
Epassi service general terms of contract for employer customers 

Epassi is a digital service which combines employee benefits into a service and offers a smart and reliable way of improving employee wellbeing. With the Epassi service, the employer company offers employee benefits to their employees. We have prepared a list of essential matters that will facilitate our cooperation. After you have registered as an Epassi customer, we both undertake to comply with these Terms of Contract. These General Terms of Contract apply between the Customer and Epassi as part of the Service Contract. More detailed instructions on the use of the Epassi service are available at https://www.epassi.fi/en/home. Epassi will notify the Customer’s contact person of any potential changes to the instructions before their implementation. In case of conflict, the Service Contract has precedence over the instructions.

Contents

1. Definitions
2. Service
3. Scope of application
4. Use of the Service
5. Availability of the Service
6. Customer service
7. User account and information provided by the Service providers
8. Data protection
9. Invoicing
10. Special terms of the Epassi Wellbeing benefit
11. Validity of the Contract
12. Termination of the Contract
13. Contract amendments
14. Right of reference
15. Intellectual property rights
16. Confidentiality
17. Limitations of liability
18. Applicable legislation and dispute resolution 

1. DEFINITIONS

1.1         Customer refers to you as the employer using the Service.

1.2         Epassi refers to Epassi Finland Oy.

1.3         Epassi Finland Oy (hereinafter also referred to as “Epassi” or “Epassi Finland”) is responsible for the provision of the service package related to the obtaining of and paying for the employee benefits to the Customer as well as for processing the employee and fringe benefit payments.

1.4         Epassi Clearing Oy (hereinafter also referred to as “Epassi Clearing”) is responsible for processing the employee and fringe benefit payments as well as for general payment processing services in accordance with the payment institution licence. Epassi Clearing has a payment institution licence pursuant to the Act on Payment Institutions (297/2010) granted by the Financial Supervisory Authority (The Financial Supervisory Authority, Snellmaninkatu 6, 00101 Helsinki, https://www.finanssivalvonta.fi/en/).

1.5         Parties refer jointly to Epassi Payments and the Customer.

1.6         Payment instrument refers to a personal instrument or operating method, or their combination, which can be used for payment orders.

1.7         Epassi Payment instrument refers to the Payment instrument organised by Epassi, which becomes available for the Employees and other consumers due to deployment of the Epassi systems and/or Service.

1.8         Epassi Wallet refers to mobile payment and/or payment processing service operations provided by Epassi Clearing and/or its Partner or jointly by them which are offered to the Employees and/or consumers.

1.9         EpassiBIKE: With the EpassiBike service, the Employer can offer an employee bicycle benefit through a leasing contract to the Employee. With Epassi Bike, the employee can acquire a traditional or electric bicycle and accessories (according to the legislation or tax instructions of employee benefits and the employer's rules) for the lease contract period. At the end of the leasing contract period, the Employee may, subject to certain terms, redeem the bike for himself. Epassi manages the service for the Employer and the Employee. The special terms of the EpassiBIKE service are presented separately in Appendix 5.

1.10       Employee benefit Payment instrument refers to a targeted non-taxable or tax-subsidised payment instrument for employee benefits or other fringe benefits intended for the Customer’s Employees, the use of which is limited to certain pre-determined purposes of use.

1.11       General Payment instrument refers to a payment instrument that is used by consumers when using the Epassi Wallet services for payment orders.

1.12       Mobile app refers to the mobile app, developed and owned by Epassi, for the monitoring, paying and use development of Employees’ employee benefits as well as for the use of Epassi Wallet services.

1.13       Service refers to a service package focusing on the maintenance and management of non-taxable and tax-subsidised employee benefit payment services offered for the Customer and the Employees online, including also the Online service and Mobile app intended for their technical management, and EpassiBike-service.

1.14       Online service refers to the Service management tool offered for the Parties online (www.services.Epassi.fi).

1.15       Service provider refers to a seller of services who has signed a contract with Epassi offering services that can be paid for with the Epassi Payment instruments.

1.16       Contract refers to the service contract package between the Parties, which is described in detail in the Service Contract.

1.17       Balance refers to the access right, which is measured in money, that is uploaded in the Employee benefit Payment instrument.

1.18       Partner refers to a third party cooperating with Epassi Clearing pursuant to a contract whose services or service functionalities are available in Epassi Wallet.

1.19       Employee refers to the Customer’s Employee who uses the Epassi Payment instruments.

2. SERVICE

2.1         The Parties have agreed on the deployment of the Service for the management of the Customer’s non-taxable and tax-subsidised employee benefits and other fringe benefits. The Service enables the management of employee benefit distribution, payment processing and monitoring.

2.2         Partner refers to a third party cooperating with Epassi Clearing pursuant to a contract whose services or service functionalities are available in Epassi Wallet.

2.3         Employee refers to the Customer’s Employee who uses the Epassi Payment instruments.

3. SCOPE OF APPLICATION

3.1         These General Terms of Contract have been translated into English and Swedish in order to improve their usability. In the case of a conflict between the application of different language versions, the original Finnish Terms of Contract take precedence.

3.2         The Contract between Epassi and the Customer consists of the whole for which the following order of precedence applies:

I.                Contract

II.               Data Processing Contract

III.             General Terms of Contract

IV.             Epassi Service Descriptions

V.               EpassiBike-Service Description

4. USE OF SERVICE

4.1         The Customer is entitled to use the Service after the Contract has entered into force. The Service is offered as a “Software as a Service” (SaaS) service, in which the Customer orders access to the Service which is made available online. Once the Customer has made the order, the Customer will be granted access to the Service in accordance with the Contract. These General Terms of Contract are applied to all parts of the Service, including functionalities possibly added later.

4.2         The Customer agrees that the Service is delivered as it is. The Service does not fulfil other special requirements than those agreed with the Customer in the Contract and the Customer uses the Service at their own risk. The Service and its delivery are not always flawless, and the Service is continuously being improved.

4.3         The Epassi Payment instrument is a personal payment instrument and it can only be used to make payments to the Service providers who have joined Epassi’s merchant location network.

4.4         In addition to the Terms of Contract, the Customer undertakes, when using the Service, to comply with the currently valid legislation concerning Payment instruments as well as other applicable rules and regulations, instructions of the authorities and especially the currently valid instructions of the Tax Administration concerning the acquisition of fringe and employee benefits using targeted payment instruments and the instructions concerning employee benefits in taxation. The Customer is aware that restrictions caused by the decisions and instructions of the authorities and their amendments may affect the use of the Service as well as the non-taxable and tax-subsidised employee benefits offered to the Employees.

4.5         When deploying the Service, the Customer approves that Epassi may transfer its outstanding claims from the Customer to Epassi Clearing. This is necessary for ensuring the Service’s functionality. Epassi Clearing, as Epassi’s subcontractor, is responsible for the management of Epassi Payments’ transactions and remitting the employee benefit payments to its Service providers.

4.6         It is not possible to exchange the Balance uploaded to the Employee benefit Payment instrument into cash for the Employee’s use. When using the Employee benefit Payment instrument, the Service provider cannot give change in cash when the value of the payment exceeds the value of the obtained service.

4.7         The Employee can, after deploying Epassi Wallet, upload balance or funds on their own MyMoney account or convert the Partner’s regular customer scheme points into monetary funds. All balances and funds uploaded to Epassi Wallet by the Employee are subject to the separate Terms of Use between the Employee and Epassi, which are available at https://www.epassi.fi/terms-of-use.

4.8         When deploying the Service, the Customer has reported the employee benefit use value for the calendar year. If the Customer wishes to make changes to the employee benefit value for the following calendar year, the Customer must report the benefit values for the following calendar year to Epassi no later than on 1 December of the current year.

4.9         The products and functionalities available to the Customer after the Service deployment are described in the Contract’s Appendix 3 Epassi Service Description for Employers.

5. AVAILABILITY OF SERVICE

5.1         Epassi continuously develops and maintains the Service and aims at always keeping the Service available. However, Epassi cannot guarantee an uninterrupted or flawless Service functionality. Epassi aims to implement Service updates and maintenance without causing interruptions in the Service use. The aim is to implement updates and maintenance requiring service interruptions at times when the discontinuation of the Service causes minimal harm to the Customer and the Customer’s Employees. Epassi continuously develops its services in order to guarantee the best possible Service for the Customer.

6. CUSTOMER SERVICE

6.1         Epassi’s Customer service helps the Customers and the Customer’s Employees in using the Service and answers questions related to the benefit deployment, use and reporting. Epassi’s Online service (https://services.Epassi.fi) includes instructions and materials for the Customer to use when instructing their Employees. All instructions provided by Epassi should be complied with.

7. USER ACCOUNT AND INFORMATION PROVIDED BY THE SERVICE PROVIDERS

7.1         When registering with the Service, the Customer creates a user profile for maintenance purposes and the related personal user IDs for itself (for the company) in order to be able to log in to the company-specific maintenance and reporting pages intended for employers. The Customer can add the information of the Customer’s Employee in the Service so that the Employee can start using the Epassi Payment instrument either by approving the Epassi app Terms of Use with the Mobile app or by logging in to the Epassi Online service. The Employees can use the Epassi Payment instrument also with their telephone number if the Customer has added the information for their Employees in the Service. When using the telephone number as the payment method, the Employee must always report this to the Service provider’s representative when making the payment and, simultaneously, tell their telephone number and the amount to be charged to the Epassi Payment instrument to the Service provider’s representative and show their identification card.

