Data protection description of customer and stakeholder data filing system.
1. Controller
Nexetic Oy
Klovinpellontie 1-3
02180 Espoo
Finland
CEO Henry Liukko-Sipi, +358 40 535 2121, email firstname.lastname@nexetic.com
Director, Tommi Tanttu, +358 44 079 1500, email firstname.lastname@nexetic.com
Purposes of processing personal data
The purposes of processing are managing customer relationships and customer services, fulfilling the rights and obligations of the customers, and the controller processing personal data in accordance with applicable data protection legislation for purposes related to the controller’s products and services, including developing, providing, fulfilling, marketing, and maintaining products and services, providing technical support, and directing the controller’s advertising and/or direct marketing (including newsletter) on the basis of customer data via the controller’s mediums and services.
2. Lawful basis for processing personal data
The lawful bases for processing personal data are contract, consent, and the legitimate interest of the controller.
The controller’s legitimate interest shall be the legal ground for processing personal data when there is a material connection between a customer and the controller. The material connection is formed, for example, when the data subject has, on its initiative, contacted the controller or when the controller processes the data subject’s personal data in connection with a business or cooperation matter between the data subject’s employer and the controller.
On the basis of its legitimate interest, the controller may also save to its customer data filing system the personal data of contact persons and representatives of potential clients, which can be, on reasonable grounds, expected to be interested in acquiring products and services provided by the controller.
The controller’s electronic direct marketing shall be sent to those data subjects who have voluntarily consented to electronic direct marketing. When the data subject is requested to give his or her consent, he or she shall be simultaneously informed that withdrawal of consent is possible quickly and at any time. Withdrawal of consent may be made by giving notice to the controller or by clicking the canceling option, which shall be found in every marketing message (“Unsubscribe” link); after that, personal data of the data subject shall be removed from the controller’s list concerning subscribers of electronic direct marketing.
3. Categories of personal data to be processed
The data filing system includes personal data in the following categories:
- Representatives and contact persons of the controller’s customers (customer, contract, or co-operation relationship)
- Representatives and contact persons of the controller’s subcontractors and suppliers
- Potential customers (material connection, legitimate interest)
The following personal data of the data subjects, relevant to the basis of the above-mentioned legal grounds, shall be processed:
- Name
- E-mail address
- Phone number
- Company and title
- Company’s contact details
- Additional information provided by the data subjects themselves
- Information based on the customer relationship, such as contact history, feedback, and tracking information.
4. Regular information sources of the data filing system
Personal data has been obtained from the following information sources:
- directly from the data subject himself or herself
- public/commonly available sources (such as the Internet or Register of Companies)
- the data subject’s employer or other representatives of the controller’s customer, business or co-operation contact or contract party
Companies’ information is checked from Suomen Asiakastieto Oy’s data filing systems in business contexts; hence reports may include data concerning companies’ representatives.
5. Personal data recipients
In principle, the controller shall not give the personal data of the data subjects to third parties, except when authorities, in accordance with legislation, require it to do so or mandatory laws stipulate this.
Despite the above stated, the controller uses trustworthy service providers in connection with implementing its technical services, which process personal data on behalf of the controller and based on a data protection agreement between the controller and service providers, which agreement is in accordance with data protection legislation. The service providers shall process the personal data for which the controller is responsible in accordance with the controller’s documented instructions.
6. Retaining personal data
The controller shall process and retain data only as long as it is necessary for processing, determined in advance. Personal data which has become redundant and for which storage and processing the controller no longer has a legal basis shall be removed regularly in accordance with the controller’s data protection policy. Personal data has become redundant, for example, when the customer, business, cooperation or contract relationship with the controller has ceased, notwithstanding cases where legislation requires retaining personal data.
7. Rights of the data subject
The data subject shall have the following rights, applicable on a case-by-case basis.
Right to withdraw consent
Based on the EU’s general data protection regulation (679/2016 “GDPR”) Article 7, the data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Right of access by the data subject to their data
Based on Article 15 GDPR, the data subject shall have the right to obtain confirmation from the controller as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and specific information concerning data processing stipulated in the article.
