Merilampi Attorneys Ltd. collects and processes personal data that is necessary in order to manage relationships with employees and prospective employees. Merilampi Attorneys Ltd complies with and acts in accordance with the applicable data protection legislation, including amongst other the General Data Protection Regulation (EU 2016/679 “GDPR”) every time it processes personal data. The purpose of this privacy policy is to describe how and for what purpose the personal data is processed by Merilampi Attorneys Ltd and what rights the data subjects have with respect their personal data.
1. Controller
Merilampi Attorneys Ltd. (”Merilampi”)
Keskuskatu 7
00100 Helsinki
Finland
+358 9 686 481
info@merilampi.com
2. Contact Person
Tuuli Syrjänen
Keskuskatu 7
00100 Helsinki
+358 50 468 2788
info@merilampi.com
3. Purpose of processing
Merilampi processes personal data for the following purposes:
- Personal data of the employees: Personal data is processed for the purposes of complying with applicable employment laws and managing the employment relationship between Merilampi and its employees.
- Personal data of the prospective employees: Personal data is processed in order to determine whether to recruit the data subject or not. Processing includes, for example, correspondence and other communication with the prospective employee, review of certificates and educational information, review of the references provided by the prospective employee and other activities necessary to evaluate the suitability of the prospective employee.
With respect to employee personal data, Merilampi processes personal data pursuant to both the legal obligation of the data controller and the performance of a contract as defined in Articles 6(1)(b) and 6(1)(c) of the GDPR.
As to the personal data of the prospective employee, Merilampi processes personal data pursuant to the legitimate interest as described in article 6(1)(f) of the GDPR relating to the decision as to whether to recruit the data subject.
4. Personal data collected and retention
Merilampi collects and processes the following personal data:
- Personal data of the employees: name, address, social security number, phone number, email address, tax number, bank account details.
- Personal data of the prospective employees: name, address, phone number, email address, social security number.
Merilampi will only store personal data for as long as it relevant and will remove the collected personal data when it is no longer needed for the abovementioned purposes.
All old job applications are destroyed every 3-6 months.
5. Source of personal data
Personal data is usually collected directly from the data subjects or from the client’s or business partner’s representative. Personal data is also received from other parties than the data subject him/herself as part of assignment work or business relationship management. Moreover, data subjects may give their contact information in events or direct sales contacts and information can be received from other business partners.
6. Disclosure of personal personal data
As a general principle, Merilampi does not disclose personal data to third parties, unless required by applicable legislation, authorities or the management of the employee or prospective employee relationship. However, personal data may be disclosed to third parties in the event that Merilampi wishes to appoint external processors or sub-processors. In that case, Merilampi will enter into a data protection agreement with the service provider in order to secure a safe and appropriate processing of personal data.
In case Merilampi enters into a joint venture with or is sold to or merged with another business entity, personal data may be disclosed to the new business partner or owner.
Personal data will not be transferred outside the EU/EEA region.
7. Data security
With respect to electronic data:
Most data are stored electronically on servers provided by third parties. Merilampi has appropriate data security measures in place in order to protect all electronic personal data. Merilampi will ensure that the registers will not be subject to access by unauthorized persons or unlawful processing or other damage.
With respect to personal data on paper:
Merilampi ensures that all papers containing personal data are protected in an appropriate manner and Merilampi has sufficient measures in place to monitor any unauthorized access.
In case Merilampi is subject to damage, destruction or other similar event that Merilampi could not possibly have prevented, Merilampi will notify the data subject immediately in accordance with the obligations of the applicable laws. Merilampi is not, however, liable for such unpredictable events.
8. Individual rights
According to the GDPR, data subjects have the following rights regarding their personal data:
- Right of access to their personal data;
- Right to request the controller to rectify incomplete or incorrect personal data;
- Right to object to or restrict the processing of personal data and to object to automated decision-making, when the processing is based on the legitimate interest of the data controller or consent;
- Right to request the controller to erase personal data, when the processing is based on the legitimate interest of the data controller or consent; and
- Right to transfer personal data to another controller when the personal data is based on consent or agreement and the processing is automated.
According to GDPR article 77, the data subject is entitled to lodge a complaint with the supervisory authority concerning the processing activities carried out by Merilampi. Such complaint may be lodged in particular, in the member state of his or her habitual residence or place of work or the alleged infringement took place.
If the data subject wishes to exercise his or her rights, he or she should contact Merilampi via email to info@merilampi.com. Merilampi will use all reasonably available resources to respond to any such request without undue delay.