LAWLY SERVICE DESCRIPTION
Welcome and thank you for your interest in LAWLY. The service is provided by Ramboll Finland Oy (hereafter "Service Provider").
In LAWLY (hereafter "Service"), the Client is provided with a web-based tool for the management of regulatory and other stakeholder requirements related to health, safety and the environment that are relevant to the Client's operations.
The Service provides Clients with a tool to identify and comply with their regulatory and other stakeholder requirements. The content within the tool is tailored to the Client based on information provided by the Client. In addition, the Service includes other tools, for example, for the management of audits, risks and chemicals. The Service does not constitute or provide legal advice, recommendations or instructions on how a specific piece of legislation or other legal instrument impacts the operations of the Client or how the Client should act to ensure compliance. The Service Provider endeavours to ensure that the content provided by the Service includes all the most significant requirements applicable to the operations of the organisation. However, as the accuracy of the Service relies also on information provided by the Client, the possibility of gaps in the information provided cannot be entirely ruled out. The Service does not under any circumstances replace the advice provided by legal counsel. The Service Provider always recommends turning to specific experts when the Client wishes to assess the impact of obligations arising from regulations.
The various content packages that can be subscribed to are described in more detail at: https://www.lawly.fi
Access to the Service
In principle, the Service is accessible online at all times. However, despite the best efforts of the Service Provider, there may be short periods of temporary disruption to the Service due to system maintenance, general system or communication network failures or other force majeure circumstances. Users cannot be guaranteed totally unobstructed access to the system at all times.
Users and Client Accounts
Users create their initial Client Account (also known as the Home Account) directly online, after which the system automatically configures the initial settings and sends out an activation email with the information required to activate the account.
Users with "Account administrator" permissions can manage the initial tailoring, other user accounts, subsidiary accounts and the information attached to the Client Account.
Where required, the Administrators of the Service Provider have the capability to manage the accounts of all users and clients, account settings, access rights to accounts and data attached to client accounts.
Helpdesk and Expert Services
The Service includes a Helpdesk which answers queries by email during office hours, 9 am to 4 pm (EET). The Helpdesk aims to support queries relating to the technical operation of the Service as well as to its content. Queries that relate to the provision of expert advice or that require further research are forwarded to the relevant consultants of the Service Provider, who will agree with the Client on any further work that may be needed.
The Helpdesk Service includes, for example:
- advice and guidance on how to interpret regulatory requirements as they pertain to client operations;
- providing tips on how to implement regulatory requirements in practice in order to ensure compliance;
- sharing best practice examples gained from experiences and authority guidance documents.
New clients have the opportunity to familiarise with the system for a period of time free of charge (free trial subscription). To continue using the Service after the free trial subscription, the client must enter into a Service Agreement with the Service Provider.
Educational Institutions: students and teachers
Students and teachers enrolled in an educational institution can obtain personal accounts (Academic Accounts) for the Service free of charge for a defined period of time. The availability of Academic Accounts may vary depending on the country or region of the user.
Academic Accounts are for a single user and must not be used for commercial purposes. The account must be opened using the personal email address issued by the educational institution and is valid for one year at a time. Academic Accounts have access to content packages defined by the Service Provider. The Service Provider may unilaterally alter the content package provided.
Unless the user requests an extension of the right of access, the account is automatically closed and removed 12 months after it was created, in accordance with data protection requirements.
Third party content
The Service includes links and references to third party websites. All the content, services and any applications provided by such third parties are subject to the terms and conditions defined by such parties.
Processing of client information and protection of personal data
Client information refers to all data that the Client adds or uploads into the tool while using the Service. Personal data refers to all data that relates to an identified or identifiable natural person. An identifiable person is a person who can be identified, directly or indirectly, on the basis of information such as a name, social security number, location, IP address, or one or more physiological, genetic, psychological, financial, cultural or social characteristics.
Client information can include personal data such as that belonging to service users or other personal data that the user may insert into the tool.
Personal data in the tool
The Client controls the personal data that is added or uploaded into the tool, how it is used in the tool and for what purposes. Where possible, the Client is advised to avoid adding or uploading data of a sensitive nature, or data that could jeopardise the right to privacy of a natural person, into the tool. The Client is also advised to minimise the processing of personal data in the tool as far as possible and to process it in accordance with the regulatory requirements relating to data protection.
The tool permits the processing of at least the following types of personal data:
- Contact details of a person including name, email address, telephone number, employer
- Information added or uploaded to the tool by the service users such as messages, comments, reminders and notes
- Qualifications, permits and licenses as documented in the registers
- Requirements, findings and tasks that have been assigned to given persons using the service and various notes made into the registers
Stored personal data relates to the following groups of registered persons:
- Persons registered to use the service such as the employees of clients and partners as well as their contractors / partners
- Personal data relating to users and other persons in the case that a client adds such data into the tool
- Persons who develop and maintain the tool and service
For data security and data protection purposes we collect and process:
- Electronic identifiers and addresses of users of the service such as usernames, IP-addresses, information about the used browser and cookies
Stored security data relates to the following groups of registered persons:
- Persons accessing the service
Processing of personal data
The Service Provider handles the personal data added or uploaded by the Client into the tool in accordance with the data protection regulations currently in force, and in particular having regard to the requirements laid out in Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation).
With regard to processing of personal data, the Client acts as the Data Controller as defined in legislation and is responsible for the legality of the data collection, the appropriate communications made as regards the data and ensures that the rights to privacy as well as any other duties are complied with.
With regard to processing of personal data, the Service Provider acts as the Data Processor as defined in legislation and processes personal data on behalf of the controller, i.e. the Client, in order to be able to provide to the Client the Service in accordance with the Service Agreement entered into. The right to process the data added into the tool is always based on the right of the Client to process such data.
