Espoo Marketing’s Customer Data File
2. Data controller
Espoo Marketing Oy (Business ID 1627645-8)
3. Contact of the register
A Grid, Otakaari 5, 02150 Espoo
4. Purposes for processing personal data and the legal basis of processing
The purpose of the data file is to keep a register of companies in the Helsinki Metropolitan Area, companies that can be attracted to Espoo and partners of Espoo Marketing Oy (companies, organisations, communities and private persons, such as investors and international partners) in order to manage customer and cooperative relations, facilitate corporate service and disseminate useful information.
The information in the data file is used to assure the quality and scope of services produced by Espoo Marketing Oy, to distribute news that improves the environment for entrepreneurship in the Espoo region, to send messages concerning corporate services and events and to attract new companies to Espoo. The data file also supports research activity and statistics.
The legal grounds for processing: legitimate benefit and/or consent/agreement given by the data subject.
5. Contents of the register (description of the categories of data subjects and the categories of personal data)
Groups of persons whose data can be processed are contact persons of the data controller’s partner, stakeholder and customer companies, those classed as an ex officio partner and/or potential customer, and persons who have been in contact with the data controller.
A data file may contain, among other things, the following personal and organisational data about the data subjects:
- e-mail address and telephone number
- organisation and position
- locations and addresses of the organisation’s branches
- organisation’s business ID and turnover
- profiling and grouping data (such as the company’s field of business and mailing groups)
- data fundamental to the management of the customer relationship
- data concerning sales of marketing services
- additional data given by the customer itself
- possible mailing bans (e-mail and mail)
- information about changes to the above data
6. Sources of personal data
Personal data shall be collected from the data subject him-/herself and from publicly available Internet sources and other possible public sources. Personal data may also be collected, saved and updated from data files of a data controller providing an address, updating or other similar service.
7. Disclosure of personal data
Personal data is processed confidentially. Espoo Marketing Oy may, however, hand over data in a manner permitted by legislation when, for example, it is considered that a third party can offer special information or benefit to companies/organisations.
The data controller may also hand over customers’ personal data to third parties if so required by Finnish authorities.
8. Transfer of data outside EU or the EEA
Data may be transferred outside the EU or the European Economic Area with the consent of the data subject.
9. Data storage periods
Data shall be stored for as long as the data controller utilises it for managing a customer relationship and for sales of marketing services.
10. Register maintenance systems and principles of protection
Espoo Marketing Oy has an agreement with all its data systems suppliers for processing personal data. The data systems are protected by firewall and other necessary technical measures.
Only persons represented by the data controller and technical persons for data system services may access the data in the data file. The users commit to an obligation of secrecy.
If material is manually printed from a data file, it is kept in a locked facility and only the data controller has the right to use it.
The data controller’s IT equipment is located in protected and controlled facilities. Access rights to the client information systems and files are based on personal access rights the use of which is controlled. Access rights are granted task-specifically. Each user accepts the access and confidentiality undertaking regarding information and information systems.
11. Right of access to data
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.
The controller shall provide information without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.
If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
All information and actions taken on the grounds of a data subject’s right of access request, any information provided under Articles 13 and 14 of the GDPR and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge.
Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
- charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
- refuse to act on the request. The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
A data request shall be directed to the e-mail address stated in paragraph 3.
12. Right to rectify data
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
The data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. Whether the data is incomplete will be determined in the light of the purpose for which the data in the register is processed.
If the controller refuses the request of a data subject of the rectification of an error, a written certificate to this effect shall be issued. The certificate shall also mention the reasons for the refusal and inform the data subject of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
A rectification request shall be directed to the e-mail address stated in paragraph 3.
13. Right to lodge a complaint
Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation. This right is laid down in Article 77 the General Data Protection Regulation (GDPR, 2016/679).
14. Other potential rights
Requests shall be directed to the e-mail address stated in paragraph 3.
Right to erasure (Article 17 of the GDPR)
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the grounds laid down in Article 17(1) applies. The data subject does not have the right to erasure for example if the processing of data is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Right to restriction of processing (Article 18 of the GDPR)
The data subject shall have the right to obtain from the controller restriction of processing where one of the requirements laid down in Article 18(1)(a–d) applies.
Right to object (Article 21 of the GDPR)
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, which is processed for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Right to data portability (Article 20 of the GDPR)
The data subject shall have the right to have his or her data transmitted only if the processing of data is based on consent or on a contract, and if the processing is carried out by automated means. The data subject’s right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
If the processing of data is based on consent, the data subject shall have the right to withdraw his or her consent at any time.