In brief
RELEX’s workforce optimization solution is a service that helps retail companies plan and manage their workforce needs.
In terms of processing personal data, RELEX’s workforce optimization solution has the following key characteristics:
- The solution processes personal workforce data of RELEX customers in order to allocate shifts to available individuals with the appropriate skillset.
- Part of the data processing is decided on by RELEX’s customers—namely those relating to authorizing users and work shift management.
- Part of the data processing is decided on by RELEX—namely those relating to the technical delivery of the solution.
In full
This privacy notice (“privacy notice“) informs you about how Retail Logistics Excellence – RELEX Oy (“RELEX Oy”) and its affiliated companies globally (jointly “RELEX“) process the information we collect about (1) the individuals interacting with our solutions to plan and manage our customers’ workforce needs, (2) the individuals accessing their shift information, and (3) the individuals doing detailed shift management.
In this privacy notice, “Personal data” or “data” herein refers to data which we can connect to an identifiable individual. “You” refers to the contact person of a RELEX customer and prospective customer whose personal data is processed.
Please note that our customers—your employer—typically also process information related to your employment outside of this specific RELEX solution. This notice only elaborates on the processing of personal data taking place in relation to this specific solution.
Roles and responsibilities
The responsibilities for controllership are split between RELEX and its customers (typically your employer). This means the following:
Our customer (typically, your employer) is the controller responsible for data processing of activities that directly relate to workforce optimization. In this case, RELEX processes the data for the following purposes on our customers’ behalf:
- Workforce planning and optimization. Data processing relating to workforce allocation and shift management takes place in the RELEX solution and includes processing data on employees, such as absences, competences, and availabilities.
- User authentication. To make sure only authorized users are permitted to access the solution.
- Support activities. The relevant data is stored in the solution and support may come across your data when solving technical issues with the solution.
RELEX is the controller responsible for data processing of activities supporting the solution provisioning. In this case, RELEX processes the data for the following purposes in its own name.
- Ongoing delivery project management. Tracking and sharing information of ongoing activities, solution maintenance, meetings, development initiatives, and customer activities.
- Communications. Informing you about issues related to our solutions and about collecting feedback. There is a dedicated privacy notice on feedback.
- Usage monitoring and metrics collection. Monitoring the solution and its use so we can provide you with solutions of good operational quality, security, usability, and learn in which areas we should improve.
- Support ticketing. To provide global support and maintenance services.
Both RELEX and each of our customers operate as independent controllers over their respective areas of data processing. While the customer’s role is referred to in this privacy notice, such references are informational by nature and for the purpose of providing the full picture for the reader. They do not bind the customer company in any way, and the customer is ultimately responsible for the processing of your data which it does in the role of controller.
Categories of personal data
The personal data that is processed as part of this privacy notice includes the following:
| Responsible entity | Data types which the customer company decides on; that is, the customer company is the controller. | Data types which the customer company decides on; that is, the customer company is the controller. | Data types which RELEX decides on; that is, RELEX is the controller. | Data types which RELEX decides on; that is, RELEX is the controller. |
| Whose data is processed | If your work shifts are managed via the solution | If you are managing others’ shifts via the solution | If your work shifts are managed via the solution | If you are managing others’ shifts via the solution |
| Which data types are processed | • Name • User ID and password • Email addresses • Phone number • Home address • Work history • Work shifts and places of work • Availability • Absences • Employment terms, such as agreed hours • Other employment-related information, such as competence, and information in free text fields. | • Phone number • Name • Business email address • Employer’s name • Information on solution trainings | • Visited solution spaces • Utilized features • Timestamps • Device set-up • Other user activity in the solution and logs • Other information submitted to the RELEX support ticketing system | • Name • Business email address • Position • Employer’s name • User identifier • Your device’s IP address • User activity in the solution and logs • Phone numbers and call contents if you call RELEX support • Other information submitted to the RELEX support ticketing system |
Legal basis
If the data processed by RELEX is identifiable to an individual, RELEX collects the data under the following legitimate interests:
- To enable RELEX to monitor its service provisioning, and secure its solutions from a variety of threats, as well as adjusting and correcting faults based on such information and further developing the services based on customer needs.
- To enable RELEX to react to and resolve issues arising from its solutions as part of its global support organization’s activities.
- To enable RELEX to run smooth delivery projects, monitor progress, request customer resource allocations, organize meetings, and inform customer representatives of relevant matters in furtherance of successful continuous delivery of its solutions and supporting services.
The data processing undertaken by RELEX for the solution and project delivery is mandatory for the efficient delivery and maintenance of its solutions. The usage monitoring and related product communications are typical and mandatory activities when providing software-based services and delivering projects. These cannot be done without processing the limited amounts of personal data referred to above.
Some of our solutions utilize solution analytics and employ tracking technologies that follow which areas and features of the solutions are used and how they are used. If such activities are not necessary for providing the solution’s features, we only collect such data with user consent. More information on usage tracking is made available in the respective dedicated privacy notice, which can be accessed from the user interface of the solution.
Data movement
Source of data
RELEX may receive personal data from its customers (typically your employer), directly from you (for example; when contacting RELEX support) or user activities (for example; when you are logging into RELEX’s solutions).
