Privacy Policy
Ensuring and maintaining privacy is a highly important priority for Netox. Our services are built on skilled individuals, strong certified and secure practices, and tested technology. Privacy is crucial and deeply integrated into our operations.
Netox protects the privacy of data subjects and adheres to the General Data Protection Regulation (GDPR) of the European Union (2016/679) as well as other applicable data protection laws and best practices.
In our privacy policies, we outline how we handle your personal data. These privacy policies may be updated as needed, for example, in response to changes in legislation.
Privacy Policies:
1. Customers
Here we explain how personal data is processed for the management of customer relationships.
Data Controller
Netox Oy
Krouvintie 4
90400, Oulu
tietosuoja@netox.fi
Netox acts as the data controller for the data collected for the management of customer relationships. When performing tasks agreed upon with the customer (assignments), such as IT support services, Netox acts as a data processor and the customer as the data controller, whereby processing takes place according to written instructions received from the customer.
How We Process Your Personal Data
Management of Customer Relationships
- Netox processes personal data to maintain customer relationships and, for example, to provide customer service via telephone, email, and our digital channels.
- We also process personal data for contractual purposes and invoicing.
Providing the service
- Netox processes personal data for the provision of services. We inform our customers by providing notifications related to our services. We conduct analysis and reporting related to the service provided to the customer to offer our customers the best possible solutions and services.
- In assignments from the customer, Netox acts as a processor of personal data (for example, data of the customer’s employees).
Product and Service Development
- We process personal data as part of service development. Our goal is to improve customer understanding and to create services that better suit your interests.
What is the legal basis for processing personal data
- Execution of a contract and compliance with legal obligations.
- Legitimate interests, such as developing, improving, and selling our services, as well as maintaining good customer relationships by utilizing customer feedback and surveys.
What personal data we process
For the processing and execution of contracts, the following data about the customer (company or individual) is collected:
- Name (company, contact person)
- Email address
- Phone number
- Address information
- Billing information
The information is primarily collected from the customer themselves at the time of contract formation. Information may also be collected during negotiations prior to the contract or when the customer requests a quote for Netox’s services.
What personal data we process in connection with customer assignments
We process, for example, data about the customer’s employees.
- Name
- Email address
- Phone number
- Home address
- IP address
- Computer name
- Employer
- Supervisor
- Job title
- Position
How we protect and retain your personal data
The personal data held by Netox is processed in a server environment with a very high and certified (ISO/IEC 27001 / ISO 20000-1) level of security. Our services comply with the requirements of the General Data Protection Regulation (GDPR) for data processing and protection. Access to data is only granted to personnel who require it for their work, and all usage is logged, with logs retained for the duration required by applicable legislation.
Netox staff are trained professionals in the field who adhere to Netox’s security and privacy policies in their work. They receive regular training in both security and privacy matters. Both Netox staff and subcontractors used by Netox are bound by confidentiality regarding all information they handle.
Do we transfer or disclose your personal data
Netox partially uses subcontractors for service provision. These may include, for example, the supplier of the invoicing system, the supplier of the customer service system (ticketing system), and the supplier of the server environment. Netox uses secure partners operating in the EU/EEA area, whose secure operation is ensured both contractually and, if necessary, through audits. Required partners for service provision are approved in the contract.
Customer data is stored in Netox’s data centers in the EU/EEA area. If Netox processes data located on the customer’s own servers outside the EU/EEA area in connection with customer assignments, it is processed there via remote connection from Finland.
Netox does not disclose the personal data it receives from customers or in connection with assignments to others unless required by applicable legislation.
2. Marketing
Here we explain how personal data is processed for marketing purposes.
Data Controller
Netox Oy
Krouvintie 4
90400, Oulu
tietosuoja@netox.fi
How we process your personal data
Marketing
We process personal data of our customers and potential customers for marketing communications, such as newsletters, to inform them about our existing and new services, as well as other relevant topics.
Contests and competitions
We process personal data of participants in contests and competitions to conduct the draw and to contact the winner and award the prize.
