Privacy Notice for Camera, Access Control and Visitor Management

You can read the Privacy Notice for Camera, Access Control and Visitor Management of Comatec Group, Insinööritoimisto Comatec Oy and Its Subsidiaries from this page. Links to other Privacy Notices below.

Privacy statement
Recruitment Privacy Notice

1. Controller and Contact Details

Insinööritoimisto Comatec Oy (business ID: 0946936-6) and its subsidiaries ”Comatec”, ”controller”, ”we”)

Information about Comatec Group and its group companies: Comatec Group


Address: Kalevantie 7 C, 33100 Tampere, Finland

Comatec Group has joint data protection operations and a Data Protection Officer who acts as the contact person for data protection matters:

E-mail: dpo@comatec.fi

Tel. +358 29 000 2000 (operator)

2. Scope of the Privacy Notice

This privacy notice describes how Insinööritoimisto Comatec Oy and its subsidiaries process personal data related to camera, access control and visitor managment within Comatec Group.

The data controller is the Comatec Group company whose employee is the subject of the processing activities in question.

With regard to the Comatec Group camera surveillance, access control and visitor management system, the controller is Insinööritoimisto Comatec Group Oy.

3. Purpose and Legal Basis for the Processing of Personal Data

Personal data are processed to ensure the legal protection and security of individuals employed by Insinööritoimisto Comatec Oy and its subsidiaries, as well as persons visiting certain offices. This includes:

  • identifying and verifying access events of individuals moving within the premises
  • protecting the property of the employer and employees
  • preventing and investigating criminal offences

The legal bases for the processing of personal data are:

  • the legitimate interest of the data controller
  • a contract
  • the consent given by the data subject

When we process personal data based on legitimate interest, we assess the benefits of the processing and any potential adverse effects on the data subject. We have determined that the rights and interests of the data subjects do not override our legitimate interest. As a general rule, our legitimate interest is based on conducting, promoting, and developing our business and ensuring the security of our company.

We will provide further information on the processing of personal data based on legitimate interest upon request.

4. Register Data Content (Categories of Personal Data Processed)

The content of the register consists of data relating to employees of the Comatec Group and individuals visiting Comatec Group premises, which are stored in three different systems.

We may process necessary identification data of the data subject as well as other data required for the intended purpose, such as:

  • Video surveillance system: video images of individuals within the camera surveillance area, as well as the date and time.
  • Access control system: name, cost center information, personnel number, access badge ID number, as well as approved and denied access events of the person with access rights, including dates and times.
  • Visitor management system: name, company, phone number, email address, and photograph (entered by the visitor themselves), as well as the time of the visit and details of the meeting host.

5. Regular Sources of Personal Data

The data processed in the video surveillance system is obtained from surveillance cameras installed at the Comatec Group’s Tampere office, which are located on different floors and capture the movement of individuals entering and exiting, as well as items carried by them.

Access control data is generated from the data subject’s actions when they use an access badge that grants entry. The access control system’s reader devices and system record the usage data of the badge. The controller has installed access control readers at the Tampere and Joensuu offices.

The Group also has offices where camera or access control systems are not managed by Comatec, where such systems are operated and managed by the property landlord under the lease agreement.

Visitor data is collected in the visitor management system based on the visitor’s consent when registering for visits at the Tampere and Vantaa offices. The system supplier processes the data on behalf of Comatec.

6. Regular Disclosure of Personal Data

Personal data may be disclosed between companies belonging to the same group as the controller within the Comatec Group, in accordance with applicable data protection legislation, for the purpose of ensuring premises security.

Where there are grounds to review video surveillance recordings, an employee representative—such as an occupational safety representative, employee representative, or other person assessing the matter from the perspective of employees must also be present.

In these situations, the legal basis for the disclosure of personal data is legitimate interest (security and the reduction of overlapping processing activities).

Personal data may also be processed by various service providers and other third parties (so-called data processors), such as system suppliers.

If the controller or a company within the same group is involved in a merger, business acquisition, or other corporate arrangement, personal data may be disclosed to the parties involved in the arrangement or to parties assisting in the transaction.

Personal data may also be disclosed to third parties where required by law or by an authority, or for the investigation of misuse and to ensure security.

