Administer Plc and its group companies (collectively referred to as “Administer”) are committed to processing personal data in accordance with this Privacy Policy and applicable data protection legislation. We hope that our customers, the users of our services and our partners will familiarise themselves with our Privacy Policy.

Administer Plc and its group companies act as joint controllers with regard to the processing of data on customers and contact persons. This Privacy Policy describes how the Administer Group collects and processes personal data for common purposes. 

1. Joint controllers

This Privacy Policy applies to the joint customer and contact person data file of Administer Plc and its group companies. Administer Plc is responsible for the technical administration of the personal data file and acts as a single point of contact with regard to data protection issues.

Administer Plc
Itämerenkatu 5
FI-00180 Helsinki
Business ID 0593027-4
Telephone: +358 (0)20 703 2000

All joint controllers of the register can be found on the Group’s website at https://administergroup.com/administer-konserni-yhtiolistaus/.

2. Contact persons for the data file

Administer Plc’s customer service is available in matters concerning the data file on weekdays between 9 a.m. and 4 p.m. by phone on +358 (0)20 703 2010. You can also send us your questions concerning the data file by e-mail to tiedotus@Administer.fi or by letter to Administer Plc, Itämerenkatu 5, FI-00180 Helsinki, Finland.

If you have any questions concerning data protection, please contact the Group’s Data Protection Officer: Anja Hänninen, tel. +358 (0)40 5220 621.  You can also send us your questions concerning data protection by e-mail to tietosuoja@administer.fi or by letter to Administer Plc, tietosuoja, Itämerenkatu 5, FI-00180 Helsinki, Finland.

3. Name of the data file

The customer and contact person data file of Administer Plc and its group companies. The data file includes CRM systems, systems related to accounts payable and receivable as well as marketing systems.

4. Basis and purpose of the processing of personal data

The personal data used by Administer are divided into customer relationship management data and marketing data. The basis for the processing of personal data is a contractual relationship, the realisation of the legitimate interests of the controller (e.g. if the data subject has previously been a customer of Administer), the data subject’s consent, a separate assignment given by the customer or other relevant context and a legal obligation.

Contract: We process personal data to fulfil the contract for a service or product ordered by the data subject or their employer. Without the aforementioned data, we cannot provide our services in accordance with the contract, verify customer transactions, communicate with the customer in matters related to the contract, provide technical support or issue invoices for our services.

Legitimate interest: We process data for the purpose of developing business operations and customer service, the execution of sweepstakes, events and studies, the prevention and investigation of misconduct, the presentation of and defence against of legal claims, the analysis of the use of our services as well as profiling and segmentation, and for marketing by telephone, marketing by post or marketing targeted on the basis of work duties. We process data within the Administer Group and also disclose personal data to selected third parties for marketing purposes, for example. These purposes are necessary for our business operations and are justified by the factual connection between the data subject and Administer and are therefore in our legitimate interest. Given the nature of the data processed, the purposes for which it is used and the relationship between the data subject and Administer, it is our view that the data processing is not in conflict with the fundamental rights or freedoms of the data subject. The data subject can object to the processing at any time.

Consent: We may process the data subject’s data in order to carry out electronic marketing activities or to disclose contact information for the purposes of direct marketing activities by selected partners. We may also request the data subject’s consent in the event that the purposes of data processing change. Consent is also requested separately in certain circumstances; for example, consent to photography when registering for an event.

Legal obligation: We may be required to retain some personal data of the data subject in order to comply with accounting legislation or other mandatory legislation. In this case, the processing is based on compliance with a legal obligation.

The processing of personal data related to the management of the customer relationship is based, in particular, on fulfilling contracts and the provision of the services specified therein. The purposes of the processing of personal data include the sale of products and services, customer service and the management and development of business operations as well as the management and development of the customer relationship. In managing accounts payable and receivable, Administer requires the personal data of the customer’s contact persons for purposes such as invoicing and collection as well as for the provision of related services.

