Data Protection Statement – Subcontractors

Last updated: 10 October 2024

Introduction

Siili Solutions Plc and its group companies ("Siili") place the highest value on protecting the privacy of its subcontractors’ persons and is committed to processing personal data carefully and responsibly. This Data Protection Statement (“Statement”) informs data subjects about how Siili processes personal data of its subcontractors’ persons. Personal data refers to any information related to an identified or identifiable person, a data subject. Data subjects under this Statement include the persons of Siili’s subcontractors belonging to Siili’s partner network.

Siili is the data controller of personal data about its subcontractors’ persons. As the data controller, Siili is responsible for personal data processing and defines the purposes and means for the data processing.

Siili processes personal data in accordance with all applicable laws, as well as Siili’s Data Protection Policy, Information Security Policy and guidelines derived from them.

Personal Data Collection Methods and Sources

Siili primarily collects personal data from the data subjects themselves or from the companies that employ the data subjects or who represent them. Usually, personal data is collected via a form available on Siili’s subcontractor portal or by emailing the contact persons who administrate Siili’s partner network. Additionally, data is maintained and updated with information produced by cooperation partners and Siili during the cooperation relationship.

Whenever personal data is intended to be collected from other sources, Siili will seek a data subject’s consent as required by law. However, consent is not needed if the authority discloses data to Siili in order for Siili to carry out its tasks as required by law.

Personal Data Collected and Processed

Siili may process the following personal data:

Basic Data – First and last names, business contact information (telephone, email, mailing address), country and locality, gender, photos.
Work-related Data – Represented partner/organization, information related to work tasks such as position, role, and the unit the person works in.

Education, Skills, and Experience Data – CV, education and degree information, professional experience, skills and competencies, certificates, interests, information on training and event attendance.

Performance and Development Data – Feedback given by Siili and its clients.

Working Time Control, Absences, and Vacations – Time and attendance management records, sick leave, parental leave, study leave, job alternation leaves, and other absences having an impact on invoicing, vacation periods.

Subcontractors’ Feedback to Siili – Subcontractor questionnaire answers and other feedback provided by a subcontractor to the extent answers and feedback can be linked to an individual.

Work Equipment and Access Rights – Information concerning work equipment and work-related services such as computers, mobile phones and the use of such equipment, information on access rights including usernames and passwords. If a data subject installs services meant for personal use in their work equipment, also related information is recorded.
Security Data – Data collected by cookies, IP addresses, log data and internet browsing information to the extent allowed by applicable legislation.

Siili may also process information concerning the modification or update of the above categories.

Legal Bases and Purposes of Data Processing

Siili processes personal data for predefined purposes based on contract, legal obligation, consent or Siili’s legitimate interests. Siili ensures that its interests can be considered legitimate and conducts an evaluation of the lawfulness of its interests.

Siili processes personal data to fulfill responsibilities and obligations related to cooperation relationship and facilitating business processes. This includes tasks such as, monitoring working time and absences, managing invoicing, and collecting feedback.

Sensitive personal data, such as health-related data, is not typically processed. If a data subject voluntarily discloses information about their diet or food allergies, for example, in the context of enrolling in an event, Siili processes such personal data only for arranging food services. This information is deleted when no longer needed, and it is not stored permanently in the register.

The table below provides more information on the legal bases and purposes of processing.

Personal Data Category	Legal Bases	Purposes
Basic Data	Contract, Siili’s legitimate interests: personal data is needed for managing and maintaining the cooperation relationship.	Managing and maintaining the cooperation relationship, such as identification of individuals as well as communications to subcontractors’ persons.
Work-related Data	Contract, Siili’s legitimate interests: personal data is needed for managing and maintaining the cooperation relationship.	Managing and maintaining the cooperation relationship, enabling business processes (e.g., client work).
Education, Skills, and Experience Data	Contract, Siili’s legitimate interests: the data is needed for ensuring sufficient skill level for different tasks and allocating subcontractors’ persons to the right client assignments as well as for following up on personal development and training.	Performance, talent and rewards management and development and enabling business processes (e.g., client work).
Performance and Development Data	Siili’s legitimate interests: by means of feedback, the skills and work of a person can be developed.	Defining work targets, evaluating a person’s performance.
Working Time Control, Absences, and Vacations Data	Contract, legal obligation, Siili’s legitimate interests: personal data is needed for managing and maintaining the cooperation relationship.	Working time control for invoicing, managing absences and vacations, and enabling business processes (e.g., client work).
Subcontractors’ Feedback to Siili	Siili’s legitimate interests: ensuring and developing satisfaction and wellness in relation to the cooperation relationship, as well as developing cooperation relationship and other operations.	Measuring work satisfaction and developing cooperation relationships and other operations.
Work Equipment and Access Rights Data	Contract, Siili’s legitimate interests: by documenting work equipment and access rights Siili ensures that persons have suitable equipment and rights considering their work tasks and use and access rights are traceable.	Managing work equipment and access rights.
Security Data	Contract, consent (regarding non-essential cookies), Siili’s legitimate interests: by documenting IP address and log data Siili ensures traceability of events and changes in information systems, applications, networks, and data content for the purpose of ensuring and maintaining information security. By access control, Siili ensures that outsiders cannot access its business premises. Using essential cookies is necessary for the proper functioning of Siili’s website and services.	Ensuring and improving workplace and information security. Cookies are employed to personalize website content and advertisements according to your preferences, facilitate social media functionalities, analyze website visits and usage patterns, and overall improve the website's performance. For further details on how Siili uses cookies, please refer to Siili’s Cookie Statement.

