Description of Data Protection and Descriptions of Registers

Talenom Privacy Policy

Last updated:  August 15th 2022

 

This Privacy Policy (“Privacy Policy” or “Policy”) applies to the Talenom Group and its subsidiaries located in Finland and Sweden. This Privacy Policy describes the data security and data protection practices, processes and technology that Talenom uses to protect its customers’ data. The policy applies to Talenom’s website, digital services targeted at customers and the production systems for financial management services.

 

Data protection principles

Talenom’s data protection principles include communicating the purpose of data processing and the criteria for making data processing legitimate, protecting the data by technical, administrative and physical means, as well as providing the statutory right of access and right to request changes to the data.

 

Limitations

This Privacy Policy does not apply to third-party websites, applications or services that may be available through the additional services of partners offered as part of Talenom’s services. By opening a partner website, the customer exits Talenom’s service, in which case a third party can collect and share information about the customer. Talenom recommends that before agreeing to the collection and use of his or her personal data in any third-party service, the customer should always review the data protection practices of the service in question.

 

Personal data Registers and descriptions of Registers

Marketing Register

Customer Data Register

Personal Data Register for Specialist Services

Phone Call Recordings

Recruitment Register

 

Processing of personal data on behalf of the controller

In some of its services, Talenom will process personal data on behalf of a customer. In such cases, the customer is the controller of the personal data Register thus created and Talenom is the processor of personal data as referred to in the EU General Data Protection Regulation (GDPR). The measures related to the processing of personal data are always agreed on a case-by-case basis with the customer, using the description of the measures for processing personal data included in this document: Statement of Processing operations.

 

Technical protection of data registers

Data contained in personal data Registers that are processed electronically are protected by digital means: using firewalls and passwords, offering Talenom’s customers two-factor authentication to the customer information systems and using other technical means generally accepted in the security industry. Data transfer between the customer and Talenom is encrypted using Transport Layer Security (TLS) technology in the following Talenom services: Talenom Online, Talenom App, Mezo and Talenom Link, Talenom Kevytyrittäjä and Tilijaska. Data are backed up regularly and backups are stored in a separate location from the primary data.

 

Talenom conducts internal and third-party assessments that cover both the technical security of critical information systems and the processes and guidelines related to administrative data security and data protection.

 

Administrative protection of data registers

Talenom has an information security policy that every new employee must read through when joining Talenom. Employees are informed of the existence and location of the information security policy, and reminded of its binding nature, at regular information security training sessions. The information security policy describes the general rules for information security and data protection that are binding on employees, including technical rules, information security processes, as well as practices and guidelines applicable to daily work.

 

The information contained in the registers is accessible to Talenom’s employees and to employees of companies operating on Talenom’s behalf based on access rights granted to them.

 

The access rights of users are monitored regularly, and the user access management policy prohibits the creation of dangerous combinations of access rights. The access rights of the administrators of various systems, in particular, are reviewed regularly and removed when the user no longer needs them. The access rights of departing employees will be deleted from all systems at the termination of employment.

 

Customer data are only processed by the employee assigned to that particular task. Processing customer data on any other grounds is prohibited, even if the employee has technical access to the data due to his or her role or for business reasons.

 

All Talenom employees, and any external persons operating on behalf of Talenom, are bound to secrecy regarding all customer and personal data held by Talenom. The obligation of secrecy is specified in the employment contracts of Talenom employees and agreements concluded with third parties.

 

Physical protection of data registers

Customer data are processed in information systems located in a data center in Finland or in cloud services within the European Union. In the data centers located in Finland, the most important production systems have been duplicated and placed in two physically separate data centers to keep the data safe and secure the continuity of service under normal and emergency conditions. The data centers have certified security practices, access control and supervision in place maintained by the service provider.

 

The e-mail service used for customer communications and the systems for statistics on the use of digital customer systems are located on servers in the United States and are protected by those service providers in accordance with European Union data protection legislation. Statistical data in digital systems do not contain personally identifiable information.

 

Materials that are maintained manually are located on premises that have access control to prevent unauthorized access. The most important premises also have video surveillance, enabling the investigation and verification of possible breaches of physical security.

