Human Resources management system's privacy statement

Articles 13 and 14 of the EU General Data Protection Regulation

Data Protection Act (1050/2018)

Articles 13 and 14 of the Combined Data Subject Information Document (EU Data Protection Regulation 2016/679)

1. Controller

Seinäjoki University of Applied Sciences
Kampusranta 11, Frami F
FI-60320 Seinäjoki, Finland
+358 20 124 3000

2. Controller’s representative

Director of Administration

2a. Official responsible for the personal data file

Director of Administration

2b. Contact persons in matters relating to the data file

Leena Myllyaho, HR Secretary, Payroll Administration (System Administrator)
Seinäjoki University of Applied Sciences
tel. +358 40 8302414

Mirva Rantamäki, HR Secretary, Payroll Matters
050 444 0369

Teija Rintamäki, HR Secretary
Seinäjoki University of Applied Sciences
tel. +358 40 830 3989

2c. Contact details of the Data Protection Officer

Jarmo Jaskari, Data Protection Officer, Seinäjoki University of Applied Sciences
tel. +358 40 868 0680

3. Name of the data file

Human Resources management system

4. Purpose of processing personal data/data file use

Salary and bonus payment and processing and forwarding of payroll information to various stakeholders. Planning, management, monitoring and statistics of personnel, salary and service relations matters, as well as issues related to domestic and foreign travel of personnel and expense invoices, as well as managing the employer’s statutory and voluntary tasks.

The information entered into the system is what the limited company needs to handle its duties as an employer toward its employees and trustees.

• Maintenance of personnel administration information
• Maintenance of employment relationship data (based on salary)
• Payment of salaries, bonuses, travel invoices and expense invoices
• Payment of other payments (e.g. taxes, pension payments, social security payments, foreclosures)
• Making travel plans, travel advance applications, travel invoices and expense invoices, as well as approving, rejecting them or transferring them to the author for correction
• Statistics (e.g. EK’s September statistics, quarterly statistics to be sent to the pension institution, internal personnel administration statistics, quarterly declaration of unemployment benefits, Statistics Finland’s statistics)

Materials to be stored:

• Accounting materials (tax, credit card, sotu, foreclosure, social security payments)
• Annual declaration (insurance company)
• Salary cards
• Material related to the payment of salaries/meeting fees

  • Salary calculations
  • Salary breakdown
  • Salary accounting transfer listings
  • Bank list Sepa (salary payment lists)
  • Salary preparation material (e.g. absence events, holiday pay, events, travel invoices)
  • Parameter salary list
  • Checklist for paid driving
  • Katre salary information transfer list
  • Foreclosure settlement
  • Settlement of Ay payments

• Holiday pay reservation lists
• Service time decisions
• Salary certificates

5. Purpose of maintaining the data file

Statutory obligation of the registrar. The use of the register is based on the legislation on limited liability companies. Legislation and regulations are listed in the section Regular data release and monitoring and in the following list:

  • Act on the Protection of Privacy in Working Life 759/2004
  • University of Applied Sciences Act 932/2014
  • Health Insurance Act 1224/2004
  • Employment Contracts Act 55/2001
  • National Pension Act 568/2007
  • Income Tax Act 1535/1992

5a. Data content of the file

The register contains information on persons employed by the limited company (salaried employees, bonus recipients) and trustees.

The register stores:

• The person’s basic information (e.g. name, date of birth, social security number, contact information)
• Details of the service relationship
• Salary information
• Payment-related information (e.g. account number, trade union membership, tax information, pension information)
• Salary and bonus payment information
• Information about trainings
• Information about domestic and foreign trips and travel costs
• Information about expense invoices.

Data storage periods are determined in accordance with the limited company’s archive formation plan.

5b. Information systems using the data file

  • Project management system and working time tracking
  • User management
  • Tyvi
  • Siirinet
  • Financial management information system
  • Wages included
  • Incomes Register
  • Kela’s business services

6. Regular sources of data

  • From the person himself: personal information (with eForm), premium payment information (with eForm), suspension information, paid and unpaid absences by event type, change tax cards and travel information and expense account information
  • From the tax authority: information related to the tax rate (electronic transfer)

7. Regular disclosure of data

• Direct transfer of tax cards with the taxman
• Settlement of Ay membership fees for trade associations (monthly and ¼-year notices)
• Statistical information for Statistics Finland, EK and OKM (salary information, basic information on work and official relationship)
• Annual and accident notification information for insurance companies
• Notifications related to daily allowances to Kela
• Salary payment information and bonus payment information for banks and accounting.
• Salaries paid to Reportronic and suspension information.
• Service relationship information (not salary information) to user management, from which information is transferred, e.g. to student administration system and Project management system.
• Other statutory transfers

8. Transfer of data outside the EU or the EEA

No data stored in the file is transferred outside the EU or the EEA.

9. Principles of data file protection

A. Manual material

Manual material is stored in locked cabinets.

B. Computer-processed data

The information systems in which the personal data file is maintained are managed following the company’s information security rules and guidelines. The information systems and their interfaces are protected technically by such means as a firewall, and the system data are backed up regularly.

Access right groups are used to restrict access to the information systems, ensuring that each user can only access the data they need in their tasks.

The system can only be accessed via a secure network connection. A personal username and password are required to access the system. Access rights are withdrawn when a person no longer performs relevant tasks.

Behaviour control:
The system automatically logs user activity on the system, and logs are generated to monitor system usage and attempts to use the system in accordance with job tasks. The log files are stored in an information system with restricted access (read or write) for the persons responsible for the maintenance of the service and the systems. Any accesses and modifications are recorded in the log. The logs stored in the database are used to monitor and report on the correct use of the information systems and on possible cases of misuse.

Sections 21 and 40 of the Universities of Applied Sciences Act contain provisions on confidentiality of information. Further provisions are contained in section 24 of the Act on the Openness of Government Activities. Particular attention is paid to the security of confidential and sensitive data referred to in section 11 of the Personal Data Act.