Finnish Business ID: 3010084-6
c/o Antti Kivi, Tarkk’ampujankatu 12 A 20, 00150 HELSINKI
2. Contact Person
3. The Name of the Register
Client Register of Visiosto oy
4. Data Subjects
The register may contain personal data of the controller’s clients and potential clients and their representatives.
The register may also contain data of the controller’s business and organisation clients and potential business and organisation clients and personal data of their representatives.
5. The Purposes of Processing Personal Data
The data are used to handle the requirements of client relationship and messaging to clients. The data are also used for marketing purposes.
As regards marketing, the legal basis for processing personal data is the legitimate interest of the controller. As regards handling client relationships and messaging to clients, the legal basis for processing personal data is the legitimate interest of the controller and fulfilling contracts between clients and the controller.
6. The Data in the Register
The register may contain the following personal data:
- Name, phone number and email address
- Postal address, postcode and post office
- Electronic billing address and electronic billing operator
- Information about client relationship
7. Special Categories of Personal Data
The register doesn’t contain special categories of personal data, like data concerning health.
8. The Sources of Personal Data
The personal data processed is got from the person themselves. The register may also contain the controller’s own notes about the persons.
9. The Processors of the Data
The personal data may be processed by other controllers on behalf of the controller only if the person in question has given their explicit permission to that during or after giving their personal data to the register. ‘Other controller’, in this context, doesn’t refer to subcontractors et cetera but to third parties that process personal data for their own purposes.
The controller may use subcontractors et cetera that process personal data in order to fulfill contracts between clients and the controller and to handle client relationships and messaging to clients. The personal data may be processed by technical partners, for example by providers of cloud-computing services.
10. Transfer of Data Outside EU or EEA
If the personal data is processed outside EU or EEA, the controller is responsible for that the transfer of data complies with the current legislation on processing personal data and is carried out accordingly.
The personal data may be processed in a cloud-computing service registered outside EU or EEA. In these cases, sufficient privacy protection and processing of personal data is arranged according to EU-U.S. Privacy Shield Framework or under the standard contractual clauses adopted by the European Commission.
11. Data Protection Principles
The digitally-processed personal data is secured and stored in the controller’s digital storage that can only be accessed by those who need the data in order to carry out their assignments. Those persons must use personal usernames and passwords to access the data. Storing personal data on paper is avoided. Data transferred outside the controller are encrypted. The used workstations and storage media are encrypted.
12. Storage Limitations
The personal data is stored as long as is necessary to fulfill contracts between the client and the controller and handle the client relationship and messaging to the client. After the client relationship has ended, the personal data is stored up to two years. Names, contact detail, and other possible information necessary for accounting is stored for six year from the end of the year during which the fiscal year has ended, as required by the Accounting Act.
13. Rights of the Data Subject
The data subject has the right:
- To obtain information on the processing of their personal data
- Of access to their data
- To rectification and complementing of their data
- To the erasure of their data and to be forgotten if:
- The basis for processing the data is consent and there’s no other legal basis for the processing
- The erasure doesn’t conflict with the controller’s legal obligations and legitimate interest
- The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed
- To revoke their consent and restrict the processing of their data insofar as the basis for the processing is consent
- To receive the personal data that they provided to the controller in a structured, commonly used, and machine-readable format and, if desired, transmit that data to another controller
- To object to the processing of their personal data, for example by objecting to direct marketing
- To make a complaint to the supervisory authority
14. Updating the Privacy Statement