services can search for and save in their own data systems personal data of card holders when the card holder works or is expected to start working at the customer’s construction site, shipyard or other work site. In connection to data searches, qualification data saved in the Taito Competence Register about the cardholder and other personal data reported by the employer in the Employee Management service can be linked to the data contained in the Valtti card register, to the extent that the customer has the legal right to process such additional data.
The transfer of personal data to the personal data file of another controller is completed using interfaces provided by Vastuu Group so that the transfer of employees’ personal data requires that the employee’s Valtti card ID has been read or that the contractual relationship between the employer/data subject and the other controller and purpose of data processing has been recognised in some other manner.
Vastuu Group may disclose data contained in the Valtti Card service to the authorities based on the mandatory requirement of a competent authority, or when we consider the inquiry of the authority to be justified in order to investigate suspected misuse of our services.
We can collect and disclose to third parties numbers of issued and valid Valtti cards per company, group of companies, industry sectors or using other segments as a grouping criteria. Individual cardholders cannot be identified from such numbers.
In the production of the service, we use subcontractors located within the European Economic Area (e.g. data centres), and can also transfer personal data to such subcontractors for producing the service.
Personal data is not transferred outside the EU or the European Economic Area.
Storage period of personal data
Information on issued Valtti cards is stored in the Valtti card register for twenty years from the end of the calendar year during which the validity of the card expired, or for as long as the Building site register or some other register used by our customer has references to the said Valtti card.
Numbers of expired Valtti cards (without personal data) are saved permanently on the expired card revocation list.
Version 18 November 2019
Building Site Register service
The Tax Procedure Act (1558/1995) requires that the main implementer/main contractor of the work site monthly reports all workers to the Tax Administration who have worked at the construction site, including his own and contractors’ workers. The Occupational Safety Act (738/2002) requires that an up-to-date list is maintained of all persons working at the construction site, that orientation is provided for all workers at the work site, and that all workers display an ID with a photograph. The main implementer/main contractor will process your personal data for these purposes.
The controller of the work site -specific personal data file is the main implementer/main contractor, who added the work site into our service.
Your personal data processed in the Building Site Register service include the following categories of personal data depending on the service components used by the controller:
Data retrieved from the employee and company contact person register of the Ilmoita service:
- name
- identity number or tax number and date of birth
- information on registration in the tax number register
- type of employment relationship
- employer name, company number, address, company representative and contact details
- country of residence
- nationality
- phone number (will be removed as of 1 January 2020)
- email address (will be removed as of 1 January 2020)
- home address in Finland (will be removed as of 1 January 2020)
- address in the country of residence (will be removed as of 1 January 2020)
Data retrieved from the Valtti card register:
- Valtti card information
Data entered into the service by the controller:
- orientation information
- access right information
Information retrieved from the access control system of the controller:
- work site access control data
On which basis is personal data being processed?
The basis for processing is the statutory obligations of the main implementer/main contractor of the work site and the legitimate interests of the controller.
The main implementer/main contractor regularly conveys personal data to the authorities in a manner required by valid legislation. The main implementer/main contractor can convey personal data to third parties within the scope of the valid data protection legislation.
Personal data saved in the Building Site Register can be processed for the following purposes:
- preparation of the employee list at the construction site, pursuant to section 52b of the Occupational Safety Act (738/2002)
- verification of the validity of the picture ID required at the construction site, pursuant to section 52b of the Occupational Safety Act (738/2002)
- performance of employee inductions at the construction site as set out in the Occupational Safety Act (738/2002) and taking care of all other required activities for ensuring and promoting safety at work;
- preparation of monthly employee reports for the Finnish Tax Administration (section 15 b of the Tax Procedure Act (1558/1995))
- compliance with other legal or contractual obligations of the controller;
- access control at the construction site;
- verification of professional qualifications of a person being inducted at the construction site or other work site;
- verification of professional competences required for a work task;
- ensuring compliance against occupational safety regulations;
- direction of the work at the construction site;
- ensuring the main implementer’s/ main contractor’s compliance with his own quality, operating, or similar standards;
- ensuring that contractors or independent workers operating at a main implementer’s/ main contractor’s building site comply with the contract
In the production of the service, we use subcontractors located within the European Economic Area (e.g. service centres), and can also transfer personal data to such subcontractors for producing the service.