In the event that the business sector to which the Client belongs is subject to special provisions as regards data protection, the Client must inform the Service Provider and provide guidance on any additional or different requirements that may become applicable.
Access to client information
The Client, any users authorised by the Client, persons developing and maintaining the tool and service and any persons requested to provide expert support or advice have access to client information.
Providing support to the Client
The Service Provider can provide support to the Client when separately requested to do so with respect to the provision of the service in the following matters:
- requests concerning the level of granted authorisations of registered users
- requests concerning the addition or removal of users
- requests concerning the investigation or notifications required in the case of data protection breaches
In order to provide the service, the Service Provider may contract third parties for the provision of content and IT-related services. Only approved partners are used as subcontractors. Approved partners have been assessed to be reliable and have committed to comply with confidentiality provisions as well as to operate in accordance with the requirements relating to data protection. Approved partners are re-assessed on a regular basis.
The services potentially provided by subcontractors can include, for example, advisory consulting or support services, the management of end-user services, telecommunications and data centre services, data back-up services, and server management and service maintenance. Information detailing the use of subcontracted services is available upon request. The use of subcontractors is always subject to the prior approval of the Client. Clients are notified of any changes to the subcontractors used.
Client information is not released to third parties or to the authorities unless the Client advises otherwise or prevailing legislation so requires.
Cookies and network analytics
Physical location of client information
Client and service data, the platform and the back-up services are hosted in data centres located within the EU. Client information is not transferred outside the EU when using any part of the Service (including during maintenance, data recovery or data destruction).
Retention period for client information
Client information is retained for a period of 60 days after the expiry of the Service Agreement or the end of the trial period. After this period, the data is automatically deleted. Back-ups and change logs of the system are permanently deleted 2 months after the data has been automatically deleted. Deleted information cannot be retrieved.
Data security and data protection related logs are kept as long as deemed necessary in case they are needed to identify or resolve potential data breaches.
Requests for support, contracts, orders and other messages sent to the Helpdesk are retained in case they are needed to resolve potential conflicts after a service agreement has expired or a trial period has ended.
Logs maintained by the processor
The Service Provider maintains a record of the processing it has carried out on behalf of the Client, in accordance with Article 30(2) of the EU General Data Protection Regulation, and can make it available to the Client or to the authorities upon request.
Potential breaches of data protection provisions
Any identified breaches of data protection provisions are notified by email to the Account Administrators of the relevant client account or to an email address specified by the Client.
Data protection is defined here as the protection of information, information systems and services in order to prevent damage to the business or to clients. The aim is to protect information and systems from unauthorised access and from any deliberate or unintentional processing, amendment, transfer, release or deletion of information, in order to maintain:
- confidentiality - information is only accessible to authorised persons
- integrity (completeness) - the correctness, reliability and currency of the information is not changed, whether inadvertently or on purpose
- availability (accessibility) - the information is available and usable when it is needed
These principles of data protection are applied to all client information whether they include personal data or not. In addition to the principles described here, the Service Provider also applies general data protection procedures which are available upon request.
Organisation and management of data protection
The Service Provider has a designated person responsible for the implementation of required data protection procedures. The roles and responsibilities of the persons who maintain equipment and systems containing personal data and client information are defined and their task descriptions take account of the rights and duties arising from data protection provisions.
The confidentiality of data and the nature of the tasks undertaken are taken account of in the selection of staff. The importance of maintaining confidentiality is outlined in work contracts or a separate non-disclosure agreement.
Rules relating to data processing and data protection are available to all staff. Staff are trained in appropriate data protection procedures and in methods for processing personal and client data safely. Staff are informed of potential threats to data protection (relating to computers, networks, email, programs and web services).
Servers hosting personal data and client information are located in areas designed for the purpose, taking into account dust, temperature, humidity, fire and water protection as well as protection against theft. The operation of the servers is ensured by reserve power and protected against power surges, outages and other electrical failures.
Areas where data systems containing personal data and client data are located have access restricted to named, authorised personnel.
Security of equipment
Personal data and client information are processed only on equipment that is intended for business use, that meets business requirements (relating to e.g. compatibility, data protection and management) and that has been checked for security. The secure use of server equipment, network equipment and end-user equipment is ensured by careful installation, controlled start-up and continuous maintenance. Equipment is protected against unauthorised access by password protection.
Critical servers and network equipment are duplicated with secondary equipment, which can be used as reserve equipment in case of need. All equipment in use is inventoried and its expected life span is reviewed regularly, taking account of manufacturer guarantees and service agreements. Data protection is taken into account when equipment is serviced, decommissioned and recycled.
Security of software
Only verified software and its official versions are used. This includes operating systems, communication software and applications. The security features of the software relating to identification and data protection, as well as supervision and change-log tracking, are used to the extent necessary.
Protection against viruses and malware is arranged by using centralised, continuously updated protection software. Equipment is continuously maintained and monitored with respect to software updates and their successful installation. By managing licences and agreements appropriately, the Service Provider ensures that the required software remains operational and supported.
Security of data connections
The Service is provided, and client information is stored, in a separate network protected by firewalls. All connections are encrypted using SSL/TLS.
Managing continuity and extraordinary circumstances
A plan has been prepared for restoring information from the back-up systems, and the plan is tested regularly. The operation and availability of the system are monitored using monitoring software. As part of the maintenance and development of the Service, risks are assessed on the basis of collected information and experience, and preventive actions are taken to minimise them.
- All enquiries relating to the Service and Service Agreements should be directed to: firstname.lastname@example.org
- Enquiries relating to Ramboll Finland Oy, including questions relating to the implementation of data protection provisions and requests to see documentation should be directed to: email@example.com
Last updated: 9.12.2019