Employee register

Rainmaker – Employee register

At Rainmaker, we take data protection seriously. The proper handling of personal data of our customers, potential customers, employees, and job applicants is important to us, and we are committed to operating as transparently as possible regarding data protection matters. This statement describes how we process the personal data of data subjects and explains their rights concerning the processing of personal data.

 

Data controller

Rainmaker Group Oy (business ID: 2707250-6), together with other companies belonging to the Group (hereinafter “Rainmaker”). A list of the Group companies: https://rainmaker.fi/ota-yhteytta/

Address: Piispanportti 11, 02240 Espoo

 

 

Contact person for data protection matters

Kati Helavirta, Data Protection Officer

firstname.lastname(@)rainmaker.fi

 

 

Personal data processed and purposes of processing

We process employee-related personal data for the management of employment relationships, fulfillment of employer obligations, and business development. The data processed includes, among others:

  • Personal, contact, and identification information
    • Name
    • Address
    • Telephone number
    • Email address
    • Social security number
    • Employee ID
    • Gender
  • Information related to employment contract
    • Start and end date of employment
    • Job title
    • Title
    • Other employment contract details
  • Payroll information
    • Salary group
    • Monetary salary
    • Fringe benefits
    • Employee benefits
    • Bank account details
  • Absence information
    • Sick leaves
    • Annual leaves
    • Other possible absences
  • Travel expense reports and mileage allowances
  • Competence and personal assessments
  • Information related to supporting and monitoring work ability
  • Information on work performance, such as statistics and evaluations
  • Access rights to information systems, usernames, and possible log data
  • Working time records
  • Possible trade union membership, if the information is needed for deducting membership fees directly from salary
  • Possible debt collection information and information on deductions from salary
  • Access control information
  • Call recordings

The processing of personal data is based on the following purposes:

  • The purpose of personal data processing is to enable the fulfillment of employer obligations in the management of the employment relationship.
  • The purpose of personal data processing is to manage employment matters and related employer obligations, such as payroll, as well as to plan and develop our business, taking into account personnel perspectives.
  • Call recordings are stored to verify the content of communications and to ensure the realization of rights and responsibilities. Call recordings can also be used in internal personnel training to improve service quality and develop services.

We take into account and strictly adhere to the special requirements related to the processing of sensitive data and data belonging to special categories of personal data in all our data processing operations.

 

Legal basis for the processing of personal data

The legal basis for processing personal data is one or more of the following:

  • The legitimate interest of the data controller or other group companies
  • Contractual relationship, i.e., processing is necessary for the performance of an employment or internship relationship
  • Processing is necessary for compliance with our legal obligations
  • The data subject has given explicit consent to the processing of their personal data

 

Regular sources of personal data

Personal data is primarily collected from the data subject themselves before or during the employment relationship. In some cases, we may also collect data from external sources if it is a prerequisite for performing job duties. Such situations may include, for example, conducting a security clearance or checking credit information. The data subject will be informed in advance of these cases where data is collected from external sources, and separate consent will be requested if necessary.

In addition, we may receive personal data from other group companies when it is necessary to fulfill employer obligations and manage the employment relationship.

 

Regular disclosures of personal data

Personal data is disclosed to the following parties for the implementation of statutory obligations and operations:

  • Tax authorities for the implementation of taxation
  • Pension and insurance companies for the maintenance of insurance taken out by the employer
  • Labor and debt collection authorities and the Employment Fund for the implementation of their statutory tasks
  • Occupational health service providers for the organization of statutory occupational health care

In addition, Rainmaker may disclose personal data to its client companies to the extent necessary for the management of work and the performance of tasks. Personal data may also be disclosed to employee unions based on the employee’s explicit authorization. Personal data may also be transferred to other Rainmaker group companies when it is necessary to fulfill employer obligations and manage the employment relationship.

 

Transfer of data outside the EU/EEA area

Rainmaker may transfer personal data outside the EU/EEA area as part of its operations. If this is done, we ensure that personal data is transferred outside the EU/EEA area only in accordance with data protection legislation and that the data is adequately protected in the manner required by the applicable data protection legislation.