As a rule, personal data is not transferred outside the EU or the European Economic Area.
Storage period of personal data
The main implementer / main contractor will store the personal data for as long as he will need the data concerned for the above purposes. The minimum storage period of data reported to the Finnish Tax Administration in accordance with the Taxation Procedure Act (1558/1995) is six years from the end of the year during which the building site was completed.
Qualifications entered into the Taito Competence Register
Version 5 February 2024
Qualifications entered into the Taito Competence Register
Information on professional qualifications and their validity is collected in the Taito Competence Register Your personal data will be contained in the Taito Competence Register if:
- your employer maintains competence information in the Taito Competence Register, or
- you have given your consent for that qualification data to be published in the Taito Competence Register
The following personal data/data concerning a person will be stored in the Taito Competence Register:
- first name
- last name
- tax number
- date of birth
- type of qualification
- qualification ID
- name marked on the qualification card
- validity data
- granter of the qualification
- information of whether the validity of the qualification has been verified
- modification data
On which basis is personal data being processed?
The legal basis for personal data processing is the legitimate interests of the controller and/or consent given by the data subject.
The Taito Competence Register is a service directed specifically at employers in the construction sector. Employers can use the service for maintaining qualification data on their employees and for distributing this data to their partners, including the work site supervisor.
To whom is personal data conveyed?
Customers using Vastuu Group’s services can search for and save, in their own data systems, personal data on data subjects (qualified persons) when the data subject works or is expected to start working at the customer’s building site or other work site. Data searches are principally completed so that the data subject presents his Valtti card to the customer, and the customer retrieves qualification data from Vastuu Group’s system through the interface using the Valtti card ID. The customer can, at the same time, search for other personal data in the Valtti card register and personal data in the Ilmoita service, to the extent that the customer has a legal right to process such additional data.
We may convey data contained in the Taito Competence Register to the authorities based on the mandatory requirement of a competent authority, or when we consider the inquiry of the authority to be justified in order to investigate suspected misuse of our services.
We can collect and disclose to third parties numbers of competences registered in the Taito Competence Register per company, group of companies, industry sectors or using other segments as a grouping criteria. Individual data subjects cannot be identified from such numbers.
In the production of the service, we use subcontractors located within the European Economic Area (e.g. service centres), and can also transfer personal data to such subcontractors for producing the service.
As a rule, personal data is not transferred outside the EU or the European Economic Area.
Storage period of personal data
The storage period for qualification data is as follows:
- Consent-based processing regarding qualification information received from qualification awarding bodies and trainers:
- qualification data is removed from the Taito Competence Register without undue delay when we are notified of the cancellation of your previous consent
- the maximum storage period of data related to expired qualifications is two years from the end of the year during which the qualifications expired
- Qualifications added by your employer
- Your employer can add, update and delete your qualification data in the Taito Competence Register and defines the retention period for the qualification data
Further information and contacts
If you wish to exercise your rights, please contact Vastuu Group Oy’s Data Protection Officer.
Data Protection Officer’s contact details:
Email:
dpo@vastuugroup.fi
Regular mail:
Version 18 November 2019
Your rights as a data subject
As a data subject, you have the right to inspect the personal data concerning yourself and demand that any incorrect data be corrected or deleted. However, we can, within the limits of law, restrict your right to access data that contains the personal data of others, is a business secret of ours or our customer, or is related to the safety features of the service.
