1. DATA CONTROLLER, Date 1.5.2020
The data controller is Turkka Lastunen Consulting Oy Ltd (business ID 2802716-8).
Turkka Lastunen, Managing Director, CEO
Turkka Lastunen Consulting Oy Ltd
Lehtohaankuja 101 20900 Turku
Phone: +358 44 5133615
2. NAME OF THE REGISTER
The register’s name is the Turkka Lastunen Consulting Oy Ltd
a) Customer register
b) Marketing and Communications registers.
3. PURPOSE OF PROCESSING PERSONAL DATA
The data controller processes personal data for purposes related to the management, administration and development of customer relationships, the provision and delivery of services, and the development and invoicing of services. In addition, personal data is processed for the maintenance, management and development of the data controller’s online service, which includes processing data for statistical purposes and managing customer, partner and stakeholder relationships related to the online service.
For the aforementioned purposes the data controller processes personal data to produce a service for their customers, partners and stakeholders and in communication related to this.
In addition, the data controller processes personal data for other communication purposes with customers, such as information and reporting purposes, a part of which is to process personal data for purposes related to direct marketing and electronic direct marketing.
A registered person has the right to prohibit direct marketing aimed at them.
4. LEGAL BASIS FOR PROCESSING PERSONAL DATA
The following list, which complies with the Personal Data Act, defines the legal basis for the processing of personal data:
a) the unambiguous consent of the data subject (GDPR 6 art.1 a.),
b) the data subject has given an assignment for the same, or this is necessary in order to perform a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract (GDPR 6 art.1 b.),
c) there is a relevant connection between the data subject and the operations of the controller, based on the data subject being a client or member of, or in the service of, the controller or on a comparable relationship between the two (connection requirement), the unambiguous consent of the data subject to process their national identification number (GDPR 6 art.1 f.).
The following list, which complies with the General Data Protection Regulation of the EU, defines the legal basis for the processing of personal data:
the data subject has given consent to the processing of his or her personal data for one or more specific purposes,
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract,
processing is necessary for compliance with a legal obligation to which the controller is subject,
processing relates to personal data, including data belonging to a specific personal data group, which are manifestly made public by the data subject.
The aforementioned legitimate interest of the data controller is based on the relevant and appropriate relationship between the data subject and the data controller, which is a consequence of the data subject or their organization being a client or partner of the data controller, and the processing is done for purposes the data subject could reasonably expect to involve the collection of personal data and in the context of an appropriate relationship.
5. DATA CONTENT OF THE REGISTER (PROCESSED CATEGORIES OF PERSONAL DATA)
The register contains personal data of the following persons (data subjects):
Seller (private person) or representative, contact person or employee of a seller organization using the service,
Buyer (private person) or representative, contact person or employee of a buyer organization using the service,
Representative, contact person or employee of a brokering organization using the service,
Representative, contact person or employee of a bank/financier organization using the service.
The register contains the following personal data of all data subjects:
the basic information and contact information of the data subject: first name, last name, address, phone number, email address,
information related to the data subject’s work and position: the business’ name and the data subject’s function,
the log files of the information system created as a result of using the service,
possible direct marketing consent or prohibition given by the data subject.
Giving the personal data described above to the data controller is a prerequisite for providing the data controller’s service, and if the data controller does not receive the personal data in question, the data controller cannot provide the service for the data subject and fulfill their obligations related to it.
6. STANDARD SOURCES OF INFORMATION
Personal information is collected from the registered person himself.
Personal data shall also be collected and updated, within the limits of the applicable law, from publicly available sources related to the implementation of the customer relationship between the controller and the data subject and through which the controller fulfills its customer relationship responsibilities.
The Marketing and Communications Register also collects information from external services or applications such as Facebook, Instagram, other social media channels, Mailchimp, Campaign Monitor, company websites, online business listings, potential trade fairs and events, customer meetings, and partners.
7. RETENTION PERIOD OF PERSONAL DATA
The data collected in the register is only stored as long and to the extent it is necessary in relation to the original or compatible purposes, for which the personal data has been collected.
The personal data collected in the register is stored in accordance with the following retention periods:
The need to retain personal data, basic information, contact information and information related to their organization and position shall be assessed every three (3) years and in any case the data of the data subject shall be deleted from the register five (5) years after the end of that data subject’s customer relationship with the controller and the end of the customer relationship obligations and measures.
For example, accounting documents and legislation are kept for ten (10) years from the end of the financial year.
The controller shall regularly assess the need for data retention in accordance with its internal code of conduct. In addition, the controller shall take all reasonable steps to ensure that personal data which are inaccurate, incorrect or out of date for the purposes of processing are deleted or rectified without delay.
8. THE RECIPIENTS OF PERSONAL DATA (CATEGORIES OF RECIPIENTS) AND STANDARD DISCLOSURE OF INFORMATION
Personal data will not be disclosed to third parties.
9. THE TRANSFER OF DATA OUTSIDE THE EU OR THE EEA
Data in the register is not transferred outside the EU or the EEA.
10. PRINCIPLES OF REGISTER PROTECTION
Material containing personal data is stored in locked spaces, which can only be accessed by designated persons who are authorized by virtue of their position.
The database containing personal data is on a server stored in a locked space, which can only be accessed by designated persons who are authorized by virtue of their position. The server is protected by an adequate firewall and technical protection. The firewall prevents access to resources that are not necessary for the service. Access to the services used for maintenance is restricted to a specific web address.
The databases and systems can only be accessed with separately issued personal usernames and passwords. The data controller has limited the access rights to the information systems and other platforms where information is stored, so that the data can only be viewed and processed by the persons for whom this is necessary for lawful processing. In addition, the use of databases and systems is recorded in the log data of the data controller’s IT system.
The data controller’s employees and other persons are bound to secrecy and to keeping information they’ve received during the processing of personal data secret.
11. RIGHTS OF THE DATA SUBJECT
The data subject can contact the data controller and request access to their own personal data, request the correction or removal of this data, and request the limitation of the processing. In addition, the data subject can object to the processing and request that the data be moved from one system to another. The data controller processes the data subject’s request and responds to it within the time frame required by the data protection legislation.
In addition, the data subject has the right to retract their consent if the processing of personal data is based on consent. However, the retraction does not affect the legality of the processing preceding the retraction.
The data subject also has the right to make a complaint to a supervisory authority.
The requests of the data subject are directed to the data controller’s contact person stated in paragraph 1.