Privacy Statement (in English)

About the document

A privacy statement is a communication tool that a company uses to explain its principles for processing personal data. It is therefore important external communication about data protection.

How does Sopimustieto work?

  • Ease: Create documents easily and quickly with quick selections
  • Support: You can ask our lawyers for advice in real time
  • Finishing: Sign electronically and archive automatically

Over 70,000 users trust Sopimustieto

More information about the document

An account of the processing of personal data for data subjects

A privacy statement is a document in which a company explains how it uses and protects the personal data it collects. The privacy statement is provided for information to the data subjects, that is, the people whose personal data is being processed. In practice, a statement therefore has to be drawn up in a wide variety of situations. For example, if you collect information about your individual customers, you have an obligation to draw up a statement.

When the old Personal Data Act was still in force in Finland, register descriptions were written. A privacy statement is in practice an extended version of the register description.

Concern about personal data has grown in recent years

The obligation to draw up a privacy statement is based on the EU’s General Data Protection Regulation (“GDPR”), which became binding in May 2018. The Regulation emphasises the openness of the processing of personal data and lays down, in more detail than before, companies’ obligation to inform and the rights of data subjects. The GDPR gives the Data Protection Ombudsman the possibility to impose even heavy fines if the Regulation has been infringed.

With the GDPR, Finland repealed the Personal Data Act, which previously regulated personal data (including register descriptions). The old register description templates are no longer up to date.

Sopimuskone’s privacy statement template takes the requirements of the GDPR into account

Sopimuskone’s privacy statement is a smart statement template that adapts to your choices. The template’s model contents have been drafted by our lawyers. They are suitable as such for a large share of data processing situations, but if you wish, you can edit them or write your own content entirely. Sopimuskone advises you on the meaning of the different options as you draw up your statement.

This privacy statement template is in English. Alternatively, you can use the Finnish-language version, which is available separately in Sopimuskone.


--------------------

Privacy Statement

What is a privacy statement?

A privacy statement (also called privacy policy) is a communication tool that a company uses to explain how it uses and protects the personal data it collects. The privacy statement is provided for information to the data subjects, that is, the people whose personal data is being processed. In practice, you need to create this statement in various different situations. For example, if you collect information from your individual customers, you have an obligation to draft a statement.

In Finland, register descriptions were required under the old Personal Data Act. A privacy statement is an extended, updated version of the register description.

Why is a privacy statement required?

The obligation to draw up a privacy statement is based on the EU’s General Data Protection Regulation (GDPR), which entered into force in May 2018. The General Data Protection Regulation emphasises the openness of the processing of personal data and contains more detailed provisions on companies’ obligations to inform and on the rights of data subjects. The GDPR allows the Data Protection Ombudsman to impose heavy fines for infringements.

In Finland, the regulation superseded the Personal Data Act which was previously used to regulate personal data (including register descriptions). The old register description templates are no longer up to date.

What is personal data?

Personal data refers to all information that can be used to identify a private individual, either directly or indirectly. For example, your name, personal identification number, date of birth, telephone number and network identification information, such as your IP address, are all personal data.

How do I use Sopimustieto to create a privacy statement?

Sopimustieto will instruct you in the creation of an appropriate privacy statement. Sopimustieto’s versatile privacy statement template includes dozens of standard clauses created by our lawyers which are typically used in privacy statements. You can add, delete or edit our standard clauses or add your own content as you see fit.

This is not a template for an individual privacy statement or a form template, but modern Finnish technology that will create a tidy, high-quality document almost by itself.

Once you have created the statement, make it available for your data subjects on your website, for example.

Which standard content does Sopimustieto offer?

Our privacy statement template includes the following sections based on data protection legislation, among other things:

  • Basis and purpose of processing personal data
  • Personal data being processed
  • Regular data sources
  • Retention period for personal data
  • Rights of the data subject (e.g. right to be forgotten)
  • Disclosure of personal data to third parties
  • Transfer of personal data outside the EU or the EEA
  • Principles of protecting personal data (e.g. data security)
  • Profiling (the automated processing of personal data in order to evaluate the personal characteristics of the data subject)
  • Contact information for the controller

The information that needs to be provided to the data subjects depends on the situation. For example, the legal basis for and purpose of the processing of personal data and the contact details of the controller, your company, must always be explained. Not everything needs to be mentioned. If, for example, personal data is not used for profiling the data subjects or transferred outside of the EU or the EEA, this does not need to be separately mentioned.

On which basis can I process personal data?

The processing of personal data must be based on a reason stated by law. Examples of such include:

  • Consent by the data subject (specific and clearly documented)
  • An agreement that the data subject is party to (e.g. customer agreement)
  • The controller’s legitimate interest (e.g. their role as an employer)
  • Public interest or the exercise of official authority by the controller
  • The controller’s statutory obligation or a law

In addition to the formal legal basis, the processing of personal data must have a specific purpose that must be explained in the privacy statement. This obligation has not changed from the days of the register description. Purposes may include, for example, recruitment, employment relationship management, marketing, maintaining customer relationships and partnerships and organising events. However, the introduction of the GDPR has emphasised the principle of data minimisation – personal data must not be processed unless a reasonable basis for it exists. In other words, data must not be collected and stored “just because”.

How extensively do I need to explain the disclosure of personal data to third parties?

A disclosure of personal data occurs when, for example, the controller discloses or transfers personal data to an external processor. The data subject must be provided with a report of such disclosures.

For example, the external processor may be an accounting firm that your company (the controller) has contracted to calculate wages and to which you explain when wages need to be paid or when an employee leaves the company or receives a raise.

As a rule, the data subject should always be provided with information regarding the actual (named) recipient of the personal data. If you do not want to specify the recipients, please record the personal data recipient groups as precisely as possible by describing the type of the recipients (reference to their processing activities), their field of business, sector and location, for example.

Which rights does the data subject have?

The data subject has specific rights set in the General Data Protection Regulation, such as the right to access and rectify all personal data concerning them that is being processed. Under specific circumstances, the data subjects also have the right to have their data erased (“right to be forgotten”). The privacy statement must explain all these rights, which Sopimustieto has taken into account.