7.2         The Customer is responsible for the confidentiality of the login information and other account information and undertakes to store the IDs carefully. The Customer’s IDs must be immediately changed if there is a suspicion that they have fallen into the wrong hands. The Customer must immediately inform Epassi of any observed unauthorised use of the user information. For information security reasons, Epassi recommends that the Customer change the ID regularly.

7.3         Epassi publishes the information about the Service providers, their services and products provided by them in the Service. The Service providers are responsible for the correctness and updating of the information in the Service. Epassi is not responsible for their correctness.

8. DATA PROTECTION

8.1         Epassi processes personal data as required by the EU’s General Data Protection Regulation and currently valid data protection legislation. The Parties undertake to comply with the currently valid data protection legislation.

8.2         The Customer acts as the controller pursuant to the data protection legislation for all such personal data that the Customer has uploaded in the Service and Epassi acts as the processor of the said personal data in order to produce the Service. Epassi processes such personal data on behalf and for the benefit of the Customer in accordance with the personal data processing contract signed between the Parties. The Customer must, as the controller, prepare its own privacy policies and acquire the required consent for the processing of personal data.

8.3         Epassi also collects personal data of the Customer’s Employees in the Service directly from the users (i.e. Employees) in connection with the use of the Service. For such personal data, Epassi acts as the controller and processes such personal data in accordance with the Service’s Privacy Policy. The Privacy Policy is available to the Customer’s Employees in the Mobile app in connection with the registering and on Epassi’s website (https://www.epassi.fi/en/home).

8.4         The Customer discloses the information on the Employees entitled to the benefits to Epassi’s payment instrument register for the use of the employee benefits.

8.5         Epassi is not responsible for the processing of the information in a third-party service provider’s (e.g. Partner’s) service but they are subject to the terms and conditions of the said Service provider and/or Partner.

9. INVOICING AND SERVICE FEE

9.1         As a rule, the invoicing takes place when the employee benefits are made available to the Employees so that the invoice consists of the balance, measured by quantity, uploaded to the Employee benefit Payment instrument by the Customer and the service fee in accordance with Epassi’s valid price list. The term of payment of the invoice is fourteen (14) days net.

9.2         All Customer-specific additional work related to the use of the Service is invoiced in accordance with Epassi’s separate currently valid price list.

9.3         Regardless of the used invoicing method, unused balance will not be refunded to the Customer after the termination of the Contract. The balance must be used before the termination of the Contract or, for the agreed services, no later than within the calendar year following the termination. If the balance is used outside the contract period, a service fee pursuant to the terminated contract will be charged from the Customer by Epassi.

9.4         Value added tax will be added to the Service fee in accordance with the currently valid instructions of the authorities.

9.5         When the Customer selects the Epassi GO service package, the invoicing takes place when the employee benefits are distributed to the Employees in advance. Epassi then invoices the Employee benefit Payment instrument and the service fee in accordance with the valid price list. The Balance is available to the Employees when the invoice has been paid until the end of the year at which the benefits are targeted when uploading. If the Contract continues after the turn of the year, unused Balance is refunded in the following year’s invoicing when the Customer uploads more Balance for its Employees’ use.

9.6         If the Customer selects the Epassi Plus service package, the Employees cannot use the Employee benefit Payment instruments for paying for the benefits without valid Balance. The first invoice sent to the Customer is an estimate invoice that is based on the annual Balance use estimate agreed in the Contract between the Customer and Epassi and on the percentage of the benefits uploaded in advance. The following invoices are based on the actual use of the Balance and in relation to the percentage of benefits uploaded in advance, and notwithstanding agreement to the contrary with the Customer, they are invoiced with one (1) month agreed interval. In case the advance payment decreases in accordance with their use below Epassi’s determined minimum threshold, Epassi has the right to submit a supplementary invoice at least for the amount corresponding to the benefits uploaded in advance. If the Contract continues after the turn of the year, unused Balance paid by the Customer will be carried over to the following calendar year to be used.

9.7         Epassi’s service fee in accordance with the valid price list is added to all invoices.

10. VALIDITY OF THE CONTRACT

10.1       The Contract is valid until further notice one (1) calendar year at a time starting from the entry into force of the Contract. A Party must terminate the Contract no later than three (3) months before the turn of the year if the contract period for the next year will not be implemented, otherwise the Contract will continue in force until the end of the following calendar year.

11. TERMINATION OF THE CONTRACT

11.1       The Contract is deemed to have been terminated and ended on the Customer’s side if the Service is not used for two (2) consecutive calendar years. Any uploaded Balance will not be refunded after the termination of the Contract in accordance with this section and it is deemed to have expired on the same day when the Contract has been deemed to have been terminated and ended.

11.2       The Parties have the right to terminate the Contract with immediate effect if the other Party has materially acted contrary to the Terms of Contract or instructions.

11.3       Epassi has the right to block the Customer’s access to the Online service, remove the reports and other information, prevent the Customer’s Employees from using the Employee benefit Payment instruments and from accessing the Service through the Mobile app when the period of notice has ended.

11.4       Epassi has the right to terminate the Contract with immediate effect if it is observed or suspected that the Service is used unlawfully or in a manner that may cause damage to Epassi.

12. CONTRACT AMENDMENTS

12.1       Epassi has the right to amend the Data Processing Contract, General Terms of Contract and its valid price list. Epassi informs the Customer of the amendments no later than two (2) months before the entry into force of the amendments. If the Customer does not approve the amendments, the Customer has the right to stop using the Service and terminate the Contract signed with Epassi with one (1) month period of notice.

12.2       Epassi has the right to make changes that do not materially affect the Service content and update and publish Service Descriptions and instructions by reporting this in the Service. The changes will enter into force immediately.

12.3       Epassi has the right to transfer the Contract to its Group companies without separate consent from the Customer. In addition, Epassi has the right to transfer this Contract further to a third party, including all the rights and obligations, in connection with a company restructuring or asset acquisitions without separate consent from the Customer.

13. RIGHT OF REFERENCE

13.1       Epassi has the right to use the name of the Customer’s company as its reference, unless the Customer expressly prohibits this in writing.

14. INTELLECTUAL PROPERTY RIGHTS

14.1       Information saved in the Online service by the Customer belongs to the Customer. The intellectual property rights and other rights of the Service belong to Epassi. Thus, ownership rights are not transferred between the Parties with this Contract.

15. FORCE MAJEURE

15.1       A force majeure event shall be deemed to be any unforeseeable circumstance beyond the control of a Party occurring after the conclusion of the Agreement, such as a labor dispute, which prevents the fulfillment of obligations under the Agreement. A Party shall be released from its obligations under the Agreement if the fulfillment of such obligations is prevented due to a force majeure event, and the deadline for fulfilling the contractual obligations shall be extended by the period during which the affected Party was unable to fulfill its obligations due to the force majeure. A Party wishing to invoke a force majeure event must promptly notify the other Party in writing, including when the force majeure event ceases. The failure of a subcontractor to fulfill its contractual obligations due to the aforementioned reasons shall also be considered a force majeure event for the Party, provided that the Party is unable to replace the affected subcontractor with another or to perform the obligation itself. If the force majeure event continues for more than 30 days, the other Party shall have the right to terminate the Agreement with a notice period of its choosing.

16. CONFIDENTIALITY

16.1       The Parties undertake to keep confidential all information related to the Contract or information that has been marked as confidential information or that should be understood as confidential, unless otherwise provided in this Contract or valid legislation. The Parties have no right to disclose confidential information to a third party or use such information for purposes other than those mentioned in this Contract without written consent from the other Party. However, Epassi has the right to disclose such confidential information to its Group companies, possible subcontractors and the authorities.

16.2       The confidentiality obligation is valid during the validity of this Contract and two (2) years after the termination of the Contract, unless a longer confidentiality period is required by the legislation.                       

17. LIMITATIONS OF LIABILITY

17.1       Epassi’s liability for damage related to this Contract and these Terms of Contract is limited to a maximum of the aggregated amount of service fees collected from the Customer on the basis of the Contract within one (1) year if the damage has not been caused by an error concerning the Balance uploaded in the Service. Prices paid for the services and products to the Service providers are not included in the service fees.

17.2       Liability for all damage of both Parties related to this Contract and these Terms of Contract is limited to a maximum of the aggregated amount of benefits and service fees invoiced from the Customer on the basis of the Contract within one (1) year. Prices paid for the services and products to the Service providers are not included in the service fees. Neither Party is responsible for indirect or consequential damage caused to the other Party, unless the damage has been caused intentionally, by gross negligence or by breaching the confidentiality obligation.

17.3       Epassi is also not responsible for indirect or direct damage caused by unavailability of Epassi’s Online service at a given time. In addition, Epassi is not responsible for damage caused to the Customer due to force majeure. Force majeure refers to unexpected events that neither Party could have reasonably anticipated or prevented. In cases of force majeure, the Parties undertake to do their best to fulfil their contractual obligations. 

