Privacy statement of customer and marketing register
PRIVACY STATEMENT OF CUSTOMER & MARKETING REGISTER
In this document, we are giving information to you, the data subject, about the processing of your data and the rights of the data subject, in accordance with the EU General Data Protection Regulation.
1 Controller
The controller of the customer register is Etra Balti AS
Etra Balti AS is part of Etola Group and Etra Oy Finland
The contact person in matters related to the filing system is:
Tarmo Rosenberg, CEO
Etra Balti AS
Lampputie 2, 00740 Helsinki
53 322 100
2 Name of the filing system
The name of the filing system is Etra Balti AS´s Customer & Marketing Register.
3 Purposes of processing personal data
Personal data is processed for purposes relating to the administering, management and developing of customer relationships, offering, selling and delivering services and products, and development and invoicing of services and products. Personal data is also processed for purposes of handling notices of defects and other claims.
In addition, personal data is processed for the purposes of customer communications, such as announcements and news reporting, and marketing, including direct marketing and electronic direct marketing.
The customer has the right to forbid direct marketing targeted at them.
The controller processes the data by itself and it uses subcontractors that operate on the controller’s behalf and in its name to process the personal data.
4 Legal basEs for the processing of personal data
Pursuant to EU’s General Data Protection Regulation (hereinafter also the “GDPR”), the legal bases for the processing of personal data are the following:
(a) the data subject has given their consent to the processing of their personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
The above mentioned legitimate interest pursued by the controller is based on a relevant and appropriate relationship between the data subject and the controller resulting from situations such as where the data subject is a client [or a potential client] of the controller, and where the data subject can at the time and in the context of the collection of the personal data reasonably expect that processing for that purpose may take place.
5 Data content of the FILING SYSTEM [Personal data groups being processed]
The filing system contains the following personal data of the data subjects:
(a) basic information and contact information: [first name, last name, address, phone number, e-mail address];
(b) information relating to the data subject’s company or other organization and position or title in the company or organization in question;
(c) direct marketing permissions and prohibitions.
6 Regular sources of informationPersonal data is collected from the data subject.
Personal data is also collected and updated within the limits of applicable legislation [from publicly available sources, which relate to the enforcement of the customer relationship between the controller and the data subject, and by means of which the controller carries out its duties relating to the maintaining of customer relationships.]
7 Storage period of personal DATA
The collected personal data shall be stored only for as long as and to the extent that is necessary in relation to the original and compatible purpose for which the personal data has been collected.
The controller shall regularly evaluate the need to store the data [in accordance with internal practice]. In addition, the controller shall take every reasonable step to ensure that personal data that is inaccurate, erroneous or outdated for the purposes of processing, shall be deleted or rectified without delay.
8 The recipients of personal data (categories of recipients) and regular disclosure of data
Data is not disclosed to third parties, with the exception of Etra Balti AS ICT-services and marketing communications contractors that are obligated by the supply and framework agreements to adhere to the guidelines set by Etra Balti AS, as well as the rules and regulations of the EU General Data Protection Regulation and the current legislation.
9 Transfer of data outside EU or EEA AREA
The data included in the filing system may be transferred outside EU or EEA. [When transferring personal data outside the EU or EEA, the controller follows the model contract clauses adopted by the European Commission regarding transfer of personal data to third countries.]
10 Security principles of the filing system
Material containing personal data is kept in locked premises to which entry is granted only to appointed and authorized persons for carrying out their work assignments.
The database containing personal data is on a server which is kept in locked premises to which entry is granted only to appointed and authorized persons for carrying out their work assignments. The server is protected by an appropriate firewall and technical security.
All databases and information systems are accessible only with individual and personal login information [username and password]. The user rights and authorizations to the information systems and other data carriers are restricted by the controller, so that the information can only be viewed and processed by persons who are legally admitted and required to do so. In addition, all interactions on the databases and systems are registered to the log data of the controller’s IT system.
The employees and other personnel of the controller have committed to comply with professional secrecy and concealment regarding the information received in connection with processing of personal data.
11 Rights of the data subject
Pursuant to the GDPR, the data subject has the following rights:
(a) the right to obtain confirmation as to whether or not personal data concerning the data subject is being processed by the controller, and where that is the case, access to the personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipient to whom the personal data has been or will be disclosed; (iv) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (v) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (vi) the right to lodge a complaint with a supervisory authority; (vii) where the personal data is not collected from the data subject, any available information as to its source. This form is used to give the data subject the basic information described in (i)–(vii);
(b) the right to withdraw their consent at any time without it affecting the lawfulness of processing based on consent before its withdrawal;
(c) the right to obtain from the controller without undue delay the rectification of inaccurate and erroneous personal data concerning them and, taking into account the purposes of the processing, the right to have incomplete personal data completed, including by means of providing a supplementary statement;
(d) the right to obtain from the controller the erasure of personal data concerning them without undue delay, provided that (i) the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed; (ii) the data subject withdraws the consent on which the processing is based, and where there is no other legal ground for the processing; (iii) the data subject objects to the processing on grounds relating to a particular personal situation and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for direct marketing purposes; (iv) the personal data has been unlawfully processed; or (v) the personal data has to be erased for compliance with a legal obligation in Union or national law to which the controller is subject;
(e) the right to obtain from the controller restriction of processing, where (i) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; (ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead; (iii) the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defense of legal claims; or (iv) the data subject has objected to processing on grounds relating to a particular personal situation pending the verification whether the legitimate grounds of the controller override those of the data subject;
(f) the right to receive the personal data that has been provided to the controller, in a structured, commonly used and machine-readable format and the right to transmit that data to another controller without hindrance from the controller to which the personal data has been provided, where the processing is based on consent meant in the regulation and the processing is carried out by automated means;
(g) the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data infringes the GDPR.
Requests concerning the data subject’s rights shall be addressed to the contact person of the controller referred to in Section 1.