Sales and marketing uses the information in the customer information system to manage, maintain and develop both existing customer relationships and potential customer relationships. Personal data are used for communicating information on, and marketing, Administer’s services and events, such as sending electronic and printed newsletters and invitations to customer events and similar communications, the marketing of Administer’s brand and products and services, direct marketing and other similar sales and marketing activities. The data in the data file is used to support Administer’s business development, in addition to which the data file is used to maintain direct marketing permits and restrictions.

5. The kinds of data we collect 

We only collect personal data necessary for pre-defined purposes from the data subject. The purpose determines what kind of data are collected on the data subject in each situation. When collecting data, we aim to inform the data subject of what kinds of information are necessary for using the service or otherwise mandatory for the fulfilment of the contract, and what kinds of information the data subject can provide if they so wish.

Administer processes the following data for customer relationship management and sales and marketing purposes:

• The person’s first name and last name
• The person’s contact details (e-mail address, phone number, mailing address)
• The person’s job title, operational area of responsibility and procurement-related area of responsibility
• The language used by the person, e.g. Finnish or English
• Information on the person’s direct marketing authorisations and restrictions
• Information on the use of electronic services and content, such as subscriptions to newsletters 
• Information related to marketing and sales promotion, such as marketing actions targeting a person and participation in them
• Information provided by the person themselves, e.g. comments and feedback left in the message field of the website contact form
• Telephone recordings
• Other data collected with the data subject’s consent

In addition to the data listed above, the following data are processed by Administer in connection with the management of customer relationships:

• Company name, line of business, Business ID
• Company contact details (e-mail address, phone number, mailing address, company website and possible social media channels such as Twitter, LinkedIn and Facebook)
• The company’s customer number
• The company’s contact persons
• Data related to the management of the customer relationship and correspondence as well as classification, such as contact requests, data related to the ordering, delivery and invoicing of services, feedback and complaints related to services as well as records of customer service events, such as e-mails
• Data related to the identification of the customer’s contact persons and user management, such as user IDs.

For potential customers – such as people who may be interested in our services, or former customers – we typically process data concerning their name, contact information, mother tongue, occupation and other identification data, such as target group information. For former customers, we process data related to previous contracts. For potential contact persons of corporate customers or partners, we also process data concerning their job duties, such as their position or area of responsibility in the company.

Data obtained through cookies on a data subject’s web browsing are stored for the purposes of monitoring and developing the use of the service. Such data includes, for example, the time of the visit, the pages the person has visited, the web address from which the person came to the website, and the server from which the person has accessed the website.

As our services are not aimed at children, we do not knowingly process children’s personal data or form children-only target groups from our users.

6. Regular sources of data

As a rule, Administer collects personal data directly from the data subject by phone, online, at meetings or in some other similar way, such as by e-mail. Personal data concerning the data subject can also be obtained after being collected by a third party, for example, in connection with various events. Administer regularly updates the data file, such as during an existing contractual relationship, on the basis of data provided by the customer and data otherwise obtained during mutual cooperation.

Personal data are also collected and updated from publicly available information sources, such as companies’ websites and other public and commercial registers. In addition, information is collected in the data file using cookies on Administer’s website.

7. Disclosures and transfer of data

Administer observes data protection legislation and the related restrictions on the disclosure of data. Data is only disclosed to the extent necessary for the purpose for which the data are used and for the appropriate delivery of services. As the servers and other technical equipment used by Administer may be owned and controlled by an external service provider used by Administer, depending on the service provider, the data may be located either in Finland or outside Finland. Regardless of where the data are located, Administer takes appropriate security measures to ensure the protection of personal data in the context of disclosures.

To ensure service quality, Administer discloses data to its technical partners. The partners process the data they receive only to the extent required by the delivery of the service. The partners process the data they receive in accordance with the instructions issued by Administer and only after signing an agreement on the processing of personal data in accordance with the applicable data protection legislation.