Events and webinars
We process personal data of those registered for events and webinars to organize the events and to communicate before and after the event.
Legal basis for processing personal data
Anyone can subscribe to Netox’s newsletter. Subscribing to the newsletter is consent to receive the newsletter, and the subscription can be canceled at any time by using the “unsubscribe” link in the newsletter. After unsubscribing, your email address will be removed from Netox’s systems. The email address requested during subscription is used only for delivering the newsletter.
Legitimate interest, such as marketing communications to existing and B2B customers. Recipients can opt out of electronic marketing by using the “unsubscribe” link in the messages.
What personal data we process
Personal information:
- Name (company, contact person)
- Email address
How we protect and retain your personal data
Our services comply with the requirements of the General Data Protection Regulation (GDPR) for data processing and protection. Access to data is restricted to personnel who require it for their work, and all usage is logged, with logs retained for the duration required by applicable legislation.
Netox staff are trained professionals who adhere to Netox’s security and privacy policies in their work. They receive regular training in both security and privacy matters. Both Netox staff and subcontractors used by Netox are bound by confidentiality regarding all information they handle.
Do we transfer or disclose your personal data
We may transfer personal data outside the EU or the European Economic Area (EEA) if our trusted service provider operates completely or partly outside these territories. In these cases, we will ensure appropriate safeguards in accordance with the applicable data protection legislation, for example by using the European Commission’s standard contractual clauses.
Netox does not disclose personal data obtained in connection with customers or assignments to others unless required by applicable legislation.
3. Whistleblowing channel
Here we explain how personal data is processed for the purposes of the Whistleblowing channel.
Data Controller
Netox Oy
Krouvintie 4
90400, Oulu
tietosuoja@netox.fi
Legal basis for processing personal data
The purpose of the whistleblowing reporting channel is to ensure that Netox Oy complies with its ethical guidelines and the legislation referred to in § 2 of the Whistleblower Protection Directive regarding, e.g., protection of privacy and personal data, harassment, environmental protection, and prevention of bribery.
Investigation of suspected misconduct
The personal data contained in reports submitted to the Whistleblowing channel, as well as any personal data arising during the investigation of the reports, are used for the purpose of investigating and preventing misconduct.
Legal basis for processing personal data
The processing of personal data is based on a legal obligation (Whistleblower Protection Directive) and Netox’s legitimate interest in ensuring the legality of its operations and ethically sustainable conduct.
What personal data we process
Information is collected from reports made through the Whistleblowing channel and from Netox’s internal sources during the investigation, including relevant employees and systems.
Reports can be made by Netox employees, temporary employees working for Netox, and other relevant stakeholders such as Netox partners. The handling of reports received through the Whistleblowing channel is the responsibility of Netox’s Whistleblowing team.
Reports can be made anonymously. Depending on the subject matter of the report and the content provided by the reporter, reports may contain personal data of the reporter, the subject of the report, and other relevant individuals. These may include:
- Basic information such as name and contact details and position at Netox.
- Information provided in the report, including the description and basis of the alleged misconduct and all other relevant details, such as location data and event details.
- Investigation data, including all information required for investigating the alleged misconduct.
Netox removes personal data that is deemed irrelevant or excessive for the relevant matter. Generally, sensitive personal data (such as ethnic origin, religion or belief, sexual behavior and orientation, health, political opinion, and membership of a trade union) are not processed in the whistleblowing process. If any sensitive personal data is processed, for example, when processing is necessary for preparing, presenting, or defending a legal claim, processing is carried out in accordance with local and EU legislation.
Registered individuals include the reporters, the subjects of the reports, and the handlers. It should be noted for clarity that Netox does not process personal data of the reporter if the report is made anonymously.
Do we transfer or disclose your personal data
Personal data is stored in the EU/EEA area. Information may be disclosed to third parties to comply with applicable laws, regulations, and/or court orders.