You have the right to request that your personal data be deleted in situations specified in the general data protection regulation, if:
- you cancel your previous consent and there is no other legal basis for processing the data concerned besides your consent
- you object to the processing of your personal data, and there is no legal basis for continuing the processing
- processing the data is illegal
- you are under 18 and your personal data was collected in connection with providing information society services.
In situations specified in the general data protection regulation, you have the right to object to the processing of your data or to request that the processing of your data is restricted. If you consider the processing of your personal data to be illegal, you can submit a complaint on the processing to a competent authority.
If you wish to inspect the personal data concerning yourself, fill in the request to inspect personal data concerning oneself.
Version 3 June 2021
How is your data secured?
Your personal data can only be processed by persons who are entitled to do so and need the said data in their work tasks. Persons processing the data are committed to confidentiality.
Subcontractors operating within the European Economic Area can be used to produce the service. With subcontractors, a written data processing agreement has been signed in accordance with section 28 of the General Data Protection Regulation as well as an agreement made regarding the confidentiality of personal data. To the extent that third party cloud services (e.g. Hubspot, Zendesk) are used for customer and marketing communications and customer service, we have ensured that personal data transfers outside the European Economic Area are completed in accordance with the valid legislation (e.g. following the terms and conditions of EU Standard Contractual Clauses).
Servers used for data processing are located in data centres within the European Economic Area and protected with the appropriate access control and security systems. Regular backups are made of the data.
Log data is collected of the use of the services in order to investigate error situations and suspected misuse and develop the services.
Data transfer between the data centre and the user is protected with appropriate encryption technology.
Confidentiality, integrity, availability, and fault tolerance of information saved in the services is ensured by means of various methods and systems such as security audits, security updates, and service monitoring of the systems.
Privacy notice
Customer and marketing communication register
(Last updated on 18 November 2019)
Controller and contact person of the register
Vastuu Group Oy (Business ID 2327327-1)
Tarvonsalmenkatu 17 B
02600 Espoo, Finland
Data Protection Officer’s contact details:
dpo@vastuugroup.fi
Regular mail
Data subjects
Data subjects are contact persons of Vastuu Group Oy’s (the ”Supplier”) customers and potential customers, users of Supplier’s services, and users of Supplier’s website. Customers are companies, entrepreneurs, or consumers.
Basis for and purpose of personal data processing
The legal basis for personal data processing is the legitimate interest of the controller or fulfilling a contract made with the controller.
We use personal data in the marketing and sale of our services and for customer relationship management, invoicing, provision of customer support services, user rights monitoring, and service development. Personal data processing also includes processing and analysing the data concerned for targeted marketing and service production. For example, we can show customers targeted messages or content on our website, or channels based on their previous interests.
We will principally collect personal data directly from you when you contact us and use our services. We also collect data on our customers and their contact persons from public sources and registers.
We use web analytics services to collect visitor data on our website in order to analyse and develop our web resources, as well as target relevant marketing and customer communications to the visitors.
Which personal data is collected and from what sources?
We collect and process in the customer and marketing communication register mainly our customers and potential customer’s representatives and contact persons’ personal data. The register contains the following types of data on the contact persons for our customers and potential customers:
- name, email address, telephone number, job title
- name and contact details of the company/organisation
- mailing list subscription data
- consents and bans on direct marketing and customer communications
- pages opened and brochures requested by the user on the website
- information on the logins in our online services
- information on any customer and direct marketing communication sent by email and whether the message has been read
- user profile
- information on any communication with the data subject, such as content, date, and time of message
- messages sent to Customer Service and processing data on the related customer support ticket
- website chats with Customer Service
- recording of calls made to the telephone number of Customer Service
- feedback you provide on the use of Customer Service
- other information related to the purpose of the register that can be linked to the data subject, such as data collected on the use of the website during the use of the service (e.g. the user’s IP address, time of the visit, pages visited, browser type used, website that directed the user to the website, and the server that the user used to access the website).