 

Use of Cookies

Talenom can collect information on visitors to Talenom’s websites and use cookies on the website. Cookies are small text files that are stored on the device used by the website visitor. Talenom uses cookies to improve the user experience of its website, assess the content used by visitors and support marketing activities. The information collected by cookies is anonymous, and cookies cannot be used to obtain data on a particular identifiable person.

 

Here are some examples of data that can be collected by cookies:

  • Visitor’s IP address
  • Time of visit
  • Pages visited and duration of visit
  • Browser type used
  • Operating system and version used
  • Referring page and subsequent page after leaving website

The information collected by cookies can be used, for example, for targeted advertising in the Google Display Network.

 

By using Talenom’s website, the visitor accepts the use of cookies and allows them to be stored on his or her computer. Most browsers accept cookies by default. The visitor can prevent the use of cookies by changing the browser settings so that the browser will not allow the storage of cookies; in that case the visitor accepts that preventing the use of cookies may affect the functionality of certain services.

 

User device information is automatically collected for the development of digital products and customer service, for example using browser cookies or similar technologies.

 

Tools

 

Google Analytics

We use Google Analytics to analyze e.g. user behavior and number of users on our website. We use this information for business development. The storage period of the cookie is 2 years. More information: Data security – Analytics (google.com)

 

Hubspot

We use HubSpot software, which is marketing automation software, to collect data and conduct marketing through the information we collect. HubSpot uses cookies to collect information about how users use our site. With HubSpot, we run email marketing campaigns and other targeted content sharing. The storage period of the cookie is 1 year. More Information: HubSpot – Privacy Policy

 

Hotjar (used only in Tilijaska-service)

Using the Hotjar analytics tool, we visualize the movement of users on a website using thermal maps and recordings. In addition to session information, the Hotjar analytics tool collects user information, if provided by the user. With the help of behavioral data, we are able to develop services in a user-oriented manner. The storage period of the cookie is 1 year.
More information: Hotjar – Privacy Policy

 

Rights of data subjects

In accordance with Articles 15 to 22 of the EU General Data Protection Regulation, data subjects have the following rights:

  1. right of access to personal data
  2. right to rectification
  3. right to erasure
  4. right to restriction of processing
  5. right to data portability

 

These rights apply to personal data stored in Talenom’s information systems. Certain rights of data subjects are restricted by other legislation, based on which Talenom has the right and obligation to legitimately refuse to rectify or erase data, restrict processing or transmit data from one system to another. One example of such legislation is the Accounting Act, which governs the storage of payroll documents, irrespective of the rights of data subjects specified in the General Data Protection Regulation.

 

If a data subject wishes to access or rectify his or her personal data contained in a data register owned by a customer of Talenom, the data subject must submit a request to the controller to access or rectify the data. The controller will then handle the request with the processor, i.e. Talenom. In such cases, the controller must submit a written request by email to: tietosuoja[at]talenom.fi

 

The request to access or rectify the data must specify the personal data that the data subject wants to access and provide the name of the data register concerned.

 

Communicating personal data breaches

The controller will inform the data subject of a personal data breach if the breach is likely to result in a high risk to the rights and freedoms of the data subject. The notification will describe the nature of the personal data breach and the measures taken, as provided by law.

 

In cases where the personal data breach concerns personal data contained in a personal data register owned by a customer of Talenom, the customer is responsible for informing the data subjects. The controller must be informed of the breach without undue delay. The notification must describe the nature of the personal data breach and the measures taken, as provided by law.

 

The data protection authorities must be informed of a personal data breach within 72 hours of its discovery if the breach is likely to result in a high risk to the rights and freedoms of the natural person. The notification is made in accordance with the current guidelines of the Data Protection Ombudsman.

 

Data Protection Officer

Enni Kaivorinne
Tel. 0207 525 535
Email: tietosuoja[at]talenom.fi

 

Changes to the Privacy Policy

Talenom is continuously developing its business and reserves the right to change this Privacy Policy by providing prior notice of such changes through its digital services and other customer communications. Changes may be based on legislative amendments and compliance with the resulting requirements.

 

An up-to-date version of this document can be found on the www.talenom.fi website.

