Data protection description of customer and stakeholder data filing system
Valkjärventie 7 B
CEO Henry Liukko-Sipi, +358 40 535 2121, email firstname.lastname@example.org
Director, Tommi Tanttu, +358 44 079 1500, email email@example.com
Purposes of processing personal data
The purposes of processing are:
- managing customer relationships and customer services
- fulfilling the rights and obligations of the customers and the controller
- processing personal data in accordance with applicable data protection legislation for purposes related to the controller’s products and services, including developing, providing, fulfilling, marketing and maintaining products and services and providing technical support
- directing the controller’s advertising and/or direct marketing (including newsletters) on the basis of customer data via the controller’s media and services
2. Lawful basis for processing personal data
The lawful bases for processing personal data are contract, consent and the legitimate interest of the controller.
The legitimate interest of the controller shall be the legal ground for processing personal data when there is a material connection between a customer and the controller. The material connection is formed, for example, when the data subject has on its own initiative contacted the controller, or when the controller processes the data subject’s personal data in connection with a business or co-operation matter between the data subject’s employer and the controller.
On the basis of its legitimate interest, the controller may also save to its customer data filing system personal data of contact persons and representatives of potential clients who can, on reasonable grounds, be expected to be interested in acquiring products and services provided by the controller.
The controller’s electronic direct marketing shall be sent to those data subjects who have given their voluntary consent to electronic direct marketing. When the data subject is requested to give his or her consent, he or she shall be simultaneously informed that withdrawal of consent is possible easily and at any time. Consent may be withdrawn by giving notice to the controller or by clicking the cancelling option, which shall be found in every marketing message (“Unsubscribe” link), whereupon the personal data of the data subject shall be removed from the controller’s list of subscribers to electronic direct marketing.
3. Categories of personal data to be processed
The data filing system includes personal data of the following categories:
- Representatives and contact persons of the controller’s customers (customer, contract or co-operation relationship)
- Representatives and contact persons of the controller’s subcontractors and suppliers
- Potential customers (material connection, legitimate interest)
The following personal data of the data subjects, relevant on the basis of the above-mentioned legal grounds, shall be processed:
- E-mail address
- Phone number
- Company and title
- Company’s contact details
- Additional information provided by the data subject himself or herself
- Information based on the customer relationship, such as contact history, feedback and tracking information
4. Regular information sources of the data filing system
Personal data has been obtained from the following information sources:
- directly from the data subject himself or herself
- public/commonly available sources (such as the Internet or Register of Companies)
- the data subject’s employer or other representative of the controller’s customer, business or co-operation contact or contract party
- Companies’ information is checked from Suomen Asiakastieto Oy’s data filing systems in business contexts, hence reports may include data concerning companies’ representatives
5. Personal data recipients
In principle, the controller shall not give the personal data of the data subjects to third parties, except when authorities require this in accordance with legislation or mandatory laws stipulate it.
Notwithstanding the above, the controller uses trustworthy service providers in connection with implementing its technical services. These service providers process personal data on behalf of the controller and on the basis of a data protection agreement between the controller and the service providers, which is in accordance with data protection legislation. The service providers shall process the personal data for which the controller is responsible in accordance with the controller’s documented instructions.
We use the following service providers in the context of processing personal data:
Rainmaker Numbers Oy
Datacenter Finland Oy
6. Retaining personal data
The controller shall process and retain data only as long as it is necessary for the purposes of processing, determined in advance. Personal data which has become redundant, and for whose storage and processing the controller no longer has a legal basis, shall be removed on a regular basis in accordance with the controller’s own data protection policy. Personal data has become redundant, for example, when the customer, business, co-operation or contract relationship with the controller has ceased, notwithstanding cases where legislation requires retaining personal data.
7. Rights of the data subject
The data subject shall have the following rights, applicable on a case-by-case basis.
Right to withdraw consent
On the basis of article 7 of the EU’s General Data Protection Regulation (679/2016 “GDPR”), the data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Right of access by the data subject to his or her data
On the basis of article 15 GDPR, the data subject shall have the right to obtain confirmation from the controller as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and certain information concerning data processing stipulated in the article.