We typically receive the following information directly from the contact persons of our customers:
- name of the customer company, first and last name of the contact person, work email address, telephone number
- permissions and/or bans on the contact person in electronic direct marketing and customer communications
- classification data provided by the contact person (e.g. interests)
- information provided on contact forms
- customer feedback data, contact messages, and consents
We will process, for example, the following personal data of the user in connection with the use of services and websites:
- IP address or other ID
- Subscription, invoicing, and delivery data
- Data collected through cookies
- Data collected on the use of our online services
- Data collected on the use of our customer support channels
The following data on the user in particular is received from other sources:
- Data related to the use of social media, such as LinkedIn, Facebook and Twitter, e.g. ‘liking’ our website
Regular disclosure and transfer of personal data
We can use subcontractors for personal data processing.
We can disclose personal data to our partners for direct marketing purposes within the limits of the applicable legislation at force.
We can disclose your personal data to the authorities based on the mandatory requirement of a competent authority, or when we consider the inquiry of the authority to be justified for the purpose of investigating suspected misuse of our services.
Transfers outside the EU and EEA
Personal data is not principally transferred outside the European Union (EU) or the European Economic Area (EEA), unless necessary for the technical implementation of data processing, e.g. when the data subject sends or receives messages by email or other online-based transmission service.
We can be used in customer and marketing communications and in Customer Service ticket management third-party data systems and cloud services, the personal data processing of which can be partly implemented outside the EEA. To the extent that our subcontractors implement data processing outside the EEA, we will ensure that the transfer of personal data outside the EEA is completed in compliance with the applicable legislation.
Storage period of personal data
Personal data contained in the customer and marketing communication register is stored for as long as we will need it for the above purposes.
Storage periods have been defined for the following data
- recordings of chats with Customer Service: three months
- recordings of telephone conversations with Customer Service: seven months
- details on the customer’s contact person related to customer relationship management: for as long as the data subject is the contact person of the customer concerned or for as long as we store the history data of the service used by the customer
Rights of data subjects
As a data subject, you have the right to inspect the personal data concerning yourself and demand that any incorrect data be corrected or deleted. However, we can, within the limits of law, restrict your right to access data that contains the personal data of others, is a business secret of ours or our customer, or is related to the security features of the service.
You have the right to request that your personal data be deleted in situations specified in the general data protection regulation, if:
- you cancel your previous consent and there is no other legal basis for processing the data concerned besides your consent
- you object to the processing of your personal data, and there is no legal basis for continuing the processing
- processing your personal data is illegal
- you are under 18 and your personal data was collected in connection with providing information society services.
In situations specified in the general data protection regulation, you have the right to object to the processing of your data or to request that the processing of your data is restricted. If you consider the processing of your personal data to be illegal, you can submit a complaint on the processing to a competent authority.
Data security
The right to use the customer and marketing communication register is restricted to appointed persons only, who need the information concerned in their work tasks. Each user has his/her own user name and password. Personal data is principally stored in databases and data systems located within the European Economic Area that have the appropriate technical and organisational measures in place, to protect the personal data against misuse and disclosure.
Contacts
If you have questions regarding this privacy statement or you wish to exercise your rights, please contact controller’s data protection officer by using the above email or postal address.
Changes
We can make changes to this privacy statement from time to time without a separate notice. Any changes made are listed in the “last update” section at the beginning of this privacy notice.
Vastuu Group Ltd whistleblowing channel privacy notice
(Version 3 December 2024)
Privacy notice
Reliable Partner service
(Last updated on 18 November 2019)
Controller and contact person of the register
Vastuu Group Oy (Business ID 2327327-1)
Tarvonsalmenkatu 17 B
02600 Espoo, Finland
Data Protection Officer’s contact details:
Regular mail
Data subjects
Data subjects are legal representatives, officers or directors of a customer company that has subscribed to the Reliable Partner Service provided by Vastuu Group Oy (the “Supplier”). Data subject’s personal data and position in the customer company has been registered in the national trade or company register and is shown on the trade register extract.
