“Personal data” means any information that concerns natural persons (“data subjects”) from which a person can be identified, directly or indirectly, in the manner described in more detail in the EU GDPR.
Controller and data protection officer
Controller: Digiloikka Oy
Business ID: FI27900332 (2790033-2)
Address: Lemminkäisenkatu 14-18 A, 20520 Turku, FINLAND
tel. +358 40 0782 838
Purposes and lawful basis for the processing of personal data
We process personal data for the following purposes:
- delivering products and services, concluding customer contracts and fulfilling orders (contractual relationship or its preparation, legitimate interest)
- customer service and communication and customer satisfaction surveys (legitimate interest, consent, contractual relationship)
- marketing, including market research, other marketing promotion and analysis, and the production of statistics and measurements on the effectiveness of marketing and combining and updating personal data for direct marketing purposes (legitimate interest, consent)
- direct marketing, including electronic direct marketing and telemarketing, as well as planning and measuring the effectiveness of advertising and marketing, and combining and updating personal data for direct marketing purposes (legitimate interest, consent)
- management of stakeholder and subcontractor relations and cooperation with service providers (legitimate interest, contractual relationship or its preparation)
- improving the user experience of our website and other services and monitoring user traffic (consent)
- carrying out legal obligations (such as activities related to accounting and taxation) and reporting obligations (compliance with a legal obligation)
- internal and Group-level reporting and other internal administration (legitimate interest, compliance with a legal obligation)
- processing of warranty and liability matters and complaints and conducting legal and official proceedings (compliance with a legal obligation)
- customer due diligence (KYC) compliance and process management (compliance with a legal obligation)
- preventing and investigating abuses and ensuring data security and the safety of persons and property (legitimate interest, compliance with a legal obligation)
The lawful basis of our processing for the purposes of delivering products and services, concluding customer contracts and fulfilling orders and their related obligations is the performance of a contract or its preparation.
The lawful basis for processing personal data may also be the legitimate interest of the controller or a third party. For example, processing for the purposes of managing customer relationships, customer communications, reporting, processing complaints and legal proceedings is based on a legitimate interest. In all processing based on legitimate interest, Digiloikka Oy ensures that the processing is proportionate to the interests of the data subject and that the data is processed for purposes that meet the reasonable expectations of the data subject. Upon request, we will provide further information on how we process personal data based on our legitimate interest.
Regarding camera surveillance, the legal basis for processing personal data is legitimate interest. The processing is necessary for the protection of property against theft, unauthorised access to data or other activities carried out with the intent to cause harm, and for the prevention and investigation of criminal offences.
In the case of new customers, certain marketing measures, such as marketing to private customers through electronic channels, are based on the explicit consent of the data subject. For existing customers, we may send electronic direct marketing based on our legitimate interest when the marketing concerns the direct marketing of products or services belonging to the same group of products.
When we process personal data in order to comply with legal obligations or to fulfil some specific reporting obligations, the lawful basis for processing is primarily compliance with a legal obligation. For example, the processing of personal data for the purposes of the KYC process is based on a legal obligation.
Automated decision-making and profiling
The processing of personal data does not include automated decision-making or profiling.
Categories of personal data and sources of data
- Identifying and contact information. The system stores the name, email address, phone number, street address, postal code and city as basic information about customers/contact persons of the customer businesses, potential customers and representatives of potential customers. For contact persons of customer businesses or potential customer businesses, the system stores the contact person's position in the company and the name and identifier of the represented business (business ID or equivalent).
- Data on the use of websites and other digital services. IP address, electronic communication identification data, search and browsing data, browser and operating system data and registration data.
- Data related to the KYC process. Information related to identification, such as personal identification number, official document collected for the verification of customer identity, corresponding information on beneficial owners of the company, corresponding information on politically exposed persons (PEPs) linked to the company.
- Image and video recordings. Material from on-site surveillance cameras.
