SSH Communications Security Corporation is the controller for any personally identifiable information we obtain and store for the purposes of EU GDPR. Our representative in the European Union is General Counsel, SSH Communications Security Corporation, Kornetintie 3, 00380 Helsinki, Finland. Depending on your jurisdiction, you may have additional rights to obtain or control information we have about you.
- DATA PROCESSING
- PERSONAL DATA PROCESSED BY US
- SOURCES OF PERSONAL DATA
- LAWFUL BASIS FOR PROCESSING
- DISCLOSURE OF DATA
- RECRUITMENT DATA
- PROFILING AND AUTOMATED DECISION-MAKING
- IP ADDRESSES AND LOG DATA
- UNSUBSCRIBING FROM MARKETING EMAILS
- DATA RETENTION
- SECURITY OF PROCESSING
- INTERNATIONAL TRANSFERS OF PERSONAL DATA
- ANONYMOUS DATA COLLECTION
- RIGHTS OF THE DATA SUBJECTS
- RIGHT TO CHANGE THESE TERMS
SSH processes personal data of its customers, potential customers, marketing contacts and other persons who have showed interest towards SSH products and services. Processing activities are conducted for sales and marketing purposes, invoicing, payments and transactions, analytics, customer relationship management, development of business operation and other comparable business purposes. The processing is necessary to conduct legitimate business operations based on legitimate interest.
SSH also processes personal data of its customers to enable commercial transactions in the online store based on legitimate commercial interest.
As an employer, SSH also processes personal details of its employees, consultants, contractors, former employees and job applicants. The processing is necessary for recruitment, human resources, employment and administrative purposes to manage employee and job applicant relationships effectively and appropriately, and to fulfil employer duties accordingly to appropriate legislation at a time. The processing activities can be based on contractual responsibilities arising from applicable employment contracts, such as salary payment and sick pay, legal obligations imposed by employment law and other relevant legislation, including taxation purposes and occupational health care obligations, and legitimate interest, including business compliance, reporting duties and administrative purposes. SSH may also rely on consent for specific processing purposes, such as recruitment and background checks.
PERSONAL DATA PROCESSED BY US
The personal information SSH may process related to its customers, potential customers and marketing contacts may include the following data:
- contact information (name, home/correspondence address, email address, phone number;
- position/title, company name;
- IP address, log data;
- invoicing/payment details and bank account number.
Personal information SSH processes of its employees, consultants, contractors and former employees may depend on position within SSH and the requirements of applicable laws, but may include the following data:
- contact information (name, home/correspondence address, email address, phone number, emergency contact information);
- other personal information (date of birth, social security number, national identification number, nationality, preferred language, passport number);
- job applications, references, resumes;
- employment contracts and amendments;
- visas, immigration data;
- bank account number and payroll information
- holiday, sickness and absence data;
- vehicle license plate number;
- health information related to occupational health care;
- education details, employment details, employment history;
- photos, videos;
- recommendation letters, employment certificates, termination letters.
Personal information SSH processes of job applicants may include the following data:
- contact information (name, home/correspondence address, email address, phone number);
- other personal information (date of birth, nationality, preferred language);
- job application, references, resumes;
- previous working experience.
SOURCES OF PERSONAL DATA
Most of the personal data processed by SSH is collected directly from the data subjects, including information entered into the forms of the Website. SSH also processes personal data in connection with contractual relationships. Personal data may also be collected indirectly, for example from marketing lists and third-party providers.
LAWFUL BASIS FOR PROCESSING
We process personal information based on the most appropriate lawful basis for processing depending on the specific processing purpose. We never process any personal data without a valid lawful basis for processing.
Lawful bases for processing:
- explicit, specific and unambiguous consent
- contractual obligation
- legal obligation
- legitimate interest
- vital interest
- public interest
DISCLOSURE OF DATA
We treat your personal information confidentially and only share it when there is a business reason to do so, including improving our marketing. This includes sharing information within the SSH group and with the channel partners and other organizations related to our business. We do not sell or distribute any personal information for third-party marketing.
PROFILING AND AUTOMATED DECISION-MAKING
SSH does not process personal data for profiling or automated decision-making.
