1. DATA CONTROLLER
Millog Oy, Business ID 2051859-5, Hatanpään valtatie 30, 33100 Tampere, Finland
Phone: +358 20 469 7000
2. NAME OF REGISTER
Millog Oy’s customer and contact information register
3. PURPOSES OF, AND LEGAL BASIS FOR, THE PROCESSING
The register is used in compliance with existing laws and regulations for the purposes customer relation management and development, marketing and customer communication.
The purposes of processing are:
- Managing customer relationships and customer service
- Fulfilling the rights and obligations of the customer and the data controller
- Processing for the purposes related to the data controller’s products and services such as developing, providing, performing, marketing, maintenance and technical support of products and services
- Directing the data controller’s advertising (including newsletter) and allocation of marketing on basis of customer data via the data controller’s mediums and services
- Address list for customer magazines and releases
- Respondents to customer satisfaction surveys
- Lists of invited guests for stakeholder events
- Photographing in events
- Security-cleared carriers for the transport of sensitive material
- Persons participating in training events organized by Millog Oy and/or jointly by Millog Oy and The Finnish Defence Forces
Legal basis for processing of personal data are legal obligations of the data controller, contract, consent and legitimate interests of the data controller.
The legitimate interest of the data controller is the legal basis for processing of personal data when there is a material connection between a data subject and the data controller. Such material connection is formed, for example, when the data subject has on its own initiative contacted the data controller, or when the data controller, for example, processes the data subject’s personal data in connection with a business or co-operation matter between the data subject’s employer and the data controller.
On basis of its legitimate interest, the data controller may also save to its customer register personal data of potential clients and their contact persons and representatives which can be, on reasonable grounds, expected to be interested to acquire products and services provided by the data controller.
The data controller’s electronic direct marketing may be sent to data subjects who have given their voluntary consent to electronic direct marketing. When the data subject is requested to give his or her consent, he or she will be simultaneously informed that withdrawal of consent is possible easily and at any time. In addition, in accordance with applicable data protection legislation, electronic direct marketing can also be sent to recipients for whom the data controller can reasonably consider that the products or services marketed have essential connection with the potential customer’s area of responsibility or work.
Withdrawal of consent may be done by giving a notice to the data controller or by clicking the cancelling option, which can be found in every marketing message (“Unsubscribe” link), whereupon personal data of the data subject will be removed from the data controller’s list concerning subscribers of electronic direct marketing.
4. CONTENT OF THE REGISTER
The register contains personal data of the following persons:
- Customers of the data controller and their representatives and contact persons
- Co-operation partners, subcontractors and suppliers of the data controller and their representatives and contact persons
- Potential customers of the data controller and their representatives and contact persons
The following personal data of the data subjects, relevant on the basis of the above mentioned purposes of processing, are processed, such as:
- First name and last name of the data subject
- Company or organization, job description / area of responsibility
- Designation, title, military rank, service rank, or similar if it relates to data subject’s work description
- Postal address
- Email address
- Phone number
- Date of birth (only concerning security-cleared carriers).
The purposes of the processing are determined in connection with the personal data.
Providing personal data to the data controller is necessary for the data controller to be in a customer, business and/or co-operation relationship with a party on whose behalf the data subject is in contact with the data controller (such as the data subject’s employer).
The data subject is not per se under obligation to provide his or her personal data to the data controller, however not delivering personal data may complicate the relationship between the data controller and the party represented by the data subject.
5. DATA STORAGE PERIOD
The data controller will process and retain personal data only as long it is necessary for compliance with a legal obligation or for the purposes of processing which have been determined in advance. Personal data which has become redundant, i.e. personal data which the data controller no longer has legal basis to retain or process, will be deleted on regular basis in accordance with the data controller’s internal data protection policy.
The customer and contact information register is updated three times a year. In cases where the personal data is not necessary considering the purposes of the register, the data will be deleted.
6. REGULAR INFORMATION SOURCES
The personal data of the data subjects will be primarily collected directly from the data subject himself or herself or the data subject’s employer or other representative of the data controller’s customer, business or co-operation contact or contract party, for example in connection with meetings, contacting, exhibitions, campaigns related to marketing and sales, as well as events and training courses. In addition, the personal data can be collected from public / general sources (such as internet, trade register and marketing service providers).
7. REGULAR DISCLOSURES AND TRANSFERS OF PERSONAL DATA OUTSIDE THE EUROPEAN UNION OR EUROPEAN ECONOMIC AREA
The personal data of the data subjects can be disclosed to the service providers of the data controller on a case-by-case basis, i.e. when it is necessary considering the use of personal data.