Right to rectification
Based on Article 16 GDPR, the data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning them. Considering the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including means of providing a supplementary statement.
Right to erasure
Based on Article 17, the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase data without undue delay, provided that one of the grounds stipulated in the article is fulfilled.
Right to restriction of processing
Based on Article 18 GDPR, the data subject shall have the right to obtain from the controller restriction of processing, provided that one of the grounds stipulated in the article is fulfilled.
Right to data portability
Based on Article 20 GDPR, the data subject shall have the right to receive data concerning him or her, which he or she has provided to the controller, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, in cases where processing is based on consent or the processing is carried out by automated means.
When exercising the right to data portability described above, the data subject shall have the right to have personal data transmitted directly from one controller to another, where technically feasible.
Right to object
On the basis of Article 21 GDPR, the data subject shall have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them that has its legal ground in the controller’s legitimate interest, including profiling. The controller shall no longer process personal data unless the controller demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal rights.
Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of data concerning them for such marketing, including profiling, to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Right to complain with a supervisory authority
If the data subject considers that the processor infringes on legislation concerning personal data processing or protection, the data subject shall have the right to complain to a supervisory authority.
Responsibilities of the controller arising from the rights of the data subject
The controller shall inform the data subject about all measures taken based on a request made under Articles 15-22 GDPR without undue delay and, in any case, within one month of receiving such a request. The time limit may be prolonged for at most two months where needed, considering the quantity and complexity of the requests made. The controller shall inform the data subject about such possible prolongation, and the reasons for the delay, within one month of receiving the request. If the data subject has presented their request electronically, the information must be provided electronically when possible unless the data subject requests otherwise.
If the controller does not carry out the measures based on the data subject’s request, the controller must immediately, and at the latest within one month of receiving the request, notify the data subject about the reasons for this, as well as about the possibility to lodge a complaint with a supervisory authority and use other legal remedies.
Exercising rights
You may exercise your above-stated rights by contacting the controller via sending an e-mail to the following e-mail address: info@nexetic.com. We aspire to reply as soon as possible and, where needed, provide additional instructions or ask further questions based on your request.
Please note that before fulfilling a request, we have a right and a duty to verify your identity, so we must be able to recognize you adequately.
If your request is eminently unwarranted or unjustified, we may collect a reasonable fee for administrative costs to carry out your request or refuse to carry out your request.
8. Delivering personal data to the controller
Delivering categories of personal data listed in section 4 to the controller is necessary for the controller to be in a customer, business, or cooperation relationship with a party on whose behalf the data subject is in contact with the controller (including the data subject’s employer).
The data subject is not per se under obligation to deliver their data to the controller; however, not providing personal data may complicate the previously mentioned relationship between the controller and the previously described party represented by the data subject.
9. Profiling
The controller shall not use solely automated decision-making, including automated profiling, to process personal data.
10. Further processing of personal data
The controller shall not process personal data for other purposes besides those described in this data protection description.
Should the controller further process personal data for other purposes, the controller has a duty, per data protection legislation, to notify the data subject about this intent before further processing. In that case, the controller shall also give all additional information.
11. General description of appropriate technical and organizational security measures of the controller
Access to the customer data filing system has been granted solely to such designated employees who have undersigned appropriate non-disclosure agreements.
The controller has provided all its employees with binding written instructions and orders concerning processing personal data and data protection, which the employees have agreed to follow.
Information security of information systems has been arranged adequately, including encryption and technical restrictions.
The controller shall revise its processing operations and machinery regularly and, amongst other things, estimate risks related to processing personal data, for example, when introducing new technology.
12. Updates to this Privacy Statement
The data controller may update this Privacy Statement from time to time. Should there be material changes to this Privacy Statement or our processing activities, we will inform you well before the effective date of the changes by sending an email or in another effective manner to give you a reasonable notice period to assess the consequences of such changes.
13. How to contact Nexetic
If you have any questions concerning this Privacy Statement or want to know more about Nexetic’s data processing activities, please get in touch with us at info@nexetic.com.