17.4       Epassi is not responsible for any matter beyond its control, such as the Epassi Payment instrument ending up in the possession of an unauthorised person due to a mistake, negligence or failure to comply with the instructions of the Customer or Customer’s Employee. Epassi is not responsible for the Service provider’s operations, products offered by them or the services, their availability, usability and quality nor any other damage caused by the operations of the Service provider.

18. APPLICABLE LEGISLATION AND DISPUTE RESOLUTION

18.1       This Contract is governed by Finnish law. Possible disputes are primarily resolved by negotiating. If the dispute cannot be resolved by negotiating, the dispute will be finally resolved by the Helsinki District Court. In addition, Epassi always has the right to take legal action in the district court of the Customer’s registered office.


Data Processing Agreement

PARTIES

Epassi Finland Oy (Business ID 3220764-7) and Epassi Clearing Oy (Business ID 2872241-9) acting as joint controllers (hereinafter referred to, depending on the context, together or separately as “Epassi”) act as processors on behalf of the Customer who has entered into the Service Agreement with Epassi (either “Customer” or “Controller”) as described in this agreement.

Epassi and the Customer are hereinafter referred to individually as a “Party” and collectively as the “Parties”.

“Data Protection Legislation” means national and EU legislation concerning data protection, such as the General Data Protection Regulation (“GDPR”, EU 2016/679). Terms related to data protection are used in the meaning defined by the GDPR.

1. SUBJECT AND PURPOSE

This personal data processing agreement (hereinafter the “Processing Agreement”) applies to the processing of personal data as part of the employer-customers’ Epassi service agreement (the “Service Agreement”), under which Epassi provides services to the Customer (the “Services”).

This Processing Agreement defines the obligations of the Parties regarding data protection and compliance with Data Protection Legislation. The Parties (and their representatives) must comply with this Processing Agreement in the performance of their obligations under the Service Agreement.

The scope of processing is described in more detail in Appendix A (Description of Personal Data Processing and list of approved sub-processors). Any other processing of personal data must be agreed upon separately.

The Parties are aware and understand that Epassi is the controller for all personal data related to the use of the Services by the Customer’s employees (i.e., Epassi’s end users). Additionally, Epassi is the controller for personal data related to, among other things, the provision of regulated payment services intended for end users (distribution and use of personal payment instruments) and end-user services (such as the Epassi mobile application).

The Customer is responsible for ensuring that, as the controller, it has the right to process and transfer personal data to Epassi in accordance with this Processing Agreement and the Service Agreement.

2. COMPLIANCE AND CUSTOMER’S INSTRUCTIONS

Epassi shall comply with the Data Protection Laws while providing the Services.

To the extent that Epassi is processing Personal Data on behalf of the Customer, Epassi shall process Personal Data solely to the extent necessary for fulfilling their obligations under the Service Agreement and in accordance with the documented and lawful instructions expressly provided in the Service Agreement or this Data Processing Agreement.

The Customer can instruct Epassi on processing of Personal Data under this Data Processing Agreement. Should Epassi recognize that any instructions of the Customer go beyond what has been agreed in this Data Processing Agreement or the Service Agreement, Epassi shall discuss the possibilities of implementing the Customer’s instructions. If the Parties do not reach a mutual understanding regarding the modification of the instructions, the modification of the instructions shall be treated as a new instruction as a contractual amendment in accordance with the Service Agreement. If the Customer’s written instruction exceeds what is required by law, Epassi has the right to reasonable compensation in accordance with the reasonable costs incurred by Epassi or as otherwise agreed between the Parties.

Should Epassi identify that it cannot fulfil its obligations under this Data Processing Agreement or if Epassi is of the view that an instruction regarding the processing of Personal Data would be in breach of applicable Data Protection Laws, Epassi shall inform the Customer thereof, unless Epassi is prohibited from notifying the Customer under the applicable laws.

3. USE OF THIRD PARTIES IN DATA PROCESSING

Epassi may use sub-processors for the processing of Personal Data provided that

(i) the sub-processing is agreed upon in a written Processing Agreement; and
(ii) the Processing Agreement concluded with the sub-processor complies in all material respects with similar requirements concerning personal data as the terms of this Processing Agreement.

Epassi shall notify the Customer in writing and without delay of any changes to the sub-processors used (such as the use of a new sub-processor to replace a previous one). The Customer has the right to object to the change in Epassi’s sub-processors within thirty (30) days of Epassi’s notification. The Customer and Epassi shall strive to resolve the root causes of the Customer’s justified objection so that the change to the sub-processors can be made. If the Customer and Epassi do not reach a solution that allows the change to the sub-processors to be made as per Epassi’s notification, the Customer has the right to terminate the Service Agreement in the manner agreed therein.

Epassi is responsible for the processing of Personal Data carried out by its sub-processors as if it were its own. Epassi’s sub-processors are defined in Appendix A of this Processing Agreement (Description of Personal Data Processing and list of approved sub-processors).

4. PROCESSING PERSONAL DATA OUTSIDE OF EU/EEA

For the implementation of the Services and the Service Agreement, Epassi may transfer Personal Data to third countries outside the EU/EEA. The locations to which Personal Data may be transferred are listed in Appendix A of this Processing Agreement (Description of Personal Data Processing and list of approved sub-processors).

If Personal Data is transferred to a country outside the EU/EEA, Epassi ensures that all such transfers of Personal Data comply with the applicable Data Protection Legislation. If the third country to which the data is transferred does not provide an adequate level of data protection based on a decision of adequacy by the European Commission, Epassi is responsible for ensuring that the transfers comply with the requirements of the applicable Data Protection Legislation and implements the additional safeguards required for the transfers under the Data Protection Legislation, such as appropriate contractual arrangements using the European Commission’s standard contractual clauses for international transfers.

5. CONFIDENTIALITY

Epassi keeps and retains the Personal Data confidential. During the term of the Service Agreement, Epassi does not disclose or transfer the Personal Data, in whole or in part, to a third party unless otherwise expressly and in writing agreed with the Customer, or unless otherwise required by applicable Data Protection Legislation, or unless the Customer has given prior written authorization for this, or it is necessary for the functionality of this Processing Agreement and the Service Agreement. Epassi is responsible for ensuring that all persons who have the right to process personal data are bound by a confidentiality agreement or are subject to a statutory duty of confidentiality.

The Customer undertakes to keep all information it becomes aware of regarding Epassi’s security measures, arrangements, IT systems, or service providers, or which is otherwise considered confidential, strictly confidential and not to disclose any confidential information to third parties. The Customer may disclose such information if, under applicable legislation, the Customer is obliged to do so.

6. DATA SECURITY

As agreed in the appendix to this Processing Agreement, Epassi maintains operational and technical measures protecting Personal Data at all appropriate times with reasonably implementable and available actions to protect Personal Data from accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure, or access. Epassi implements at least the following reasonably required measures, as applicable:

(i) Pseudonymization and encryption of Personal Data where required by Data Protection Legislation;

(ii) Ensuring the ongoing confidentiality, integrity, availability, and resilience of Personal Data processing systems and services at all times;

(iii) The ability to restore the availability of and access to Personal Data quickly in the event of a physical or technical incident; and

(iv) Regular testing, assessment, and evaluation of the effectiveness of technical and organizational measures to ensure the security of Personal Data processing.

Epassi restricts access to Personal Data only to authorized and appropriately trained personnel who need access to such data and who are bound by appropriate confidentiality obligations.

7. DATA BREACH

In the event of a data breach, Epassi shall notify the Customer in writing without undue delay once Epassi becomes aware of the data breach.

Epassi’s notification of the data breach shall include at least the following information:

(i) a description of the nature of the data breach, including, where possible, the categories and approximate number of affected Data Subjects and the categories and approximate number of Personal Data records concerned;
(ii) a description of the likely consequences of the data breach;
(iii) a description of the measures Epassi has proposed or implemented as a result of the data breach, including, where appropriate, measures to mitigate its possible adverse effects.

If Epassi does not yet have all the information related to the data breach, Epassi shall in any case provide the Customer with a reasonably detailed written notification of the data breach that has come to its attention. Epassi has the right to deliver the notification in parts if all information is not available at the time of the initial notification.

8. RIGHT TO AUDIT

The Customer has the right to carry out an audit concerning Epassi’s processing activities under this Processing Agreement in order to ensure the level of protection and data security provided for the Personal Data processed under the Service Agreement.

When exercising the right to audit, the Customer must use a recognized, independent third-party entity with proven experience in the field, and with whom the Customer has entered into a separate agreement to protect the confidentiality of Epassi and the Personal Data. The third-party entity must not be a direct competitor of Epassi.

The schedule, method, and scope of the audit shall be agreed in advance between the Parties. The audit must not compromise the availability, quality, security, or confidentiality of Epassi’s services to other customers. If the audit does not identify material deficiencies in Epassi’s operations, the Customer shall bear all costs related to the audit. The audit may be scheduled to begin no earlier than 30 calendar days after Epassi has received notice of the audit.

