
Data Protection Policy

1. Data Protection Policy

Ensuring data protection is a part of Tokmanni’s compliance activities, risk management and responsible operations. This Data Protection Policy specifies how to ensure that personal data is processed legally and with a high level of data protection in all Tokmanni’s operations and how data protection is controlled at Tokmanni. Data processing is based on legislation in force. This Data Protection Policy has been approved by Tokmanni’s Steering Committee on Data Protection and the Executive Group.

2. Scope and objectives of Data Protection Policy

Data protection consists of the protection of privacy of individuals and other rights that secure the individual’s rights in connection with the processing of personal data. Data protection applies to the processing of personal data of both Tokmanni’s employees and Tokmanni’s customers and other partners.

This Data Protection Policy seeks to secure the statutory rights of individuals concerning the processing of their personal data when these individuals are Tokmanni’s customers, employees and other stakeholders and to secure the rights of the processor of personal data and ensure that the processor follows its obligations.

When implementing data protection, particular attention must be paid to the secrecy of personal data, prevention of unauthorised access to personal data and prevention of use of the data in ways that could harm the individual.

Data protection is closely associated with information security. Tokmanni’s Information Security Policy specifies what information security means and how it is maintained.

3. Collecting and using personal data

The processing of personal data is based on a person’s consent or another legal justification for collecting data. Personal data is processed only for the purpose it has been collected for. Personal data is processed only for a predetermined time related to its intended purpose. Measures are taken to verify the correctness of the data being used by updating it from the person himself/herself and other reliable sources. When the data is no longer needed for its intended purpose, it is destroyed with appropriate methods. The archiving times of personal data are stated in more detail in the data file description. Data is disclosed only to the parties stated in the data file description or in legislation.

4. Data file descriptions

A data file description has been created for all personal data files. The data file description contains further information for the data subjects on the use of their personal data. The data file descriptions are available in Tokmanni’s intranet; the data file description of Tokmanni’s customer register is also available on Tokmanni’s website. The processing of personal data of Tokmanni’s employees is reviewed in more detail in a mandatory online course on data protection. The online course was launched in May 2018, and all Tokmanni employees must complete it. The completion is monitored with regularly run reports.

5. Responsibilities and organisation

Responsibility for implementing data protection lies with Tokmanni’s Executive Group.

On the company level, data protection is administered by the Data Protection Group that contains an appointed member from each department of Tokmanni. Each member of the Data Protection Group is responsible for implementing data protection in his/her department and ensuring that data protection is actively maintained at the department. The Data Protection Group reports to the GDPR Steering Committee. The members of the Data Protection Group and the Steering Committee are listed at the end of this document. Tokmanni has also appointed a person in charge for data protection who coordinates inspections and other matters related to data protection.

Each department is independently responsible for allocating resources for data protection and implementing it in practice in the unit. A department remains responsible for data protection even if it outsources data processing. The department must ensure that the selected partner follows this Data Protection Policy and that an appropriate agreement on the processing of personal data is made with the partner.

The online course on data protection teaches every Tokmanni employee the basics of data protection and processing of personal data. Everyone must be familiar with the data protection regulation that applies to his/her area of responsibility and be able to manage the risks.

6. Ensuring data protection

Matters related to data protection are a part of the job orientation for new employees who process personal information. In addition, data protection matters are regularly included in meeting agendas.

Tokmanni’s intranet has a separate site for data protection matters. The site contains data file descriptions, practical advice and more. You can also ask questions on the site. In matters related to data protection, Tokmanni employees can also email tietosuoja(at)tokmanni.fi. The email address is coordinated by the person in charge of data protection who will forward the questions to the correct person.

All people who process personal data are bound by an obligation of secrecy, either statutory or separately agreed and documented.

The use of information systems that contain personal data is controlled by access management. Only people who have a statutory need to process personal data are granted access to personal data. Logs are collected from all registers in sufficient detail, as required by law or otherwise.

Actions to take when data protection is jeopardised

If data protection is suspected or found to have been jeopardised, the matter must be investigated immediately. A notification is sent to the person in charge of data protection who will coordinate the investigation. The person in charge of data protection informs the Data Protection Group and the GDPR Steering Committee of a potential personal data breach. The data protection authority is also notified of a potential personal data breach if the notification threshold is exceeded. The GDPR Steering Committee will make the decision on notifying the data protection authority.

The data subject whose data protection has been jeopardised by the personal data breach must be informed of the matter without delay if the notification is necessary to carry out corrective actions or limit the damage.

Each department or controller assesses and monitors the actualisation of data protection in their functions. The person in charge of data protection carries out internal audits on data protection as part of his/her normal inspections.

Actions that are considered to jeopardise data protection are those that breach the data protection legislation, this Data Protection Policy or instructions based on it. Actions that breach data protection instructions may lead to consequences under employment law or criminal law. Data protection is taken seriously at Tokmanni and actions that breach data protection are dealt with immediately.

7. Communications about data protection

Tokmanni communicates the existence of this Data Protection Policy and any changes thereto to the employees in the intranet and, if necessary, by email. The Data Protection Policy will be updated as necessary. The version of the Data Protection Policy valid at the time will be published on the tokmanni.fi website and in Tokmanni’s intranet.

Page last updated: 14.04.2020