Privacy and Registry statement
Personal Data Act (523/99) 10 §, GDPR
Creation date: 28.10.2021.
2. Data protection officer
044 077 8388
3. Register name
Website user register
4. Purpose of the processing of personal data
Personal data stored in the register is processed in accordance with the requirements of section 8 of the Personal Data Act for the management of the registrar’s customer relations. The processing of personal data is based on the customer relationship related to the data controller’s business, the customer’s consent, the order given by the customer or any other material connection to which the customer has given permission.
The registrar generally uses personal data for customer relationship management and development, complaint handling, customer communication, marketing planning and targeting, customer service development, payment control, and service and business development. The registrar uses personal data for distance selling and direct marketing purposes as permitted by the Personal Data Act.
In addition, the controller’s partners may, subject to certain restrictions, have the right to use the data for the above-mentioned purposes related to their own business, such as the development and implementation of various common services, concepts and business models and marketing (under the DPA). The information in the register can be momentarily transferred, for example, for sending marketing communications to a system whose data security has been ensured by the registrar and a potential partner.
5. Information content of the register
The register contains the following information about registered customers.
Information related to the person, customer relationship management and business connection, including:
- Company name, business ID and contact person
- Name of private customer
- Address information (local address, postal code, post office)
- Email address, phone number, website address
- Purchase information such as product, price, quotation, delivery and billing information
- Marketing authorizations (calling, print direct marketing, SMS, email and targeted digital advertising)
- Customer relationship communication history (e.g. e-mails and call information), complaints
- Participation in sweepstakes organized by the controller
6. Regular sources of information
Personal data is collected from the data subject himself in the registrar’s own activities in connection with customer transactions, for example in stores and business premises, by telephone, online service, customer events and customer meetings. Personal data may also be collected, stored and updated from companies and authorities providing update services, if permitted by the Personal Data Act and a matter-of-fact connection.
7. Regular disclosures and data retention
The data may be made available to the controller’s partners and authorities within the limits set by the applicable legislation. The information may be disclosed to the authorities if required by law or regulation, for example to investigate abuses. In addition, within the framework of the Personal Data Act, the data controller may transfer the information contained in the register containing the marketing authorization to its direct marketing registers after the end of the customer relationship and the material connection. Personal data stored in the ERP system is retained in accordance with the requirements of the Accounting Act (10 years), data stored in the CRM system is retained in accordance with the requirements of the Accounting Act, if applicable, and deleted if the request does not conflict with the requirements of the Accounting Act. In the complaint system, personal data is stored until the end of the investigation or for 1 year, after which the identifying personal data is deleted.
8. Data transfer outside the EU or the European Economic Area
The data will not be disclosed outside the EU or the European Economic Area without the customer’s consent. The servers required for the use of the programs are located in the EU or EEA territory or in the EU and non-EEA countries referred to in Section 22 of the Personal Data Act, where the EU Commission has determined the adequacy of the level of data protection.
9. Registry Security Principles
The personal data contained in the register will be kept confidential. The use of the register is instructed in the controller’s organization and access to the personal register is limited so that only those employees who have the right to do so on behalf of their duties and need the information in their duties have access to and use the information stored in the system. Personnel handling personal data are bound by professional secrecy.
Access to the system requires each user of the registry to enter a username and password. In addition, the data network of the controller and the hardware on which the registry is located are protected by a firewall and other technical measures. The destruction of materials containing personal data is done in a secure manner.
10. Right of inspection of the data subject
Upon request, the customer has the right to know what information about him or her has been stored and where the information is regularly obtained for the register, where the information is used and regularly disclosed. The information is provided to the customer in a comprehensible form and, if necessary, in writing. Data verification is free once a year. Requests are addressed in person by a signed letter to Keyflow Oy.
11. Other rights related to the processing of personal data
The data subject also has the right to prohibit the data controller from processing data concerning him or her for the purposes mentioned in this register description, unless otherwise agreed between the data controller and the data subject. Requests for correction of information concerning marketing bans (calling, printed direct marketing, text messaging and e-mail, targeted digital advertising) are addressed by a personally signed letter to Keyflow Oy.