 

Principles of personal data protection and retention

Access to employee personal data is granted to designated individuals to the extent necessary for the performance of human resources and payroll tasks. Individuals processing employee personal data have been given separate personal usernames and passwords issued by the system administrator, as well as training on data processing. They are also bound by a confidentiality obligation. Employee health information is stored separately from other data.

Electronic data is protected by usernames and passwords. Personal data is collected in an information system protected by firewalls to prevent external access. The server where the personal data is stored is kept in locked premises with access limited to a designated number of maintenance personnel. Computers used to access the database are located in locked and monitored premises. Manual material is stored in a locked location.

We retain personal data only for as long as it is necessary to fulfill the purposes of its processing or as long as applicable legislation requires. After the retention period, personal data is deleted, securely destroyed, or anonymized so that the data can no longer be linked to an identifiable person. Below are typical retention periods for personal data:

  • Personal, contact, and identification information – 10 years from the end of employment
  • Employment relationship information – 10 years from the end of employment
  • Payroll information – 10 years from the end of employment
  • Absence information – 10 years from the end of employment (excluding sick leave certificates, which are retained for 2 years)
  • Travel expense reports and mileage allowances – 10 years from the end of employment
  • Competence and personal assessments – 2 years
  • Information on work performance, such as statistics and evaluations – 2 years
  • Information related to supporting and monitoring work ability – 10 years
  • Access rights to information systems, usernames, and possible log data – 0-3 months from the end of employment
  • Annual leave and working time records – 10 years from the end of employment
  • Access control information – 1 year
  • Possible trade union membership – 10 years from the end of employment
  • Possible debt collection information – 10 years from the end of employment
  • Call recordings – 1 month

 

Management of risks to data subjects

We strive to minimize the risks to data subjects in the processing of personal data. Rainmaker’s risk management measures for personal data include, among others, regular personnel training and ensuring data protection competence, regular risk monitoring and assessment, and impact assessments regarding the processing of personal data.

In the event of possible personal data breaches, Rainmaker will act in accordance with the instructions of the data protection authorities, assessing the risks that may arise to the data subject. If it is likely that a data breach will result in a high risk to the realization of the data subject’s rights and freedoms, the data controller will notify the data subject of the incident without delay.

 

Data subject’s rights

The data subject has the right to exercise the rights listed below. To exercise these rights, the data subject can contact the data controller (Rainmaker). The data controller’s contact person and contact information are stated at the top of this statement.

The data subject has the right to inspect the personal data concerning them stored in the personal register and to demand the rectification or deletion of incorrect data. In this case, the data subject will be provided with a copy of the data concerning them, and it will be updated at the data subject’s request.

In certain situations, the data subject has the right to transfer the data they have provided to another system. Such a situation may arise when the data controller processes personal data based on consent or a contract.

The data subject also has the right in some situations to request the erasure of their data. This right may be limited, for example, by a legal obligation to retain the personal data in question. If the need for personal data processing ceases, the data will be erased without a separate request.

In accordance with the General Data Protection Regulation (from 25 May 2018), the data subject has the right to object to or request the restriction of the processing of their data. In connection with the request, the data subject must specify the particular situation on which they base their objection to the processing. Rainmaker may refuse to implement a request for objection only on grounds provided by law. Restriction of processing means that the data is stored, but it is otherwise processed only on the basis of consent, for a legal claim, for the protection of the rights of another person, or for reasons of important public interest of the Union or a Member State. Restriction of processing is appropriate, for example, if the lawfulness of the processing has been contested. In this case, the processing of data is restricted until the lawfulness of the processing has been verified.

The data subject has the right to avoid decisions based solely on automated processing that produce legal effects or other significant effects. In addition, the data subject may request that decisions based on automated decision-making be reviewed by a human before a final decision is made. At Rainmaker, we do not make decisions in the processing of the job applicant register that would be based solely on automated processing and that would have legal or other significant effects.

If the data subject believes that their data has been processed improperly or unlawfully, we encourage them to first contact Rainmaker so that we can investigate the matter together. The data subject also has the right to lodge a complaint with the competent supervisory authority. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman, whose up-to-date contact information and contact channels can be found on the Office of the Data Protection Ombudsman’s website.

 

Changes to this statement

If changes are made to this statement, we will update the information on our website and add a note indicating the date of the update.

Updated 5 March 2025