The data controller will use reliable service providers which process personal data on behalf of the data controller based on data processing agreement between the data controller and service providers required by data protection legislation. The service providers will process the personal data, for which the data controller is responsible for, in accordance with the data controller’s documented instructions. Service providers used by the data controller are event planners, marketing partners, printing houses, advertising agencies, photographer and a provider of a customer satisfaction survey.
By default, personal data is not transferred outside of European Union or European Economic Area. Should personal data be transferred outside of EU or EEA, the data controller and its service providers will make contractual arrangements in order to carry out transfers of personal data in a manner required by applicable data protection legislation.
8. DESCRIPTION OF PRINCIPLES FOR PROTECTING THE REGISTER
Access to register have been granted solely to such designated persons who have undertaken appropriate non-disclosure commitments and who have reasonable grounds to process the contents of the register in connection with their duties.
The data controller has provided all its employees and service providers who process personal data binding written instructions and orders concerning processing of personal data and data protection, which instructions and orders the employees and service providers have committed to comply with.
Data security of information systems has been arranged adequately, including e.g. encryptions and technical restrictions.
The data controller will revise its processing operations and equipment on regular basis and, amongst other things, assess risks related to processing of personal data for example when introducing new technology.
The data controller does not use solely automated decision-making, such as automated profiling, as part of processing personal data.
10. RIGHTS OF THE DATA SUBJECT
10.1. Right of access by the data subject to his or her data
The data subject has the right to obtain confirmation from the data controller as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and a copy of the personal data processed.
10.2. Right to rectification and erasure
Within the limits of the legislation, the data subject has the right to obtain the rectification or erasure of inaccurate, unnecessary, defective or outdated personal data concerning him or her.
10.3. Right to lodge a complaint with a supervisory authority
The data subject has the right to lodge a complaint with a supervisory authority, if the data controller is infringing applicable legislation concerning personal data processing and data protection. The supervisory authority in Finland is the Data Protection Ombudsman, www.tietosuoja.fi.
10.4. Right to withdraw consent
In case where processing of personal data is based on the consent of the data subject, the data subject has the right to withdraw his or her consent by notifying the data controller, for example in accordance with Section 11 of this Privacy Notice.
10.5. Right to object
The data subject has the right to object, on grounds relating to his or her particular situation, at any time processing of personal data concerning him or her and having its legal ground on the legitimate interest of the data controller, including profiling.
The data controller will no longer process personal data unless the data controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time of processing data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data will no longer be processed for such purposes.
10.6. Right to data portability
The data subject has the right to receive data concerning him or her, which he or she has provided to the data controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another data controller, in cases where processing is based on consent or contract and the processing is carried out by automated means.
When exercising the above described right to data portability, the data subject has the right to have personal data transmitted directly from one data controller to another, where technically feasible.
10.7. Responsibilities of the data controller
The data controller will inform the data subject about all measures that have been taken on basis of a request, without undue delay and in any case within one month having received such a request. The time limit may be prolonged for at most two months where needed, taking into consideration quantity and complexity of the requests made. The data controller will inform the data subject about such possible prolongment within one month having received the request, as well as about the reasons for delay. If the data subject has presented his or her request electronically, the information must be provided electronically when possible, unless the data subject requests otherwise.
If the data controller does not carry out the measures based on the data subject’s request, the data controller must immediately and at the latest within one month since having received the request, notify the data subject about the reasons for this, as well as about the possibility to lodge a complaint with a supervisory authority and to use other legal remedies.
10.8. Exercising rights
You may exercise your above stated rights by contacting the data controller via sending an e-mail to the e-mail address tietosuoja(at)millog.fi. We aspire to provide a reply as soon as possible and, where needed, provide you with additional instructions or ask additional questions based on your request.
Please note that prior to fulfilling a request we have a right as well as an obligation to verify your identity, due to which we must be able to recognize you in an adequate manner.
If your request is manifestly unfounded or excessive, we may charge a reasonable fee for administrative costs to carry out your request or refuse to act on the request.
In all questions and situations considering the personal data processing and use of data subject’s rights, the data subject can contact the data controller by sending an email to tietosuoja(at)millog.fi.
The data controller has right to request the data subject to specify his or her information request in writing and the identity of the data subject may be verified before taking any other measures.
12. CHANGES TO THIS PRIVACY NOTICE
The data controller may change this Privacy Notice. The data controller will inform the data subjects of significant changes to this Privacy Notice and the processing operations reasonably before their entry into force on its website and/or by other appropriate means to allow the data subjects to reasonably assess the consequences of such changes.