DESCRIPTION OF FILING SYSTEM
In this document, we are giving information to you, the data subject, about the processing of your data and the rights of the data subject, in accordance with the EU General Data Protection Regulation.
Mäkituvantie 5, 01510 Vantaa
Business ID: 0930921-5
THE PERSON IN CHARGE OF THE FILING SYSTEM
Harri Wuoristo, Tiivistekeskus Oy, 0207653030, firstname.lastname@example.org
NAME OF THE FILING SYSTEM
Customer register of the webstore of Tiivistekeskus.
PURPOSE OF PROCESSING PERSONAL DATA
Personal data is processed for purposes relating to the administering of customer relationships of the webstore maintained by Tiivistekeskus Oy, maintaining the customer register, communication, marketing and filing and processing of the customers’ orders. As part of marketing, personal data is also processed for purposes of direct marketing and electronic direct marketing. The customer has the right to forbid direct marketing targeted at them.
The controller processes the data by itself and uses subcontractors that process the personal data on the controller’s behalf.
The data shall be processed within the limits permitted and required by the applicable data protection legislation.
DESCRIPTION OF THE CATEGORY OF DATA SUBJECTS
The filing system contains data of companies and persons registered in the webstore of Tiivistekeskus.
DESCRIPTION OF DATA ON THE DATA SUBJECTS
The data to be stored in the filing system contains data given by the users of the webstore of Tiivistekeskus themselves while registering at the webstore, or data provided to the filing system by the salesperson of Tiivistekeskus with the customer’s consent.
The filing system contains the following data: the company’s name, address, business identification number, phone number, a person’s name and e-mail address.
LEGAL BASES FOR THE PROCESSING OF PERSONAL DATA
Pursuant to the EU’s General Data Protection Regulation (hereinafter also the “GDPR”), the legal bases for the processing of personal data are the following:
- (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
- (b) processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
- (c) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
The above mentioned legitimate interest pursued by the controller is based on a relevant and appropriate relationship between the data subject and the controller following from situations such as where the data subject purchases from the controller’s webstore and is a customer of the webstore, and where the data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.
STORING OF PERSONAL DATA
The collected personal data shall be stored only for as long as and to the extent that is necessary with respect to the original and compatible purposes for which the personal data is collected.
The need to store personal data shall be evaluated every five years and in any case, the data regarding the data subject shall be deleted from the filing system ten years after the end of the customer relationship between the data subject and the controller, and after the duties and measures relating to the customer relationship have been completed.
The controller shall regularly evaluate the need to store personal data in accordance with internal practice rules. In addition, the controller shall take every possible reasonable step to ensure that personal data, which is inaccurate, erroneous or outdated for the purposes of processing, shall be deleted or rectified without undue delay.
THE RECIPIENTS OF PERSONAL DATA (CATEGORIES OF RECIPIENTS) AND REGULAR DISCLOSURE OF DATA
The personal data is not disclosed to third parties.
The controller is using data processors Digia Oyj and M-Files Corporation to process personal data for the purpose of ICT services.
TRANSFER OF DATA OUTSIDE EU OR EEA AREA
The data included in the filing system is not transferred outside EU or EEA.
CONFIDENTIALITY AND SECURITY OF THE REGISTER
The filing system is processed as confidential and it is secured from third parties. The IT system is physically located in such place that the personal data is not accessible to unauthorized parties. The system is protected by a firewall. The data is secured by back-ups in cases of failure.
Only employees that need access to the personal data due to their position at work have been granted access to the register. The user rights of the register are granted and monitored by the person responsible for register issues (Harri Wuoristo). Employees of Tiivistekeskus who process register user rights and act as service administrators are bound by professional secrecy. The data is expressed or disclosed to outside parties only due to a notification obligation required by law, such as upon request of the customer itself or upon a request by an authority in accordance with law.
RIGHTS OF THE DATA SUBJECT
The data subject has the following rights pursuant to GDPR:
- the right to obtain confirmation as to whether or not personal data concerning the data subject is being processed by the controller, and where that is the case, access to the personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipient to whom the personal data has been or will be disclosed; (iv) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (v) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (vi) the right to lodge a complaint with a supervisory authority; (vii) where the personal data is not collected from the data subject, any available information as to its source. This form is used to give the data subject the basic information described in (i)–(vii);
- the right to withdraw their consent at any time without it affecting the lawfulness of processing based on consent before its withdrawal;
- the right to obtain from the controller without undue delay the rectification of inaccurate and erroneous personal data concerning them and, taking into account the purposes of the processing, the right to have incomplete personal data completed, including by means of providing a supplementary statement;
- the right to obtain from the controller the erasure of personal data concerning them without undue delay, provided that (i) the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed; (ii) the data subject withdraws the consent on which the processing is based, and where there is no other legal ground for the processing; (iii) the data subject objects to the processing on grounds relating to a particular personal situation and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for direct marketing purposes; (iv) the personal data has been unlawfully processed; or (v) the personal data has to be erased for compliance with a legal obligation in Union or national law to which the controller is subject;
- the right to obtain from the controller restriction of processing, where (i) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; (ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead; (iii) the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defense of legal claims; or (iv) the data subject has objected to processing on grounds relating to a particular personal situation pending the verification whether the legitimate grounds of the controller override those of the data subject;
- the right to receive the personal data that has been provided to the controller, in a structured, commonly used and machine-readable format and the right to transmit that data to another controller without hindrance from the controller to which the personal data has been provided, where the processing is based on consent meant in the regulation and the processing is carried out by automated means;
- the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data infringes the GDPR.
Requests regarding the carrying out of the data subject’s rights and additional information, feedback and questions may be sent via e-mail to the person responsible for the filing system: Harri Wuoristo, Tiivistekeskus Oy, 0207653030, email@example.com.