 


 

Description of Register – Marketing Register

 

Name of data register

Marketing Register

 

Applicable legislation

European Union General Data Protection Regulation (EU 679/2016) and national data protection legislation

 

Last updated

August 15th 2022

 

Controller

Talenom Plc.
Business ID: 2551454-2
Yrttipellontie 2
FI-90230 Oulu
Tel. +358 (0)207 525 000 (switchboard)

 

Purpose of processing personal data and legal bases for processing

Personal data is stored and processed in order to direct the marketing and sales of Talenom’s financial management services based on customer data through the controller’s media and services. The basis for processing personal data is the legitimate interest of the controller and, in some cases, the data subject’s consent.

 

Personal data can be processed for the following purposes:

  • Contacting a potential customer
  • Arranging meetings with a potential customer
  • Sending newsletters and sales materials
  • Creating marketing communications, market surveys and opinion polls.

 

Content of data register

The following information can be stored on data subjects:

  • Name
  • Phone number
  • Email address
  • Organisation and position
  • Interaction history

 

Regular sources of data

Data are primarily obtained from the following sources:

  • Almatalent.fi service
  • Asiakastieto.fi service
  • Services providing public contact details
  • Contact forms on the Talenom.fi website
  • Talenom’s customer register

 

Disclosure of data

Talenom can disclose personal data to any unit belonging to the Talenom Group. Talenom does not sell, rent or otherwise disclose personal data to other parties.
Talenom may be obliged to disclose personal data if required to do so under applicable law or regulations, or to meet a request by a judicial or administrative authority.

 

Transfer of data outside the EU or the EEA

As a general rule, personal data will not be transferred outside the European Union (“EU”) or the European Economic Area (“EEA”). Contact information used in marketing communications and statistical information generated by the use of Talenom’s digital systems will be transferred outside the EU and the EEA, such as to servers located in the United States. They are protected by these service providers in accordance with European Union data protection legislation. Data transfers outside the EU or the EEA are carried out in accordance with the requirements of the standard data transfer clauses of the European Union Data Protection Regulation.

 

Practices related to the disclosure of data

A certificate of disclosure will be drawn up for the transfer of data to the authority, which is stored in customer-specific data warehouses as a sign of the transfer of data. The data subject shall always be informed in advance of the disclosure, unless otherwise specified by the authority.

 

Storage and erasure of data

Talenom erases personal data in the marketing register at the request of the data subject.

 


 

Description of Register – Customer Data Register

 

Name of data register

Customer Data Register

 

Applicable legislation

European Union General Data Protection Regulation (EU 679/2016), national data protection legislation and Anti-Money Laundering Act

 

Last updated

August 29th 2022

 

Controller

Talenom Plc.
Business ID: 2551454-2
Yrttipellontie 2
FI-90230 Oulu
Tel. +358 (0)207 525 000 (switchboard)

 

Purpose of processing personal data and legal bases for processing

Personal data are stored and processed for the purpose of providing Talenom’s financial management services in accordance with agreements between Talenom and Talenom’s customers. Personal data are processed in order to meet the obligations provided by law and those related to official processing, as well as to improve the quality of Talenom’s products and services.

 

Content of data register

The following information can be stored on data subjects:

  • Name, personal identity code and the required organisation data such as beneficial owners
  • Customer identification information required by Anti-Money Laundering Act (KYC data)
  • Contact details (address, phone number, email address)
  • Customer relationship management data created in customer service
  • Customer’s services and invoicing data

 

Regular sources of data

Talenom stores customer-related information at the beginning of the customer relationship. Registered customers add their own and their personnel’s personal information to Talenom’s digital services. Personal information can be downloaded based on digital material provided by the customer. The customer may provide survey information related to quality improvement by answering the surveys.

 

Disclosure of data

Talenom can disclose non-sensitive personal data to any unit belonging to the Talenom Group. Talenom may disclose non-sensitive personal information to its partners for service development, quality control and marketing purposes. Talenom does not sell or rent personal data to other parties. Talenom may be obliged to disclose personal data if required to do so under applicable law or regulations, or to meet a request by a judicial or administrative authority.

Talenom can disclose Tilijaska customers’ KYC data to the Electronic Money Institution PPS EU SA as required by the Anti-Money Laundering Act. The disclosure of data is based on an agreement between Talenom and PPS EU SA, whereby PPS EU SA’s privacy policies are applied to the processing of personal data. PPS EU SA’s Privacy Policy can be found via this link.

