This is the data register and privacy notice of DB Pro Oy, in accordance with the Personal Data Act (sections 10 and 24) and the EU’s General Data Protection Regulation (GDPR).
Drawn up on 21 May 2018. No changes.
1. Data controller
DB Pro Oy, Hiilikatu 3, FI-00180 Helsinki. Business ID: 2406027-8
2. Contact person for the register
Riina Keurulainen, email@example.com, tel. +358 40 8420048
3. Name of register
Marketing and customer register. In this register, we process the personal data of our customers, our potential customers and their representatives.
4. Legal basis and purpose of processing personal data
The legal basis for the processing of personal data under the EU’s general data protection regulation is one of the following:
- person’s consent (documented, voluntary, personalized, informed and unambiguous)
- a contract to which the data subject is a party
- a legitimate interest of the data controller (e.g. customer relationship, employment relationship, membership).
The purpose of personal data processing is communication with customers, maintaining customer relationships, marketing and improving the user experience of a website.
5. Data content of the registers
The following information can be stored on a data subject:
- the person’s name, e-mail address and title/area of responsibility
- the company name, contact information and industry, as well as basic data on a case-by-case basis on the company’s IT infrastructure
- customer relationship management and contact information (e.g. purchase and cancellation information, feedback, and recordings of customer service events)
- online behavioral information on the data controller’s websites and within its services
- data related to marketing and sales promotion, such as marketing measures targeted at the data subject and participation in them (e.g. participation in webinars and events)
- technical data, and cookies and the related data sent to the data subject’s browser
- data on jobseekers/employees.
6. Regular sources of data
The information stored in the register is obtained from the customer by means such as messages sent via web forms, email, phone, social media services, contracts, customer meetings and other situations in which the customer provides its data.
The data controller also uses Google Analytics to monitor cookies and IP addresses related to website visits. Personal data can also be purchased from external registers for marketing purposes. In such a case, it is ensured that the party forwarding the data is entitled to disclose it. Personal data can also be collected and supplemented from public sources.
Further information on Google Analytics: https://analytics.google.com/analytics/web/
7. Regular deliveries of data and the transfer of data outside the EU or EEA
Data is not provided to third parties for sale or marketing purposes. Data may be disclosed or published to the extent agreed with the customer.
Service providers may be used for the processing of personal data; such service providers may have access to personal data outside the EU/EEA area. In such situations, the data controller will ensure that the procedure is appropriate and lawful in accordance with the legislation on the processing of personal data.
Personal data may only be transferred from the EU/EEA area on one of the following legal grounds:
- the European Commission has decided that an adequate level of data protection has been ensured in the recipient country concerned
- appropriate safeguards have been implemented for the transfer of personal data using the standard data protection clauses provided by the European Commission
- the data subject has given their explicit consent for the transfer of personal data
- there are other legitimate grounds for the transfer of personal data, such as the United States Privacy Shield framework accepted by the European Commission.
8. Principles of data register protection
Careful handling of the register is ensured and data processed by information systems is given the appropriate protection. When data records are kept on Internet servers, the physical and digital security of the server hardware is appropriately ensured. The data controller ensures that stored data, server access rights and other data critical to the security of personal data are processed confidentially and only by employees whose job description includes such processing.
9. The right of access and the right to rectification
Every data subject on the register has the right of access to his/her data stored in the register and to demand that any incorrect information be rectified or incomplete information supplemented. If a person requests access to or the rectification of his/her data, such a request should be sent in writing to the data controller. The data controller may, if necessary, request that the applicant prove his or her identity.
10. Other rights related to the processing of personal data
Depending on the grounds for collecting personal data, a data subject on the register has the right to request the deletion of his/her personal data from the register (“right to be forgotten”). Data subjects also have other rights under the EU’s general data protection regulation, such as restricting the processing of personal data in certain situations. Requests should be sent to the data controller in writing. The data controller may, if necessary, request that the applicant prove his or her identity.