Data protection
Privacy notice of the subcontractor and partner register
1. Controller
GRK Infra Oyj (business ID: 0533768-1)
Address: Jaakonkatu 2, 01620 Vantaa
Phone: +358 10 321 4110
Email: tietosuoja@grk.fi
2. The name of the register
Subcontractor and partner register
3. Purposes and legal grounds for processing personal data
This privacy notice applies to all GRK Group companies, GRK Infra Oyj, GRK Suomi Oy, GRK Sverige AB and GRK Eesti AS (hereinafter referred to as “Controller” or “GRK”).
The controller processes the personal data of data subjects in accordance with applicable data protection legislation, including the EU General Data Protection Regulation (2016/679) and national data protection legislation.
The purposes of processing personal data are:
- Performing activities related to the selection, evaluation, procurement, contracting and management of subcontractors and suppliers, monitoring the accuracy of invoicing and maintaining the business relationship.
- Planning, resourcing, coordination, implementation and quality assurance of cooperation and projects.
- Ensuring occupational safety and efficiency of work sites
- Managing employee access rights and permits on sites.
- Compliance with the requirements of the controller and the controller’s client.
- Processing personal data of users of mobile applications provided by the controller; personal data are collected in the register in order to allocate work and driving assignments to the right persons according to the payroll or billing basis.
- Control of the usage of GRK’s assets.
- Compliance with the legal obligations of the data controller, such as the Occupational Safety and Health Act, the Tax Procedure Act and the Act on the Tax Code and the Tax Code Register for the Construction Sector, the Act on the Contractor’s Obligations and Liability when Work is Contracted Out and the Accounting Act.
The legal basis for the processing of personal data is as follows: - The controller’s legal obligations are the basis for processing personal data where the controller needs to process the data subject’s personal data in order to comply with a legal obligation imposed on the controller. For example, according to Article 52b of the Occupational Safety and Health Act, the main contractor must keep an up-to-date list of employees and self-employed persons working on a common construction site in order to ensure safety at work and to monitor the obligations laid down in that Act.
- A contract is the basis for processing personal data where the controller needs to process personal data for the implementation of a contract between the controller and the data subject, or for the implementation of pre-contractual measures at the request of the data subject. This is the case, for example, where the controller enters into a contract with a business operator (sole trader) to obtain services from the latter.
- The legitimate interest of the controller is the basis for processing personal data where there is a material connection between the data subject and the controller. Such a material connection arises, for example, where the data subject contacts the controller on his or her own initiative or where the controller processes the data subject’s personal data, for example, in the context of a business or cooperation between the data subject’s employer and the controller.
The disclosure and processing of the data subject’s personal data is necessary for the performance of the obligations arising from the contract between the controller and the data subject and from the law. If the necessary personal data of the data subject could not be processed, it would not be possible for the data subject to work on the controller’s sites or to cooperate with the controller.
4. Categories of personal data processed
The register contains information on the following persons:
- Subcontractors and suppliers and their agents and employees
- Other partners and their representatives and employees
- Consultants, self-employed persons (sole traders)
- Members of the controller’s own staff working on the sites
The following information about the data subject, which is necessary for each of the purposes mentioned above, is processed, such as: - Name
- Date of birth
- Phone number
- E-mail address
- Address
- Details of the cooperation relationship: nature of the working and commissioning relationship
- Attendance record at the site
- Other identifying information (e.g. business ID or tax number for those working with a tax card)
- Educational background and work history, qualifications
- Start and end dates of work
- Employer’s details, name and business ID or foreign equivalent
- Induction
- Information on the employer’s home country
- Information on employment and residence in Finland, as well as on insurance
The main contractor of a joint construction site must submit this information monthly to the Tax Administration for tax control purposes on employees and self-employed persons working on the joint construction site, as well as on employers and subcontractors.
Data processed when using mobile applications - Name
- E-mail address
- Tax number
- Address
- Phone number
- Vehicle registration number
- Working time records
- Time and place of driving loads
- Location data
5. Regular sources of personal data
As a rule, personal data is obtained from the following sources:
- From the data subjects themselves
- From the employer of the data subject
- From public authorities and public registers, such as the Patent and Registration Office’s Business and Community Information System.
6. Henkilötietojen luovutus ja siirto
The controller discloses personal data to the tax authority in order to comply with its legal tax obligations.
In the context of submitting quotes, the controller discloses to its customers the personal data necessary for its own staff and those of its subcontractors who are named in the quote as the persons performing the work. Such data, which are processed in order to meet the customer’s requirements, include, for example, CV, work history and qualification data attached to the quote.
An external auditor auditing the controller’s activities may also process personal data in connection with the audit.
Personal data may be transferred and processed by companies belonging to the same group as the controller on the basis of their legitimate interest for internal administrative reasons, such as sales, marketing, invoicing, internal reporting and business development.
