Espoo Marketing’s Marketing Data File
2. Data controller
Espoo Marketing Oy (Business ID 1627645-8)
3. Contact of the register
A Grid, Otakaari 5, 02150 Espoo
4. Purposes for processing personal data and the legal basis of processing
Espoo Marketing Oy’s marketing data file shall be used for marketing the services and sales and networking events of Espoo Marketing Oy, for sending newsletters and customer bulletins and for other similar activity.
The legal grounds for processing: legitimate benefit and/or consent given by the data subject.
5. Contents of the register (description of the categories of data subjects and the categories of personal data)
Groups of persons whose data may be processed are the contact persons of the data controller’s customer and partner companies, those classed as an ex officio partner, potential customer and/or within the sphere of marketing, persons in contact with the data controller, and those who have participated in events organised by the data controller or have given marketing permission.
A data file may contain, among other things, the following data about the data subjects:
- organisation (and department) and position
- organisation’s address
- e-mail address
- telephone number
- marketing measures targeted at the data subject and participation in them
- other data handed over by the person him/herself
- possible mailing bans (email and mail)
- information about changes to the above data
- log data (e.g. openings of newsletters)
6. Sources of personal data
Data in the marketing data file shall be acquired or collected from the data subject him/herself through the marketing relationship, from Espoo Marketing Oy’s website (contact forms, downloads of material, newsletter order forms), through registration for the events organised by Espoo Marketing Oy and third parties, and from publicly available Internet sources and other possible public sources. Personal data may also be collected, saved and updated from the data files of a data controller providing an address, updating or other similar service.
7. Disclosure of personal data
According to regulations, personal data may not be released to a third party. Espoo Marketing Oy may, however, hand over data in a manner permitted by legislation to, for example, its partners for marketing purposes, unless the data subject has refused such handing over of his or her data. Data may also be handed over in cases where it is considered that a third party can offer special information or benefit to a company represented by a person in the data file.
The data controller may also hand over customers’ personal data to third parties if so required by Finnish authorities.
8. Transfer of data outside EU or the EEA
Data may be transferred outside the EU or the European Economic Area with the consent of the data subject.
9. Data storage periods
Data shall be stored for as long as the data controller utilises it for managing a customer relationship and for marketing purposes.
10. Register maintenance systems and principles of protection
Espoo Marketing Oy has an agreement with all its data systems suppliers for processing personal data. The data systems are protected by firewall and other necessary technical measures.
Only persons represented by the data controller and technical persons for data system services may access the data in the data file. The users commit to an obligation of secrecy.
If material is manually printed from a data file, it is kept in a locked facility and only the data controller has the right to use it.
The data controller’s IT equipment is located in protected and controlled facilities. Access rights to the client information systems and files are based on personal access rights the use of which is controlled. Access rights are granted task-specifically. Each user accepts the access and confidentiality undertaking regarding information and information systems.
Archives and units are protected by locked doors. Documents are held on supervised premises and/or in lockable cabinets.
11. Right of access to data
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.
The controller shall provide information without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.
If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
All information and actions taken on the grounds of a data subject’s right of access request, any information provided under Articles 13 and 14 of the GDPR and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge.
Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
- charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
- refuse to act on the request. The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
A data request shall be directed to the e-mail address stated in paragraph 3.
12. Right to rectify data
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
The data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. Whether the data is incomplete will be determined in the light of the purpose for which the data in the register is processed.
If the controller refuses a data subject’s request for the rectification of an error, a written certificate to this effect shall be issued. The certificate shall also mention the reasons for the refusal and inform the data subject of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
A rectification request shall be directed to the e-mail address stated in paragraph 3.
13. Right to lodge a complaint
Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation. This right is laid down in Article 77 of the General Data Protection Regulation (GDPR, 2016/679).
14. Other potential rights
Requests shall be directed to the e-mail address stated in paragraph 3.
Right to erasure (Article 17 of the GDPR)
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the grounds laid down in Article 17(1) applies. The data subject does not have the right to erasure for example if the processing of data is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Right to restriction of processing (Article 18 of the GDPR)
The data subject shall have the right to obtain from the controller restriction of processing where one of the requirements laid down in Article 18(1)(a–d) applies.
Right to object (Article 21 of the GDPR)
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, which is processed for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Right to data portability (Article 20 of the GDPR)
The data subject shall have the right to have his or her data transmitted only if the processing of data is based on consent or on a contract, and if the processing is carried out by automated means. The data subject’s right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
If the processing of data is based on consent, the data subject shall have the right to withdraw his or her consent at any time.