Privacy and register description

PRIVACY POLICY OF VELLAMO PUMPUT OY’S CUSTOMER REGISTER

1 Controller

The controller of the register is VELLAMO PUMPS LTD. (Business ID 3239699-4)

The contact person for register matters is: Kimmo Issakainen, CEO

VELLAMO PUMPS LTD Address: Sinikangaskaari 1A, 73310 TAHKOVUORI

E-mail: info@vellamopumps.com

 

2 Name of the register

The name of the register is VELLAMO PUMPS LTD customer register.

3 Purpose of processing personal data

Personal data is processed for purposes related to the management and development of customer relationships, the provision and delivery of services, and the development and invoicing of services. Personal data is also processed for the purposes required to settle any complaints and other claims.

In addition, personal data is processed in communications to customers, such as for information and news purposes, as well as in marketing, as part of which personal data is also processed for direct marketing and electronic direct marketing purposes.

The customer has the right to prohibit direct marketing directed at him or her.

The controller processes the data itself and uses subcontractors acting on behalf of the controller in the processing of personal data.

4 Legal bases for processing

The legal bases for the processing of personal data are the following, in accordance with the EU’s General Data Protection Regulation (hereinafter also referred to as the “GDPR”):

  1. the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes (GDPR Art. 6. 1.a);
  2. the processing is necessary for the performance of a contract to which the data subject is a party or for the adoption of pre-contractual measures at the request of the data subject (GDPR Art. 6. 1.b);
  3. processing is necessary for the legitimate interests of the controller or a third party (GDPR Art. 6. 1.f).

The aforementioned legitimate interest of the controller is based on a meaningful and appropriate relationship between the data subject and the controller resulting from the fact that the data subject is the controller’s customer and when the processing takes place for purposes that the data subject could reasonably have expected at the time of the collection of the personal data and in the context of an appropriate relationship.

5 Data content of the register (categories of personal data to be processed)

In principle, the register contains the following personal data on all data subjects:

  1. basic information and contact details of the person: [first name, surname, address, telephone number, e-mail address];
  2. information relating to the person’s company or other organisation and the person’s status or job title in an undertaking or organisation;
  3. direct marketing authorisations and prohibitions of the person.

6 Regular data sources

Personal data is collected from the data subject.

Personal data is also collected and updated, within the limits of applicable law, from publicly available sources related to the realisation of a customer relationship between the controller and the data subject, through which the controller fulfils its obligations related to maintaining customer relationships.

7 Retention period for personal data

The data collected in the register is stored only for as long and to the extent necessary in relation to the original or compatible purposes for which the personal data was collected.

The need to store personal data is assessed every five years, and in any case, the data concerning the data subject shall be deleted from the register 10 years after the termination of the data subject’s customer relationship with the controller and after the obligations and actions relating to the customer relationship have been completed. For example, accounting documents are kept for five years from the end of the financial year.

The controller regularly assesses the need to store data in accordance with its internal code of conduct. In addition, the controller shall take all reasonable steps to ensure that personal data that are inaccurate or outdated in relation to the purposes of the processing are deleted or rectified without delay.

8 Recipients of personal data (categories of recipients) and regular disclosures of data

Personal data will not be disclosed to third parties.

9 Transfer of data outside the EU or EEA

The personal data contained in the register will not be transferred outside the EU or EEA.

10 Principles of registry protection

Materials containing personal data are stored in locked premises, which can only be accessed by designated persons and persons authorised to access them for the sake of their duties.

The database containing personal data is located on a server kept in locked premises, accessible only to designated persons and persons authorised to access it for the purpose of their duties. The server is protected by an appropriate firewall and technical security.

Databases and systems can only be accessed with separately issued personal usernames and passwords. The controller has limited the access rights and powers to information systems and other storage platforms so that the data can only be viewed and processed by persons necessary for their lawful processing. In addition, database and system access events are registered in the logs of the controller’s IT system.

The controller’s employees and other persons have undertaken to observe professional secrecy and to keep confidential the information received in connection with the processing of personal data.

11 Rights of the data subject

The data subject has the following rights under the EU’s General Data Protection Regulation:

  1. the right to receive confirmation from the controller as to whether or not personal data concerning him or her are being processed and, if such personal data are processed, the right to access the personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipients to whom personal data have been or are to be disclosed; (iv) where possible, the planned retention period of personal data or, where that is not possible, the criteria for determining that period; (v) the right of the data subject to request from the controller the rectification or erasure of personal data concerning him or her or to restrict or object to the processing of personal data; (vi) the right to lodge a complaint with a supervisory authority; (vii) if personal data is not collected from the data subject, all available information on the origin of the data (GDPR Art. 15). The basic information described in (i)–(vii) shall be provided to the data subject on this form;
  2. the right to withdraw consent at any time without prejudice to the lawfulness of processing carried out on the basis of consent prior to its withdrawal (GDPR Article 7);
  3. the right to demand that the controller rectify inaccurate personal data concerning the data subject without undue delay and the right to have incomplete personal data completed, including by providing further explanations, taking into account the purposes for which the data were processed (GDPR Article 16);
  4. the right to have the controller delete personal data relating to the data subject without undue delay, provided that (i) the personal data are no longer needed for the purposes for which they were collected or otherwise processed; (ii) the data subject withdraws the consent on which the processing was based and there is no other legal basis for processing; (iii) the data subject objects to the processing on grounds relating to his or her particular situation and there are no legitimate grounds for the processing, or the data subject objects to the processing for direct marketing purposes; (iv) the personal data have been processed unlawfully; or (v) the personal data must be erased in order to comply with a legal obligation applicable to the controller under Union or national law (GDPR Art. 17);
  5. the right to have the controller restrict the processing if (i) the data subject disputes the accuracy of the personal data, in which case the processing is limited for a period during which the controller can verify their accuracy; (ii) the processing is unlawful and the data subject objects to the erasure of personal data and instead requests that their use be restricted; (iii) the controller no longer needs such personal data for the purposes of the processing, but the data subject needs them to establish, exercise or defend a legal claim; or (iv) the data subject has objected to the processing of personal data on grounds relating to his or her particular situation, pending verification of whether the legitimate grounds of the controller override the data subject’s grounds (GDPR Art. 18);
  6. the right to receive the personal data relating to him or her which the data subject has provided to the controller in a structured, commonly used and machine-readable format, and the right to transfer that data to another controller without hindrance from the controller to whom the personal data was provided, provided that the processing is based on the consent referred to in the Regulation and the processing is carried out automatically (GDPR Art. 20);
  7. the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data concerning him or her violates the EU’s General Data Protection Regulation (GDPR Article 77).

Requests for the exercise of the data subject’s rights are addressed to the controller’s contact person mentioned in section 1.