For the technical implementation of its services, the controller uses trusted service providers who process personal data on behalf of the controller under a data processing agreement between the controller and each service provider, as required by applicable data protection legislation. The service providers shall process the personal data under the responsibility of the controller in accordance with the data processing agreement and the controller’s documented instructions.
The controller uses the Zeroni service to manage the people working on the site.
Personal data may be transferred outside the European Union or the European Economic Area in accordance with and within the limits of data protection legislation. The controller shall ensure an adequate level of data protection in accordance with the requirements of the applicable data protection legislation, including in situations where personal data are transferred outside the European Union or the European Economic Area, by complying with the equivalence decisions adopted by the European Commission and, where applicable, by using the standard contractual clauses for the transfer of personal data adopted by the European Commission, together with any necessary additional safeguards.
7. Retention of personal data
As a rule, the controller processes personal data during the course of the business relationship.
The controller processes and retains the data only for as long as required by law or as necessary for the predefined purposes for which the personal data are collected. For example, a list of people working on a common construction site must be kept for six years from the end of the year in which the site was completed. Personal data that have become redundant and that the controller no longer has a purpose or obligation to retain or process will be deleted at regular periods in accordance with the controller’s own data protection practices. The controller may also process personal data for as long as necessary for the establishment, exercise or defence of legal claims.
The Zeroni service saves and retains data that the controller has provided through the Zeroni service or otherwise communicated to the Zeroni service, for as long as the controller is registered with the Zeroni service. Upon termination of the use of the Zeroni service by the controller, the personal data will be stored by the Zeroni service provider for a period of five years thereafter, in order to allow the Zeroni service provider to respond to any questions/queries concerning the controller’s data within the scope of the purpose of the register. After this period, the controller’s personal data will be deleted from the Zeroni service provider’s information system, except for the data that must be retained by law. The controller’s register data will be published on the Zeroni service and made available to users of the Zeroni service.
8. Protection and security of personal data
Access to the register of personal data is only granted to representatives of the controller who are bound by the obligation of confidentiality and who have a legitimate need to process the data of the register for the exercise of their duties.
The controller has provided its employees and service providers with binding written instructions and provisions on the processing of personal data and data protection, which they have undertaken to comply with.
The security of information systems is adequately ensured, including through encryption and other technical safeguards. We regularly review our personal data processing activities and the systems and devices used in them, including assessing the risks inherent in our personal data processing activities, for example when new technologies are introduced.
9. Automated processing of personal data and profiling
The controller does not use automated decision-making, such as automated profiling, as part of its personal data processing activities.
10. Rekisteröidyn oikeudet
The data subject has rights under the EU General Data Protection Regulation.
Right | Description |
Right of access to personal data | The data subject has the right to obtain confirmation from the controller that personal data concerning him or her are or are not being processed. If personal data are processed, the data subject has the right of access. |
Right to request rectification, erasure or restriction of processing | The data subject has the right to request the controller to rectify inaccurate data concerning him or her and to erase any personal data concerning him or her on the grounds provided by law. The data subject’s right to erasure does not apply to data for which processing is necessary for compliance with a legal requirement or for the establishment, exercise or defence of legal claims. Some personal data processed by the controller are subject to a legal retention obligation and the controller cannot therefore erase such data before the expiry of the legal retention period. |
Right to object | The data subject has the right to object to the processing of his or her personal data on grounds relating to his or her particular situation, where the controller processes the personal data on the basis of a legitimate interest. |
Right to data portability | The data subject has the right to receive personal data concerning him or her which he or she has provided to the controller in a commonly used and machine-readable format and the right to transmit such data to another controller without the controller’s interference, where the processing is based on consent or on a contract and the processing is carried out automatically. The data subject shall have the right to obtain the transfer of personal data directly from one controller to another, where technically possible. |
Right to withdraw consent | Where personal data of the data subject is processed on the basis of his or her consent, the data subject has the right to withdraw his or her consent at any time. Withdrawal of consent does not affect the lawfulness of the processing of personal data carried out on the basis of consent prior to its withdrawal. |
Right to file a complaint to the supervisory authority | Without prejudice to any other administrative or judicial remedy, the data subject shall have the right to submit a complaint to a supervisory authority, in particular in the Member State where he or she has his or her habitual residence or place of work or where the alleged breach has occurred, if he or she considers that the processing of personal data concerning him or her infringes the GDPR. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman, whose contact details and instructions can be found at www.tietosuoja.fi. |
Before executing the request, the controller has the right and the obligation to verify the identity of the person making the request, which is why the controller must be able to identify the person making the request in an appropriate manner.
If the request is clearly unjustified or unreasonable, the controller may either charge a reasonable fee based on administrative costs for carrying out the requested action or refuse to carry out the requested action.
11. Further information
The controller may update this privacy notice from time to time. This privacy notice was last updated on 16 May 2024.