Data protection description of customer, stakeholder and newsletter data filing system.
FP Finnprofiles Oy
Financial manager Mirja Peltomaa
Purposes of processing personal data
The purposes of processing are:
– managing customer relationships and customer services
– fulfilling the rights and duties of the customers and the controller
– processing personal data in accordance with applicable data protection legislation for purposes related to the controller’s products and services including developing, providing, fulfilling, marketing, maintaining products and services and providing technical support
– directing the controller’s advertising and/or direct marketing (including newsletter) on basis of customer data via the controller’s mediums and services
Lawful basis for processing personal data
The legal bases for processing personal data are agreement, consent and the legitimate interest of the controller.
The legitimate interest of the controller shall be the legal ground for processing personal data when there is a material connection between a customer and the controller. The material connection is formed, for example, when the data subject has on its own initiative contacted the controller, or when the controller processes the data subject’s personal data in connection with a business or co-operation matter between the data subject’s employer and the controller.
On basis of its legitimate interest, the controller may also save to its customer data filing system personal data of contact persons and representatives of potential clients which can be, on reasonable grounds, expected to be interested in acquiring products and services provided by the controller.
The controller’s electronic direct marketing shall be sent to those data subjects who have given their voluntary consent to electronic direct marketing. When the data subject is requested to give his or her consent, he or she shall be simultaneously informed that withdrawal of consent is possible easily and at any time. Withdrawal of consent may be done by giving a notice to the controller or by clicking the cancelling option, which shall be found in every marketing message (“Unsubscribe” -link), whereupon personal data of the data subject shall be removed from the controller’s list concerning subscribers of electronic direct marketing.
You can order FP Finnprofiles Oy’s newsletter via our web page. For more information regarding the processing of personal data in connection with the newsletter, please see data protection description of newsletter.
Categories of personal data to be processed
The data filing system includes personal data of the following categories:
– Representatives and contact persons of the controller’s customers (customer, contract or co-operation relationship)
– Representatives and contact persons of the controller’s subcontractors and suppliers
– Potential customers (material connection, legitimate interest)
The following personal data of the data subjects, relevant on basis of the above mentioned legal grounds, shall be processed:
– E-mail address
– Phone number
– Company and title
– Company’s contact details
– Additional information provided by the data subject himself or herself
– Information based on the customer relationship, such as contact history, feedback and tracking information
Regular information sources of the data filing system
Personal data has been obtained from the following information sources:
– directly from the data subject himself or herself
– public/commonly available sources (such as the Internet or Data filing system of Companies)
– the data subject’s employer or other representative of the controller’s customer, business or co-operation contact or contract party
– Companies’ information is checked from Suomen Asiakastieto Oy’s data filing systems in business contexts, hence reports may include data concerning companies’ representatives
Personal data recipients
In principle, the controller shall not give the personal data of the data subjects to third parties, except when authorities in accordance with legislation require to do so or mandatory laws stipulate this.
Despite the above stated, the controller uses trustworthy service providers in connection with implementing its technical services, which process personal data on behalf of the controller and on basis of a data protection agreement between the controller and the service providers, which agreement is in accordance with data protection legislation. The service providers shall process the personal data, for which the controller is responsible, in accordance with the controller’s documented instructions. With regard to the data subject, we are responsible for data processing performed by the service providers on our behalf the same as for our own activities.
We use the following subcontractors in the context of processing personal data:
Creative Guideline Oy, only concerning newsletter
Emotion Design, only concerning newsletter
Retaining personal data
The controller shall process and retain data only as long as it is necessary for the purposes of processing, determined in advance. Personal data which has become redundant and for which storage and processing the controller no longer has legal basis, shall be removed on regular basis in accordance with the controller’s own data protection policy. Personal data has become redundant, for example, when the customer, business, co-operation or contract relationship to the controller has ceased, notwithstanding cases where legislation requires retaining personal data.
Rights of the data subject
The data subject shall have the following rights, applicable on case by case basis.
Right to withdraw consent: On basis of EU’s general data protection regulation (679/2016 ”GDPR”) article 7, the data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Right of access by the data subject to his or her data: On basis of article 15 GDPR, the data subject shall have the right to obtain confirmation from the controller as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and certain information concerning data processing stipulated in the article.
Right to rectification: On basis of article 16 GDPR, the data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of processing, the data subject shall have the right to have incomplete personal data completed, including means of providing a supplementary statement.
Right to erasure: On basis of article 17, the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase data without undue delay, provided that one of the grounds stipulated in the article is fulfilled.
Right to restriction of processing: On basis of article 18 GDPR, the data subject shall have the right to obtain from the controller restriction of processing, provided that one of the grounds stipulated in the article is fulfilled.
Right to data portability: On basis of article 20 GDPR, the data subject shall have the right to receive data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, in cases where processing is based on consent or the processing is carried out by automated means.
Exercising the right described above to data portability, the data subject shall have the right to have personal data transmitted directly from one controller to another, where technically feasible.
Right to object: On basis of article 21 GDPR, the data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her and having its legal ground on the legitimate interest of the controller, including profiling. The controller shall no longer process personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal rights.
Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing of data concerning him or her for such marketing, including profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Right to lodge a complaint with a supervisory authority: If the data subject considers that the processor is infringing applicable legislation concerning personal data processing or data protection, the data subject shall have the right to lodge a complaint with a supervisory authority.
Responsibilities of the controller arising from the rights of the data subject: The controller shall inform the data subject about all measures that have been taken on basis of a request made pursuant to articles 15-22, without undue delay and in any case within one month of having received such a request. The time limit may be prolonged for at most two months where needed, taking into consideration quantity and complexity of the requests made. The controller shall inform the data subject about such possible prolongation within one month of having received the request, as well as about the reasons for delay. If the data subject has presented his or her request electronically, the information must be provided electronically when possible, unless the data subject requests otherwise.
If the controller does not carry out the measures based on the data subject’s request, the controller must immediately and at the latest within one month of having received the request, notify the data subject about the reasons for this, as well as about the possibility to lodge a complaint with a supervisory authority and use other legal remedies.
Exercising rights: You may exercise your above stated rights by contacting the controller via sending an e-mail to the following e-mail address: email@example.com. We aspire to provide a reply as soon as possible and where needed, provide you additional instructions or ask additional questions based on your request.
Please notice that prior to fulfilling a request we have a right as well as a duty to verify your identity, due to which we must be able to recognize you in an adequate manner.
If your request is eminently unwarranted or unjustified, we may collect a reasonable fee for administrative costs to carry out your request or refuse to carry out your request.
Delivering personal data to the controller
Delivering categories of personal data listed in section 4 to the controller is necessary for the controller to be in a customer, business or co-operation relationship with a party on whose behalf the data subject is in contact with the controller (including the data subject’s employer).
The data subject is not per se under obligation to deliver his or her personal data to the controller, however not delivering personal data may complicate the previously mentioned relationship between the controller and the previously described party represented by the data subject.
Processing personal data and profiling
The controller shall not use automated decision-making, including automated profiling, as part of processing personal data.
Further processing of personal data
The controller shall not process personal data for other purposes besides those described in this data protection description.
Should the controller further process personal data for other purposes, the controller has a duty, in accordance with data protection legislation, to notify the data subject about this intent prior to further processing. In that case the controller shall also give all additional information concerning the matter.
General description of appropriate technical and organizational security measures of the controller
Access to the customer data filing system has been granted solely to such designated employees working at the controller’s client management services and sales, who have undersigned appropriate non-disclosure agreements.
The controller has provided all its employees with binding written instructions and orders concerning the processing of personal data and data protection, which the employees have agreed to follow.
Information security of information systems has been arranged adequately, including encryptions and technical restrictions.
The controller shall revise its processing operations and machinery on regular basis and, amongst other things, estimate risks related to processing of personal data for example when introducing new technology.
What personal data do we collect for our newsletter, and what data do we save about the data subjects?
For its newsletter, FP FinnProfiles (hereinafter ‘FinnProfiles’) will only collect the person’s (hereinafter ‘subscriber’) e-mail address, to which the newsletter will be sent.
In order to avoid incorrect newsletter subscriptions, we utilise a double confirmation of subscription.
– The subscriber cannot order the newsletter before they have ticked the box ‘I want to subscribe to the newsletter’ by clicking with the mouse.
– The newsletter subscription will not be activated before the subscriber has confirmed the order at the e-mail address to which the subscription relates.
In addition to the e-mail address, our WordPress Newsletter plugin will save the following data about the subscriber:
– The e-mail list(s) the subscriber joins. There are two options: the Finnish and English list. The subscriber can join both lists, if they wish.
– Information about whether the newsletter has been successfully sent to the subscriber.
– Information about whether the subscriber has opened the newsletter.
– Information about whether the subscriber has clicked the link in the newsletter.
– If the subscriber clicks the link in the newsletter, the URL address of the clicked link will also be saved.
– In addition, the IP address at which the newsletter is read will also be saved.
How can I cancel the newsletter subscription, and for how long will the data related to the subscriber be saved?
The subscriber can leave the mailing list in one of two ways:
– In the e-mail concerning the activation of the subscription, there is a link via which the subscription can be cancelled. The same activation e-mail also contains a link to the subscriber’s own subscription information, where the subscriber can afterwards manage the e-mail lists they have joined.
– The newsletter subscription can also be cancelled by clicking the ‘unsubscribe’ link sent in every e-mail.
We erase the data of the subscribers who have unsubscribed from the newsletter once a year. Data erasure will take place during the month of January. If the subscriber wants the data to be erased without delay (in the course of 30 days, at the earliest), they must send a data erasure request via e-mail to firstname.lastname@example.org.
What is the intended purpose of the collected personal data?
The e-mail address will only be used for sending the newsletter. The data collected by the WordPress Newsletter plugin will only be used for measuring the effectiveness of FinnProfiles’ communications.
The data or e-mail addresses we collect will not be disclosed to third parties, excluding the WordPress Newsletter plugin we are using.