HANDLING OF PERSONAL DATA AT INNOLINK
The legality, reliability, security and transparency of personal data processing are important values for us, and they are also a part of the responsibility of our business. It is important to us that our customers, survey respondents, staff and job applicants know and can trust that their personal data is safe, and that the data is only used for the purposes for which it was collected.
To guarantee the best possible protection for the personal data we process, we constantly audit our data protection practices and regularly update our data security-related procedures and technical solutions. We train our personnel and regularly review the regulations and instructions related to the processing of personal data.
Our responsible operating methods are based on the EU and Finnish legislation, and our operations are guided by the agreed practices of the market research industry. As a member company of the Finnish Association of Marketing Research Agencies, we comply with the ethical operating rules drawn up by the ICC (International Chamber of Commerce) and ESOMAR (European Society for Opinion and Marketing Research), which define the obligations and customer’s rights related to research activities.
We collect and process the personal data of our customers and potential customers, survey respondents, staff and job applicants. In this statement, we explain what kind of information we collect, how we use the information we collect and how it is processed. We also tell you about the data subject’s rights in relation to their own personal data.
Innolink Group Oy, Innolink Research Oy and Innolink Staff Oy (hereinafter referred to as “Innolink”)
Contact person in matters concerning the register
Innolink Group Oy and Innolink Research Oy: Katriina Virtanen, tel. +358 50 436 4519
Innolink Staff Oy: Jenny Hieta, tel. +358 50 513 7719
Innolink Germany GmbH: Dörte Nordbeck, Tel. +49 176 56114845
2. PROCESSING OF PERSONAL DATA OF CUSTOMERS AND POTENTIAL CUSTOMERS
2.1. The personal data processed
Our customers primarily comprise companies, non-profit organisations and public sector organisations. The registers contain the contact information of our customers and potential customers, which may include:
- the name, position in the organisation, postal address, e-mail address, telephone number, direct marketing consent or prohibition as well as the IP address.
2.2. Legal basis for processing personal data
We process personal data only on the legal grounds permitted by the General Data Protection Regulation (GDPR) and other legislation.
Primarily, we process the personal data of customers or potential customers on the basis of an agreement or consent. Secondarily, the processing of personal data may be based on a legitimate interest. For example, a legitimate interest can come into question as a basis for processing when we are in contact with potential customers or former customers that have previously purchased our services or products in accordance with the general practice prevailing in the industry.
2.3. Purposes of processing personal data
We may use customer or potential customer information for the following purposes:
providing service in accordance with the contract, managing the customer relationship, customer communication, marketing and sales promotion of products and services (including electronic direct marketing), selling products and services, handling and implementing complaints and additional service requests, invoicing and other financial measures, developing products and services, developing business, online behaviour (including opening links and visits to the website of the controller and its representatives).
2.4. Data sources
We primarily collect data from our customers or potential customers. For example, information can be collected from contact requesters, raffle participants, newsletter subscribers or research panellists. We also collect information about visitors to our website by means of cookies. Read more about cookies below.
External sources, such as public or commercial registers, are also used as data sources.
3. PROCESSING OF THE PERSONAL DATA OF SURVEY RESPONDENTS
3.1. The personal data processed
Depending on the research to be conducted, different background information can be collected from the survey respondents. This data may include:
- contact information, such as name, position in the organisation, postal address, e-mail address, telephone number
- information related to segmentation and profiling, such as gender, year of birth, education-related information, financial and employment-related information
- information related to personal interests
- survey responses
- information about refusal to participate in research
In connection with telephone interviews, the interviews can be recorded. The interviewees will be informed in advance about the recording.
3.2. Legal basis for processing personal data; information sources
The processing of personal data of survey respondents is based on consent or a service contract concluded with the customer, based on which the customer provides Innolink with the respondents’ contact information.
The data is primarily collected from the survey respondents themselves.
3.3 Purpose of processing personal data
The information provided by the respondents is used for reporting and analysing the research results.
In accordance with industry practices, we are committed to protecting the anonymity of research respondents. The research results are thus reported to the research customer in such a form that individual respondents cannot be identified. The exception is individual studies where the research respondent has given their express consent to the reporting of the answers in such a way that the answer can be linked to personal data.
We never pass on the personal data provided by the research respondent for marketing purposes or to third parties.
4. PROCESSING OF THE PERSONAL DATA OF STAFF
4.1. Personal data to be processed, purpose of use and legal basis
We collect and use staff information to fulfil the obligations and tasks arising from legal obligations or the employment contract. Therefore, the basis for processing is usually a legal obligation or an agreement/consent made with the employee. Legitimate interest can also come into question in some situations.
