Privacy Policy for supplier and partner data
Privacy Policy for partner data
This Privacy Policy applies to the partner activities of the Administer Group. Administer Plc and its group companies (collectively referred to as “Administer”) are committed to processing personal data in accordance with this Privacy Policy and applicable data protection legislation. We hope that our customers, the users of our services and our partners will familiarise themselves with our Privacy Policy.
Administer Plc and its group companies act as joint controllers with regard to the processing of data on suppliers and partners. This Privacy Policy describes how the Administer Group collects and processes personal data for common purposes.
1. Joint controllers
This Privacy Policy applies to the joint supplier and partner data file of Administer Plc and its group companies. Administer Plc is responsible for the technical administration of the personal data file and acts as a single point of contact with regard to data protection issues.
Administer Plc
Itämerenkatu 5
FI-00180 Helsinki
Business ID 0593027-4
Telephone: +358 (0)20 703 2000
All joint controllers of the register can be found on the Group’s website at https://administergroup.com/administer-konserni-yhtiolistaus/.
2. Contact persons for the data file
Administer Plc’s customer service is available in matters concerning the data file on weekdays between 9 a.m. and 4 p.m. by phone on +358 (0)20 703 2010. You can also send us your questions concerning the data file by e-mail to Tiedotus@Administer.fi or by letter to Administer, Itämerenkatu 5, FI-00180 Helsinki, Finland.
If you have any questions concerning data protection, please contact the Group’s Data Protection Officer: Anja Hänninen, tel. +358 (0)40 5220 621. You can also send us your questions concerning data protection by e-mail to Tietosuoja@Administer.fi or by letter to Administer, tietosuoja, Itämerenkatu 5, FI-00180 Helsinki, Finland.
3. Name of the data file
The supplier and partner data file of Administer Plc and its group companies. The data file includes CRM systems, systems related to accounts payable and receivable as well as marketing systems.
4. Basis and purpose of the processing of personal data
Data is collected in the data file for the purpose of enabling cooperation with various stakeholders and fulfilling contractual obligations. The personal data in the data file are divided into partner relationship management data and sales and marketing data.
Administer processes the information contained in the data file for the purpose of fulfilling the contractual obligations of Administer and its stakeholders, such as suppliers of goods and services, subcontractors and their employees and consultants as well as for the realisation of legitimate interests and the fulfilment of statutory obligations. The processing of personal data may also be based on an assignment issued by a partner or customer or on some other factual context. Certain processing actions are carried out on the basis of the data subject’s separate consent.
Contract: We process personal data to fulfil the contract for a service or product in relation to which we have agreed on cooperation. Without the aforementioned data, we cannot verify processing transactions related to the cooperation or engage in correspondence related to the contract.
Legitimate interest: We process data for the purpose of developing business operations and customer service, the execution of sweepstakes, events and studies, the prevention and investigation of misconduct, the presentation of and defence against of legal claims, the analysis of the use of our services as well as profiling and segmentation, and for marketing by telephone, marketing by post or marketing targeted on the basis of work duties. We process data within the Administer Group and also disclose personal data to selected third parties for marketing purposes, for example. These purposes are necessary for our business operations and are justified by the factual connection between the data subject and Administer and are therefore in our legitimate interest. Given the nature of the data processed, the purposes for which it is used and the relationship between the data subject and Administer, it is our view that the data processing is not in conflict with the fundamental rights or freedoms of the data subject. The data subject can object to the processing at any time.
Consent: We may process the data subject’s data in order to carry out electronic marketing activities or to disclose contact information for the purposes of direct marketing activities by selected partners. We may request the data subject’s consent in the event that the purposes of data processing change. Consent is also requested separately in certain circumstances; for example, consent to photography when registering for an event.
Legal obligation: We may be required to retain some personal data of the data subject in order to comply with accounting legislation or other mandatory legislation. In this case, the processing is based on compliance with a legal obligation.
The processing of personal data related to the management of a partner relationship is based on a contractual relationship. The purposes of the processing of personal data include the management and development of partner relationships, the sale of products and services, customer service and the management and development of business operations as well as the monitoring and allocation of subcontractors’ working hours. A partner’s personal data are needed for invoicing when the partner has participated in the provision of a service sold to Administer’s customer.
In marketing, the data in the partner information system is used to send electronic and printed newsletters, invitations to customer events and similar communications. The purposes of sales and marketing actions include communication with partners, new customer acquisition, customer relationship management, marketing Administer’s brand, products and services, including direct marketing and other similar sales and marketing actions. The data in the data file is used to support Administer’s business development, in addition to which the data file is used to maintain direct marketing permits and restrictions.
5. Contents of the data file
The data file only contains data that are necessary for the realisation of the data file’s purpose. The data file contains information on the contact persons and representatives of Administer’s subcontractors, i.e. suppliers of goods and services (company contact persons/representatives) and other representatives of partners, such as representatives of the state and municipalities, the public authorities, partners, representatives of educational institutions and non-profit organisations.
