PRIVACY POLICY

1. A Description of the Privacy Policy

This Privacy Policy pursuant to the Articles 13 and 14 of the General Data Protection Regulation (679/2016/EU) describes how the Controller will process client’s personal data. The group of data subjects consist of the service user’s (Controller) clients. The basis of providing required personal data is based on the assignment agreement with the Controller. In case the personal data, to provide services, are not given to the Controller, the Controller is unable to provide his/her services to the client. By using the Controller’s services, the client accepts the terms of the Privacy Policy and the purpose of
processing personal data.

2. The purpose of processing personal data and legal basis

The purpose of processing personal data is to upkeep a client register and to fulfill statutory obligations (i.e., bookkeeping or taxation) arising from the assignment agreement. The processing of personal data is based on the assignment agreement and for the consent given by the client. The Controller has legitimate interest to process personal data. The legitimate interest is based on the law or orders that regulate the Controller and are related
to the service agreed upon in the assignment agreement. Additionally, the legitimate interest is based on the enforcement of the obligations arising from the contract and the law.

3. Personal Data to be processed

The register includes the client’s: 

i. Name 

ii. Customer number

iii. Address
iv. Phone number 

v. Email address 

vi. Other important contact details 

vii. Purchase or usage details of the service 

viii. Details related to the processing of data, such as saving date and source.

4. The recipients of personal data

The personal data is received by the Controller and its personnel, who are operating on the Controller’s account. The Controller and its personnel can process personal data on the Controller’s account when invoicing the service as agreed upon in the assignment agreement. The Controller have made an agreement relating to the processing of personal data as required in the Regulation. The agreement includes the standards, terms and protection terms of personal data.

5. Storage period of personal data

The personal data of a data subject will be stored only as long as it is necessary to carry out the purposes specified in this Privacy Policy.

6. Sources from which personal data is regularly collected

Personal data is collected from and updated by the data subject. Upon consent of the data subject, personal data may be collected and updated from other
sources, e.g., from authorities or public search engines. Personal data may be collected and updated without consent from the data subject provided this is carried out under circumstances where the legislation permits such collection.

7. Disclosure and transfers of personal data to outside EU or ETA

The personal data may be disclosed based on valid legislation to authorities having statutory rights to obtain data and to third parties based on their claims.
In principle, personal data will not be transferred outside the European Union or outside the European Economic Area. If the personal data is transferred outside the EU or the ETA area, the Controller must take care of the transfer the data, and the protection level of the personal data by applying suitable and proper data protection methods as mentioned in the regulations.

8. Description of the protection of personal data

The Controller and the Processor processing personal data on the Controller’s account will implement appropriate technical and organizational data protection measures to ensure the protection of personal data. Personal data is recorded and saved in both electronic data bases and manually maintained materials.

The electronic data bases are protected by firewalls, passwords and other methods generally in the data protection branch accepted by technical measures. The manually maintained and processed materials are stored in premises where access by unauthorized persons is prohibited.

9. Rights of the data subject

The registered data subject can exercise the following rights provided by the data protection legislation:

o The data subject has the right to obtain access to the personal data concerning him or her and right to obtain correction of this data. The request of rectification must be specified in such manner that the inaccurate personal data can be easily noticed and rectified.

o The data subject has right to obtain erasure of personal data in accordance with and within the framework of applicable General Data Protection Regulation.

o The data subject has the right to obtain restriction of processing of his or her personal data in accordance with and within the framework of applicable data protection legislation.

o The data subject has the right to data portability i.e. to transmit his or her personal data from one register to another and obtain the personal data in a structured, commonly used and machine-readable format, and transmit them to another data controller in accordance with and within the framework of applicable data protection legislation.

o The data subject has the right to file a complaint to the national data protection authority (in Finland Data Protection Ombudsman) or to another data protection authority in the European Union or in the European Economic Area, if the data subject considers that his or her statutory rights regarding processing of personal data have been breached. The data subject can direct the requests to exercise the above referred rights to the contact
person responsible for data-protection matters. The Personal Data is not used for automatic decision-making, i.e., profiling.