Version 25 May 2018
POLICY OF WOODCOMP COMPANIES ON THE PROCESSING OF PERSONAL DATA
- Data Controllers
Woodcomp Oy (1710369-8) KW-Component Oy (2431853-1) Puumesta Oy (1881073-0) Lapaluodon Puu Oy (1925581-2)
The contact person for matters related to the processing of personal data Name: Pauli Keränen Address: Länsiväylä 4, 92180 Lapaluoto Telephone number: 0456421223 Email: firstname.lastname@example.org
On behalf of the data controllers, the following personal will process data only to the extent necessary: CEOs, persons engaged in production and production management, persons engaged in financial and payroll administration, persons engaged in managing customer and supplier relationships, external service providers.
- Purposes of processing personal data
– Initiation, maintenance and termination of employment relationship – initiation, maintenance and termination of ownership and administration relationships – initiation, maintenance and termination of subcontracting and supply relationships – initiation, maintenance and termination of customer relationships – fulfillment of requirements of authorities related to the above.
- Bases for registering and processing persona data
The registration and processing of personal data are based primarily on the law or other regulation: employment legislation, tax legislation, accounting legislation, consumer protection and product liability legislation, legislation related to contracts and liability for damages.
Secondarily the registration and processing of personal data are based on the legitimate interest of the data controller: fulfillment of own contractual obligations and partners’ contractual obligations
Thirdly and exceptionally the registration and processing of personal data are based on the consent of the data subject: short-term registration, for example, organizing events of the data controller
- Groups of data subjects
– Employees – owners and members of the board – contact personnel and representatives of subcontractor and supplier companies – private customers – contact persons and representatives of corporate customers
- Personal Data Groups
The following data of employees are retained and used: Name, personal identity number, function and title, contact information, bank account, data required for withholding tax, close relative, education and work experience, data related to job function and employment relationship, data related to occupational health
The following personal data of owners and board members are retained and used: Name, personal identification number, function and title, contact information,
The following personal data of contact persons of subcontractors and suppliers are retained and used: Name, employer or company being represented, function and title, contact information, data required under the Contractor’s Obligations Act
The following personal data of private customers are retained and used: Name, contact information, content of customer relationship
The following personal data of representatives of corporate customers are retained and used: Name, employer or company being represented, function and title, contact information
- Sources of personal data
Personal data are mainly collected from the person him/herself. Personal data may also be obtained from officials and service providers.
- Recipients of personal data
Personal data are disclosed to the following entities: Providers of occupational healthcare – Insurance and pension insurance companies – providers of financial and payroll administration – Authorities
- Retention periods of personal data
Personal data are stored only as long as necessary for the intended use. The retention periods are determined for each personal data group depending on the situation before registration and use. Based on consent, data are retained until further notice or until consent is explicitly withdrawn.
- Security of personal data processing
The Data Controller takes various measures to ensure the security of the processing of personal data. These include secure processing methods, training of data processors, limiting the number of processors, and careful selection and monitoring of partners.
In the event of any security breaches the risk level will be assessed, the security breach will be documented and the data subjects concerned and supervisory authority will be notified if necessary.