7.1 Transfer of personal data outside the European Union/European Economic Area

Administer may transfer personal data outside the EU and EEA when using third-party service providers to store data on the basis of a cooperation agreement between the parties. In this case, the data transfers are carried out securely in accordance with data protection legislation and the restrictions laid out therein. Administer ensures an adequate level of protection of personal data by agreeing on matters pertaining to the confidentiality and processing of personal data as required by data protection legislation; for example, by using standard contractual clauses approved by the European Commission or other similar protection mechanisms.

8. Storage period of personal data

Administer stores the personal data collected in the data file for only the period of time necessary – and to the extent necessary – and legally permissible for the original or compatible purposes for which the personal data were collected. The purposes of processing personal data are described in section four (4).

As a rule, personal data are stored for a maximum of three (3) years from the last active event between Administer and the data subject. When the storage period specified for the data has expired, Administer either destroys or erases the personal data or transforms the data into a form that makes the data subject unidentifiable. However, in connection with the destruction of data, the agreements relating to the possible customer relationship and other cooperation, as well as past messages, are not erased. After the end of the customer relationship, personal data may be used if required by applicable legislation. Data collected for marketing purposes is erased from the data file after the data subject has withdrawn their consent. Secure practices are observed in the destruction and erasure of data. Administer regularly erases data that is no longer necessary.

9. Protection of personal data

The personal data in the data file are protected in the manner required by the relevant legislation, with due consideration for data security. Administer has taken appropriate technical and organisational measures to protect personal data against accidental or unlawful loss, disclosure, misuse, alteration, destruction or unauthorised access.

Administer updates its security measures in accordance with the continuous development of technology. Data is protected by firewalls and various encryption techniques, in addition to which the server rooms selected for use are secure and subject to appropriate access control. The data in the systems are backed up regularly.

The employees involved in the processing of personal data have signed a data security and data protection commitment and received the necessary instructions and training for the processing of personal data. Access to the register is restricted by means of access rights so that the data stored in the system can be accessed and used only by those employees who have the right to access and use the data in the course of their duties. The access rights to personal data involve different levels of access and the granting and use of access rights is supervised in the Administer organisation.

10. Cookies

Cookies are small text files that are stored on the user’s terminal device when the user visits a website. On each subsequent visit, the cookies are sent back to our website or another website that identifies the cookie.

Cookies enable us, among other things, to identify the user’s device when they return to the site, to remember the user’s preferences and choices, to improve the user experience and to personalise our advertisements on our website and on other services. More information on cookies is available at www.aboutcookies.org. 

Most web browsers accept cookies, but the user can also choose to change their browser settings to prevent new cookies from being stored, to disable existing cookies, or to request a notification before storing new cookies.

Administer uses the following cookies:

• Google Analytics is used to track anonymous visitor data, such as the number of visits, from which search engine the website has been accessed, and what search terms have been used.
• Hotjar is used to analyse and develop the website’s content and user interface. The cookie is used to anonymously track what users do on the website.
• Hubspot is used to develop the website’s content. The cookie provides tracking information about the activities of people who have left submitted their contact information using forms on the website, such as what pages the person reads.
• Third-party cookies: It is possible to share content with social networking services such as Twitter, LinkedIn and Facebook through the Administer website. These third parties may process personal data on different terms than Administer. Administer shall not be held responsible for the privacy practices of any third-party website linked to the Administer website.

11. Profiling

Administer carries out profiling in order to target marketing communications at the right groups. Administer carries out profiling through Hubspot as follows:

• The data subject expresses what they are interested in; for example, they indicate they wish to receive e-mail marketing regarding payroll and HR services
• Administer uses cookies on websites to collect data on a data subject’s online behaviour, based on which Administer aims to identify the data subject’s areas of interest and, based on that assessment, display preferable or relevant advertising to each data subject. The cookies used by Administer are described in more detail in section ten (10).

The data subject has the right to object to profiling when it is related to direct marketing, such as the sending of newsletters. A data subject can opt out of the direct marketing newsletters sent by Administer, for example, by using the unsubscribe link in the newsletter.

