Privacy policy | RTK-Palvelu

Privacy Statement of the Customer and Marketing Register of RTK-Palvelu Oy

1 Controller

The controller is RTK-Palvelu Oy (Business ID: 2659323-8)

The contact person for requests related to the filing system is Hanna Mari Muikku, Data Protection Officer.

RTK-Palvelu Oy
Address: Papinhaankatu 8, 26100 Rauma, Finland
Switchboard: +358 400 606 055
Email: tietosuoja@rtkpalvelu.fi

2 Name of filing system

The name of the filing system is the Customer and Marketing Register of RTK-Palvelu Oy

3 Purpose of data processing

The controller processes personal data for purposes related to the management of the customer relationship, customer communications, implementation of customer surveys, marketing, and provision of electronic services aimed at customers.

For the aforementioned purposes, the Controller processes customers’ personal data for the purpose of producing services for customers and related marketing and communications.

4 The legal basis for data processing

The legal bases for the processing of personal data are the following grounds under the EU General Data Protection Regulation (hereinafter also referred to as “GDPR”):

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes (GDPR Art. 6, 1a);
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (GDPR Art. 6, 1b);
(c) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (GDPR Art. 6, 1f);
(d) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes (GDPR Art. 9, 2a).

The legitimate interest of the data controller is based on a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or potential client of the data controller, and when the processing is carried out for purposes that the data subject could reasonably have expected at the time the personal data were collected and in connection with the appropriate relationship.

5 Data content of filing system (processed personal data groups)

As a rule, the filing system contains the following personal data on all data subjects:

(a) the data subject’s basic information and contact details (incl. first name, last name, address, telephone number, email address);
(b) information related to the data subject’s company or other organisation and the person’s position or job title in said company or organisation;
(c) user IDs for electronic services;
(d) information concerning the use of electronic services;
(e) the subject’s direct marketing consents and prohibitions.

The filing system also contains data on the contacts between the customer or potential customer and the controller and related material (telephone conversations, emails, meetings), and feedback, complaints and other data promoting good customer management.

6 Regular sources of data

Personal data are primarily collected directly from the data subject, the contact person of a corporate client or the website of the corporate client, at the beginning of, or during, the customer relationship.

Personal data are also collected when customers use the company’s electronic services.

Within the frame set by applicable legislation, personal data are also collected and updated based on publicly accessible sources related to the implementation of the customer relationship between the controller and the data subject. The controller uses the data to take care of its obligations related to maintaining customer relationships. If necessary, the data are verified from Suomen Asiakastieto Oy or business data services, such as the trade register.

In addition, the personal data of potential customers are checked against information purchased from data providers.

7 Period for storing personal data

The data collected in the register are stored only for as long and to the extent necessary for the original purpose, or for purposes compatible with the one for which they were collected.

Any unnecessary data will be removed in accordance with the company’s practices; however, the data will not be deleted until the obligations and measures related to the customer relationship have been fully completed.

The controller also regularly assesses the necessity of the data storage [in accordance with its internal codes of conduct] and takes every reasonable step to ensure that personal data that are inaccurate, erroneous or outdated, having regard to the purposes for which they are processed, are erased or rectified without delay.

8 Regular disclosure of data

The data contained by the filing system shall not be disclosed to third parties unless otherwise provided by applicable legislation or by a decision of the competent authority.

Nevertheless, the controller may disclose the data of the filing system to direct marketing registers of companies belonging to the same group as the controller.

In processing personal data, the controller makes use of subcontractors acting on behalf of and for the benefit of the controller, i.e. processors.

9 Transfer of data outside EU or EEA

The personal data contained by the filing system are processed primarily in the EU region. Nevertheless, in the processing of personal data, we may use service providers with access to the personal data from outside the EU/EEA region. In any cases where the data are processed outside the EU/EEA, the service providers are committed to complying with the Privacy Shield framework or the EU Standard Contractual Clauses.

10 Principles of securing the filing system

The database containing personal data is on a server stored in a locked facility that may only be accessed by designated persons authorised to access the data by virtue of their duties.

The server has been protected by an appropriate firewall and technical safeguards.

The databases and systems may only be accessed using personal IDs and passwords granted separately. The controller has restricted user rights and authorisations to the data systems and other storage mediums, in that the data may be examined and processed solely by persons whose involvement is necessary for their lawful processing.

Additionally, all database and system activities are logged in the controller’s IT system logs.

The controller’s employees and other persons are bound by a confidentiality obligation and are to keep secret any information obtained in connection with the processing of personal data.

11 The rights of the data subject

The data subject may request the controller to provide access to the personal data concerning himself or herself, request rectification or erasure of said data, and ask for restriction of processing. The data subject may also object to processing, as well as request data portability between systems.

The controller shall process the request by the data subject and respond to it within the deadline set under data protection legislation. Additionally, the data subject has the right to withdraw his or her consent to processing if the processing of personal data was based on consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The data subject also has the right to lodge a complaint with a supervisory authority. The requests by data subjects must be addressed to the controller’s contact person identified in section 1.