We offer a template for privacy policy regarding the use of Nepton's service for our customers' internal use.
Company Oy
XX.XX.202X
Privacy Policy for the use of Nepton Service for your employees
Purpose of the Policy
This privacy policy defines the rights of Company Oy’s employees and other users registered to the service regarding the use of the Nepton service, as well as our commitment to protecting personal data.
General Information on Data Protection
Company Oy operates in accordance with EU data protection legislation. A Data Protection Officer supervises compliance with data protection practices.
Nepton Service Information
Saarni Nepton Oy provides software and services to public and private clients across Europe. The services are delivered as cloud services. A detailed description of the service and the general privacy policy of the service provider can be found on the website nepton.fi.
Company Oy as data controller
Company Oy offers the Nepton service to its own employees and other possible stakeholders. Company Oy is the controller of personal data. The provider of the Nepton service is a personal data processor. A separate agreement regarding the Nepton service and a data processing agreement are in force between the parties.
Particulars
Personal information is information or groups of information that can probably be used to identify a person.
Company Oy can store or instruct to store the following information in the Nepton service: Name, address, telephone number, email address, social security number, contact information of next of kin, organisational unit, supervisor information, subordinate information, job title, employment information, work event stamps with comments, project stamps, cost location information, interpreted wage type information, payroll information, bank contact information and tax number.
Legal basis and purpose of personal data processing
Company Oy stores and processes personal data in the Nepton service based on the requirements of labor relations management and legislation. If the grounds for storing personal data are no longer valid, Company Oy will delete or anonymise the personal data stored in the service.
Processing of personal data on behalf of customers
The Nepton service includes processing of customers', employees' and other people's personal data. In this case, Company Oy determines the purpose of personal data processing and is the data controller, while Saarni Nepton acts as the personal data processor. Company Oy determines and is responsible for the legal basis for the processing of personal data. Company Oy must also comply with the data controller's notification obligation regarding data subjects.
Transfers of personal data
Company Oy discloses your personal data to third parties only when this is necessary in terms of legislation or the functionality of Company Oy's personnel administration and payroll administration.
Your personal data will not be transferred outside the EU/EEA area.
Principles of personal data protection
As a data controller, Company Oy complies with all the requirements of the data protection regulation.
Nepton, as the supplier of the service and the data processor, is also committed to keeping personal data confidential, and does not process personal data except at the request of Company Oy's designated principal users.
Nepton, as the supplier of the service, is responsible for ensuring that the service and its delivery to Company Oy comply with the personal data legislation in force at any given time, including the requirements of the Data Protection Regulation (2016/679) ("Data Protection Regulation"), and that their data security is at least at the level of professional, reliable data security, so that the confidentiality, integrity or usability of the data is not compromised.
Privacy protection is very important to the Nepton service provider. Saarni Nepton complies with at least the requirements of EU data protection legislation in all operations. Employees receive regular data protection training. The applicable service descriptions with attachments determine the details and implementation methods of the data protection policies. The goal is to operate in accordance with ISO/IEC 27001, KATAKRI, OWASP and VAHTI standards.
The Nepton service provider commits that it:
1. processes personal data only in accordance with the documented instructions given by the controller, which also applies to transfers of personal data to a country outside the EEA.
2. ensures that the supplier's persons who have the right to process personal data have committed to comply with the obligation of confidentiality or are subject to an appropriate statutory obligation of confidentiality.
3. implements all the measures required in Article 32 of the Data Protection Regulation (Processing security).
4. complies with the requirements of the Data Protection Regulation regarding the processor or sub-processor.
5. taking into account the nature of the processing operation, helps the customer with appropriate technical and organisational measures to fulfil the customer's obligation to respond to requests made by data subjects.
6. helps the controller to ensure that the obligations laid down in Articles 32-36 of the Data Protection Regulation are complied with, considering the nature of the processing and the information available to the personal data processor.
7. at the end of the contract, according to the customer's choice, deletes or returns all personal data to the controller and deletes existing copies, unless required by EU regulations or member state legislation to keep personal data.
8. provides the customer with all the information necessary for the customer to demonstrate compliance with data protection requirements.
9. allows the customer or an independent auditor authorised by the customer to perform the necessary data protection audits and participates in them.
10. immediately informs the customer if the customer's instructions are deemed to violate the data protection regulation or other legal data protection provisions.
Saarni Nepton, as the provider of the Nepton service, will report without delay any data breaches that have occurred or are suspected, loss of personal data, damage and other situations where the data security of personal data is threatened. The supplier hands over all the necessary information about the data breach and the measures that have been taken due to the data breach. The notification contains at least the following information, if known:
• The nature of the event
• Number of data subjects related to the event
• Descriptions of the data subjects and personal data fields related to the event
• Identified or suspected entity that caused the event
• Identified or suspected entities that have gained access to personal information
• Identified or estimated impact on data subjects, customers and suppliers
• Implemented and planned measures that the supplier has taken to limit the consequences of the event and minimize possible damage, to prevent the continuation of the event, and to prevent the recurrence of similar events
• Other information reasonably required by Company Oy
Subcontractors and data transfer
Company Oy can use subcontractors to process personal data. In this case, personal data can also be transferred outside the EU. When subcontractors are used, Company Oy enters into a data processing agreement with the subcontractors. In that context, the legal basis of international transfers is ensured, for example, by means of EU model contract clauses.
Your rights
You have all the basic rights according to EU privacy protection legislation also regarding the use of the Nepton service. For example, you can request a summary of your personal data processed by Company Oy, request correction of your incorrect personal data, object to the storage and processing of your personal data and complain about the processing of your personal data.
Contacts
If you have questions or comments regarding this privacy statement, send a message to Company Oy's data protection officer, Alfie Atkins, by e-mail at dpo@Company.com.
This Data Protection Agreement was updated XX. XXXX 202X.