Right to rectification
On the basis of article 16 GDPR, the data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure
On the basis of article 17, the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase data without undue delay, provided that one of the grounds stipulated in the article is fulfilled.
Right to restriction of processing
On the basis of article 18 GDPR, the data subject shall have the right to obtain from the controller restriction of processing, provided that one of the grounds stipulated in the article is fulfilled.
Right to data portability
On the basis of article 20 GDPR, the data subject shall have the right to receive the data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format, and shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, in cases where processing is based on consent or the processing is carried out by automated means.
When exercising the right to data portability described above, the data subject shall have the right to have personal data transmitted directly from one controller to another, where technically feasible.
Right to object
On the basis of article 21 GDPR, the data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to processing of personal data concerning him or her that has its legal ground in the legitimate interest of the controller, including profiling. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing is needed for the establishment, exercise or defence of legal rights.
Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of data concerning him or her for such marketing, including profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Right to lodge a complaint with a supervisory authority
If the data subject considers that the processor is infringing applicable legislation concerning personal data processing or data protection, the data subject shall have the right to lodge a complaint with a supervisory authority.
Responsibilities of the controller arising from the rights of the data subject
The controller shall inform the data subject about all measures that have been taken on the basis of a request made pursuant to articles 15-22, without undue delay and in any case within one month of having received such a request. The time limit may be prolonged for at most two months where needed, taking into consideration the quantity and complexity of the requests made. The controller shall inform the data subject about any such prolongation, as well as about the reasons for the delay, within one month of having received the request. If the data subject has presented his or her request electronically, the information must be provided electronically when possible, unless the data subject requests otherwise.
If the controller does not carry out the measures based on the data subject’s request, the controller must immediately, and at the latest within one month of having received the request, notify the data subject about the reasons for this, as well as about the possibility to lodge a complaint with a supervisory authority and use other legal remedies.
You may exercise the rights stated above by contacting the controller by e-mail at the following address: firstname.lastname@example.org. We aspire to reply as soon as possible and, where needed, to provide you with additional instructions or ask additional questions based on your request.
Please note that prior to fulfilling a request we have a right as well as a duty to verify your identity, and we must therefore be able to recognize you in an adequate manner.
If your request is manifestly unwarranted or unjustified, we may charge a reasonable fee for the administrative costs of carrying out your request, or refuse to carry out your request.
8. Delivering personal data to the controller
Delivering the categories of personal data listed in section 4 to the controller is necessary for the controller to be in a customer, business or co-operation relationship with a party on whose behalf the data subject is in contact with the controller (including the data subject’s employer).
The data subject is not per se under an obligation to deliver his or her personal data to the controller; however, not delivering personal data may complicate the previously mentioned relationship between the controller and the party represented by the data subject.
The controller shall not use solely automated decision-making, including automated profiling, as part of processing personal data.
10. Further processing of personal data
The controller shall not process personal data for other purposes besides those described in this data protection description.
Should the controller further process personal data for other purposes, the controller has a duty, in accordance with data protection legislation, to notify the data subject about this intent prior to further processing. In that case the controller shall also give all additional information concerning the matter.
11. General description of appropriate technical and organizational security measures of the controller
Access to the customer data filing system has been granted solely to designated employees who have signed appropriate non-disclosure agreements.
The controller has provided all its employees with binding written instructions and orders concerning the processing of personal data and data protection, which the employees have agreed to follow.
Information security of information systems has been arranged adequately, including encryption and technical restrictions.
The controller shall review its processing operations and equipment on a regular basis and, amongst other things, assess risks related to the processing of personal data, for example when introducing new technology.
12. Updates to this Privacy Statement
The controller may update this Privacy Statement from time to time. Should there be material changes to this Privacy Statement or our processing activities, we will inform you well before the effective date of the changes by sending an email or in another effective manner to give you a reasonable notice period to assess the consequences of such changes.
13. How to contact Nexetic
Should you have any questions concerning this Privacy Statement or wish to know more about Nexetic’s data processing activities, please feel free to contact us at +358 10 281 8130.