Ensuring data protection is part of the Fira Group’s risk management and responsible operating principles. This data protection policy applies to Fira Group Oy and its subsidiaries anywhere in the world. This data protection policy defines how the Fira Group seeks to ensure lawful processing of personal data as well as a high level of data protection.
Scope and aims of the data protection policy
Data protection includes the protection of an individual’s privacy and other rights that safeguard the protection of privacy when processing personal data.
The aim of the data protection policy is to safeguard the rights of the Fira Group’s customers, employees and other stakeholders in accordance with the legislation applicable to the use of personal data, and to ensure that those who process personal data know their rights and comply with their obligations when doing so. When implementing data protection, particular attention is paid to the confidentiality of personal data, to measures ensuring that unauthorised persons cannot access the data, to preventing the data from being used in a way that is detrimental to the individual, and to safeguarding the data subject’s rights.
Data protection is closely linked to information security. The company’s data protection policy defines what information security means and how it is maintained.
Principles followed when processing personal data
As part of the Fira Group’s operations, the processing of personal data is planned in advance, and the processing complies with this data protection policy, internal guidelines and data protection legislation from the moment the collection of data is planned. The party responsible for a project or a change always ensures, with supporting documentation, that the data subject’s privacy is protected appropriately in view of the personal data collected and its need for protection. For guidance on appropriate project documentation and on planning the life cycle of personal data, the company’s data privacy officer must be contacted.
We at the Fira Group comply with the following principles whenever processing personal data.
Legality and transparency
We ensure that the processing of personal data is lawful, appropriate and transparent from the data subject’s perspective. We inform data subjects, for example, of what kind of personal data is collected, for what purposes, where the personal data is collected from and where it is transferred to.
The collection and processing of personal data is always based on legislation, a customer agreement, the Fira Group’s legitimate interest or other relevant reason or the data subject’s consent.
Respecting the rights of a data subject
We ensure that we inform data subjects in an appropriate and timely manner with regard to the processing of data and the related rights of the data subjects. The rights of a data subject include the right of access to one’s data, the right to request a rectification and removal of data and the right to object to and restrict the processing of personal data.
We operate in a transparent way. Data subjects have the right to check what data concerning them we have collected and recorded in our registers. Data subjects can also request that incorrect data be rectified, or that data be erased if the legal basis for processing it (e.g. a customer relationship) no longer exists. As part of our operations, we ensure that the rights of all data subjects are protected and that their requests are responded to without delay.
We only collect personal data for a specific, predetermined purpose. Data collected for one purpose may not be used for other purposes. If it is not clear that the data is needed for a justified purpose, the data must not be collected or recorded, and any such data already held must be destroyed.
We only collect and process personal data that is adequate, relevant and necessary for the purpose in question; the data must not be excessive in relation to the purposes for which it is collected. As a general rule, we do not record in our registers of personal data the special categories of data referred to in data protection legislation, for example data concerning a person’s racial or ethnic origin, social, political or religious beliefs, trade union membership, health, illness or disability, or sexual orientation or behaviour, unless we have a statutory right or obligation to do so.
Updating of data and rectification of errors
We take steps to ensure that the personal data we process is accurate and up to date, and we rectify or erase incorrect or outdated data without delay. For example, we update the data subjects’ contact details whenever necessary from a reliable source, such as the data subjects themselves.
Storage period and disposal of personal data
We seek to store personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. We determine storage periods for all personal data collected. As a general rule, we only use personal data for as long as it is necessary considering its intended purpose, after which we will dispose of or archive the data (unless the legislation imposes a specific obligation to record the data).
Information security and confidentiality
Our aim is to ensure an adequate level of information security for personal data, for example by taking appropriate technical and organisational measures to protect the data from unauthorised or unlawful processing and from destruction. Technical and organisational measures are the protective measures that ensure the security of personal data in both electronic and paper form. Such measures include staff training and guidelines, confidentiality agreements, surveillance of facilities, monitoring of use, security and technical restrictions on information systems, audits, control and monitoring systems, data encryption, anonymisation (irreversibly removing or altering identifying information so that the data can no longer be linked to an individual, wherever identification is not needed) and pseudonymisation (replacing direct identifiers with artificial identifiers, with the information needed to re-identify the individual kept separately and protected).
Access to databases containing personal data is limited to persons who, due to their duties, need to process the personal data in question.
Controller’s responsibility and accountability
We regularly assess the processes related to the processing of personal data as well as the related risks to ensure that the Fira Group has taken adequate measures. As part of our operations we ensure that, for example, appropriate agreements, up-to-date privacy policies and guidelines as well as functional and restricted access rights are in place.
Responsibilities and organisation
The responsibility for ensuring data protection lies with the business and group management within each unit. The Fira Group has a data privacy officer who guides and develops the implementation of data protection within the group and whose task is to assist the business units with data protection matters and to ensure smooth cooperation with any authorities.
The work of the data privacy officer and business units is supported by the data protection group that consists of register owners and a legal officer. Register owners are responsible for ensuring that the description of a register for their own area is up-to-date and that personal data is processed and profiled appropriately. In addition, register owners are responsible for ensuring data protection when business functions are outsourced to a partner. They ensure that the chosen partner complies with this data protection policy. A written agreement that meets the requirements of relevant legislation is always prepared when outsourcing the processing of personal data in order to define the responsibilities and obligations of the parties.
Ensuring data protection
Data protection matters are part of the induction of new employees processing personal data and related training is offered to all employees on a regular basis. Ensuring data protection is in line with Fira’s values and the general data protection guidelines are integrated into the company’s other ethical guidelines.
All individuals processing personal data are bound by a legal or otherwise agreed and documented obligation of confidentiality.
The use of information systems containing personal data is controlled through the group’s user management solution or by other documented measures. Log data is collected for all registers to the extent required by law, or otherwise with sufficient detail to establish who has processed the data and when. When a breach of data protection is suspected or detected, the matter is investigated without delay. Where required, we also notify the authorities and the persons whose personal data has been compromised within the time limits set by legislation. The person in charge of the company’s data protection matters provides detailed instructions and is responsible for making the notifications.
Communication to personnel, data subjects and stakeholders
This data protection policy and any changes to it are communicated to the Fira Group’s personnel through the Fira intranet. The up-to-date data protection policy is also published on the fira.fi website. The data protection policy will be updated whenever necessary. In addition to this policy, the Fira Group has internal data protection guidelines.
Adoption of the privacy and data protection policy
Fira Group’s board of directors has adopted this policy on 25.04.2018.