If a request for an audit related to the processing of Personal Data is received directly from a competent supervisory authority, Epassi shall cooperate diligently with the Customer in responding to all such requests.

9. ACCESS TO PERSONAL DATA AND DATA SUBJECTS’ RIGHTS

At the Customer’s written request and in compliance with Data Protection Legislation, Epassi shall assist the Customer in fulfilling requests concerning Personal Data in accordance with Data Protection Legislation, including:
(i) providing the Customer with a copy of individuals’ Personal Data in a tangible form;
(ii) correcting, blocking, or deleting individuals’ Personal Data;
(iii) providing the Customer with the requested information and, upon reasonable request, cooperating in matters related to the processing of Personal Data under the Service Agreement, for example by assisting in facilitating the exercise of Data Subjects’ rights; and
(iv) assisting the Customer, upon reasonable request, in providing the individuals whose Personal Data is being processed with the information they have requested regarding the processing.

If the Customer so requires, Epassi shall assist the Customer in fulfilling other obligations arising from Data Protection Legislation, such as obligations related to data protection impact assessments and possible prior consultations, taking into account the nature of the processing and the information available to Epassi. The Parties shall separately agree on the need and scope of such assistance, and Epassi shall have the right to charge the Customer for the reasonable costs incurred.

10. LIABILITY

The liability terms of the Service Agreement apply to this Processing Agreement.

The Parties agree that liability for administrative fines imposed by a supervisory authority or claims by Data Subjects shall be allocated between the Parties according to their respective responsibilities. Accordingly, the Party that, according to the final decision of the supervisory authority or the competent court authorized to impose such fines or damages, has violated its statutory obligations under Data Protection Legislation, shall be responsible for paying the fines or compensating the damages in question. If both Parties are found to have failed in fulfilling their obligations, the fines or damages shall be divided between the Parties according to their respective degrees of fault.

11. APPLICABLE LAW AND DISPUTE RESOLUTION

The provisions on applicable law and dispute resolution in the Service Agreement apply to this Processing Agreement.

12. OTHER TERMS

This Processing Agreement shall remain in force for the duration of the Service Agreement and after the termination of the Service Agreement for as long as Epassi processes Personal Data on behalf of the Customer.

Upon termination of the agreement, Epassi shall either delete or, at the Customer’s written request, transfer the Personal Data it has processed under this Processing Agreement to the Customer.

Except as otherwise expressly agreed above, any amendments to this Processing Agreement shall be made in writing and duly accepted by both Parties.

Neither Party may assign its rights or obligations under this Processing Agreement, in whole or in part, without the prior written consent of the other Party, unless otherwise provided in this Processing Agreement or unless such assignment is made in connection with the transfer of the entire business of the assigning Party.

The appendices listed below are an integral part of this Processing Agreement.

13. APPENDICES

This Processing Agreement includes the following appendices:

Appendix A: Description of the processing of Personal Data and a list of Sub-processors

 

 

Appendix A

Description of the Processing of Personal Data

Epassi performs services to the Controller that will include processing of Personal Data by the processor as further specified below with respect to: (a) the nature and purpose of the processing of Personal Data; (b) the type of Personal Data and categories of Data Subjects; (c) the applicable information security measures; and (d) duration of the processing of Personal Data under the Service Agreement, as follows:

  • the nature and purpose of the processing of Personal Data

Epassi processes the Controller’s employment related Personal Data for the purposes of providing the Controller with the Services agreed in the Service Agreement, i.a. the offering, assignment, management and reporting of use of non-taxable or tax-subsidized employee benefits and/or payment services, in the scope agreed between the Controller and Epassi in the Service Agreement.

  • the type of Personal Data and categories of Data Subjects

Personal Data of the Controller’s employees, who are the recipients and beneficiaries of the employment benefits offered through Epassi’s Service, as follows:

Name, phone number, e-mail address, employee identification number and amount and nature of employment benefits allocated to such end-user.

  • the description of the applicable security measures

Personal data is transferred to Epassi in a secure channel through a sync-up interface connected to the Online service, or as otherwise agreed with the Controller (e.g. through the Controller’s secure e-mail, at the Controller’s risk), for the initial set-up of the Service for the employees of the Controller.

Epassi delivers the continuous processing and delivery of return data to the Controller through its Online service to the duly authorized representative(s) of the Controller. Access to the Online service on the Controller’s side is protected via authorized user logins and passwords. Further information on the system security measures of Epassi’s Online service will be delivered to the Controller at the Controller’s request.

  • duration of the processing of Personal Data

The Personal Data is processed for the full duration of the Service Agreement and for any additional duration thereafter as required to complete the processor’s duties in accordance with the Service Agreement and applicable Data Protection Laws and/or requests of competent authorities.  

List of Sub-processors 

| Name of the service | Use | Name of the company, Location / Address |
|---|---|---|
| Hetzner | Hosting the Online service platform | Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany |
| Microsoft 360 | Communication and processing of documents on SaaS-service | Microsoft Ireland Operations, Ltd., Data Protection, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland |
| Freshworks | Support services for Finnish customers | Freshworks GmbH, Neue Grünstraße 17, 10179 Berlin, Germany |
| Apsis | Marketing tool | APSIS International AB, Kungsgatan 6, 211 49 Malmö, Sweden, +46 40 24 97 70, hello@apsis.com |
| Telavox | Support tool | Telavox Oy, Pursimiehenkatu 26-30 C, 00150 Helsinki, https://telavox.com/ |
| NetSuite | Support tool | Gräsantörmä 2, 02200 Espoo, P: +358-9-5494-1260 |

 

 


Epassi service Terms of Use

Valid as of 20 July 2025

By using Epassi services you accept these user terms (“Terms of Use”) and agree to comply with them.

Epassi

Epassi Finland Oy, (Business ID 3220764-7), hereinafter also referred to as “Epassi”
Porkkalankatu 22 A, 00180 Helsinki, Finland
info@epassi.fi
https://www.epassi.fi/en/home

Epassi Clearing Oy, (Business ID 2872241-9), hereinafter also referred to as “Clearing”
Porkkalankatu 22 A, 00180 Helsinki, Finland
info@epassi.fi
https://www.epassi.fi/en/home

Definitions

Service Provider refers to a company or organisation which offers its services in the Epassi Service on the basis of the contract signed with Epassi.

Epassi Payment refers to a payment made through the Epassi Service or with the Epassi Wallet.

Epassi Service refers to the mobile and platform service for obtaining and paying for employee benefits offered to consumers by Epassi Finland Oy (targeted payment instrument) as well as to optional functionalities activated by each Epassi Wallet user.

Epassi Wallet refers to mobile payment and/or payment processing functionalities of the Epassi Service offered to consumers by Epassi Clearing Oy and/or its Partner or jointly by them (general payment instrument). The additional terms and conditions of Epassi Wallet are provided in section II.

Service refers to a service, product, benefit or discount provided by a Service Provider which has signed a contract with Epassi Finland Oy, in the Epassi Service at a given time. 

Partner refers to a third party cooperating with Epassi Clearing Oy pursuant to a contract whose services or service functionalities are available in Epassi Wallet or which otherwise participates in the performance of the Service (like Paytrail).

I EPASSI SERVICE

The Epassi service is a digital service where you can use the employee benefits provided by your employer to pay for the products and services of Service Providers, or the functionalities of the Epassi Wallet. The Epassi service, its content, and Services may include advertisements from Epassi, Service Providers, or third parties. Third-party services are subject to third-party terms and conditions.

Service Providers provide information in the Epassi service about the products and services they offer, including product descriptions and prices. If the user has any restrictions related to the use of the Service Provider’s products or services, the user must agree on those directly with the Service Provider.

Through the Epassi service, the user may enter into a contractual relationship with third parties, i.e., Service Providers and Partners. In such cases, an independent contractual relationship is formed between the user and the Service Provider or Partner. Epassi encourages all users to review the terms and conditions before committing to them.

I.1. Deployment

When you download the Epassi app from the application store and approve the Terms of Use in the app or log in to the Epassi Service and approve the Terms of Use, a contract on the Epassi Service deployment has been established between you and Epassi. For the deployment of Epassi Service, Epassi will provide you with a one-time password. Use of Epassi’s services requires the user to confirm their identity through strong authentication and to set up a personal PIN code.

Using the Epassi Service for professional or commercial activities is prohibited.

The deployment of Epassi Wallet requires further actions from the user (see section “II Epassi Wallet”).

I.2. Epassi Service availability and technical conditions

The Epassi service is available via a mobile application or as a web service at https://services.epassi.fi. The different usage methods of the Epassi service may have differing features from each other or its usage possibilities may be limited in relation to another usage method.

Using the Epassi service requires an Epassi account, a smart device and a compatible operating system or a computer and a functioning internet connection. The Epassi account is by default personal, unless otherwise agreed. You are responsible for the operation, data security, and compatibility of your device as well as arranging the internet connection. You must ensure that you are using the latest possible version of the Epassi application. Version updates are published in the application store. Not performing updates may prevent the use of the Epassi service or Services.

