Author: Jari Mononen, CISO
Approved: Perttu Eerola, CPO
This document highlights the steps Unikie has taken for the General Data Protection Regulation (GDPR), which applies from 25 May 2018.
Many of the GDPR's main concepts and principles are much the same as those in the current Data Protection Act (DPA), so most of the existing compliance steps remain valid under the GDPR. The main changes are to make company procedures visible and systematically documented, and to address the GDPR's new transparency and individuals' rights provisions.
The GDPR places greater emphasis on internal documentation to demonstrate accountability. The compliance areas are listed in this document, and compliance requires the company to review its approach to governance and how it manages data protection as a corporate issue. One aspect of this is reviewing the contracts and other arrangements in place when sharing data with other organizations.
Unikie's personal data processing requires a legal basis. Personal data is processed lawfully, fairly and in a transparent manner. Data is collected only to the extent necessary for the purpose of the processing. Data is updated when required and kept in a form which permits identification of data subjects for no longer than is necessary for those purposes.
Unikie takes the GDPR seriously and ensures that decision makers and key people in our organization are aware that the law is changing with the GDPR. Key persons and stakeholders are aware of the impact and continuously identify areas that could cause compliance problems under the GDPR. Implementing the GDPR involves people from administration, information management, HR, recruiting, sales and accounting.
The Unikie GDPR statement is available on the corporation's public web page.
Unikie keeps track of all the personal data we hold, where it came from and who it is shared with. Unikie maintains records of data processing activities and data accuracy.
The list of the Unikie data repositories is in Annex 1. The content of the list is not public.
Unikie has reviewed the current company privacy notice against the GDPR. When collecting any personal information, Unikie explains how we intend to use that information. This is done through the privacy notice. In the privacy notice we also explain the lawful basis for processing the data, the data retention periods and that individuals have a right to complain to the Data Protection Ombudsman if they think there is a problem with the way we are handling their data. The Data Protection Ombudsman's Privacy notices code of practice reflects the new requirements of the GDPR.
Unikie's procedures cover all the rights individuals have under the GDPR, including the steps for how personal data is deleted or how the data is provided to the individual.
The GDPR includes the following rights for individuals:
Unikie stores personal data under the GDPR only in the recruiting candidate and company employee registers, so most of the rights relate either to the data stored during the recruiting process or to employee data during employment.
Unikie employees follow the data protection policy. Unikie also ensures that personal data is processed under the same privacy principles with partners and subcontractors.
Unikie will comply within 30 days when a subject access request (SAR) notice is received. A SAR must be delivered to Unikie in written format and is processed without charge. Unikie is prepared to answer individual SAR requests concerning the following details:
The answer to the SAR is delivered in written format. It can be sent to a verified email address, fetched from the Unikie Tampere office or sent by conventional mail.
Unikie has a lawful basis for its data processing activities according to the GDPR. Unikie has two main repositories containing personal data:
The employee register contains the basic information of the people working for Unikie. The data collected is used for contacting the workforce, keeping track of work history, counting the work hours done, and bank details for paying salaries. Processing employee data is based on the controller's legal obligation and the employment contract. The details of the data registered are specified in Annex 1.
The recruitment register contains potential applicants for new job opportunities. The collected information, including personal details, contact information, skills and CVs with details of earlier job experience, is used for staffing and matching with open vacancies. The persons stored in the recruitment register have given their consent (chapter 7) for storing the information according to the Unikie Privacy Notice (chapter 3).
Unikie reviews the types of processing activities annually to identify the lawful basis for each processing activity and to comply with the GDPR's 'accountability' requirements.
Unikie seeks, records and manages the person's consent for storing data in the Recruitment register. No data is stored in any register without consent. In practice, when a person submits an open application and records their recruiting information, the person needs to read and agree to the Unikie Privacy Notice. When information is received directly and stored manually into the register, consent is also requested from the person.
Consent to process any recruitment data is freely given, specific to the recruitment purpose, informed and unambiguous. The consent option in electronic forms is a positive opt-in – i.e., consent is not inferred from silence, pre-ticked boxes or user inactivity. Consent can also be verified through a SAR (chapter 5).
Consent to record and process personal data in the Employee Register is received in written format when a new work contract is signed.
The GDPR sets the age at which a child can give their own consent to this processing at 16. Unikie does not offer any online services to children and does not process personal data of children under the age of 16.
Unikie carefully follows access rights, access statistics and anomalies on our data servers. We are prepared to detect, report and investigate a personal data breach. Organizations storing high-risk information are required to notify the Data Protection Ombudsman (and possibly other bodies) when they suffer a personal data breach. As Unikie does not process any data that would pose a risk to the rights and freedoms of individuals – such as discrimination, damage to reputation, major financial loss, loss of confidentiality or any other significant economic or social disadvantage – the data we process can be treated as low-risk information.
Even though the data we process can be treated as low-risk information, Unikie follows good design practices, adopts a privacy by design approach and carries out a Privacy Impact Assessment (PIA) as part of GDPR compliance. Only information that is really required is collected, and the security and privacy measures needed for appropriate data usage are implemented.
Unikie does not need an official Data Protection Officer (DPO) according to the GDPR. However, Unikie's CPO has additional responsibility for data protection compliance. The CPO has the required knowledge, support and authority to carry out the role effectively.
Unikie operates in four member states inside the EU – in Finland, Germany, Estonia, Sweden and Poland. Unikie also has a presence in the USA, but information collected inside the EU is not processed or transferred outside the EU. Unikie's lead data protection supervisory authority (LDPSA) is the Office of the Data Protection Ombudsman in Finland. Unikie's central administration and the LDPSA make the most significant decisions related to the GDPR.