Personal data collected on staff include:
- basic information, such as name, personal number, address, telephone number, e-mail address
- information about the employment relationship, such as start date, possible limited duration and basis thereof, agreed working hours, end date
- salary information and bank contact information, tax card or withholding tax rate
- educational information and special skills
- information about realised working hours and absences
- information related to an individual employee created during the employment relationship, such as conversation notes
- processing and log data on the use of information systems
- other information relevant to the employment relationship
Data is collected only to the extent that it is necessary at any given time. Information irrelevant to the employment relationship or the obligations arising from the employment relationship is not collected or stored.
4.2. Data sources
Personal data is primarily obtained from the employees themselves. Based on law or consent, the employer can also receive information from other sources, such as a pension insurance company, accident insurance company or occupational health care, to the extent permitted by law (e.g. work capacity assessment).
5. PROCESSING OF THE PERSONAL DATA OF JOB APPLICANTS
Information is collected from job applicants in order to carry out the recruitment process. Data collection and processing are based on the consent given by the applicant.
The personal data collected may include the following:
- basic information such as name, address, telephone number, e-mail address
- job application and CV (including employment history)
- educational information and special skills
- information on references
- suitability assessment information
- other information relevant to the recruitment process
If a site user leaves a contact request through the site, we collect the information in the comment form as well as the user’s IP address and browser version information to facilitate the identification of spam messages.
7. DISCLOSURES OF PERSONAL DATA AND TRANSFER OF PERSONAL DATA OUTSIDE THE EU
We can disclose personal data on a limited and confidential basis to our subcontractors or partners in order to perform the agreed service (such as conducting research interviews, calculating salaries and making payments). We have concluded comprehensive personal data processing agreements with our subcontractors and partners as well as verified the reliability of operators from public registers, such as the Finnish trade register and tax debt register.
Our subcontracting relationships are mainly long-term strategic partnerships. All employees of Innolink and its subcontractors have signed non-disclosure agreements and are committed to handling personal data with the care and confidentiality they require.
The personal data we process is not transferred outside the EU.
8. STORAGE AND DELETION OF PERSONAL DATA
Personal data is stored as long as is necessary due to the purpose of use of the data.
The survey responses will be stored for the duration of the contract with the customer, and subsequently as separately agreed with the customer. Information related to prizes and raffles is archived in accordance with the Accounting Act.
Basic information related to an employee and information about key work tasks are stored for 10 years after the end of the employment relationship. Other employment relationship information is kept for 2 years after the employment relationship ends.
Job applicants’ information is kept for 2 years after the recruitment decision is made, unless otherwise agreed with the applicant.
Personal data is deleted from our registers after the specified or agreed deadlines.
Retention periods can be extended if the preparation, presentation or defence of a legal claim requires it.
Among other things, retention periods are based on warranty promises and requirements, general expiration times as well as long, returnable and renewable customer relationships observed in practice.
9. PRINCIPLES OF PERSONAL DATA PROTECTION
Personal data is protected by technical and organisational methods against accidental or intentional inappropriate and/or illegal changes, access to data, destruction and other irrelevant processing.
All physical materials containing personal data are stored on locked office premises with limited access rights. Personal data registers in electronic form are stored only in password-protected designated locations, from which they are retrieved and destroyed centrally after the set deadlines.
Among other things, information security measures also include appropriate firewall arrangements for information systems, physical protection of servers (e.g. locked rooms and backups), encryption of data transfer as well as the restriction of access to information systems and/or their data, implemented with access rights.
Innolink’s staff handling personal data are regularly trained in data protection and information security matters. All Innolink employees have signed a confidentiality agreement.
Innolink has concluded comprehensive data processing agreements with its subcontractors and partners, and it has required their employees to sign a confidentiality agreement as well.
10. RIGHTS OF THE DATA SUBJECT
10.1. The right of inspection and the right to demand the correction or deletion of data
Persons whose identifiable information has been stored in Innolink’s registers (data subjects) have the right to check the information concerning themselves and the right to demand correction and deletion of the information.
The written inspection request must be submitted by e-mail, letter or in person to the contact person for register affairs mentioned in Section 1.
The request must include the following information:
• first and last name
• contact information, such as address, phone number, e-mail address
• information about the register and the type of personal data in question
• information regarding the correction or limitation of data being demanded
• date, location and signature
If necessary, we may request additional information to confirm the identity of the requester.
10.2. Other rights related to the processing of personal data
If Innolink has no legal or contractual right or obligation to process personal data, a data subject has the right to object to the processing of their data or to request that the processing of their data be restricted. At any time, the data subject can make a request such as is described in Section 10.1.
Among other things, this means that the data subject can prohibit the use of their personal data for direct marketing purposes.
If the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw their consent at any time.
This statement on the processing of personal data at Innolink was prepared and approved on 1 December 2022. If we make changes to this statement, we will update the new statement on our website and mark the date of the update on it. If the changes we make are significant from the point of view of the data subjects, we will inform the data subjects about them, for example by sending an e-mail or by preparing a notice for our website.