Register and privacy statement
The following is the Stairon Group Oy register and privacy statement, which complies with the Personal Data Act (sections 10 and 24) and the EU General Data Protection Regulation (GDPR). Drafted 17 September 2020
2. Contact person for the privacy statement
Timo Kylä-Nikkilä, CEO, firstname.lastname@example.org, 050 574 1142
3. Name of the register
Stairon’s customer register
4. Legal basis and purpose of processing personal data
The legal basis for processing personal data under the GDPR is: – consent of the person (documented, voluntary, specific, intentional and unambiguous)
The purpose of processing personal data is to maintain contact with customers and the marketing of services.
Data is not used for automated decision-making or profiling.
5. Data content of the register
Data stored in the register includes, depending on the information requested: the person’s name, contact details (telephone number, email address, postal address), URL, information on products ordered and other information pertaining to the customer relationship and services ordered.
6. Regular data sources
Data stored in the register is obtained from customers, for example; in messages sent via online forms, via email, phone, on social media channels, in contracts, at customer meetings and in other cases where the customer discloses its information.
7. Regular transfer of personal data outside the EU or the EEA
Data is not regularly transferred to outside parties. Data may only be published to the extent agreed upon with the customer. Data may be transferred at the behest of the controller also outside the EU and EEA.
8. Principles of protecting the register
Caution is exercised in processing the register and all data processed by information systems is properly protected. When register data is stored on Internet servers, the physical and digital data protection of the server equipment is properly ensured. The controller ensures that all stored data, server access rights and other information critical to the protection of personal data are processed confidentially and only by employees who are authorised to do so in carrying out their assigned tasks.
9. Right of inspection and right to rectification
Each person in the register is entitled to inspect all data pertaining to them that is stored in the register and demand the rectification of any inaccurate data or supplementing of incomplete data. If a person wants to inspect data pertaining to them that is stored in the register or demand rectification of the data, they must submit a written request to the controller. If necessary, the controller may ask that the person submitting a request for the inspection or rectification of data provide proof of their identity. The controller must respond to the customer within a period of time specified in the GDPR (as a rule, within one month).
10. Other rights pertaining to the processing of personal data
Each person in the register is entitled to request that their personal data be erased from the register (“right to be forgotten”). Likewise, the data subject holds other rights under the GDPR, such as the right to restrict the processing of their personal data under certain circumstances. Requests must be submitted in writing to the controller. If necessary, the controller may ask that the person submitting a request for erasure of data provide proof of their identity. The controller must respond to the customer within a period of time specified in the GDPR (as a rule, within one month).