Basis for and purpose of personal data processing
The legal basis for personal data processing is the legitimate interests of the controller.
The Reliable Partner service allows Supplier’s customer to offer its partners, in an electronic format, information that they need to fulfil their clarification obligation imposed on contractors in the Act on the Contractor’s Obligations and Liability when Work is Contracted Out (1233/2006). The contractor’s liability data of customers who have subscribed to the Reliable Partner service is available to third parties in Supplier’s Valvoja, Raportti Pro, Raportti and Zeckit services and in the business information services provided by Supplier’s partners.
Which personal data is collected and from what sources?
The following personal data will be collected in the Reliable Partner service register of the customer company’s responsible persons:
- name
- date of birth
- nationality
- hometown
- position of responsibility in the company and its start and end dates
- bans on engaging in business activities, if any
Data is acquired either directly from the respective trade register or business prohibition register or through a commercial business information service, and is integrated into the Reliable Partner report prepared by the Supplier.
We collect the following information on the signatory of the Reliable Partner service contract when the contract is signed:
- name
- position in the company
- unique identification of the person (identity number) that allows for checking the reported position against the trade register data
- signature date
Regular disclosure and transfer of personal data
The Reliable Partner report and related personal data is available to third parties in Supplier’s Valvoja, Raportti Pro, Raportti and Zeckit services and in the business information services provided by Supplier’s partners. Reliable Partner reports can be provided in an electronic format through an interface to the bidding, procurement, or similar data systems of our customers.
We can disclose data contained in the Reliable Partner register to the authorities based on the mandatory requirement of a competent authority, or when we consider the inquiry of the authority to be justified in order to investigate suspected misuse of our services.
In the production of the Reliable Partner service, we can use subcontractors located within the European Economic Area, and it can also transfer personal data to such subcontractors for producing the service.
Transfers outside the EU and EEA
As a rule, personal data is not transferred outside the EU or the European Economic Area.
Storage period of personal data
We archive all Reliable Partner reports created and uses the archived reports for providing customer services and for ensuring the reliability of the service and the authenticity of the reports created.
Only the latest Reliable Partner report is kept available for third parties on Vastuu Group’s report services at all times.
Rights of data subjects
As a data subject, you have the right to inspect the personal data concerning yourself and demand that any incorrect data be corrected or deleted. However, we can, within the limits of law, restrict your right to access data that contains the personal data of others, is a business secret of ours or our customer, or is related to the safety features of the service.
You have the right to request that your personal data be deleted in situations specified in the general data protection regulation, if:
- you cancel your previous consent and there is no other legal basis for processing the data concerned besides your consent
- you object to the processing of your personal data, and there is no legal basis for continuing the processing
- processing the data is illegal
- you are under 18 and your personal data was collected in connection with providing information society services.
In situations specified in the general data protection regulation, you have the right to object to the processing of your data or to request that the processing of your data is restricted. If you consider the processing of your personal data to be illegal, you can submit a complaint on the processing to a competent authority.
Data security
The right to use the register is restricted to appointed persons only, who need the information concerned in their work tasks. Each user has his/her own user name and password. Personal data is stored in databases and data systems located within the European Economic Area that have the appropriate technical and organisational measures in place to protect the personal data against misuse and disclosure.
Contacts
If you have questions regarding this privacy notice or you wish to exercise your rights, please contact Supplier’s Data Protection Officer by using the above email or postal address.
Changes
We can make changes to this privacy notice from time to time without a separate notice. Any changes made are listed in the “last update” section at the beginning of this privacy notice.
Privacy notice
Taito Competence Register
(Last updated on 6th February 2024)
Controller and contact person of the register
Vastuu Group Oy (Business ID 2327327-1)
Tarvonsalmenkatu 17 B
02600 Espoo, Finland
Data Protection Officer’s contact details:
dpo@vastuugroup.fi
Regular mail
Vastuu Group Oy
Data Protection Officer
Tarvonsalmenkatu 17 B
02600 Espoo, Finland
Data subjects
Data subjects are:
- natural persons who have given their consent for publishing their completed qualifications in Taito Competence Register.
