Instructions for the personal data processor at Peppi

Process personal data in accordance with these instructions. You should also follow the instructions when transferring, storing, and archiving personal data. In addition to these instructions, please comply with applicable legislation regarding personal data. To the extent that these guidelines conflict with legislation, the requirements of the legislation shall apply.
The personal data processor must follow the following instructions:

1. Follow the duty of confidentiality.
2. Comply with information security requirements.
3. Delete or return the personal data to the data controller at the end of the processing. You should also delete any copies you have of them.
4. Report a possible detection of a data security breach immediately.
5. Do not outsource personal data processing tasks without the controller’s prior written consent.

The General Data Protection Regulation defines special categories of personal data for which stricter criteria have been set. Under the GDPR, special categories of personal data include, for example, data concerning minors. If data belonging to the special categories of personal data are to be processed, it must be carefully clarified that the processing of data is permitted under the Article 9 of the GDPR.

The handling of criminal records extracts is regulated in special legislation, for example the law on investigating the criminal background of those working with children, the law on public procurement and license agreements. In addition, the processing of personal data related to criminal convictions and violations has its own article in the data protection regulation.

Considerations for the personal data processor
You must always ensure that personal information does not become available to any unauthorized persons, regardless of whether the information is processed in information systems, on paper, using pictures, by talking on the phone or face-to-face. Also make sure that the place is suitable for processing personal data. Outsiders are not allowed to hear what is being said or see what information is being used.

Processing of personal data is always done based on the work duties and using your own user credentials. You can’t use other people’s credentials to process any personal data. Everyone is responsible for any personal data processing done using their credentials (username, access rights, access codes etc.). Your credentials should not be made available for others.

Log data is a record of the activities and events that occur in our information system, such as adding, deleting, changing, or viewing data. Log data can be used to monitor or check who has processed personal data in the system. Personal data may not be copied outside of the information system.

Ensure that personal data is transferred and stored only in authorized locations and devices, where it is processed in accordance with the register statement.

Secure e-mail can be used to send personal information between parties. Messages containing personal information should be deleted.

The use of paper printouts should be avoided if possible. If printouts are needed, material containing personal data must be stored in such a way that it cannot be accessed by unauthorized persons. Pay special attention when mailing paper documents containing personal data. Use envelopes or other appropriate packaging to prevent accidental or intentional disclosure. Take special care when transferring paper documents containing personal data from one place to another. Do not leave them unattended or exposed in public areas, such as printers, copiers, or desks. Papers containing personal data should be destroyed as data protection material.

A data breach is a serious security incident that involves unauthorized access, disclosure, or use of data, whether in electronic or paper form. If you discover or suspect a data breach, you must report it immediately to the appropriate authority.