The data file contains the following types of data:
- The person’s first name and last name
- The person’s contact details (e-mail address, phone number, mailing address)
- The person’s job title, operational area of responsibility and procurement-related area of responsibility
- The language used by the person, e.g. Finnish or English
- Information on the use of electronic services and content, such as subscriptions to newsletters
- Information on the person’s direct marketing authorisations and restrictions
- Information related to marketing and sales promotion, such as marketing actions targeting a person and participation in them
- Information on the organisation the person represents: company name, Business ID, address, area of operations
- The person’s connections with other companies
- Data related to the partnership: the company’s service offering, information on past and current contracts and orders, the partner’s invoicing information
- Information on the work equipment and rights assigned to the person
- Data collected for the purpose of managing the use of information systems, such as access rights to information systems and related restrictions, the name and e-mail address of the holder of access rights, user IDs and passwords, login details, other identification data and log data stored in connection with information systems
- Working hours monitoring data on individual persons
- Communications: e-mail messages, chat messages, collaboration tools, voicemail messages, video recordings, phone recordings
- Information provided by the person themselves, e.g. text written in the message field of a contact form
Data obtained through cookies on a data subject’s web browsing is stored for the purposes of monitoring and developing the use of the service. Such data includes, for example, the time of the visit, the pages the person has visited, the web address from which the person came to the website, and the server from which the person has accessed the website.
6. Regular sources of data
As a rule, Administer receives personal data directly from the data subject or from the company they represent by phone, online, at meetings or in some other similar way. Personal data concerning the data subject can also be obtained after being collected by a third party, for example, in connection with various events. Administer regularly updates the data file, for example, during an existing contractual relationship, on the basis of data provided by the partner and data otherwise obtained during mutual cooperation.
Personal data are also collected and updated from publicly available information sources, such as companies’ websites and other public and commercial registers. In addition, information is collected in the data file using cookies on Administer’s website.
7. Disclosures and transfer of data
Administer observes data protection legislation and the related restrictions on the disclosure of data. Data is only disclosed to the extent necessary for the purpose for which the data is used and for the appropriate delivery of services. As the servers and other technical equipment used by Administer may be owned and controlled by an external service provider used by Administer, depending on the service provider, the data may be located either in Finland or outside Finland. Regardless of where the data is located, Administer takes appropriate security measures to ensure the protection of personal data in the context of disclosures.
To ensure service quality, Administer may, in certain circumstances, disclose data to its technical partners. The partners process the data they receive only to the extent required by the delivery of the service. The partners process the data they receive in accordance with the instructions issued by Administer and only after signing an agreement on the processing of personal data in accordance with the applicable data protection legislation.
7.1 Transfer of personal data outside the European Union/European Economic Area
Administer may transfer personal data outside the EU and EEA when using third-party service providers to store data on the basis of a cooperation agreement between the parties. In this case, the data transfers are carried out securely in accordance with data protection legislation and the restrictions laid out therein. Administer ensures an adequate level of protection of personal data by agreeing on matters pertaining to the confidentiality and processing of personal data as required by data protection legislation; for example, by using standard contractual clauses approved by the European Commission or other similar protection mechanisms.
8. Storage period of personal data
Administer stores the personal data collected in the data file for only the period of time necessary – and to the extent necessary – and legally permissible for the original or compatible purposes for which the personal data were collected. The purposes of processing personal data are described in section four (4).
When the partner relationship ends and the processing of personal data no longer serves a purpose, the personal data of the partner’s contact persons shall be erased or altered in such a way that the person is no longer identifiable. However, in connection with the destruction of data, the agreements relating to the possible customer relationship and other cooperation as well as e-mail messages pertaining to the interpretation of the contract shall not be erased. After the end of the partner relationship, personal data may be used if required by applicable legislation. Data collected for marketing purposes is erased from the data file after the data subject has withdrawn their consent.
Secure practices are observed in the destruction and erasure of data. Administer regularly erases data that is no longer necessary.
9. Data file protection principles
The personal data in the data file are protected in the manner required by the relevant legislation, with due consideration for data security. Administer has taken appropriate technical and organisational measures to protect personal data against accidental or unlawful loss, disclosure, misuse, alteration, destruction or unauthorised access.
Administer updates its security measures in accordance with the continuous development of technology. Data is protected by firewalls and various encryption techniques, in addition to which the server rooms selected for use are secure and subject to appropriate access control. The data in the systems is backed up regularly.
The employees involved in the processing of personal data have signed a data security and data protection commitment and received the necessary instructions and training for the processing of personal data. Access to the register is restricted by means of access rights so that the data stored in the system can be accessed and used only by those employees who have the right to access and use the data in the course of their duties. The access rights to personal data involve different levels of access and the granting and use of access rights is supervised in the Administer organisation.
10. Cookies
Cookies are small text files that are stored on the user’s terminal device when the user visits a website. On each subsequent visit, the cookies are sent back to our website or another website that identifies the cookie.
Cookies enable Administer, among other things, to identify the user’s device when they return to the site, to remember the user’s preferences and choices, to improve the user experience and to personalise our advertisements on our website and on other services. More information on cookies is available at www.aboutcookies.org.
Most web browsers accept cookies, but the user can also choose to change their browser settings to prevent new cookies from being stored, to disable existing cookies, or to request a notification before storing new cookies.
