Privacy policy of the password management service
Data controller and their representative and contact information
The data controller is SOK Corporation.
You can find the contact details of the contact person related to the register in sPoint.
Contact information of the data protection officer
The purposes and legal basis of the processing of personal data
The password management service can be used to either change an existing password, or to reset and change a locked or forgotten password. A person employed by an S Group company, or another person with S Group’s AD identification code, can change their current AD password themselves with the change service. The password reset service changes a password that has been locked or forgotten. In order to register into the password reset service, an employee or other data subject must give their current phone number. The service will send a confirmation code or make a call-back to reset the password.
The phone number will also be used for a two-step authentication, which prevents unauthorised usage of the AD ID if the usernames and passwords end up in the hands of third parties.
The processing of personal data is based on a contractual employment between the data subject (employee) and the data controller or another S Group company (employer), or on a commission agreement between the data subject (assignee) and the data controller or another S Group company (customer).
Recipients or recipient groups of personal data
Personal data submitted to the password change service will not be disclosed to third parties.
Transferring data to a third country or international organisations
In general, the data on the portal is kept within the EU/EEA, but in some cases they can be transferred to third countries, such as the USA, for processing log data or troubleshooting. The contractual partners have signed appropriate data processing agreements in order to meet the information security requirements.
Duration of storing personal data
The personal data is stored as long as the data subject has a valid AD ID and password to S Group’s online and application environment. The phone number disclosed during registration is removed from Azure Active Directory 30 days after the termination of the employment.
Personal rights
The data subject has the right to access their own personal data through the password management service as laid down in Article 15 of the General Data Protection Regulation (GDPR).
The data subject has the right to demand that the data controller corrects eventual incorrect or erroneous information as laid down in Article 16 of the Data Protection Regulation. The data subject can use the password management service to change the phone number they have submitted to the service. The data subject may also remove their phone number.
The data subject has the right to have their personal data removed in case the preconditions stated in Article 17 of the Data Protection Regulation are met.
The data subject has the right to restrict the processing of their personal data in case the preconditions stated in Article 18 of the Data Protection Regulation are met.
The data subject has the right according to Article 20 of the Data Protection Regulation to move the personal data from one system to another for the part for which the data was received from the data subject, its processing is automatic and its processing is based on consent or agreement.
The data subject has the right, based on Article 21 of the Data Protection Regulation, to object to the processing of the data that applies to them, in case the data was gathered in order to perform a task that concerns the common good, or based on legitimate interest, in case the other criteria included in the Article are met.
If the processing of the information is based on consent, the data subject has, according to Article 7 of the Data Protection Regulation, the right to withdraw their consent at any time. The data subject may remove their phone number using the password management service. A password cannot be reset or changed without a phone number.
The data subject has the right to file a complaint with the supervisory authority.
Other things to note
Providing personal data is required by the agreement (a contractual employment or commission agreement). The employer or customer may require that the data subject uses the self-service portal to reset a forgotten password.
The process contains no automated decision-making, such as profiling.