Basis for and purpose of personal data processing
The legal basis for personal data processing is consent given by the data subject.
The Taito Competence Register is a service directed specifically at employers in the construction sector. Employers can use the service for maintaining the qualification data of their employees and for distributing this data to their partners, including the work site supervisor.
Which personal data is collected and from what sources?
The Taito Competence Register contains the following types of personal data:
- first name and last name of the data subject
- tax number
- date of birth
- type of qualification
- name marked on the qualification card
- qualification ID
- validity data
- granter of the qualification
- information on whether the validity of the qualifications has been verified directly from the source
- modification data
Regular disclosure and transfer of personal data
Customers using Vastuu Group’s services can search for and save, in their own data systems, personal data on data subjects (qualified persons) when the data subject works or is expected to start working at the customer’s building site or other work site. The qualification information is also provided to the employer of the data subject that adds the data subject to their employee list maintained in the Employee Management Service. Data searches are principally completed so that the data subject presents his Valtti card to the customer, and the customer retrieves qualification data from Supplier’s system through the interface using the Valtti card ID. The customer can, at the same time, search for other personal data in the Valtti card register and personal data reported by the employer in the Employee Management Service, to the extent that the customer has a legal right to process such additional data.
The customer can search for and process personal data contained in the Taito Competence Register only for the following purposes:
- To check and supervise the qualifications of its own employees
- To implement worksite orientation required by the Occupational Safety Act (738/2002) and to take care of all other activities required from the main contractor, the main implementer, or the employer in order to ensure and promote work safety and fulfil other statutory obligations
- verification of professional competences of a person being inducted at the construction site or other work site;
- verification of professional competences required for a work task;
- ensuring compliance against occupational safety regulations;
- direction of the work at the construction site or work site;
- to ensure compliance with the customer’s own quality, operating or similar system
- to ensure compliance with contracts of the employees, contractors or independent workers operating at the customer’s building site or other work site,
- to develop and maintain own employees’ competences, and
o other purposes subject to the data subject’s explicit consent.
We can disclose data contained in the Taito Competence Register to the authorities based on the mandatory requirement of a competent authority, or when we consider the inquiry of the authority to be justified in order to investigate suspected misuse of our services.
We can collect and disclose to third parties numbers of competences registered in the Taito Competence Register per company, group of companies, industry sectors or using other segments as a grouping criteria. Individual data subjects cannot be identified from such numbers.
In the production of the Taito Competence Register, we can use subcontractors located within the European Economic Area, and it can also transfer personal data to such subcontractors for producing the service.
Transfers outside the EU and EEA
As a rule, personal data is not transferred outside the EU or the European Economic Area.
Storage period of personal data
The storage period for qualification data is as follows:
- qualification data is removed from the Taito Competence Register without undue delay when the Supplier is notified of the cancellation of the data subject’s previous consent
- valid qualification data is stored for as long as the data subject is saved in the employee register of the Ilmoita service
- the maximum storage period of data related to expired qualifications is two years from the end of the year during which the qualifications expired
Rights of data subjects
As a data subject, you have the right to inspect the personal data concerning yourself and demand that any incorrect data be corrected or deleted. However, we can, within the limits of law, restrict your right to access data that contains the personal data of others, is a business secret of ours or our customer, or is related to the safety features of the service.
You have the right to request that your personal data be deleted in situations specified in the general data protection regulation, if:
- you cancel your previous consent and there is no other legal basis for processing the data concerned besides your consent
- you object to the processing of your personal data, and there is no legal basis for continuing the processing
- processing the data is illegal
- you are under 18 and your personal data was collected in connection with providing information society services.