Administer uses the following cookies:
- Google Analytics is used to track anonymous visitor data, such as the number of visits, from which search engine the website has been accessed, and what search terms have been used.
- Hotjar is used to analyse and develop the website’s content and user interface. The cookie is used to anonymously track what users do on the website.
- Hubspot is used to develop the website’s content. The cookie provides tracking information about the activities of people who have left submitted their contact information using forms on the website, such as what pages the person reads.
- Third-party cookies: It is possible to share content with social networking services such as Twitter, LinkedIn and Facebook through the Administer website. These third parties may process personal data on different terms than Administer. Administer shall not be held responsible for the privacy practices of any third-party website linked to the Administer website.
11. Profiling
Administer carries out profiling in order to target marketing communications at the right groups. Only relevant and correct information is used in the context of profiling. For example, sensitive data and special categories of personal data are not used as a basis for profiling.
Administer carries out profiling through Hubspot as follows:
- The data subject expresses what they are interested in; for example, they indicate they wish to receive e-mail marketing regarding payroll and HR services
- Administer uses cookies on websites to collect data on a data subject’s online behaviour, based on which Administer aims to identify the data subject’s areas of interest and, based on that assessment, display preferable or relevant advertising to each data subject. The cookies used by Administer are described in more detail in section ten (10).
The data subject has the right to object to profiling when it is related to direct marketing, such as the sending of newsletters. A data subject can opt out of the direct marketing newsletters sent by Administer, for example, by using the unsubscribe link in the newsletter.
12. Links from the Administer website to other websites
The websites of our Group companies contain external links that direct the user to other websites, such as those of our partners. Administer’s partners may use cookies to collect information about a user’s visit to Administer.fi and other websites in order to target their advertising. Administer shall not be held responsible for the collection or processing of personal data by third parties in this manner.
13. The rights of the data subject
The data subject has the right to inspect their personal data in Administer’s data file and, if they wish, to obtain a copy of said data. The data subject also has the right to demand that Administer rectify, erase or supplement their personal data in the data file if the personal data are inaccurate, unnecessary, incomplete or outdated in relation to the purpose of the processing.
Requests for inspection and rectification shall be addressed to the data file’s contact person, whose contact information is provided at the beginning of this Privacy Policy, by sending a signed letter or similarly certified document that makes it possible to verify the requesting party’s right to make the request. If necessary, Administer can request the data subject to further specify their request in writing and the identity of the data subject can also be verified before taking any other measures. Administer shall respond to requests for inspection within one month of the request being presented. As a rule, the information is provided free of charge. However, if the data subject’s requests for information are unfounded or unreasonable – for example, if a data subject makes repeated requests for information – Administer shall have the right to charge a reasonable fee for collecting the data. The fee shall consist of the administrative costs incurred from carrying out the requested action and providing the related information. The data subject can choose whether to personally retrieve the data from Administer’s office or to receive the data by registered mail.
Where the processing of personal data is based on the data subject’s separate consent, the data subject has the right to withdraw the consent at any time. The data subject also has the right to request the erasure of their personal data (the right to be forgotten) when the data are no longer needed for the purposes for which they were collected or otherwise processed, or when there are no legal obligations concerning Administer in the role of the controller pertaining to the processing or storage of the data. Data stored in log files and previously sent messages will not be erased by Administer in this context, as they may be needed after several years to resolve potential violations or disputes. Administer also has the right to refrain from erasing data from the data file when Administer has a legitimate interest in not erasing the data in question or when the data concerns, for example, contractually pertinent issues related to a current partnership or customer relationship.
In certain situations, the data subject has the right to request the restriction of processing or object to the processing of their personal data for purposes such as direct marketing and related profiling. The data subject also has the right to request the transfer of data from one system to another or to another controller.
The data subject has the right to lodge a complaint with a supervisory authority if they are of the opinion that the processing of their personal data violates the General Data Protection Regulation. A complaint can be made, for example, if Administer does not appropriately implement the data subject’s rights as laid out in the General Data Protection Regulation. A notification of a fault in the processing of personal data can be submitted on the Office of the Data Protection Ombudsman website: https://tietosuoja.fi/en/report-of-fault-in-personal-data-processing.
14. Amendments to the Privacy Policy
Administer constantly develops its business operations, which is why Administer reserves the right to amend this Privacy Policy by announcing such amendments on its services. Amendments to the Privacy Policy may also be based on changes in legislation.
Administer shall communicate amendments to the Privacy Policy on its website by publishing the updated Privacy Policy and specifying the date of the amendment. For this reason, Administer recommends that users regularly check the current Privacy Policy on the Administer website. In the event that Administer makes significant amendments to the Privacy Policy, Administer may also announce such amendments in other ways, such as by sending an e-mail message or publishing a release on the website and/or social media pages before the amendments take effect.
This Privacy Policy was last updated on 7 December 2021.
15. Contacts
If necessary, Administer can request the data subject to further specify their request in writing and the identity of the data subject can be verified before taking any other measures. When Administer acts only as a processor for another controller with regard to personal data, the data subject is advised to contact that controller with regard to any requests. We process all communications confidentially.