 

Transfer of data outside the EU or the EEA

As a general rule, personal data will not be transferred outside the European Union (“EU”) or the European Economic Area (“EEA”). The contact information used in customer communications and the statistical information generated by the use of Talenom’s digital systems will be transferred outside the EU or the EEA, such as to servers located in the United States. They are protected by these service providers in accordance with European Union data protection legislation. Data transfers outside the EU or the EEA are carried out in accordance with the requirements of the standard data transfer clauses of the European Union Data Protection Regulation.

 

Practices related to the disclosure of data

A certificate of disclosure will be drawn up for the transfer of data to the authority, which is stored in customer-specific data warehouses as a sign of the transfer of data. The data subject shall always be informed in advance of the disclosure, unless otherwise specified by the authority. The processing of digital materials is monitored by storing log data for the information systems and monitoring the data automatically or manually. If necessary, log data can also be used as evidence.

 

Storage and erasure of data

Talenom will erase the Customer’s personal data from its information systems to the extent required by law when the Customer leaves the Processor. The data will be erased after one + ten (1+10) years following termination of the customer relationship. After erasure from the operational information systems, the data will be automatically deleted from backups within six (6) months.

 


 

Description of Register – Personal Data Register for Specialist Services

 

Name of data register

Personal Data Register for Specialist Services

 

Applicable legislation

European Union General Data Protection Regulation (EU 679/2016) and national data protection legislation

 

Last updated

August 15th 2022

 

Controller

Talenom Plc.
Business ID: 2551454-2
Yrttipellontie 2
FI-90230 Oulu
Tel. +358 (0)207 525 000 (switchboard)

Purpose of processing personal data and legal bases for processing

Personal data are stored and processed for the purpose of providing customers with Talenom’s specialist services in accordance with agreements between Talenom and Talenom’s customers.

 

Content of data register

The following information can be stored on data subjects:

  • name
  • contact information
  • personal identity number
  • health information
  • Organisation information

Regular sources of data

Personal data are mainly collected from the following sources:

  • Data provided by the data subject
  • Services providing public contact details
  • Basic data and contact details provided by Talenom

Disclosure of data

Talenom can disclose non-sensitive personal data to any unit belonging to the Talenom Group. Talenom may disclose non-sensitive personal information to its partners for service development, quality control and marketing purposes.

 

Talenom does not sell, rent or otherwise disclose personal data to other parties. Talenom may be obliged to disclose personal data if required to do so under applicable law or regulations, or to meet a request by a judicial or administrative authority.

 

Transfer of data outside the EU or the EEA

As a general rule, personal data will not be transferred outside the European Union (“EU”) or the European Economic Area (“EEA”). The contact information used in customer communications and the statistical information generated by the use of Talenom’s digital systems will be transferred outside the EU or the EEA, such as to servers located in the United States. They are protected by these service providers in accordance with European Union data protection legislation. Data transfers outside the EU or the EEA are carried out in accordance with the requirements of the standard data transfer clauses of the European Union Data Protection Regulation.

 

Practices related to the disclosure of data

A certificate of disclosure will be drawn up for the transfer of data to the authority, which is stored in customer-specific data warehouses as a sign of the transfer of data. The data subject shall always be informed in advance of the disclosure, unless otherwise specified by the authority.

 

Storage and erasure of data

Talenom erases the data subject’s personal data from its information systems in accordance with the time limits required by law. After erasure from the operational information systems, the data will be automatically deleted from backups within six (6) months.

 


 

Description of Register – Phone Call Recordings in Customer Service

 

Name of data register

Phone Call Recordings in Customer Service

 

Applicable legislation

European Union General Data Protection Regulation (EU 679/2016) and national data protection legislation

 

Last updated

August 15th 2022

 

Controller

Talenom Plc.
Business ID: 2551454-2
Yrttipellontie 2
FI-90230 Oulu
Tel. +358 (0)207 525 000 (switchboard)

 

Purpose of processing personal data and legal bases for processing

Personal data are stored and processed for the purpose of providing customer service. Recording is conducted based on an agreement between Talenom and the customer, or based on the legitimate interest of the controller, in accordance with the General Data Protection Regulation.
Recorded phone calls will be used to prove what has happened and to improve the quality of customer service.

 

Content of data register

The following information can be stored on data subjects:

  • Name and contact details
  • Organisation data
  • Phone calls recorded when contact is established between the customer and the customer service center.

 

Regular sources of data

Personal data are collected when the customer calls Talenom’s customer service center or when Talenom’s specialists call the customer using Talenom’s call management system.