Epassi does not guarantee that the Epassi service or Services are continuously available. Epassi or the Service Provider may interrupt the provision or use of the Service without notifying the user in advance or according to the separate terms of each Service. Epassi strives to inform in advance within a reasonable time about known service interruptions and to schedule regular interruptions and updates during the service’s quiet usage hours. Epassi reserves the full right to interrupt the provision of the Service during maintenance and other such breaks.

I.3 Customer’s responsibility and careful use

You are responsible for ensuring that the user information you provide is correct and always up to date. Your PIN code, with which you log in to the Epassi Service, is personal. The PIN code must not be given to other individuals. The user is responsible for all use of their Epassi account related to the Epassi Service.

If you suspect that your device or Epassi account information has ended up in the hands of a third party, you must immediately report it to Epassi customer service. Merely closing the phone subscription provided by the operator is not sufficient to prevent the use of the Epassi service and the execution of payment transactions.

In cases of misuse and/or loss, you are responsible for the use of the Services and the payments made in the Services until you have made a loss report to Epassi, and your account has been closed.

Epassi is never responsible for any possible damages caused to a third party by your incorrect procedure.

I.4. Service fees and compensations

The use of the Epassi service is free of charge, but requires data transfer over the network.

Your operator may charge fees related to mobile data transfer. You are responsible for the costs of data transfer or other telecommunication services charged for the use of the Epassi service and Services. Any possible fees or charges related to the use of the Services offered in the Epassi service are agreed separately with the Service Provider or Epassi at the time of the transaction.

Additional terms related to the use of the Epassi Wallet are in section “II Epassi Wallet”.

I.5 Epassi’s right to close the Epassi Service

Epassi has the right to close the Epassi service and prevent its use entirely or partially if:

  • you have provided false information during registration or later;
  • you have become subject to international sanctions;
  • the security of the use of the Epassi service has been compromised;
  • there is reason to suspect that the Epassi service is being used unlawfully or fraudulently;
  • there is reason to suspect that your mobile device compromises the security of the Epassi service;
  • you have used the Epassi service in a manner that is likely to jeopardize the reputation of Epassi or its Service Provider (e.g., as a platform for communication that Epassi or its Service Provider does not consider appropriate or in accordance with good practice); or
  • Epassi needs to change the Epassi service or its terms in such a way that continuing its use under the new terms or features requires your acceptance, and you have not given your acceptance.

Epassi will notify you of the closure and/or restriction of the Epassi service by email to the address you have provided or by a notice published in the application.

International sanctions refer to sanctions, economic sanctions, export or import bans, trade embargoes, or other restrictive measures imposed, administered, approved, or enforced by the Finnish state, the United Nations, the European Union, the United States of America, and the United Kingdom or their competent authorities or institutions.

I.6 Liability for damages

If you believe that there is a defect in the Epassi service, you have the legal remedies available under applicable law. Epassi primarily strives to correct the defect. If you notice a defect, please contact Epassi customer service.

Epassi does not guarantee that the Service is error-free or available without interruption. If we cause damage by acting contrary to the agreement, we will only compensate for direct damage, unless we have caused the damage intentionally, through gross negligence, or unless otherwise provided by mandatory law.

Epassi or Clearing is not responsible for the content, terms, functionality, security, or user fees related to the services offered by the Service Providers or Partners included in the Epassi service or other third-party credit and/or payment institutions.

Epassi or Clearing is not responsible for the interruption of the Service or damage caused by force majeure or other similar reasons that unreasonably complicate Epassi's operations. A force majeure event affecting Epassi or its subcontractor, Service Provider, or Partner entitles Epassi to suspend the provision of the Epassi service in the affected area for the duration of the event.

I.7 Changes to the contract, terms of contract and service features

Epassi continuously develops the Service, and Epassi has the right to change these terms, the content of the Epassi service, and the requirements set for the devices intended for the use of the Epassi service. Epassi will notify you of significant changes either by a message to your mobile device, email, or a notice published in the application. Changes that do not increase your obligations or reduce your rights will take effect immediately. If a change increases your obligations or reduces your rights, the change will take effect no earlier than one month after the change notice or with your acceptance.

The agreement continues with the modified content unless you terminate your Epassi service before the change takes effect. You have the right to terminate the agreement immediately as described in section I.13 until the announced effective date of the changes. Please note that you must also promptly inform your employer about the termination of your Epassi service.

I.8 Processing of personal data

Epassi processes your personal data in accordance with the applicable legislation and as further described in the privacy policy.

Please review our privacy policy: https://www.epassi.fi/privacy-policy

I.9 Intellectual property rights

All rights related to the Epassi service, Epassi Wallet, and its content, including ownership rights, copyrights, patents, trademarks, and all other intellectual property rights, belong to Epassi and/or the Service Provider and/or the Partner and/or another notified third party, unless otherwise specifically stated.

You have a limited, non-exclusive, non-transferable, and non-sublicensable right to use the Service in the form in which it is offered to you at any given time. The right to use is limited solely to the purposes described in these Terms of Use, the instructions published on Epassi's website (https://www.epassi.fi/fi/tyontekijalle), and the service descriptions.

I.10 Transferring the contract

Epassi has the right to assign this agreement and the rights and obligations based on it in whole or in part to a designated party. You do not have the right to assign this agreement to a third party.

I.11 Cancellation of the Epassi Service contract

You have the right to cancel the Epassi Service deployment and contract within fourteen (14) days after signing the contract by reporting this to Epassi customer service. Please note that you must also promptly inform your employer about the cancellation of your Epassi service.

I.13 Validity and termination of the contract

The agreement is valid until further notice. You can terminate the agreement to end immediately by sending a termination notice to Epassi by email to info@epassi.fi. Please note that you must also promptly inform your employer about the termination of your Epassi service. Please note that merely deleting the Epassi application from your mobile device does not terminate the agreement or the use of the Epassi service. You must specifically remember to remove the user-specific identifier of the Epassi service when your mobile phone number is transferred to another person or when you terminate the phone subscription and your phone number is released for third-party use.

Epassi has the right to terminate this agreement to end two (2) months after the termination. Epassi has the right to terminate the agreement immediately if you have materially breached these terms or use the Epassi service for illegal or inappropriate activities. Epassi will send a termination or cancellation notice as a message to your mobile device, email, or by publishing it in the application.

I.14 Applicable legislation, remedies outside the court and place of jurisdiction

This agreement is governed by Finnish law, excluding its conflict of law rules, regardless of the country from which the Epassi service is used.

You can submit a dispute related to the use of the targeted payment instrument in the Epassi service to the Consumer Disputes Board for resolution, see http://www.kuluttajariita.fi. You can also file a lawsuit in the district court of your domicile in Finland or the Helsinki District Court. If you do not have a domicile in Finland, the jurisdiction is the Helsinki District Court.

II EPASSI WALLET

In addition to the Terms of Use of the Epassi service presented above, the following special terms apply to the functionalities of the Epassi Wallet.

You can load money into the Epassi Wallet as an OwnMoney balance. With the OwnMoney balance, you can pay for products and services in the network of Epassi Service Providers, provided that the payment method and Service Provider's system allows the use of OwnMoney. If the payment method and the Service Provider's system allows the use of OwnMoney, you can also use the OwnMoney balance for payments of employee and fringe benefits where the employer-provided benefit balance is less than the price of the Service to be purchased (i.e., the employer-provided benefit balance alone is not sufficient for the purchase).

Paying with Other Balances in the Epassi Service

As an Epassi user, you can link the points and/or balances of an Epassi Partner (e.g., Finnair) loyalty membership to the Epassi Wallet. With the points and/or balances, you can pay for products and services in the network of Epassi Service Providers. When paying with points, the Epassi Wallet automatically converts the points into a euro amount for the execution of the payment order in the ratio defined by the Partner and Epassi.

The functionalities of the Epassi Wallet are only available as part of the Epassi service and always require the simultaneous acceptance of the terms of the Epassi service.

Epassi Clearing Oy has a payment institution license granted by the Financial Supervisory Authority. The Financial Supervisory Authority supervises the operations of Epassi Clearing Oy: Financial Supervisory Authority, Snellmaninkatu 6, P.O. Box 103, 00101 Helsinki (www.fiva.fi).

Additional definitions only concerning the Epassi Wallet

  • Customer means you, who have accepted the terms of use of Epassi and have activated the functionalities of the Epassi Wallet.
  • The Epassi Wallet may be used by persons over the age of 15 who have funds under their control in a bank account provided by a Finnish bank.
  • Wallet payment means a payment made to the Service Provider using the functionalities of the Epassi Wallet (such as OwnMoney balance or Partner service balance).
  • OwnMoney/OwnMoney balance means the monetary amount you have transferred from your bank account to the Epassi service.

II.1 Deployment

The agreement for the Epassi Wallet service is formed when you have accepted these Epassi terms of use and activate the functionalities of the Epassi Wallet for the first time.

You activate each functionality of the Epassi Wallet in the Epassi service by following the instructions for that functionality. Epassi and Epassi Clearing Oy reserve the unilateral right to change the content of each functionality or to suspend their provision at any chosen time.

The use of OwnMoney requires you to fulfill the identification obligations related to payment services (so-called KYC obligations).

The Epassi Wallet and the funds contained in it are only available as long as the user has a valid employment relationship with the current employer.