Further information on recipients of personal data will be provided upon request.

7. Transfer of Data Outside the EU/EEA

Personal data are not routinely transferred or disclosed outside the European Union or the European Economic Area. However, service providers involved in the processing of personal data may be established outside the European Union or the European Economic Area, or they may transfer personal data to so‑called third countries.

When personal data are transferred outside the European Union or the European Economic Area, the controller ensures an adequate level of protection for personal data, inter alia by agreeing on matters related to the processing of personal data in accordance with applicable data protection legislation, such as by using standard contractual clauses approved by the European Commission or on the basis of an adequacy decision issued by the European Commission.

Further information regarding transfers of personal data and the safeguards used can be provided upon request.

8. Retention of Personal Data

Personal data is stored and processed confidentially in appropriately secured systems. Access to the data is restricted to those individuals whose job duties require it. The systems are protected by access rights, passwords, and technical security measures.

Personal data is retained only for as long as necessary to fulfil the purposes described in this privacy notice or to comply with the controller’s statutory obligations.

Video surveillance recordings are retained for 14 days or for a longer period if required for investigative purposes, after which the data is automatically overwritten.

Access control data is retained for 365 days, after which it is automatically anonymised in the system, unless longer retention is exceptionally necessary for the investigation of a suspected offence. Personal data is removed from the access control system when the user is removed from the Comatec Group’s HR system, for example upon termination of employment.

Personal data in the visitor management system is automatically deleted after 365 days.

Unnecessary data is deleted or anonymised without undue delay.

Further information on personal data retention practices will be provided upon request.

9. Automated Decision-Making and Profiling

We do not use automated decision-making or profiling in our recruitment processes.

10. Rights of the Data Subject

Data subjects have the rights provided under data protection legislation in relation to their personal data. However, the application of these rights in each individual case depends on the legal basis, purpose, and context of the processing of personal data.

  • Right of access to personal data. The data subject has the right to obtain confirmation as to whether their personal data are being processed and to receive the other information required under data protection legislation concerning the processing of their personal data. The data subject also has the right to obtain a copy of their personal data.
  • Right to rectification of personal data. Subject to certain limitations, the data subject has the right to request the rectification or deletion of incorrect or inaccurate personal data.
  • Right to erasure of personal data. The data subject has the right, under the conditions set out in data protection legislation, to request the erasure of their personal data. Upon request, we will erase the personal data unless legislation or another applicable exception under data protection legislation requires us to retain the personal data.
  • Right to restriction of processing. Under the conditions laid down in data protection legislation, the data subject has the right in certain situations to request the restriction of the processing of their personal data.
  • Right to data portability. The data subject has the right to request the transfer of their personal data to another controller. The right to data portability generally applies to personal data that the data subject has provided to the controller in a structured, commonly used, and machine‑readable format, where the processing is based on the data subject’s consent or a contract, and/or where the processing is carried out by automated means.
  • Right to object to processing. Under the conditions set out in data protection legislation, the data subject has the right to object to the processing of personal data based on legitimate interests, including profiling. We may refuse the request if the processing is necessary for compelling and legitimate grounds of the controller or a third party. However, the data subject always has the right to object to the processing of personal data for direct marketing purposes and to profiling related to such direct marketing.
  • Right to withdraw consent. If the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw their consent to the processing of their personal data. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.

Exercising Your Rights

We encourage you to contact us if you have any questions regarding the processing of your personal data.

You may submit a request concerning your rights as a data subject by post or by email using the contact details provided in this privacy notice.

The identity of the person making the request may be verified before the request is processed. The request will be responded to within a reasonable time and, as a rule, within one month from the submission of the request and verification of identity. If the request cannot be granted, the refusal will be communicated separately.

11. Right to Lodge a Complaint with a Supervisory Authority

The data subject has the right to lodge a complaint with the competent data protection authority if the data subject considers that their personal data have been processed in violation of data protection legislation.

The contact details of the Finnish data protection authority can be found at: www.tietosuoja.fi

12. Updating the Privacy Notice

We may update the content of this privacy notice and our practices related to the processing of personal data if there are changes in our operations or in applicable legislation.

This privacy notice was last updated on 6 May 2026.