 

Disclosure of data

Talenom can disclose non-sensitive personal data to any unit belonging to the Talenom Group. Talenom may disclose non-sensitive personal information to its partners for service development or quality control.

 

Talenom does not sell, rent or otherwise disclose personal data to other parties. Talenom may be obliged to disclose personal data if required to do so under applicable law or regulations, or to meet a request by a judicial or administrative authority.

 

Transfer of data outside the EU or the EEA

As a general rule, personal data will not be transferred outside the European Union (“EU”) or the European Economic Area (“EEA”). The contact information used in customer communications and the statistical information generated by the use of Talenom’s digital systems will be transferred outside the EU or the EEA, such as to servers located in the United States. They are protected by these service providers in accordance with European Union data protection legislation. Data transfers outside the EU or the EEA are carried out in accordance with the requirements of the standard data transfer clauses of the European Union Data Protection Regulation.

 

Practices related to the disclosure of data

A certificate of disclosure will be drawn up for the transfer of data to the authority, which is stored in customer-specific data warehouses as a sign of the transfer of data. The data subject shall always be informed in advance of the disclosure, unless otherwise specified by the authority.

 

Storage and erasure of data

Recorded phone calls will be kept for six months, after which they will be erased from the information systems automatically.

 


 

Description of Register – Recruitment Register

 

Name of data register

Recruitment Register

 

Applicable legislation

European Union General Data Protection Regulation (EU 679/2016) and national data protection legislation

 

Last updated

August 15th 2022

 

Controller

Talenom Plc.
Business ID: 2551454-2
Yrttipellontie 2
FI-90230 Oulu
Tel. +358 (0)207 525 000 (switchboard)

 

Purpose of processing personal data and legal bases for processing

The purpose of the personal data register is to store and process job applications received by Talenom Plc. and the related data. Applicants can apply for a specific job or submit an open application. Applicants give their consent to adding their personal data to Talenom’s recruitment database in accordance with the General Data Protection Regulation.

 

Content of data register

The following information can be stored on data subjects:

  • name and contact details
  • information contained in the job application and CV
  • requested duties
  • experience and skills profiles
  • Any additional information provided by the applicant

 

Regular sources of data

Data provided and stored in the system by the data subjects themselves.

 

Disclosure of data

Talenom can disclose non-sensitive personal data to any unit belonging to the Talenom Group. Talenom may disclose non-sensitive personal information to its partners for service development, quality control or marketing purposes. Talenom does not sell, rent or otherwise disclose personal data to other parties. Talenom may be obliged to disclose personal data if required to do so under applicable law or regulations, or to meet a request by a judicial or administrative authority.

 

Transfer of data outside the EU or the EEA

Data stored on the recruitment service will be transferred outside the EU or the EEA, such as to servers located in the United States. They are protected by these service providers in accordance with European Union data protection legislation. Data transfers outside the EU or the EEA are carried out in accordance with the requirements of the standard data transfer clauses of the European Union Data Protection Regulation.

 

Practices related to the disclosure of data

A certificate of disclosure will be drawn up for the transfer of data to the authority, which is stored in customer-specific data warehouses as a sign of the transfer of data. The data subject shall always be informed in advance of the disclosure, unless otherwise specified by the authority.

 

Storage and erasure of data

Application data will be stored for 12 months after the application was submitted.

 


 

Statement of processing operations

Controller (Customer)

Name: Customer

 

Processor (Supplier)

Name: Talenom Plc.
Address: Yrttipellontie 2, FI-90230 Oulu
Tel: +358 (0)207 525 000 (switchboard)

 

Subcontractor’s contact details

The Customer has given the Supplier a general authorisation to use third-party contractors. The Supplier will provide the Customer with a list of third-party contractors upon request.