How we protect and retain your personal data
Netox processes the personal data it holds confidentially, and individuals involved in processing reports are bound by confidentiality obligations. The reporting process is encrypted and protected with a password. Anonymity of the reporter is ensured through technical functions of the system both during reporting and monitoring. All communication is fully encrypted during storage and transmission. Two-factor authentication ensures secure use of the case management system, ensuring that only authorized individuals have access to the reports.
A limited number of individuals involved in processing reports containing personal data are granted access according to the permissions granted by Netox. Access rights are personal, regularly reviewed, and revoked when no longer needed by the user.
Data is retained only for as long and to the extent necessary to fulfill the purposes defined in this privacy policy. Material collected during investigations is securely stored until the expiration of the claim presentation period, after which the material is destroyed. Information is typically retained for up to two (2) years after the end of the investigation. The retention period may vary according to mandatory legal requirements, such as laws concerning occupational safety, corruption, ethics, and accounting.
If a claim is found to be unfounded, the information is promptly deleted.
4. Privacy policy for recruitment
We explain how we process personal data of individuals (“data subjects”) who submit job applications.
Data Controller
Netox Oy
Krouvintie 4
90400, Oulu
tietosuoja@netox.fi
How we process your personal data
Netox processes personal data of data subjects to carry out recruitment. The purpose of the recruitment process is to select individuals suitable for Netox’s needs.
Data subjects can submit their applications to Netox through the Recruitee service. Only designated individuals have access to applications, and only designated individuals process the applications. All information related to job applications is collected directly from the data subject.
Legal basis for processing personal data
Personal data of job applicants is processed in accordance with applicable legislation either at the request of the data subject or for the performance of a contract in which the data subject is involved, or for the implementation of pre-contractual measures at the request of the data subject.
What personal data we process
During the recruitment process, processed data may include:
- Basic personal information (name, date of birth, contact details)
- Information about education, work experience, and skills
- Possible job application, CV, and photo
- Information related to the job search
- Information related to personal and suitability assessments
Do we transfer or disclose your personal data
Personal data is stored in the EU/EEA area. Information may be disclosed to third parties to comply with applicable laws, regulations, and/or court orders. When recruitment leads to employment, application data is transferred to Netox’s HR system, and statutory reporting obligations are fulfilled towards different authorities.
How we protect and retain your personal data
Netox ensures data security with appropriate administrative and technical security measures. For information about the data protection and security of the Recruitee system, you can read more here: https://recruitee.com/privacy-policy
When applying for an open position, personal data is retained after the end of recruitment for as long as necessary to fulfill Netox’s rights and obligations and respond to potential claims. However, the retention period is no more than two (2) years from the recruitment decision. With the applicant’s consent, their information may be kept for other open positions or future recruitment for a maximum of two (2) years. Upon the applicant’s request, their data will be deleted if there is no justification for retaining it.
5. Rights of data subjects
Right of access to personal data
Data subjects have the right to request access to their personal data within the limits and in accordance with data protection legislation. Data subjects have the right to information about how and for what purposes their personal data is processed.
Right to rectification of data
Data subjects have the right to request rectification of their data within the limits and in accordance with data protection legislation.
Right to erasure of data
Data subjects have the right to request erasure of their data within the limits and in accordance with data protection legislation.
Right to restriction of processing
Data subjects have the right to request restriction of the processing of their personal data within the limits and in accordance with data protection legislation.
Right to object
Data subjects have the right to object to the processing of their personal data within the limits and in accordance with data protection legislation. Data subjects have the right to object to processing actions based on the legitimate interests of the data controller. The objection must specify the situation on the basis of which the data subject objects to the processing.
Right to data portability
Where data subjects have provided data to the data controller themselves, they have the right to receive their personal data in a structured, commonly used, and machine-readable format and to transfer that data to another controller within the limits and in accordance with data protection legislation.
Right to withdraw consent
If personal data is processed based on the data subject’s consent, the data subject has the right to withdraw consent.
Right to file a complaint with the authority
Data subjects should note that there may be conditions associated with exercising these rights, and Netox may have the right to reject requests. If a request is rejected, the reasons for rejection will be communicated to the data subject.
Processing of data requests
Data requests should be sent to tietosuoja@netox.fi.