Exchanges of data
We exchange some of your data with our customers who have procured our solutions when conducting the abovementioned activities related to our service provisioning. Where we utilize intermediary partners to deliver our solutions, we may also exchange data with such companies for the same purpose. We provide these companies with access to the personal data that they may need for their agreed activities.
Transfers of data to processors
Your data may be made accessible to RELEX’s service providers or other vendors that RELEX uses to support, operate, deliver, and maintain its solutions. While doing so, such third-party service provider personnel may process, store, or incidentally access limited amounts of your data when undertaking their contracted activities. You can read more about such processors here.
Data processing locations and transfers of personal data outside the European Economic Area (EEA)
The customer employee information is stored in an EU-based public cloud. Other data types are stored primarily in the EU area. RELEX may also use service providers that are located outside the European Union or the EEA in provisioning both our solutions and supporting services.
RELEX’s affiliates globally may take part in provisioning the solution. Some of the RELEX affiliates are located outside the European Union or the EEA. In isolated cases, some of the employees of such affiliates may process the data for the purposes specified in this privacy notice.
We only do global or cross-border data transfers for a reason and after assessing the resulting privacy risk.
You can read more about our processors and locations of personal data processing here.
When transferring your data outside (1) the European Union or the EEA and (2) such countries that the European Commission has decided as having an adequate level of data protection; we ensure that the transfer is legal and safe by concluding an agreement based on the EU Commission’s standard contractual clauses or by taking other measures that may be required under applicable legislation.
You can ask for additional details relating to the transfer and the appropriate safeguards that we have put in place. The fixed content of the EU Commission’s standard contractual clauses is available here, or you can ask for a copy of the related documents from the RELEX contact mentioned below.
Other processing activities
M&A activities: Where RELEX takes steps to sell, buy, merge or otherwise reorganize its businesses in certain countries, it may involve disclosing data to prospective or actual purchasers, sellers, or partners and their advisors. In such circumstances, RELEX takes all reasonable steps to ensure that the appropriate measures to protect personal data are taken by such prospective or actual purchasers, sellers, or partners and their advisors.
There may also be circumstances not covered by this notice where processing or disclosure of your data may be justified or permitted. One such example includes complying with a court order, or a warrant issued by the authorities, where we are compelled to produce the information.
Other circumstances in which there may be a justifiable legitimate interest to disclose your data to a third party are where such disclosure is necessary to address an ongoing problem, or where we need to meet other legitimate information requirements of our third parties. In any such action, we act according to the applicable laws.
Retention
Your data is processed by default for the duration of our contractual relationship with the customer. Some data, though, are processed for a shorter or longer time, depending on the need. Examples of shorter need-based retention periods are, for example, solution logs (typically from a few months to a few years, depending on the type of the log). Examples of longer need-based retention periods are support tickets, which are retained for as long as the respective solution is under active maintenance.
Security
RELEX has implemented appropriate technical and organizational measures to ensure sufficient data security. Security measures are put in place to prevent unauthorized access to your personal data and any unauthorized manipulation of it. This includes restricting access to your data and hosting it with service providers that can demonstrate an adequate level of data security.
We identify risks relating to the processing such as online security, physical security, risk of data loss, and take appropriate steps to address such risks. Also, we limit access to our databases containing personal data to authorized persons having a justified need to access such information.
Exercising your rights
You have the following rights to your personal data that we have gathered:
- You have the right to access and get a copy of the data that we can identify pertaining to you and move the data to a third party in an interoperable format.
- Should you find any errors in your data, you can ask for these errors to be corrected.
- You have a right to object to our collection and the use of your data, where our use of your data infringes on your rights more extensively than what can objectively be deemed as permissible.
- You may request us to cease storing your personal data when we no longer have a defensible need to store it or as otherwise allowed by applicable data protection law.
- If you establish that the data we have on you is incorrect or we have no legal right to use it, you may request us to cease any further processing of your personal data, or only store it, until the issue is resolved.
- Where our collection of data is based on user consent, you may also withdraw your consent via the appropriate settings.
Exercising your rights
To exercise your rights for the data where your employer is a controller, you should contact them. RELEX is not able to directly respond to your requests on processing by RELEX on behalf of the customer.
To exercise your rights for the data where RELEX is a controller, our contact information can be found below. If you feel that RELEX is not fulfilling your statutory rights, you have the right to lodge a complaint with the Finnish Data Protection Ombudsman.
Profiling
RELEX does not engage in the profiling of individuals in the context of providing its solutions.
RELEX contact information
The Finnish parent company of RELEX group ‘Retail Logistics Excellence – RELEX Oy’ act as the data controller for personal data covered by this privacy notice. Our contact information is:
Retail Logistics Excellence – RELEX Oy
Business ID FI 1963444-1
Address: Postintaival 7, FI-00230 Helsinki, Finland
Email: Info@relex.fi
Website: www.relex.fi
The contact person for matters relating to this privacy notice at RELEX is:
RELEX Privacy Director: Hannes Saarinen, privacy@relexsolutions.com
Changes
To keep this notice up to date, we make changes and additions to this from time to time. We publish the changed notice on our website or on any other channel where this privacy notice has previously been made available. If the changes are significant, we may also notify you by other means. Any changes apply from the date that we publish the revised notice.