IP ADDRESSES AND LOG DATA
We collect and use visitor IP addresses and log data for cybersecurity and analytics purposes. We remove or anonymize personally identifiable IP address information when it is no longer relevant for possible security investigations.
UNSUBSCRIBING FROM MARKETING EMAILS
All marketing emails include opt out possibility. If at any time you wish to no longer receive marketing emails from SSH Communications Security, you may opt out of future electronic marketing communications by locating the most recent email communication received from SSH and clicking the UNSUBSCRIBE and/or EMAIL PREFERENCE links located in the footer of the email. If you have previously unsubscribed from email communications before and would like to re-subscribe to specific SSH email subscriptions, please email firstname.lastname@example.org.
SSH retains and stores data for business and compliance reasons. With exception of storage, processing activities will cease immediately when there is no longer lawful basis for processing. All data is destructed within applicable time limits in accordance with applicable laws and regulations. SSH respects the principle of data minimization and all data is limited to what is necessary for the purposes of processing. If you wish to know more about our specific data retention periods or the criteria to determine the periods, please contact us at email@example.com.
SECURITY OF PROCESSING
SSH has adopted high standards of technical and organizational measures to ensure security in both electronical and physical data processing. Data retained in electronic form is secured with strong technical safety measures, including appropriate firewalls and encryption. Physically processed data is kept safely in storages with electronic locks. Your personal information will be kept confidential, and only limited people with effective non-disclosure agreements will have access to your personal data.
Absolute security can never be guaranteed, but SSH is committed to ensure the highest security measures available at a time. If a data breach occurs within SSH Group, it will be notified according to the GDPR rules and time limits.
INTERNATIONAL TRANSFERS OF PERSONAL DATA
SSH may sometimes need to transfer personal information outside the EU. International data transfers may typically take place to USA and Hong Kong due to the geographical locations of SSH subsidiaries. When international data transfers are required, they are made in accordance with the appropriate safeguards defined in the GDPR.
ANONYMOUS DATA COLLECTION
In general, you can visit the Website without providing us with any personal information about yourself or your organization. However, we do collect statistical information about how users behave on this Website to improve the Website, understand our visitor demographics, and to provide more relevant content to our visitors. Anonymous data collection is also done by third-party service providers.
RIGHTS OF THE DATA SUBJECTS
SSH respects the principles of fair and transparent data processing and makes sure that all applicable rights are available to data subjects.
Depending on your jurisdiction, you may have the following personal privacy rights available to you:
- right to be informed of collection and use of your personal data
- right to access your personal data and any supplementary information
- right to rectification of your personal data if it is inaccurate or incomplete
- right to data portability when you want to transfer data to different service or IT-environment
- right to erasure when there is no purpose to continue processing or if data has been processed unlawfully
- right to withdraw consent for processing at anytime
- right to restrict processing when data is inaccurate, processing is unlawful, or when processing is based on legitimate interest and there are no overriding legitimate grounds to continue processing or the grounds are pending by the controller
- right to object direct marketing, including profiling, or processing for statistics, or processing based on legitimate or public interest
- right to lodge a complaint with the supervisory authority if you consider that processing of your data infringes the GDPR
OBTAINING OR REMOVING YOUR PERSONAL INFORMATION
If you wish and your jurisdiction gives you the right to obtain a copy of your personal information or to remove it, you can email us at firstname.lastname@example.org.
If you have a right to obtain a copy of your personal data, we will provide you with the following information:
- confirmation that SSH is processing your personal data
- free copy of the personal data
- purposes for processing
- categories of the personal data
- sources of the personal data
- data retention periods, or explanation how the length will be determined
- recipients of the personal data
- transfers to third countries
- existence of additional rights
- information on the right to complain to the supervisory authority in case of a personal privacy violation
We will comply with data access and/or erasure requests within one (1) month from the date of the request. SSH has right to decline any unreasonable, repetitive or excessive requests according to the GDPR.
OBTAINING OR REMOVING YOUR DATA FROM THE SSH ONLINE STORE
If you wish to access or remove your information from the SSH online store, you have the possibility to sign up to your account and delete your personal information.
RIGHT TO CHANGE THESE TERMS
SSH Communication Security reserves the right to change, modify, or update these terms at any time without notice. These terms were last modified on May 25, 2018.