Privacy notice for customer and stakeholder register
1. Data Controller
Technion Oy (Business ID 1928803-2)
Address: Linkkikatu 15, 21100 Naantali, Finland
Phone: +358 40 191 1000
2. Name of the register
Customer and stakeholder register
3. Purposes of processing personal data and legal basis
The data controller processes personal data in accordance with applicable data protection legislation, including EU General Data Protection Regulation (2016/679) and the Finnish Data Protection Act (1050/2018).
The purposes of processing are:
- managing customer and co-operation relationships and customer services
- fulfilling the rights and obligations of the customers and other stakeholders and the data controller
- processing of personal data concerning stakeholders (suppliers, subcontractors, other co- operation partners) for co-operation and business purposes
- processing of personal data for purposes related to the data controller’s products and services including developing, providing, performing, and marketing of products and services
Legal basis for processing of personal data is, depending on the purposes of processing, legal obligations of the data controller, contract, consent, or legitimate interests of the data controller.
The legitimate interest of the data controller is the legal basis for processing of personal data when there is a material connection between a data subject and the data controller. Such material connection is formed, for example, when the data subject has on its own initiative contacted the data controller, or when the data controller, for example, processes the data subject’s personal data in connection with a business or co-operation activities between the data subject’s employer and the data controller.
On basis of its legitimate interest, the data controller may also save to its customer register personal data of potential clients and their contact persons and representatives who can be, on reasonable grounds, expected to be interested to acquire products and services provided by the data controller.
The data controller’s electronic direct marketing may be sent to data subjects who have given their voluntary consent to electronic direct marketing. Withdrawal of consent is possible easily and at any time. In addition, in accordance with applicable data protection legislation, electronic direct marketing can also be sent to recipients for whom the data controller can reasonably consider that the products or services marketed have essential connection with the potential customer’s area of responsibility or work duties.
Withdrawal of consent to direct marketing may be done by giving a notice to the data controller or by clicking the cancelling option, which can be found in every marketing message (“Unsubscribe” link), whereupon personal data of the data subject will be removed from the data controller’s list concerning subscribers of electronic direct marketing.
4. Categories of personal data processed
The register includes personal data of the following persons:
- Customers of the data controller and their representatives and contact persons
- Representatives and contact persons of the data controller’s subcontractors and suppliers
- Potential customers, subcontractors and suppliers and their representatives and contact persons
- Other stakeholders
The following personal data of the data subjects, relevant on the basis of the above-mentioned purposes of processing, are processed, such as:
- E-mail address
- Phone number
- Name and business ID of the company, contact person and title
- Order information, contract and offer information, invoice and payment information
- Customer feedback and contact information
- Information based on customer and co-operation relationship, such as contact history, feedback and follow-up information
- Additional information provided by the data subject
5. Regular information sources of the register
Personal data has been primarily obtained from the following information sources:
- Directly from the data subject for the purpose of managing customer relationship
- Directly from the data subject in connection with other co-operation relationship
- Public/commonly available sources (such as internet, social media and Trade Register)
- Data subject’s employer or other representative of the data controller’s customer, business or co-operation contact or contract party
- Companies’ information is checked from Suomen Asiakastieto Oy’s registers in business contexts; reports may include data concerning companies’ representatives
6. Processors and recipients of personal data
In connection with implementing its technical services, the data controller uses reliable service providers which process personal data on behalf of the data controller on basis of data processing agreement required by applicable data protection legislation. The service providers will process the personal data, for which the data controller is responsible for, in accordance with the data processing agreements and data controller’s documented instructions.
The data controller may also disclose personal data to other data controller or a third party if agreed with the data subject on a case-by-case basis.
In addition, and pursuant to requirements of applicable data protection legislation, the data controller may disclose contact information of a data subject to data controller’s co-operation partners for example when the data controller organizes a customer or education event together with such co-operation partner. Such co-operation partner is responsible for processing of personal data for its own part.
Personal data may be transferred outside European Union or European Economic Area in accordance with and subject to the applicable data protection legislation. The data controller ensures adequate level of data protection as required by applicable data protection legislation also in situations in which the personal data is transferred outside European Union or European Economic Area by complying with adequacy decisions issued by the European Commission and by using, when required, standard contractual clauses approved by the European Commission together with necessary additional safeguards for such transfers.
8. Storage period for personal data
The data controller will process and retain personal data only as long as required by legislation or as long it is necessary for the purposes of processing which have been determined in advance. Personal data which has become redundant, i.e. personal data which the data controller no longer has legal basis or requirement to retain or process, will be deleted on regular basis in accordance with the data controller’s own data protection policy.
9. Rights of the data subject
The data subject has the rights pursuant to the EU General Data Protection Regulation.
Right of access
The data subject has the right to obtain confirmation from the data controller as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and a copy of the personal data processed.
Right to rectification, erasure and restriction of processing
The data subject has the right to request from the data controller the rectification of inaccurate data concerning him or her, as well as the erasure of any personal data concerning him or her or to request the restriction of processing on the grounds laid down by law.
Right to object
The data subject has the right to object, on grounds relating to his or her particular situation, processing of personal data concerning him or her when personal data is processed on basis of the legitimate interest of the data controller. Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data will no longer be processed for such purposes.
Right to data portability
The data subject has the right to receive data concerning him or her, which he or she has provided to the data controller, in a structured, commonly used and machine- readable format and the right to transmit those data to another data controller, in cases where processing is based on consent or contract and the processing is carried out by automated means. The data subject has the right to have personal data transmitted directly from one data controller to another, where technically feasible.
Right to withdraw consent
In case where processing of personal data is based on the consent of the data subject, the data subject has the right to withdraw his or her consent by notifying the data controller. The withdrawal of consent shall not affect the lawfulness of the processing of personal data based on consent before its withdrawal.
Right to lodge a complaint with a supervisory authority
Supervisory authority in Finland is the Office of the Data Protection Ombudsman. Contact details and instructions are available on address www.tietosuoja.fi.
Exercise of data subject rights
You may exercise your above stated rights by contacting the data controller via phone or by sending an e-mail to the e-mail address indicated in the beginning of this Privacy Notice. We aspire to provide a reply as soon as possible and, where needed, provide you with additional instructions or ask additional questions based on your request.
Please note that prior to fulfilling a request we have a right as well as an obligation to verify your identity, due to which we must be able to identify you in an adequate manner.
If your request is manifestly unfounded or excessive, we may charge a reasonable fee for administrative costs to carry out your request or refuse to act on the request.
10. Processing of personal data and profiling
The data controller does not use automated decision-making, such as automated profiling, as part of processing personal data.
11. General description of appropriate technical and organizational security measures of the data controller
Access to the register have been granted solely to such designated representatives of the data controller who have signed appropriate non-disclosure commitments and have a legitimate need to process personal data contained in the register in connection with performing their work duties.
The data controller has provided all its employees and service providers with written instructions and orders on processing of personal data and data protection, which instructions and orders they have committed to comply with.
Data security of information systems has been arranged adequately.
The data controller will revise its processing operations and equipment on regular basis and, amongst other things, assess risks related to processing of personal data, for example when introducing new technology.
12. Amendments to this Privacy Notice
The data controller may amend this Privacy Notice if needed.
This Privacy Notice has been last updated on 15.6.2023.