The data protection policy of MPS Enterprises

Ensuring data protection is part of MPS Enterprises’ compliance activities, risk management and our operating principles that are based on ethical guidelines. The data protection policy defines how all the operations and operating countries of MPS Enterprises Group will aim to ensure the lawfulness of the processing of personal data and a high level of data protection.

This data protection policy has been approved by the management team and the information management team of MPS Enterprises.

1 The scope and aims of the data protection policy

Data protection covers the protection of an individual’s private life and other rights protecting privacy in connection with the processing of personal data.

The data protection policy aims to ensure the rights of the customers, employees and other stakeholders of MPS Enterprises pursuant to the legislation of each operating country of MPS Enterprises as well as to ensure the rights of the data processor and the compliance with obligations when processing personal data. When ensuring data protection, special attention should be paid to the confidentiality of personal data as well as to preventing unauthorised persons from accessing the data and to making sure that the data is not used in a way that is damaging to the data subject.

Data protection is closely connected with data security. The data security policy of MPS Enterprises defines what is meant by data protection and how it is maintained.

2 The life cycle and use of the data

All MPS Enterprises information systems and the data stored in them are located in the EU.

The processing of personal data is carried out on the basis of the data subject’s consent or another basis specified in the applicable legislation. Personal data is only processed for legitimate purposes and only to the extent and for as long as required by the purpose for which it is processed. We try to ensure the accuracy of the data being processed, and updated data may be collected from the data subject themselves or from reliable sources. The data will be erased when it is no longer needed.

The data is used for the purposes stated in connection with the data being collected within the limits set by current legislation. The data is only disclosed on explicitly stated or legal grounds to parties that have been explicitly stated or specified in the legislation. The data may be transferred outside the country where the controller is located provided that the legislation that applies to the personal data file in question allows the transfer. In these cases, we will comply with the potential procedures applying to the transfer laid down in the legislation of each country.

3 Informing the data subjects

The controller is the company belonging to MPS Enterprises for whose purposes the personal data has been collected. The documentation required by Finnish and EU legislation will be produced for each personal data file. The data subjects will be given the legally required or otherwise necessary information about the processing of personal data as the personal data is being collected. When possible, the information can also be made available in other ways, e.g. it can be published on the controller’s website.

4 Responsibilities and organisation

The operations and group management teams are responsible for the implementation of data protection in their own units. Every MPS Enterprises employee must know and manage the data protection regulations and risks of their own area of responsibility. Each business unit is responsible for the resource allocation for and practical implementation of data protection in their own unit. Business units are also responsible for data protection when outsourcing the processing of personal data. The unit ensures that the chosen partner complies with this data protection policy. Written agreements specifying the responsibilities and obligations of the parties are always drawn up when outsourcing the processing of personal data.

5 Ensuring data protection

Matters concerning data protection are included in the orientation of the employees who will process personal data, and all employees will undergo online training in data protection at MPS Enterprises. In addition, training in data protection is regularly organised for all employees.

All persons processing personal data are bound by a statutory or otherwise agreed and documented obligation of secrecy. Every MPS employee has signed a non-disclosure agreement in connection with signing the employment contract.

Access to information systems containing personal data is controlled using the Group’s identity management solution or other documented measures. Log data is collected for all personal data files to the extent required by law or to an extent that is otherwise sufficient.

If data protection is suspected or known to be compromised, the matter will be investigated without delay. Furthermore, the data subject whose personal data has been compromised must be notified without delay provided that notifying the data subject is necessary for taking remedial action or limiting the damage. Each business unit or controller assesses and monitors compliance with the data protection policy in their own operations.

6 Procedure if data protection has been compromised

We consider actions that infringe either the laws concerning the processing of personal data, this data protection policy or the instructions given based on it to be actions that compromise data protection. If we determine that the action that compromises data protection meets the criteria for an offence, we will report the matter to the authorities. If the action that compromises data protection does not meet said criteria but nevertheless compromises data protection, the person who committed the action could be reprimanded, warned or dismissed.

7 Informing employees, data subjects and stakeholders

The employees of MPS Enterprises will be informed of this data protection policy and any changes to it through the MPS Enterprises intranet. The data protection policy will be updated as necessary. In addition to this, intra-company instructions about matters related to data protection will be given within MPS Enterprises.