 

Purpose of processing personal data and legal bases for processing

Personal data are processed and stored for the purpose of providing the Supplier’s financial management services in accordance with the agreement between the Supplier and the Customer. Personal data are processed and stored in order to meet the obligations provided by law and those related to official processing:

 

• To produce and develop the services ordered by the Customer from the Processor
• Customer’s payroll and human resources administration
• Customer’s accounting and receivables follow-up
• Limited company administration
• Association administration and invoicing
• Housing cooperation administration and invoicing
• Customer identification information required by Anti-Money Laundering Act
• Beneficial owners

 

Groups of data subjects and personal data groups

Customer’s employees for payroll and human resources administration (HR)
Customer’s person customers for accounting and following receivables (ACC)
Limited company stakeholders for limited company administration (LC)
Association members for association administration and invoicing (AA)
Housing cooperation members for housing cooperation administration and invoicing (HC)
Benefits payable under the Acts on Motor Insurance, Patient Insurance, Accident Insurance, Pharmaceutical Injuries Insurance, and Environmental Damage Insurance (INS)

 

The following personal data are processed:
• name, username (HR, ACC, LC, AA, HC, INS)
• address, e-invoice address, telephone number, e-mail address, information on the use of the online service (HR, ACC, LC, AA, HC, INS)
• personal identity number, language (HR, LC, HC, INS)
• account information (HR, ACC, LC, AA, HC, INS)
• information on debt recovery enforcement (HR, ACC, LC, AA, HC, INS)
• dividends, shareholder loans (ACC, LC)
• amount of tax, tax card, employment contract (HR, LC)
• absences, holidays, medical certificates (HR, LC)
• gender (HR)
• employment information (HR)
• pay information and criteria, benefits (HR)
• information on trade union membership fee (HR)
• working hours records, unit price (HR)

 

Regular sources of data

The Customer adds the data of their customers and staff members to the Supplier’s digital services. Personal data can be added based on digital and / or physical materials provided by the customer. In addition, personal data will be collected from the tax authorities, the Social Insurance Institution of Finland, accident insurance companies, trade unions, lending services, enforcement authorities and other parties who provide information that must be processed in payroll accounting.

 

Information about the devices of the users of the Supplier’s digital products and online services will be collected automatically, using browser cookies or similar technologies, for the purpose of developing the digital products and improving customer service.

 

Groups of the recipients of personal data – also those in third countries as well as international organisations

The Processor may disclose the Customer’s personal data within the limits of the applicable legislation and in accordance with the terms of the agreement between the Processor and the Customer. Data contained in the register can be disclosed to the tax authorities, pension insurance companies, insurance companies, trade unions, the Social Insurance Institution of Finland, employment pension funds, lending services, electronic money institutions, Confederation of Finnish Industries or Statistics Finland.

 

The Supplier has a statutory duty to disclose personal data to the authorities if they submit a lawful information request in writing.

 

Personal data will not be transferred outside the European Union (“EU”) or the European Economic Area (“EEA”) without the prior written consent of the Customer. Data transfers outside the EU or the EEA requested by the Customer will be made in accordance with the requirements of the standard data transfer clauses of the EU Data Protection Regulation.

 

Practices related to the disclosure of data

Personal data will be disclosed to the Customer’s auditor without prior authorisation for the purpose of implementing the agreement between the Customer and the auditor. With regard to other partners of the Customer, such as lawyers and consultants, written authorisation will always be requested from the Customer before disclosing any information.


When disclosing written materials, a certificate of disclosure will be drawn up, indicating the basic details of the materials, the party to whom data were disclosed, and the time of disclosure. The certificate of disclosure will be stored in the Customer’s folders in case the disclosure needs to be proved later.

When disclosing digital materials, personal credentials will be created for the Customer’s partner, so that the partner can log in to the Processor’s information system and access the disclosed data. The Customer’s request for creating credentials and granting access to the Customer’s data also means that the Customer is consenting to the disclosure of the data to that particular partner.


Data will be disclosed to the tax authorities, lending services, electronic money institutions, pension insurance companies, insurance companies, trade unions, the Social Insurance Institution of Finland or employment pension funds without the customer’s authorisation or consent when the disclosure is specified in legislation.


The processing of digital materials is monitored by storing log data for the information systems and monitoring the data automatically or manually. If necessary, log data can also be used as evidence.


Technical and organisational security measures

Data contained in the data register that is processed digitally is protected by technical means: using firewalls and passwords, offering the Customer’s employees two-factor authentication to the Supplier’s information systems and using other technical means generally accepted in the security industry. Data transfer between the Customer and the Supplier is encrypted using TLS (Transport Layer Security) technology in the software and applications used by Talenom or provided to its Customers. Data are backed up regularly and backups are stored in a separate location from the original data.