To use Wallet payments, you need:

  • a Finnish personal identification number
  • a smartphone (currently Android and iOS) or another mobile device with a phone subscription or an internet connection to use the web service
  • a mobile phone number
  • a Finnish bank account
  • a strong electronic identification tool
  • a valid email address
  • for certain Partner services, an agreement with the Partner for the use of the Partner's services
  • a valid Epassi account provided by your employer

II.2 Preparing and performing the Wallet Payments

You can make Wallet payments with the Epassi mobile application, phone number, NFC tag, or in online and other stores via the Epassi web service or payment button, which have indicated that they accept Wallet payments.

With the Epassi Wallet, you can make payments at the locations of Service Providers cooperating with Epassi Clearing Oy. Before that, you must load funds into the Epassi Wallet as an OwnMoney balance. The minimum transfer amount is 20 euros, with a daily maximum of 1,000 euros and an annual maximum of 20,000 euros. Clearing reserves the right to limit the funds transferred to the application and to make changes to the minimum and maximum transfer amounts.

You can make payments up to the amount of funds or balances visible in the application.

You can also make payments with accumulated loyalty points or other approved payment methods from Epassi Clearing Oy’s Partners. The loaded balance or available Partner points are visible in your Epassi Wallet.

It is not possible to convert Partner loyalty points or balances into cash in advance and then transfer them out of the Wallet. Instead, they are used at the time of purchase for the corresponding value. Refunds for services paid with Partner points or balances are returned as equivalent Partner points or balances.

If you wish to stop using the Epassi Wallet, you can request the return of your OwnMoney balance to the same bank account from which it was loaded.

The Epassi Wallet cannot be used for other bank transfers or payments beyond those described above.

II.3 Payment transaction and balance information

In the Epassi web service and mobile application, you can view your current balances and all payments made with your credentials. OwnMoney loads to the Customer Fund Account are also visible in the web service.

II.4 Notification about an incorrect payment transaction and unauthorised payments

You must regularly check the payments made in the Epassi Service, your bank account transactions or the Partner’s service.

If you have accidentally made an incorrect payment to a service provider, you must notify the service provider without delay and no later than 13 months from the date the transaction was charged from your bank account or through the Partner's service.

If a third party has made unauthorized transactions from your Epassi account, you must contact Epassi customer service, the service provider, or Epassi's Partner.

You will lose your right to receive compensation if you fail to submit the notification within a reasonable time.

You are responsible for unauthorised payments only if:

(A) You have handed over your mobile device with the downloaded Epassi app or Epassi Service as well as the required access IDs to an unauthorised party which makes it possible to make payments;

(B) you have lost the mobile device with the downloaded Epassi app and/or the access IDs, they have ended up in the possession of an unauthorised party or are used in an unauthorised manner due to you acting carelessly; or

(C) you have not submitted the notifications mentioned above in section I.3 concerning the loss of the mobile device or Epassi Service IDs or the notification to the Partner concerning the loss of the payment processing information, the payment instrument ending up in the possession of an unauthorised third party or other unauthorised use without undue delay after observing it or immediately after the unauthorised use should have been observed when you have received the information about the implemented payments.

In the cases referred to above in subsections A and B, you are responsible for unauthorised payments up to EUR 50. However, this limitation does not apply if you have acted intentionally or by gross negligence.

However, you are not responsible for unauthorised payments made using the functionalities after submitting the report of loss.

You are, nevertheless, fully responsible for the payments if you have intentionally submitted an incorrect notification or acted otherwise deceitfully.

II.5 MyMoney Balance refunds and service fees

If you wish to stop using the Epassi Wallet, you can request a refund of your OwnMoney balance to the same bank account from which it was loaded. Epassi charges a fee of five (5) euros per refund transaction. Refunds under five (5) euros are not processed. 



Privacy policy

Epassi Finland Oy, Epassi Sweden AB and Epassi Clearing Oy

1. GENERAL INFORMATION

Epassi Finland Oy, Epassi Sweden AB and Epassi Clearing Oy (together “Epassi”, “we” or “us”) respect your privacy and are dedicated to protecting the privacy of persons using Epassi’s services. This privacy policy describes how Epassi processes personal data, e.g. what kinds of personal data we collect, for which purposes the personal data is used and to which parties the personal data can be disclosed.

This privacy policy applies to users of Epassi’s services, including users of Epassi’s end-user services and our websites as well as when we communicate about our services or for customer relationship management reasons. In addition, this privacy policy also applies to our employer customers’ contact persons, potential employer customers’ contact persons and merchant customers’ contact persons.

Personal data refers to any information relating to a natural person (“data subject”) that can identify him/her directly or indirectly. Personal data, data subject, controller and other key terms are defined in the General Data Protection Regulation (2016/679, “GDPR”). Epassi complies with the GDPR in all processing of personal data in conjunction with other applicable national data protection legislation (“data protection legislation”).

Our services may also contain links to external websites and services operated by other organizations that we do not manage. This privacy policy is not applicable to their use, so we encourage you to review the privacy policies that apply to them. We are not responsible for the privacy policies of other websites or external services.

2. JOINT CONTROLLERS AND CONTACT INFORMATION

Joint controller: Epassi Finland Oy
Business ID: 3220764-7
Address: Porkkalankatu 22 A, 00180 Helsinki, Finland
Email: dataprivacy@epassi.com
Joint controller representative: Taika Pöntinen

Joint controller: Epassi Sweden AB
Business ID: 556617-0030
Address: Storgatan 31, 461 30 Trollhättan, Sweden
Email: dataprivacy@epassi.com
Joint controller representative: Taika Pöntinen

Joint controller: Epassi Clearing Oy
Business ID: 2872241-9
Address: Porkkalankatu 22 A, 00180 Helsinki, Finland
Email: dataprivacy@epassi.com
Joint controller representative: Taika Pöntinen

3. PURPOSES, TYPE OF DATA, LEGAL BASES AND RETENTION TIMES FOR PROCESSING

Epassi collects only such personal data that is relevant and necessary for the purposes described in this privacy policy. The personal data is subject to periodic updates, as required by mandatory law. The personal data is processed fully separately from other Epassi systems and is not connected to other processing purposes.

Personal data will be processed for the following purposes:

3.1. User profiles and Authentication of end-users

The personal data is processed in order to verify the user’s identity, complete a user profile and carry out the end-users’ KYC (Know Your Customer) process so that Epassi is able to identify end-users according to its legal obligation and provide end-user services.

The personal data we process within the scope of this purpose include:

  • Name
  • Nationality
  • Date of birth
  • Personal identification code
  • Residential address
  • Profession
  • Political exposure
  • Information on the document used to verify the identity, or if the person has been remotely identified, information about the procedure or sources used in the verification

The personal data required for authenticating the end-user is processed by Telia Finland Oyj on behalf of Epassi.

Legal basis: The processing of personal data is based on a contract and a legal obligation.

Retention period: Personal data is stored for as long as the end-user uses the Epassi services and for a maximum period of five years thereafter, and even after such a period in case any open inquiries relating to the end-user exist or if required by mandatory national legislation.

3.2. Authentication of merchant customers

The personal data is processed in order to collect and store the KYC (Know Your Customer) information and the risk categories of Epassi’s merchant customers to comply with our legal obligations.

The personal data we process within the scope of this purpose include:

  • Date of birth
  • Personal identification code
  • Nationality
  • PEP status of the members of the boards of directors, managing director and persons who own more than 25 % of the firm

The data is processed by Visma Solutions Oy as a processor on behalf of Epassi.

Legal basis: The processing of personal data is based on a legal obligation.

Retention period: Personal data is stored for as long as the end-user uses the Epassi services and for a maximum period of five years thereafter, and even after such a period in case any open inquiries relating to the consumer exist or if required by mandatory legislation.

3.3. Epassi product and system data

The personal data is processed for the distribution, use, maintenance, and development of Epassi specific and general payment instruments, financial data, application usage data and other tech solution back-end data.

The personal data we process within the scope of this purpose include:

  • Name
  • Company (Employer)
  • Transactional information
  • Purchase history
  • Access logs
  • User device
  • Email address
  • Personal identification code (in Sweden)
  • Phone number
  • Postal code
  • User balances
  • Personal data provided by the data subject

Legal basis: The processing of personal data is based on a valid and legal contractual relationship when distributing and using services, and in other respects, the processing is based on Epassi’s legitimate interest to maintain and develop such services, both toward its employer customers and end-users (consumer customers). The processing of the personal identification code is based on the applicable legislation, or the consent given by the data subject.

Retention period: Personal data is stored for as long as the end-user uses the Epassi services and thereafter for a maximum period of two years. Personal data processed and retained for transactional and financial information is stored for 10 years from the date of creation as required by mandatory law. The storing may continue for even longer periods of time based on the reasons presented in Sections 3.1 and 3.2.

3.4. Reporting to employer customers about used benefits

The personal data is processed in order to report to Epassi’s employer customers on benefit usage in relation to the allocated benefit. The processing is necessary in order to inform the employer customers of the use of employment benefits for payroll purposes, conclude salary deductions as well as for taxation and invoicing purposes. The personal data can also be processed and shared with employer customers to investigate fraud or misuse of benefits (or suspected cases thereof).

