1 Data processor
Foppa Oy (business ID 3019178-4) and its group companies (“Controller”).
Address: Siltasaarenkatu 8-10, 00530 Helsinki, Finland.
Contact information: info (at) foppa.fi
2 Name of the register
The name of the register is Foppa Oy’s customer and marketing register (the “Register”). The Register contains information about the Controller’s customers and potential prospects and their representatives. The data content is described in more detail below.
3 Data content of the Register
The Register may contain the following information:
- Phone number
- E-mail address
- Company and its address details (company with which the data subject is connected)
- Contract and billing information
- Data collected through cookies (analytics)
- Data collected through social media channels
- Information about the terminal device used by the data subject, such as device type, browser application and version, IP address and other terminal information
- Other information collected with the consent of the data subject
4 Purpose of processing personal data
- Customer relationship management
- Exercise of the rights and obligations of the data subject & controller
- Purposes related to the use & operation of online services
- Research and development activities
- Marketing of the controller’s products & services
- Fulfilling the legal obligations of the controller
The controller’s legal grounds for processing personal data under the EU General Data Protection Regulation are:
- Consent of the data subject
- Contracts relating to the customer relationship
- Legitimate interest of the controller
- Legal requirements
Data sources for the register
- The data subject themselves (emails, phone calls, social media services)
- Controller’s website (material downloads, event registrations, contact forms)
- Data collected during customer meetings
- Data subject’s use of online services (functions used, analytics data)
- Other situations in which the data subject discloses his/her data to the controller
- Public data sources, such as company websites, business registers or services providing business information, e.g. Vainu, Fonecta Finder
- Cookies & other similar technical solutions
5 Regular disclosure of information
As a general rule, the controller does not disclose personal data of data subjects to third parties. Data may be disclosed if required by a competent authority, for the performance of contractual obligations, or to the extent agreed with the data subject. In some situations, data of data subjects may be disclosed to subcontractors or partners of the Controller. Such parties will process personal data confidentially and in accordance with the instructions of the Controller.
The Controller may disclose statistical or anonymised data that cannot be linked to the data subject.
6 Transferring data outside the EU or EEA
Data may be transferred and stored on a server in the EU or EEA for processing by the Controller or a partner of the Controller in accordance with the EU General Data Protection Regulation and the Data Protection Act.
If personal data is transferred outside the EU/EEA, this will in all cases be done on a lawful basis:
- The European Commission has classified the level of data security in the recipient country as adequate
- The controller has implemented appropriate safeguards for the transfer of personal data using the European Commission’s Standard Contractual Clauses (SCCs), a copy of which will be provided upon request.
- The data subject has given his or her explicit consent to the transfer of personal data
- There is another legal basis for the transfer of personal data outside the EU/EEA.
7 Data retention period
8 Rights of the data subject
The data subject has the following rights, the exercise of which must be requested at the address mentioned in point 1. The person making the request may be asked to prove his/her identity to the Controller. The Controller will respond to requests for information from the data subject within one month of receipt of the request at the latest (the time limit laid down in the EU Data Protection Regulation).
- Right of access: the data subject has the right to check the personal data stored about him or her.Rectification and erasure (right to be forgotten): at the data subject’s request, the controller will rectify, erase or complete personal data that are inaccurate, unnecessary, incomplete or outdated for the purposes of processing. The controller may also rectify, erase or complete the data on its own initiative.
- Right to withdraw consent: for personal data collected on the basis of consent, data subjects have the right to withdraw their consent to the processing of their personal data.
- Right of portability: the data subject has the right to have his or her personal data provided on the basis of consent or in the performance of a contract transferred to another controller, where technically feasible. The controller will then transfer the data in a commonly used and machine-readable format (JSON). The controller is not responsible for the compatibility of the transfer format with the recipient’s system.
- Right to restrict and object to processing: if the controller processes the data in accordance with the following conditions
9 Principles of register protection
Personal data will be kept confidential. The data network of the controller and the hardware on which the register is located are protected by a firewall and other necessary technical measures. The controller and its subcontractors shall ensure that stored data, access rights to servers and other technical solutions and other information critical to the security of personal data are treated confidentially and only by employees whose job description includes this.
11 Amendment of the register description