12. Links from the Administer website to other websites

The websites of our Group companies contain external links that direct the user to other websites, such as those of our partners. Administer’s partners may use cookies to collect information about a user’s visit to Administer.fi and other websites in order to target their advertising. Administer shall not be held responsible for the collection or processing of personal data by third parties in this manner.

13. The rights of the data subject

The data subject has the right to inspect their personal data in Administer’s data file and, if they wish, to obtain a copy of said data. The data subject also has the right to demand that Administer rectify, erase or supplement their personal data in the data file if the personal data are inaccurate, unnecessary, incomplete or outdated in relation to the purpose of the processing.

Requests for inspection and rectification shall be addressed to the data file’s contact person, whose contact information is provided at the beginning of this Privacy Policy, by sending a signed letter or similarly certified document that makes it possible to verify the requesting party’s right to make the request. If necessary, Administer can request the data subject to further specify their request in writing and the identity of the data subject can also be verified before taking any other measures. Administer shall respond to requests for inspection within one month of the request being presented. As a rule, the information is provided free of charge. However, if the data subject’s requests for information are unfounded or unreasonable – for example, if a data subject makes repeated requests for information – Administer shall have the right to charge a reasonable fee for collecting the data. The fee shall consist of the administrative costs incurred from carrying out the requested action and providing the related information. The data subject can choose whether to personally retrieve the data from Administer’s office or to receive the data by registered mail.

Where the processing of personal data is based on the data subject’s separate consent, the data subject has the right to withdraw the consent at any time. The data subject also has the right to request the erasure of their personal data (the right to be forgotten) when the data are no longer needed for the purposes for which they were collected or otherwise processed, or when there are no legal obligations concerning Administer in the role of the controller pertaining to the processing or storage of the data. Data stored in log files and previously sent messages will not be erased by Administer in this context, as they may be needed after several years to resolve potential violations or disputes. Administer also has the right to refrain from erasing data from the data file when Administer has a legitimate interest in not erasing the data in question or when the data concerns, for example, contractually pertinent issues related to a current customer relationship.

In certain situations, the data subject has the right to request the restriction of processing or object to the processing of their personal data for purposes such as direct marketing and related profiling. The data subject also has the right to request the transfer of data from one system to another or to another controller.

The data subject has the right to lodge a complaint with a supervisory authority if they are of the opinion that the processing of their personal data violates the General Data Protection Regulation. A complaint can be made, for example, if Administer does not appropriately implement the data subject’s rights as laid out in the General Data Protection Regulation.  A notification of a fault in the processing of personal data can be submitted on the Office of the Data Protection Ombudsman website: https://tietosuoja.fi/en/report-of-fault-in-personal-data-processing.

14. Amendments to the Privacy Policy

Administer constantly develops its business operations, which is why Administer reserves the right to amend this Privacy Policy by announcing such amendments on its services. Amendments to the Privacy Policy may also be based on changes in legislation.

Administer shall communicate amendments to the Privacy Policy on its website by publishing the updated Privacy Policy and specifying the date of the amendment. For this reason, Administer recommends that users regularly check the current Privacy Policy on the Administer website. In the event that Administer makes significant amendments to the Privacy Policy, Administer shall also announce such amendments in other ways, such as by sending an e-mail message or publishing a release on the website and/or social media pages before the amendments take effect.

This Privacy Policy was last updated on 7 December 2021.

15. Contacts

We are happy to help you with any questions you may have regarding the processing of your personal data and the exercise of your rights. Please contact us in writing. The contact information is provided at the beginning of this Privacy Policy, in section 2: “Contact persons for the data file”.

If necessary, Administer can request the data subject to further specify their request in writing and the identity of the data subject can be verified before taking any other measures. When Administer acts only as a processor for another controller with regard to personal data, the data subject is advised to contact that controller with regard to any requests. We process all communications confidentially.