We collect personal data directly from data subjects, for example in connection with a service transaction, or when the data subject buys or orders our products or services, either on the data subject’s own behalf or on behalf of the organisation being represented, or in connection with registration to a service, when the data subject visits our website or other digital services, uses our digital services, subscribes to our newsletter, responds to a customer satisfaction survey or otherwise contacts us. We also receive personal data from other external sources, such as private registry services and registers maintained by the authorities.
Retention of personal data
Image and video recordings are generally stored for 3 days to 24 months, depending on the purpose of processing and the location of the office in question. Due to situations that endanger property or safety, we may retain camera and video recordings for a longer period of time if this is necessary for the establishment, exercise or defence of legal claims.
Upon request, we will provide additional information on our practices for storing personal data.
Recipients of personal data
Personal data may be disclosed between companies belonging to the same group as the controller in accordance with the requirements of data protection legislation for the purposes described in this privacy statement.
In processing personal data, we may also use various service providers and other third parties, such as providers of technical solutions or server space and accounting and financial management service providers. In using third parties to process personal data, we enforce the contractual clauses required by data protection legislation.
We may disclose personal data to third parties in situations required by law or the authorities, or in order to investigate abuses and to ensure safety. We may be required to disclose personal data in connection with litigation or similar legal proceedings.
If the controller or a company belonging to the same group as the controller is involved in a merger, business transaction or other corporate transaction, personal data may be disclosed to other parties to the arrangement or to parties assisting in the arrangement.
Upon request, we will provide additional information on the recipients of our disclosures of personal data.
Transfer of personal data outside the European Economic Area
We do not transfer personal data outside the EU/EEA.
Protection of personal data
Data security and the protection of personal data are of utmost importance to us. We use appropriate technical and organisational safeguards to protect personal data. Personal data stored by us is protected by technical and organisational means. We store data on servers and systems that are protected by firewalls, passwords, and other technical measures. Access to personal data is granted only when necessary for the processing of the data. Individuals who process personal data are bound by professional secrecy on matters related to the processing of personal data.
Rights of data subjects
Data subjects have rights to their personal data in accordance with data protection legislation. However, the application of rights in each individual case depends on the purpose and situation of the processing.
- Right of access to personal data. Data subjects have the right to receive confirmation as to whether their personal data is being processed as well as other information on processing as referred to in data protection legislation. Data subjects have the right to receive a copy of their personal data.
- Right to rectification of personal data. Data subjects have the right, with certain restrictions, to demand that incorrect or inaccurate data be rectified or erased.
- Right to erasure of personal data. Data subjects have the right to request the deletion of their personal data in accordance with the conditions of data protection legislation. Upon request, we will delete personal data unless the law or any other applicable exception in accordance with data protection legislation requires us to retain the data.
- Right to restrict processing. Data subjects have the right, within the conditions specified in data protection legislation, to request restrictions on the processing of personal data in certain situations.
- Right to transfer personal data. Data subjects have the right to request the transfer of their personal data to another controller. In principle, the right to transfer applies to personal data which the data subject has provided to the controller in a structured and machine-readable form, and which is processed based on the data subject's consent or contract, and/or which are processed automatically.
- Right to object to processing. Data subjects have the right, within the conditions specified in data protection legislation, to object to the processing of personal data based on legitimate interests, including profiling. We may refuse such a request if processing is necessary to satisfy the compelling and legitimate interests of the controller or a third party. However, data subjects always have the right to object to the processing of personal data for direct marketing purposes and for profiling related to direct marketing.
- Right to withdraw consent. If the processing of personal data is based on the data subject's consent, the data subject has the right to withdraw consent to the processing of their personal data. Withdrawal of consent has no effect on previous processing.
Exercise of the data subject’s rights
Right to lodge a complaint with the supervisory authority
Data subjects have the right to lodge a complaint with the competent data protection authority if they feel that their personal data has been processed in violation of data protection legislation. Contact information of the Finnish Data Protection Authority can be found here.