Date: 25 March 2022
1. DATA CONTROLLER
The data controller under the GDPR is Helsinki Identity Oy (hereinafter Helsinki Identity or we). The contact details of the controller are as follows:
Helsinki Identity Oy (3234775-4)
Haapaniemenkatu 7-9 B
Contact details for data protection matters: Joni Ihantola
2. PERSONAL DATA PROCESSED AND SOURCES OF PERSONAL DATA
We primarily collect and process personal data collected directly from you. We collect personal data in various ways, for example, in communication regarding customer agreements and supplier agreements, when job applicants send us applications, when an employee starts employment with us or when a person attending an event registers for the event.
Personal data collected and processed by us may include:
- Social security number
- Job title
- Home address
- Date of birth
- Bank account number
- Salary and benefits or remuneration
- E-mail address
- Telephone number
- Dietary preferences
We may also process other types of information you may voluntarily disclose, such as information you share when you contact us face to face, by phone, e-mail or other electronic communication application.
We may also receive some of the aforementioned information from third parties, including your name, home address, e-mail address and telephone number.
3. PURPOSE AND LEGAL GROUNDS FOR PROCESSING PERSONAL DATA
Helsinki Identity process personal data for the following purposes:
To provide our services, to obtain services and products from our suppliers and perform our obligations under contractual relationships (legal basis: performance of the contract and legitimate interest)
Helsinki Identity processes your personal data to enter into agreements with its customers, suppliers and other stakeholders, to offer its customers the Services they use and to obtain services and products from its suppliers.
To comply with our legal obligations (legal basis: fulfilling a legal obligation)
We may process your personal data to administer and fulfil our legal obligations. For example, we may process the data to fulfil our accounting obligations, our obligations arising from employment and commission relationships and to provide information to competent authorities such as tax authorities.
For claims handling and legal proceedings (legal basis: legitimate interest)
Helsinki Identity may process personal data in connection with the processing of claims and legal proceedings. We may also process data for the prevention of fraud and misuse of the Services and for upkeeping our data, system and network security
For recruiting (legal basis: consent)
Your personal data may also be processed for our potential future recruitment processes based on your consent. Based on your consent, your application will be retained in the recruitment system upon completion of recruitment so that the registrar can contact you regarding other potential recruitment processes.
For customer service and communication (legal basis: legitimate interest)
Helsinki Identity may process personal data to process and respond to customer feedback and service requests.
For stakeholder communication and marketing (legal basis: legitimate interest)
Helsinki Identity processes your personal data to communicate with you about our Services and any possible changes to them. Your personal data may also be used for marketing the Services directly to you. In addition, personal data is processed in order to send out newsletters, and in connection with participation in events and other marketing activities.
For quality improvement and trend analysis (legal ground: legitimate interest)
We may also process information about your use of the Services to improve the quality of the Services for example by analysing any trends in the use of the Services. In order to ensure that our services are in line with your needs, personal data can be used for things like customer satisfaction surveys. When possible, we will do this using only aggregated, non-personally identifiable data.
3.2 Legal grounds for processing
Helsinki Identity processes your personal data to fulfil our obligations under mandatory legislation and our contractual obligations as your contractual party.
Furthermore, we process your personal data to pursue our legitimate interest to run, maintain and develop our business and to create and maintain customer relationships. When choosing to use your data on the basis of our legitimate interests, we weigh our own interests against your right to privacy and for example provide you with the option to opt-out from our marketing communications.
In some parts you may be requested to consent for the processing of personal data. In this event, you may withdraw your consent at any time.
4. RECIPIENTS OF PERSONAL DATA
We do not share your personal data with third parties outside the group which Helsinki Identity belongs to unless one of the following circumstances applies:
For the purposes set out in this Privacy Statement and to authorized service providers
To the extent that third parties need access to personal data in order for us to perform the Services, we provide such third parties with your data. In addition, we may provide your personal data for processing on our behalf to our subsidiaries or to authorized service providers who perform services for us (including data storage, accounting, sales and marketing).
When data is processed by third parties on behalf of Helsinki Identity, Helsinki Identity has taken the appropriate contractual and organizational measures to ensure that your data are processed exclusively for the purposes specified in this Privacy Statement and in accordance with all applicable laws and regulations and subject to our instructions and appropriate obligations of confidentiality and security measures.
Please bear in mind that if you provide personal data directly to a third party, such as through a link, the processing is typically based on their policies and standards.
The data will be used for legal purposes or in legal proceedings
We may also share your personal data with third parties outside of Helsinki Identity if we consider that access to and use of the personal data is reasonably necessary to: (i) comply with applicable laws and regulations and/or a court order; (ii) detect and prevent misuse, crime, technical failures and information security problems; and/or (iii) guarantee Helsinki Identity’ and your safety and the protection of property, as well as the public interest. We will notify you directly of any such processing, if possible in that case.