The Supplier will protect the customer’s data from unauthorised use and distribution. Only identified employees of the Supplier and the employees of companies operating on behalf of the Supplier have access to the data contained in the register, based on access rights granted to them. The access rights of users are monitored, and the user access management policy prohibits the creation of dangerous combinations of access rights. The creation of such combinations is monitored as part of access rights management. The access rights of the administrators of various systems, in particular, are reviewed regularly and removed when the user no longer needs them. The access rights of departing employees are deleted from all systems at the termination of employment.


Customer data are only processed by the employee assigned to that particular task. Processing personal data on any other grounds is prohibited, even if the employee has technical access to the data due to his or her role or for business reasons. All the Supplier’s employees, and any external persons operating on behalf of the Supplier, are bound to secrecy regarding all the Customer’s financial management and personal data. The obligation of secrecy, including sanctions, is specified in the employment contracts of the Supplier’s employees and the agreements concluded with third parties.


Employees who process the Customer’s data receive regular training, a key part of which is the criteria for making data processing legitimate. The data security and data protection awareness of the Supplier’s employees is maintained regularly by various means: by holding regular information sessions on the subject for all personnel and by organising an annual mandatory training course, at the end of which employees must pass a test in order to complete the training.


The Supplier has a data security policy that every new employee must read through when joining the Supplier. Employees are informed of the existence and location of the data security policy, and reminded of its binding nature, at regular data security training sessions. The data security policy describes the general rules for data security and data protection that are binding on employees, including technical rules, data security processes, as well as practices and guidelines applicable to daily work.


Customer data are processed in information systems located in a data center in Finland or in cloud services within the European Union. In the data centers located in Finland, the most important production systems have been duplicated and placed in two physically separate data centers so as to keep the data safe and secure the continuity of service under normal and emergency conditions. The data centers have certified security practices, access control and supervision in place maintained by the service provider.


Materials that are maintained manually are located on premises that have access control to prevent unauthorised access. The most important premises also have video surveillance, enabling the investigation and verification of possible breaches of physical security.


The Supplier will conduct internal and third-party assessments that cover both the technical security of critical information systems and the processes and guidelines related to administrative data security and data protection.


For its own part, the Customer is responsible for implementing and maintaining adequate technical and organisational security measures.


Planned erasure of data groups

The Processor will erase the Customer’s personal data from its information systems to the extent required by law when the Customer leaves the Processor. The data will be erased after one + ten (1+10) years following termination of the customer relationship. After erasure from the operational information systems, the data will be automatically deleted from backups within six (6) months.


Rights of data subjects

The controller will describe the matters that are communicated to data subjects in a separate document created by the controller. In accordance with Articles 15 to 22 of the EU General Data Protection Regulation, data subjects have the following rights:
• right of access to personal data
• right to rectification
• right to erasure
• right to restriction of processing
• right to data portability


These rights apply to personal data stored in Talenom’s information systems. Certain rights of data subjects are restricted by other legislation, based on which Talenom has the right and obligation to legitimately refuse to rectify or erase data, restrict processing or transmit data from one system to another. One example of such legislation is the Accounting Act, which governs the storage of payroll documents, irrespective of the rights of data subjects specified in the General Data Protection Regulation.


If a data subject wishes to access or rectify his or her personal data contained in a data register owned by a customer of Talenom, the data subject must submit a request to the controller to access or rectify the data. The controller will then handle the request with the processor, i.e. Talenom. In such cases, the controller must submit a written request by email to: tietosuoja[at]talenom.fi


Controller’s instructions for processor

The Customer can draw up more detailed data processing instructions for the processor, which the Supplier will keep in customer-specific folders and which will form part of the customer-specific instructions.


Communicating personal data breaches

To the controller
The controller will be informed of a personal data breach without undue delay. The notification will describe the nature of the personal data breach and the measures taken, as provided by law.


To the data subject
The controller will inform the data subject of a personal data breach if the breach is likely to result in a high risk to the rights and freedoms of the data subject. The notification will describe the nature of the personal data breach and the measures taken, as provided by law.


To the supervisory authority
It is the responsibility of the controller to notify the information security authorities within 72 hours of the disclosure if the data protection breach is likely to result in a high risk to the rights and freedoms of a natural person. Talenom will assist the controller in making the notification, upon a separate request. The notification is made in accordance with the current guidelines of the Data Protection Ombudsman.