The personal data we process within the scope of this purpose include:

  • Amount of benefit given
  • Amount of benefit used
  • Employee name, email address, ID and department
  • 10 most popular merchants used by the employees
  • Benefit category (in Sweden)
  • If requested by the employer: individual benefit usage data i.e., amount of benefit used and place of purchase.

Legal basis: The processing of personal data is based on a contract. The processing of personal data is based on a legal obligation (fraud/misuse).

Retention period: Personal data is stored for as long as the end-user uses the Epassi services or as required by law in relation to fraud/misuse (10 years transaction history).

3.5. Storage of end-users’ transaction history   

The personal data is processed in order to store the end-users’ transactional history to establish or defend legal claims, if necessary.

The personal data we process within the scope of this purpose include:

  • Name
  • Company
  • Transactional information
  • Purchase history
  • Access logs

Legal basis: The processing of personal data is based on Epassi’s legitimate interest to store transaction history in order to establish or defend legal claims.

Retention period: Personal data is stored for a period necessary in order to establish, exercise or defend legal claims. For transactional and financial information, the storing period is at least 10 years as required by mandatory law.

3.6. User communications and marketing

The personal data we process within the scope of this purpose include:

  • Name
  • Email address
  • Telephone number
  • User preferences
  • User balances
  • Company (Employer)
  • Geographical location (in Sweden)

Legal basis: The processing of personal data is based on Epassi’s legitimate interest to promote Epassi’s products and/or services to the users. The processing of personal data is also based on the consent given by the data subject in relation to direct marketing in order to provide targeted marketing and advertising, as well as to provide marketing of third parties’ products or services. The data subject has the right to refuse personal data being used for direct marketing and may at any time recall prior consent.

The electronic user communications (as delivered via email) are conducted through APSIS, and Apsis International AB acts as the processor. More information on data transfers is provided in Section 6.

Retention period: Personal data is processed as long as the end-user remains a customer of Epassi and/or has accepted the relevant marketing opt-ins for direct marketing purposes.

3.7. Evaluation and follow-up of emails

The personal data is processed in order to evaluate and follow-up the email recipients’ actions when the email has been sent to the end-users of the Epassi services. This might also include generating aggregated statistics regarding the actions.

The personal data we process within the scope of this purpose include:

  • Email address
  • Information whether the data subject has opened an e-mail or any attached material or if the data subject has clicked on any links or deleted the e-mail

Legal basis: The processing of personal data is based on Epassi’s legitimate interest to be able to follow up on how the recipients of e-mail act when receiving e-mails from Epassi.

Retention period: Personal data is processed as long as the end-user remains a customer of Epassi and/or has accepted the relevant marketing opt-ins for direct marketing purposes.

3.8. Website, web analytics and cookies   

The personal data is processed in order to develop Epassi’s services using web analytics and cookies as well as to administrate our website and fulfill user requests.

The personal data we process within the scope of this purpose include:

  • IP address
  • User preferences
  • User device

Legal basis: The processing of personal data is based on the consent given by the data subject.

Retention period: Personal data is stored for a maximum period of two years.

3.9. Communicating with Epassi’s employer and merchant customers

The personal data is processed in order to communicate with Epassi’s employer and merchant customers’ contact persons.

The personal data we process within the scope of this purpose include:

  • Name
  • Email address
  • Phone number
  • Bank account number

Legal basis: The processing of personal data is based on Epassi’s legitimate interest to communicate with Epassi’s employer and merchant customers’ contact persons.

The personal data is processed by HubSpot, Inc. as a processor on behalf of Epassi.

Retention period: Personal data is processed/stored for as long as the employer or merchant customer’s contact person is identified as the contact person representing the company.

3.10. Marketing directed to contact persons of Epassi's employer customers

The personal details of the contact persons of Epassi’s employer customers can be used to market Epassi's and/or its partners' services.

The personal data we process within the scope of this purpose include:

  • Name
  • Email address
  • Phone number

Legal basis: The processing of personal data is based on consent by the contact person of Epassi’s employer customer.

Retention period: Personal data is processed/stored for marketing purposes during the marketing campaign and two (2) years after the campaign or until the contact person withdraws his/her consent.

3.11. Communicating with Epassi's financing partner for EpassiBIKE service

The personal data is processed in order to communicate with Epassi’s financing partner.

The personal data we process within the scope of this purpose include:

  • Name
  • Email address
  • Phone number
  • Social security number of a guarantor to a leasing agreement (only in exceptional circumstances when a guarantor is required by financing partner)

Legal basis: The processing of personal data is based on Epassi’s legitimate interest to communicate with Epassi’s financing partners’ contact persons.

The personal data is processed by Svea Bank AB or Svea Bank AB, filial i Finland or Tukirahoitus Oy as a processor on behalf of Epassi.

Retention period: Personal data is processed/stored for as long as the financing partner’s contact person is identified as the contact person representing the company.

3.12. Product deliveries

The personal data is processed in order to deliver products to Epassi’s end-users.

The personal data we process within the scope of this purpose include:

  • Name
  • Email address
  • Phone number
  • Delivery address for product(s)
  • Name of employer

Legal basis: The processing of personal data is based on a contract and on Epassi’s legitimate interest to communicate with Epassi’s employer and merchant customers’ contact persons.

The personal data is processed by Shopify, Inc. as a processor on behalf of Epassi.

Retention period: Personal data is processed/stored for as long as the end-user is employed by the same employer, is leasing a product from an employer, or as long as a certain legal obligation requires.

3.13. Support Matters

The personal data is processed in order to administrate the support matters for Epassi’s employer customers and end-users as well as to provide phone line support.

The personal data we process within the scope of this purpose include:

  • Contact details of the party initiating the support matter
  • Contact details of the person responsible for managing the matter
  • Information in text fields provided by the party initiating the support matter
  • Information in log files
  • Phone number

Legal basis: The processing of personal data is based on Epassi’s legitimate interest to administrate the support matters.

Retention period: Personal data is stored for this purpose only as long as necessary for the purpose it was collected and thereafter for a maximum period of 2 years.

3.14. Complying with legal obligations (accounting, bookkeeping etc.)

The personal data is processed in order to fulfil our legal obligations, such as obligations related to accounting or tax legislation.

The personal data we process within the scope of this purpose include:

  • All categories of personal data which have been collected and are necessary in order to comply with legal obligations.

Legal basis: The processing of personal data is based on a legal obligation.

Retention period: Personal data is stored for as long as a certain legal obligation requires. For example, in Finland the Accounting Act imposes an obligation to maintain information on the accounting’s supporting material for 6 years following the end of the financial year. In Sweden, the obligation is 7 years following the end of the financial year.

For processing activities that are based on a legitimate interest, we have carefully balanced such legitimate interest with the data subjects’ right to privacy and concluded that our interest outweighs the data subjects’ rights and freedoms.

Where the processing is such that a consent is required by the applicable legislation, we will state so and obtain the consent, and this will be the legal basis for the processing. However, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. If such withdrawal means that we are no longer able to provide our services, we may cease to provide the services.

4. DATA SOURCES

The personal data is mainly collected directly from the data subjects themselves, for example, at the time of registration or use of our services or during a customer relationship.

The personal data can also be collected from the end-user’s employer in relation to services which are provided by the employer and Epassi to the end-user. These are gathered based on the need to contract the end-user as a consumer customer of Epassi and create their personal account at Epassi.

The personal data may also be collected automatically when the data subject uses our services e.g., when using our end-user services and visiting our website.

In addition, and with the permission of the data subject, data may be collected in other ways in a marketing context.

Personal data may be updated and supplemented by collecting data from private and public sources.

5. RETENTION OF PERSONAL DATA

Personal data collected in connection with our services shall be retained as long as defined in this privacy policy and as required by the law unless such data is replaced through regular updates or otherwise. The periods vary greatly from one type of processing to another.

We evaluate the necessity and accuracy of the personal data on a regular basis and endeavor to ensure that the incorrect and unnecessary personal data are corrected or deleted.

Detailed retention times can be provided upon request.

6. DISCLOSURES, TRANSFERS AND RECIPIENTS OF PERSONAL DATA

For the purposes stated in this privacy policy, the personal data may be disclosed, when necessary, to authorities, among and to other companies within the same group of companies of Epassi, and to selected third parties, such as third-party service providers (such as our IT vendors and marketing agencies conducting marketing on our behalf etc.). In such case, the personal data will only be disclosed for purposes defined above and any disclosure is always limited to only the strictly necessary personal data included in such purposes. We do not sell or otherwise disclose personal data to any third parties outside Epassi for such third parties’ own purposes.

Regular disclosures of personal data undertaken to third parties in order to provide the agreed services:

  • To Epassi Partners, where such partner’s customer is also an Epassi end-user, and the two purposes coincide and require cross-transferring or matching of personal data;
  • To Epassi Merchants, as required for financial and payment processing related purposes while using the services;
  • To provider(s) of financial services for financing products provided under Epassi’s product portfolio.

In addition, Epassi may share the personal data in connection with any merger, sale of our assets, or a financing or acquisition of all or a portion of our business and in connection with other similar arrangements.

