1. Data Controller
Cimson Koulutuspalvelut Ltd
Väinönkatu 26 A, 40100 Jyväskylä, FINLAND
Tel. +358 20 791 2978
2. Person responsible for the register
Cimson Koulutuspalvelut Ltd’s Managing Director, info (at) cimson.fi
3. Name of the register and registered persons
Cimson Koulutuspalvelut Ltd´s registers of customers (end customers) in various services, employees and registers of contact persons of customers, potential customers and stakeholders.
Cimson Koulutuspalvelut Ltd´s customers, Cimson Koulutuspalvelut Ltd´s employees and Cimson Koulutuspalvelut Ltd´s contact persons of customers, potential customers and stakeholders.
4. Purpose of processing personal data
The purpose of the register is to manage Cimson Koulutuspalvelut Ltd´s customer and stakeholder relations, to inform the customer and cooperation network and, if necessary, to provide information about services, to analyse customer data and to conduct research. The survey results do not reveal any personal data of the data subjects. The data will not be used for other purposes.
5. Data content of the register
The following categories of data may be processed in the register of customers (end-customers), where necessary:
• basic personal data (name, personal identity code, contact details)
• information on education, training, professional experience and skills
• any job application, curriculum vitae and photograph
• information concerning the jobseeker’s job search
• recordings of video interviews
• information provided by the person themself
The following categories of data may be processed in the register of employees, where necessary:
• personal identity code
• data concerning the employment relationship (job title, start and end date of employment, occupational health care)
• data related to payroll, bank account number, data related to the payment of trade union membership fees
• record of working hours and information related to annual holidays
• where permitted or required by law, any other information related to the employment relationship, as specifically defined
The following categories of data may be processed in the register of contact persons of customers and potential customers and stakeholders, where necessary:
• name of the customer organisation, business ID, contact details, billing information
• contact details (name, position in the organisation, phone number, e-mail, address)
• contact history, marketing and promotional data
6. Grounds for keeping the register
The registers are kept on grounds of legitimate interest, in order to carry out tasks related to Cimson Koulutuspalvelut Ltd’s business activities. In the register of service participants, the information is provided by the organisation that acquired the service and/or is collected with the consent of the data subject. The employee register is based on compliance with the employer’s statutory obligations.
7. Regular data sources
The data are obtained from the data subjects themselves, from public data sources and, in addition, the client organisation may disclose the necessary information about the participants for the purposes of the provision of the services.
8. Regular disclosures of data
As a processor of personal data, we disclose data to the controller to the extent required by the contracts.
As the controller, Cimson Koulutuspalvelut Ltd will not disclose the information contained in the registers to third parties except with the express permission of the data subject.
9. Transfer of data outside the EU or EEA
The personal data contained in the register will not be disclosed or transferred outside the European Union or the European Economic Area.
10. Principles of protection of the register
The registers are stored and accessed in a password-protected network environment on password-protected computers.
Cimson Koulutuspalvelut Ltd has taken the necessary legal protection measures. The communication on the web service is SSL/TLS encrypted and the information system is protected by a firewall. The servers are managed by partners who operate in compliance with GDPR regulations.
Access to the registers is restricted to designated employees of Cimson Koulutuspalvelut Ltd and, if necessary, to designated employees of our partners. The processing of personal data requires personal access rights. We require our employees to sign a confidentiality agreement. We require a GDPR contract extension from our partners (if they process personal data).
11. Rights of the data subject
The data subject has the right to check the data that is in the register and that is related to them, or to be informed that no data related to them is held in the register.
The data subject has the right to obtain the rectification, erasure and integration of data concerning them or to object to the use of the data for marketing or research purposes. To exercise the right of access and rectification, the data subject must contact the person responsible for the register at Cimson Koulutuspalvelut Ltd and arrange a personal visit to verify their identity.
For data where Cimson Koulutuspalvelut Ltd is the processor, requests for review should be addressed directly to the controller.
12. Retention of data
Cimson Koulutuspalvelut Ltd shall keep the data subjects’ data until there are no longer grounds for keeping the data.
In the register of participants in the services (end customers), the retention of data shall take into account the statutory retention periods or separate consents given by the data subject. In the absence of other factors related to data retention, personal data will be deleted from the register no later than two calendar years after the end of the service.
Personal data in the employee register will be stored in accordance with the labour legislation.
In the register of contact persons of customers and potential customers and stakeholders, Cimson Koulutuspalvelut Ltd keeps the data relevant for establishing and maintaining the customer relationship until there is no reason to keep the data.
13. Other rights related to the processing of personal data
The data subject has the right to refer a matter concerning the processing of their personal data to a supervisory authority.