In situations specified in the general data protection regulation, you have the right to object to the processing of your data or to request that the processing of your data is restricted. If you consider the processing of your personal data to be illegal, you can submit a complaint on the processing to a competent authority.
Data security
The right to use the register is restricted to appointed persons only, who need the information concerned in their work tasks. Each user has his/her own user name and password. Personal data is stored in databases and data systems located within the European Economic Area that have the appropriate technical and organisational measures in place to protect the personal data against misuse and disclosure.
Contacts
If you have questions regarding this privacy statement or you wish to exercise your rights, please contact Supplier’s data protection officer by using the above email or postal address.
Changes
We can make changes to this privacy statement from time to time without a separate notice. Any changes made are listed in the “last update” section at the beginning of this privacy notice.
Privacy notice
Building Site Register
(Last updated on 18 November 2019)
Controller and contact person of the register
Vastuu Group Oy’s customer company that acts as the main contractor or main implementer of the building site is the controller of the register.
Controller’s supplier responsible for the provision, development and customer support of the Building Site Register service and its interfaces is:
Vastuu Group Oy, Business ID 2327327-1 (the ”Supplier”)
Tarvonsalmenkatu 17 B
02600 Espoo, Finland
Data Protection Officer’s contact details:
dpo@vastuugroup.fi
Regular mail
Data subjects
Data subjects are persons working at the controller’s building site.
Basis for and purpose of personal data processing
The legal basis for personal data processing is implementing the statutory obligations of the controller (e.g. section 52b of the Occupational Safety Act (738/2002) and section 15b of the Tax Procedure Act (1558/1995)) and the legitimate interests of the controller.
Which personal data is collected and from what sources?
The personal data processed in the building site register service include the following categories of personal data, depending on the service components selected by the controller:
Data retrieved from the employee register of the Ilmoita service:
- name
- identity number or tax number and date of birth
- information on registration in the Tax Authority’s tax number register
- type of employment relationship
- employer name, company number, address, company representative and contact details
- country of residence
- nationality
- phone number (will be removed as of 1 January 2020)
- email address (will be removed as of 1 January 2020)
- address in Finland (will be removed as of 1 January 2020)
- address in the country of residence (will be removed as of 1 January 2020)
Data retrieved from the Valtti card register:
- Valtti card information
Data entered into the service by the controller:
- information on completed induction at the building site
- access rights at the building site
Information retrieved from the access control system of the controller:
- access control data
Regular disclosure and transfer of personal data
The controller regularly discloses personal data to the authorities in a manner required by applicable legislation in force. The controller can disclose personal data to third parties within the scope of applicable data protection legislation.
Personal data saved in the Building Site Register can be processed for the following purposes:
- preparation of the employee list at the construction site, pursuant to section 52b of the Occupational Safety Act (738/2002)
- verification of the validity of the picture ID required at the construction site, pursuant to section 52b of the Occupational Safety Act (738/2002)
- performance of employee inductions at the construction site as set out in the Occupational Safety Act (738/2002) and taking care of all other required activities for ensuring and promoting safety at work;
- preparation of monthly employee reports for the Finnish Tax Administration (section 15 b of the Tax Procedure Act (1558/1995))
- compliance with other legal or contractual obligations of the controller;
- access control at the construction site;
- verification of professional qualifications of a person being inducted at the construction site or other work site;
- verification of professional competences required for a work task;
- ensuring compliance against occupational safety regulations;
- direction of the work at the construction site;
- to ensure compliance with the controller’s own quality, operational or similar system
- to ensure compliance with contracts of the contractors or independent workers operating at the controller’s building site
The Supplier can disclose data contained in the Building Site Register to the authorities based on the mandatory requirement of a competent authority, or when the Supplier considers the inquiry of the authority to be justified in order to investigate suspected misuse of their services.
In the production of the Building site register service, the Supplier can use subcontractors located within the European Economic Area, and can also transfer personal data to such subcontractors for producing the service.