The data will be used for other legitimate reasons
If Helsinki Identity is a party to a merger, asset deal or other acquisition, we may transfer your personal data to a third party involved in the process, such as a prospective buyer and its advisors. However, we will continue to ensure the confidentiality of all personal data transferred. We will give notice to everyone concerned when the personal data are transferred in said situation or become subject to a different privacy statement.
With your explicit consent
We may share your personal data with third parties outside Helsinki Identity when we have your explicit consent to do so. You have the right to always withdraw this consent free of charge by contacting us.
5. INTERNATIONAL DATA TRANSFERS OUTSIDE EUROPE
In principle, Helsinki Identity process your personal data within the territory of the Member States of the European Union (EU) and in the European Economic Area (EEA).
However, we have service providers in several geographical locations. As such, we and our service providers may transfer your personal data to, or access it in, jurisdictions outside the European Economic Area. We will take steps to ensure that the Users’ personal data receives an adequate level of protection in the jurisdictions in which they are processed. Where personal data is transferred to countries outside the EU/EEA, we will ensure that the transfer of personal data only takes place in accordance with the appropriate safeguards of the GDPR, for example by means of standard contractual clauses approved by the European Commission. For the current standard contractual clauses, please visit the European Commission’s website.
6. RETENTION PERIOD
Helsinki Identity does not store your personal data longer than is legally permitted and necessary for the purposes of providing the Services or the relevant parts thereof. The storage period depends on the nature of the information and on the purposes of processing. The maximum period may therefore vary per use. The following describes the processing times and the criteria for determining them.
The personal data will be stored for at least the duration of the customer’s customer and contractual relationship. Thereafter, a part of the personal data relating to the contractual relationship may be stored only as long as such processing is required by law or we have a legitimate reason to retain the data for example for claims handling, internal reporting, employer obligations, marketing or bookkeeping.
However, we will retain your e-mail address for direct marketing purposes until further notice if you have given us your consent for direct marketing. If you later prohibit direct marketing, we will remove other information related to the direct marketing order, but we retain the information that you have prohibited us from sending electronic direct marketing to ensure compliance with the ban.
7. YOUR RIGHTS
Right of access to data
You have the right to access or obtain a copy of your personal data processed by us. We may refuse to provide you with a copy of your data if doing so would compromise the rights and freedoms of others.
Right to withdraw consent
In case the data processing is based on a consent granted by you, you have the right to withdraw the consent at any time free of charge. Withdrawing a consent may lead to fewer possibilities to use the Services. Withdrawal of consent does not affect the lawfulness of the processing of personal data carried out prior to the withdrawal.
Right to request the correction of data
You have the right to require us to correct or complete any inaccurate or outdated personal data that we have stored about you by contacting us.
Right to request the deletion of data
You may request us to delete your personal data from our systems. We will comply with such request unless we have a legitimate ground to not delete the data.
Right to object the data processing
You have the right to object the use of your personal data if such data is processed for other purposes than what is necessary for the performance of the Services or for compliance with a legal obligation. We will comply with such claim unless we have a legitimate ground to act otherwise. If you object to the further processing of your personal data, this may lead to fewer possibilities to use the Services.
Right to restrict the processing of data
You may request us to restrict processing of personal data for example when your data erasure, rectification or objection requests are pending and/or when we do not have legitimate grounds to process your data. This may however lead to fewer possibilities to use the Services.
Right to transfer data from one system to another
You have the right to receive your personal data from us in a structured and commonly used format and the right to transfer the data independently to a third party.
How to use your rights
The abovementioned rights may be used by sending a letter or an e-mail to us on the addresses set out above, including the following information: your full name, address, e-mail address and phone number. We may request the provision of additional information necessary to confirm your identity. We may reject or charge a handling fee for requests that are unreasonably repetitive, excessive or manifestly unfounded.
8. DIRECT MARKETING
You have the right to prohibit us from using your personal data for direct marketing purposes, market research and profiling made for direct marketing purposes by contacting us on the addresses indicated above or by using the functionalities of our Services or the unsubscribe possibility offered in connection with any direct marketing messages. If you object the use of your personal data for direct marketing purposes, your personal data will no longer be used for such purposes.
9. LODGING A COMPLAINT
If you consider that our processing of personal data infringes the applicable data protection laws, you may lodge a complaint with a local supervisory authority. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman: https://tietosuoja.fi/en/home. Alternatively, you can file a complaint with the local supervisory authority of your place of residence.
10. INFORMATION SECURITY
We use administrative, organizational, technical, and physical safeguards to protect the personal data we collect and process. Measures include for example encryption, pseudonymization, firewalls, secure facilities and access right systems. Our security controls are designed to maintain an appropriate level of data confidentiality, integrity, availability, resilience and ability to restore the data. We regularly test our Services, systems, and other assets for security vulnerabilities.
Should despite of the security measures, a security breach occur that is likely to have negative effects to your privacy, we will inform you and other affected parties according to the applicable legislation, as well as relevant authorities when required by applicable data protection laws, about the breach as soon as possible.