Personal data may also be processed based on Siili's legitimate interest to prevent and investigate misuse and issues, as well as to comply with legal requirements. Siili may process personal data also for defending its legal rights, carrying out a trial or authority process and the execution of an authority order.

In addition, personal data can be processed for reporting and analytics based on Siili’s legitimate interest or legal obligation. If identification of an individual person is not necessary considering the purpose, Siili ensures that personal data is processed in such a form that data subjects are not identifiable from the report or other end result.

Disclosures of Personal Data

Siili may disclose personal data to the following recipients:

Siili Group Companies: Personal data may be shared with companies within the Siili Group, based on Siili’s legitimate interest. These companies process personal data in accordance with this Statement or their own statement, substantially similar to this one.
Service Providers and Subcontractors: Personal data may be disclosed to Siili’s service providers and subcontractors who process personal data on behalf of Siili. Through appropriate contractual arrangements, Siili ensures that personal data is processed in accordance with this Statement and applicable laws.
Clients: Personal data may be disclosed to Siili’s clients and potential clients in relation to work assignments.
Business Partners: Personal data may be disclosed to trusted third parties, such as travel agencies, airlines, accommodation providers, banks, mobile operators, external advisors, and auditors, based on Siili’s legitimate interest.
Authorities, Legal Processes, and Legislation: Siili discloses personal data to competent authorities as required by mandatory legislation. Personal data may also be disclosed in connection with legal processes or as a response to the requests by authorities based on law, court order, court proceedings, or authority process, in compliance with applicable laws.
Mergers and Acquisitions: In the event that Siili decides to sell, merge, or rearrange its business, such actions may include disclosing personal data to potential or actual purchasers and their advisors. If the disclosure of personal data is necessary in such a situation, Siili will share only the necessary personal data and only as permitted by applicable legislation.

Data Transfers Outside of the European Economic Area

Siili may transfer personal data to Siili Group companies located outside of the European Economic Area (EEA) for arranging Siili Group’s operations. Siili may transfer personal data also to its clients, cooperation partners, service providers and subcontractors located outside of the EEA for the purposes described in this Statement.

When personal data is transferred outside of the EEA, Siili uses appropriate transfer basis (such as standard contractual clauses approved by the European Commission and possible supplementary measures) to ensure an adequate level of data protection.

Data Retention

Siili retains personal data for as long as it’s necessary for the initial or compatible purposes for which the personal data have been collected. Retention periods are determined based on mandatory legislation and common industry practices.

The retention period for subcontractors’ personal data generally ranges from one year from the date of collection to ten years following the end of business transaction or related communications or the financial year.

Siili may also delete personal data that is no longer needed for its intended purpose during the cooperation relationship. Information that becomes unnecessary, outdated, or for which there is no longer a valid reason for processing, will be anonymized or securely destroyed.

More information about personal data retention periods and deletion practices can be found in Siili’s Data Retention Policy. Detailed information on the retention of personal data collected with cookies is available in Siili's Cookie Statement.

Data Security

Siili employs appropriate organizational and technical measures to guard against accidental and/or unlawful access, alteration, and destruction, or other processing, including unauthorized disclosure and transfer of personal data.

These measures encompass (without limitation) proper firewall arrangements, malware detection, appropriate encryption of telecommunication and messages, as well as the use of secure and monitored equipment and server rooms. Data security is of special concern when third parties provide and implement IT systems.

Data security requirements are diligently observed in IT system access management and monitoring of access to IT systems. Siili personnel, processing personal data as part of their tasks, are trained and properly instructed in matters of data protection and data security.

For more information on Siili’s data security practices, please refer to Siili’s Information Security Policy.

Automated Decision-Making

Siili does not make decisions about data subjects through automated decision-making.

Data Subject Rights

Data subjects have the following rights according to data protection legislation:

Right to obtain information on the processing of personal data: The data subjects have the right to be informed of the collection and processing of their personal data.
Right of access to their data: The data subjects have the right to receive confirmation from the controller on whether or not the controller is processing personal data that concerns them. If data concerning the data subject is being processed, the controller must provide the data subject with a copy of the personal data being processed.
Right to rectification of their data: The data subjects have the right to demand the rectification of inaccurate personal data concerning them and to have incomplete personal data completed.
Right to the erasure of data: In certain cases, the data subjects have the right to have the controller erase data concerning them without undue delay.
Right to restriction of processing: The data subjects can request the controller to restrict the processing of personal data concerning them.
Right to object to the processing of data: The data subjects have the right to object to the processing of their personal data on grounds relating to their particular situation when a processing is based on legitimate interests pursued by the controller or a third party.
Right to data portability: The data subjects have the right to receive the personal data that they have provided to the controller in a structured, commonly used, and machine-readable format and, if desired, transmit that data to another controller.
Right not to be subject to a decision based solely on automated processing: The data subjects have the right to demand human involvement in decisions that concern them.
Right to file a complaint to the data protection authority: The data subjects have the right to file a complaint with the national data protection authority (in Finland, the Data Protection Ombudsman) or other data protection authority within the EU or EEA if they have experienced that personal data have not been processed lawfully.

If Siili processes certain personal data based on the data subject’s consent, they have a right to withdraw their consent at any time.

Data subjects can exercise their rights by contacting dataprotection@siili.com.

Data subjects may not be able to exercise their rights in all situations. For instance, the basis for data processing has an impact on the data subjects’ possibility to exercise their rights (e.g., if the processing is based on legal obligation, it is not possible to erase the data upon the request of the data subject).

Changes

Siili may change or amend this Statement as necessary, and therefore it is recommended that you revisit this Statement regularly. Substantial changes will be communicated to the data subjects directly.

Contact Information

For questions related to data protection, you can email Siili's data protection team at dataprotection@siili.com.