Transfers outside the EU and EEA
As a rule, personal data is not transferred outside the EU or the European Economic Area.
Storage period of personal data
The controller will store the personal data for as long as the data concerned for the above purposes is required. The minimum storage period of data reported to the Finnish Tax Administration in accordance with the Taxation Procedure Act (1558/1995) is six years from the end of the year during which the building site was completed.
Rights of data subjects
As a data subject, you have the right to inspect the personal data concerning yourself and demand that any incorrect data be corrected or deleted. However, we can, within the limits of law, restrict your right to access data that contains the personal data of others, is a business secret of ours or our customer, or is related to the safety features of the service.
You have the right to request that your personal data be deleted in situations specified in the general data protection regulation, if:
- you cancel your previous consent and there is no other legal basis for processing the data concerned besides your consent
- you object to the processing of your personal data, and there is no legal basis for continuing the processing
- processing the data is illegal
- you are under 18 and your personal data was collected in connection with providing information society services.
In situations specified in the general data protection regulation, you have the right to object to the processing of your data or to request that the processing of your data is restricted. If you consider the processing of your personal data to be illegal, you can submit a complaint on the processing to a competent authority.
Data security
The right to use the register is restricted to appointed persons only, who need the information concerned in their work tasks. Each user has his/her own user name and password. Personal data is stored in databases and data systems located within the European Economic Area that have the appropriate technical and organisational measures in place to protect the personal data against misuse and disclosure.
Contacts
If you have questions regarding this privacy notice, please contact Supplier’s data protection officer by using the above email or postal address.
If you wish to check if your personal data has been saved in the building site register of the main contractor or the main implementer, please contact the main contractor or main implementer concerned directly.
Changes
We can make changes to this privacy notice from time to time without a separate notice. Any changes made are listed in the “last update” section at the beginning of this privacy notice.
Privacy notice
MyData Share ID service
(Version 26 September 2022)
Open privacy notice as a PDF (FI)
THE USE OF COOKIES
The website of Vastuu Group group may use cookies. Cookies are small text files that save onto the user’s computer in order to create broader functionality on the website. Cookies do not collect or otherwise process personal data. If you do not want cookies to be used, you can disable them on your browser. In this case, the website may not operate as intended.
Further Information on Cookies
Cookies may occasionally be transferred to a visitor’s computer. Cookies may be used to collect the following information: the website from which you have moved to our website, the webpages of Vastuu Group Oy you have browsed and when you have browsed them, the browser you are using, the display resolution of your computer, the brand and model of your computer’s operating system, and the IP address of your computer i.e. the Internet address that you send data from and where the data is received.
Behavioral data may be collected by Vastuu Group Oy, its group companies, their service providers and third parties (advertisers and advertising networks, media and advertising agencies, measuring and monitoring services) on visits made to the websites of the Vastuu Group group. Vastuu Group group may also use behavioral data collected from websites other than its own.
With cookie-related information, the number of visits made to services can be monitored by the Vastuu Group group and its collaborative partners and analyzed to develop the Internet services into more visitor-friendly wholes. The abovementioned parties may use cookies to collect information about a visitor’s visits to the Vastuu Group group websites in order to target their advertising. The information collected through the use of cookies is used to produce targeted advertising based on the visitor’s interests for the websites of Vastuu Group group and their collaborative partners. When advertising is targeted by means of cookies, the visitor is neither identified nor is the anonymous data gathered on the visitor connected to personal data possibly obtained from the visitor in some other context.
Through, inter alia, physical, electronic and contractual means, Vastuu Group group strives to prevent unauthorized access to the abovementioned information. The intention is to commit third parties to existing legislation and self-regulations. The Internet is an open system and therefore Vastuu Group group does not monitor or answer for the practices of third parties.
The user can disable cookies by changing their browser settings so that the browser does not allow cookies to be saved. The visitor accepts that disabling cookies may, however, affect the functionality of some of the services.