Privacy notice – combined description of file and information sheet

Personal Data Act (523/1999), Sections 10 and 24
Valid from December 1, 2016

1. Controller

ePassi Payments Oy, 2090737-1
Pohjoinen Rautatiekatu 25
00100, Helsinki

2. Contact person for the data file

Samppa Sarja
ePassi Payments Oy
Pohjoinen Rautatiekatu 25
00100 Helsinki
Tel. +358 45 127 6920

3. Name of the data file

ePassi user data file

4. Purpose of the data file

The data file is maintained for the purposes of identifying the users of the electronic payment system and maintaining the service relationship (including, among other things, administration, quality assurance, development, customer service, verification of service events, and prevention of misuse). The purpose of the data file is to identify persons during a payment transaction and/or persons entitled to a non-taxable employee benefit during a payment transaction and to maintain a transaction history regarding the use of the payment system as required by the Tax Administration.

The data file is not public. The employer cannot access the transaction history of an individual person. At the individual level, the employer can only access the information on the used benefits as required by the Tax Administration. More information on the disclosure of information is under Item 7, Disclosure and transfer of information.

The customer service personnel of ePassi processes employee data during a customer service event. Only some of the data file controller’s personnel can view the data file as required by their duties. All of the data file controller’s personnel have signed a non-disclosure agreement.

5. Contents of the data file

As a minimum requirement, the register stores the person’s name and telephone number. Furthermore, it stores the usage history of non-taxable employee benefits for the period specified by the Tax Administration and/or payment transaction history. The mandatory details for each person are:

  • Last name
  • First name
  • Telephone number
  • Credentials (information required for logging in)

Furthermore, the following can be stored as requested by the employer:

  • Email address
  • Employee’s ID number assigned by the employer
  • Employee’s department
  • Employee’s location
  • Other information provided by the employer relevant for benefit usage statistics
  • Terms of employment (part-time percentage and activation, interruption, and expiration dates for the employee’s benefit)
  • Benefits available to the employee

The information may also include the personal ID if it is required by the law or, for example, the Financial Supervisory Authority’s instructions. Primarily, the information is provided by the employer in connection with the implementation of employee benefits. The employee may update their email address at a later time. In connection with a payment transmission transaction, information is collected on the service provider the customer has used. The following details are stored in addition to the above information:

  • Customer communication, feedback and contact history
  • System logs and data related to the processing of information
  • Information related to the use of online services
  • Username and password
  • Access rights
  • Address in connection with each login to the service

Address in connection with each login to the service

ePassi only stores the information necessary for ePassi’s operations and the intended purpose if there are legitimate prerequisites for processing it. If a piece of information is no longer useful for its purpose or becomes outdated or if there are no grounds for processing it, it is destroyed securely.

Personal information is stored in the data file for the period when the customer is employed by an employer that uses the payment service of if the customer remains ePassi’s customer after the termination of employment (for example, if the customer has unused personal balance). The data subject’s payment system usage history is maintained for the period specified by the authorities (five following calendar years and the current tax year).

The employee is entitled to request the employer to remove the employee’s name from the data file during the validity period of the benefit, in which case the employee cannot use the non-taxable employee benefits. A private customer is entitled to request the closure of their account through ePassi’s customer service.

As allowed by law, information related to a customer may be obtained and updated also from external data sources for the purposes communicated to the customer.

The data subject is entitled to forbid the controller from processing the data subject’s information for the purposes of direct advertising, remote sales and other direct marketing, and market and opinion research.

6.Use of cookies

ePassi uses session-specific cookies in its online service for providing services and facilitating the use of the service. The customer may enable or disable the use of cookies in the browser settings.

7.Disclosure and transfer of information

The customer’s personal information is not disclosed outside ePassi or third parties working for ePassi that maintain or improve the service or participate in the production of the services. Information is disclosed to the authorities (including the tax authorities, police, or the Financial Supervisory Authority) only as required by law. Personal information may be disclosed for scientific research or statistical purposes as set forth in the Personal Data Act. In connection with a payment transaction, the name of the payer and, under certain conditions, the employer’s details are communicated to the service provider for verifying the payer’s identity.

No personal information is transferred outside the European Union or the European Economic Area.

8.Data protection principles

The data security of the ePassi customer data file and the confidentiality, integrity, and availability of the personal information are ensured through appropriate technical and administrative measures. The personal information is secured against unauthorized access and unlawful or accidental processing. The personal information is only processed by personnel specifically appointed by ePassi and, as assigned by ePassi, by third parties that maintain or develop the services whose duties involve the processing of personal information.

The online service offered by ePassi is protected with an SSL certificate that helps the customer authenticate the service. The data systems connected to the data file use SSL server certificates for authentication.

9.Right of access

In accordance with Sections 26 to 28 of the Personal Data Act, the data subject has the right of access to the data on him/her in the personal data file. The data subject can see their information stored in the data file by logging into the service with their personal credentials. Furthermore, a written, signed access request can be mailed to: ePassi Payments Oy, Rekisteriseloste/S. Sarja, Pohjoinen Rautatiekatu 25, FI-00100 Helsinki, Finland. The access request must include the details necessary for locating the information, the person’s name and their mailing address.

10.Rectification

The employer of a data subject may update and change the data subject’s information by logging into the ePassi online service. An employee must contact their employer for any requests to update their information, except for their email address and password.