The personal data is also disclosed to third parties if required under any applicable law or regulation or order by competent authorities, and to investigate possible infringing use of the products and services as well as to guarantee the safety and usability of the Epassi products and services.

In order for Epassi to provide the agreed services, personal data is processed also by the following processors of Epassi. List of the processors and other recipients:

  • APSIS International AB (Marketing tool)
  • BitBot Oy (Support tool for Epassibike)
  • Cellip AB (Support tool)
  • Epassi Finland Oy (IT operations)
  • Fortnox AB (Finance tool)
  • Freshworks Inc. (Support tool)
  • Google LLC (Google Analytics, Google Ads)
  • HeadQ Oy (Digital Commerce Platform)
  • Hetzner Online GmbH (Hosting the online service platform)
  • HubSpot, Inc. (CRM tool)
  • InExchange Factorum AB (Electronic invoicing)
  • Kund-o AB (Support tool used for case management)
  • Lime Technologies AB (CRM tool, Epassi's Swedish employer and merchant customers' contact persons, only applicable in Sweden)
  • Mainloop AB (IT-development)
  • Microsoft Corporation (Business tools)
  • Oneflow AB (Digital Contract platform)
  • Oura Health Oy (Marketing Partner)
  • Parvus Vulpes Oy (Platform tool)
  • Sharpspring (Marketing tool)
  • Shopify (Platform for EpassiBIKE)
    • Lightward Inc. (Functionality tool in Shopify)
    • HulkApps Inc. (Functionality tool in Shopify)
    • Instacollect Inc. (Functionality tool in Shopify)
  • Signicat AS (Identification authentication service)
  • Svea Bank AB and Svea Bank AB, filial i Finland or Tukirahoitus Oy (EpassiBIKE financing partner)
  • Telavox AB (Support tool)
  • Telia Finland Oyj (Strong authentication)
  • Tradedoubler AB (Marketing partner)
  • Visma Solutions Oy (Netvisor and know your customer).

7. DATA TRANSFERS OUTSIDE THE EU/EEA

Some of the services used by Epassi for processing personal data may operate outside the territory of the European Union (EU) or the European Economic Area (EEA). Thus, personal data can be transferred outside the European Union and the European Economic Area. In case personal data is transferred outside the EU/EEA, such transfers are either made to a country that is deemed to provide a sufficient level of privacy protection by the European Commission or transfers are carried out by using appropriate safeguards such as Standard Contractual Clauses (SCC) adopted, including any supplementary measures, where assessed to be necessary, or otherwise approved by the EU Commission or competent data protection authority in accordance with the GDPR.

The following recipients may transfer personal data outside the EU/EEA:

  • HubSpot, Inc. (Epassi’s Finnish employer and merchant customers’ contact persons data)
  • Shopify, Inc. (Epassi’s end-user data for EpassiBIKE)
    • Lightward Inc. (Functionality tool in Shopify)
    • HulkApps Inc. (Functionality tool in Shopify)
    • Instacollect Inc. (Functionality tool in Shopify)

8. PROTECTION OF PERSONAL DATA

Securing the confidentiality, integrity, and availability of personal data is important to Epassi. Epassi's Security Management System is based on the requirements from laws, regulations, contracts and certain standards (such as ISO 27001). The Security Management System consists of appropriate technical, administrative, and organizational security measures to protect personal data against unauthorized access, disclosure, destruction, or other unauthorized processing.

Administrative and organizational measures:

  • Dedicated servers in two different geographical locations in the EU. Facilities are certified against an internationally recognized information security standard.
  • Role based access rights management

Technical measures:

  • Firewalls
  • Backups
  • Access controls
  • Monitoring of processing
  • Safe encryption technologies
  • Encrypted network connections (HTTPS)

Nevertheless, considering the cyber threats in the modern online environment, we cannot fully guarantee that our security measures will prevent illegally and maliciously operating third parties from obtaining access to personal data, nor can we guarantee absolute security of the personal data during its transmission or storage on our systems.

All parties processing personal data have a duty of confidentiality in matters related to the processing of personal data. Access to personal data is restricted to those employees and parties who need it to perform their duties. We also require our service providers to have appropriate methods in place to protect personal data.

9. USE OF COOKIES AND SIMILAR TECHNOLOGIES

The Epassi website uses cookies.

A cookie is a small text file that is stored on your computer and contains information. Cookies are normally used to improve the website for you as a visitor. There are two types:

One type saves a file that remains on the visitor's computer. This file is used, for example, to make it easier for you to use the website according to your preferences and interests.

The second type is called a session cookie. While a visitor is on a website, it is temporarily stored in the visitor's computer memory. Session cookies disappear when you close your browser. No personal information is stored about you, such as your email address and name.

Our website uses both types. When you visit the site, a session cookie is sent between your computer and our web server to facilitate navigation, among other things. Session cookies are also used when you use our e-services. The cookie disappears when you end your visit.

Our website also uses Google Analytics to collect anonymous data for service development purposes.

10. AUTOMATED DECISION-MAKING AND PROFILING

Epassi does not use any automated decision-making or profiling pursuant to Article 22 of the GDPR.

11. RIGHTS OF THE DATA SUBJECTS

The data subject has certain rights in relation to the processing of personal data under applicable data protection laws.

Right of access and right of inspection

The data subject has the right to obtain confirmation as to whether or not personal data concerning them is being processed.

The data subject has the right to inspect and view data concerning them and, upon request, the right to obtain the data in written or electronic form. This applies to information that the data subject has provided to Epassi insofar as the processing is based on a contract/consent.

Exercising this right is generally free of charge.

Right to rectification and right to erasure

The data subject has the right to demand the rectification of incorrect personal data concerning them and to have incomplete personal data completed.

The data subject has the right to require Epassi to delete or stop processing the data subject’s personal data, for example where the data is no longer necessary for the purposes of processing. However, please note that certain personal data is strictly necessary in order to achieve the purposes defined in this privacy policy and may also be required to be retained by applicable laws.

Right to data portability

The data subject has the right to receive the personal data that he or she has provided to Epassi in a structured, commonly used, and machine-readable format and, if desired, transmit that data to another controller. The right to data portability applies to the processing of personal data based on consent or a contract.

Right to restriction of processing

The data subject has the right, under conditions defined by data protection legislation, to request the restriction of processing of his or her personal data. In situations where personal data suspected to be incorrect cannot be corrected or removed, or if the removal request is unclear, Epassi will limit the access to such data.

Right to object to processing

The data subject has the right to object to the processing of his or her personal data where Epassi is relying on its legitimate interests as the legal ground for processing. For example, the data subject may object to his or her personal data being used for marketing purposes.

Right to withdraw consent

In cases where the processing is based on the data subjects’ consent, the data subject has the right to withdraw his or her consent to such processing at any time.

Right to lodge a complaint with a supervisory authority

The data subject has the right to lodge a complaint with a competent data protection authority if the data subject considers that the processing of personal data relating to the data subject infringes current legislation.

However, we request that the matter first be dealt with directly with Epassi.

The relevant authority in Finland is the Data Protection Ombudsman (http://www.tietosuoja.fi).

In Sweden, the relevant authority is the Swedish Data Protection Authority (https://www.imy.se/).

Exercising rights

Requests regarding the rights of data subjects shall be made in writing or in electronic form, and the request shall be addressed to the controller, Epassi.

Identity will be checked before the information is given out, which is why we may have to ask for additional details. The request will be responded to within a reasonable time and, where possible, within one month of the request and the verification of identity.

If the data subject’s request cannot be met, the refusal shall be communicated to the data subject in writing. Epassi may refuse the request (for example erasure of data) due to a statutory obligation or a statutory right of the company, such as an obligation or a claim relating to our services. Please note that Epassi may charge a reasonable fee where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character.

The data subject may exercise the aforementioned rights by sending a written request by email or mail using the contact information provided in this privacy policy, including the following information: name, phone number, email address, user id and details of the products and services you have used.

If you have any questions relating to our data protection policies or wish to exercise your rights, please do not hesitate to contact us.

12. CHANGES TO THIS PRIVACY POLICY

Epassi may make changes to this privacy policy at any time by giving a notice on the website and/or by other applicable means. The data subjects are highly recommended to review the privacy policy on our website every now and then.

If the data subject objects to any of the changes to this privacy policy, the data subject should cease using the services, where applicable, and he/she can request that we remove the personal data, unless applicable laws require us to retain such personal data. Unless stated otherwise, the then-current privacy policy applies to all personal data we process at the time.

This privacy policy was published on 21.10.2021, version 1.0.

Version history

| Version number | Change description | Date |
|---|---|---|
| 1.0 | Document created | |
| 2.0 | Document updated | 25.2.2022 |
| 2.1 | Document updated | 17.3.2022 |
| 2.2 | Document updated (EpassiBIKE) | 21.6.2022 |
| 2.3 | Document updated | 3.5.2023 |
| 2.4 | Document updated | 21.11.2023 |
| 2.5 | Document updated | 19.12.2023 |
| 2.6 | Document updated | 15.3.2024 |
| 2.7 | Document updated | 12.9.2024 |
| 2.8 | Document updated | 25.6.2025 |