Privacy Policy and Data Protection Statement

 

 

 

Privacy Policy in accordance with section 10 of the Personal Data Act (523/1999) and the EU’s General Data Protection Regulation 2016/679 (GDPR). This Privacy Policy/ Data Protection Statement shall apply to all Kasve’s services insofar as no separate privacy policy has been prepared for individual services or activities.

  1. Controller

Name: Kasve Ltd
Business ID: 2457832-5
Postal address: Puijonkatu 23, 70110 Kuopio, Finland

  1. Contact person in matters concerning the filing system

Name: Elias Haapakorva
Postal address: Puijonkatu 23, 70110 Kuopio, Finland
Email: tietosuoja@kasve.fi

  1. Name of filing system

Kasve Ltd’s customer register, partner register, marketing register, training registers, event registers.

  1. Purpose of data processing

The personal data are processed on grounds of the company’s legitimate interest and/or customer relationships and/or the explicit consent of the customer, partner, event participant or service user, or the drafting of an agreement. The legitimate interest is based on the management of a contractual customer relationship or the implementation of a service provided to the customer or partner.

The customer’s personal data may be processed for the following purposes:

  • the management of customer relationship
  • the development of customer relationship
  • the provision of a service
  • the verification of customer transactions
  • customer service and business development
  • marketing and the targeting of marketing
  • analysing and compiling statistics
  • market surveys
  • user management
  • other similar purposes

The data contained by the filing system may be processed by the invoicing and marketing services used by Kasve Ltd. The contact information contained by the filing system may never be disclosed/sold to third parties with the exception of purposes such as a marketing campaign for which the customer has given explicit consent.

  1. The data content of the filing system

The customer-specific data content of the register may vary based on what kind of customer data are collected and what kinds of data the customer has disclosed. The data content is based on the customer data and possible information concerning a contact person at the customer organisation. The customer’s name and email address shall always be stored in the data filing system as general data. Additionally, the user’s telephone number, domicile and position in the organisation may also be collected.

The filing system may contain the following information:

  • Contact information, including name, telephone number(s), email address(es)
  • Registration details, such as user ID, username, password and other personalised identifiers if relevant
  • Age, gender
  • Information related to the customer relationship, such as order, purchase and cancellation details of products and services subject, or not subject, to a charge, Business ID and customer number, delivery information, feedback, complaints and data concerning customer service transactions, such as telephone calls, emails, chat records and SMSs
  • Data related to communications and service use, such as browsing and searching information
  • Profiling and interest data provided by the customer, including information whether the customer is a corporate or consumer client, logo, competence, online address, presentation, background information
  • Permissions and consent, if applicable
  • Details concerning the prohibition of service provision, if applicable
  • Other data collected based on the customer’s consent, if applicable

The controller’s website uses cookies and other tracking technology to collect data concerning the user’s movements and actions on the website, the permissions and prohibitions given by the user, and any possible other data personally provided by the user.

Kasve and its affiliates may transfer data concerning client companies and their contact persons between the enterprises for the purpose of managing the customer relationship.

  1. Regular sources of data

User data are primarily obtained directly from the client, partner, event participant or service user in connection with, for instance, registration to a service maintained by Kasve Ltd or alternatively by email, from business cards or by telephone. Data may also be obtained from public sources, such as websites, the trade register and other public and private registers that users have authorised to process their data.

In providing its online and digital services, Kasve Ltd may use third-party tools such as Google Analytics to compile and use non-personal data. Google Analytics collects and stores certain kinds of data, including the time of visit and time spent on the website and each webpage, the user’s IP address, pages viewed, user’s operating system and device used.

Data may also be obtained from:

  • Cookies other similar tracking technology.
  • The trade register, the Posti address system, contact information registers of telephone companies and similar private and public registers (e.g. Fonecta).
  • A marketing register compiled by Kasve Ltd containing general and publicly available information concerning a person’s position and/or task in a public entity or business. This information includes company name, address, town/city, email addresses, name of contact person, and online address and other potentially necessary information.
  1. Regular disclosure of data and the transfer of data outside the EU or EEA

Kasve Ltd may use third-party service providers for obtaining technical solutions and services for the processing of stored data and use a specific technical user interface for accessing the stored data. Personal data may be shared with such service providers and third parties to the extent necessary for maintaining, developing and providing the services produced by Kasve Ltd.

Kasve Ltd may also use services provided by third parties, such as email service providers, credit card companies, data analysis services and business information provision services. Kasve Ltd is entitled to transfer data for the aforementioned parties to the extent necessary for the provision of said services for Kasve. Kasve Ltd is not liable for any actions or neglect by these third-party operators.

Kasve Ltd shall not disclose personal data to third parties without the permission of the personal data holder. Under special and exceptional circumstances, personal data may be disclosed to third parties if required by a valid act or decree or the exercise of authority.

Kasve Ltd may transfer data (incl. personal data) in connection with the preparations for a corporate acquisition or asset deal if the recipient of the data is committed to appropriate secrecy obligation.

The data shall not be regularly transferred outside the European Union or European Economic Area.

  1. The principles of securing the filing system

The filing system is protected appropriately using technical and organisational protection systems. The database may only be accessed by persons expressly authorised by Kasve Ltd. Kasve Ltd shall provide information on its website of any threats to information security that may endanger the security of personal data.

Manual data

Any documents containing personal data processed manually shall be appropriately destroyed after the processing within the time limit specified in section 9.

Electronically stored data

If the data contained by the filing system are stored on servers, appropriate measures shall be taken to ensure the physical and digital information security. The controller shall ensure that the processing of any stored data and user rights and other data critical to personal data security is confidential and only performed by the employees who have been designated for the purpose. The telecommunications to various data filing systems have been protected with encryption.

  1. Data storage periods or the criteria for determining these

Personal data shall be stored for as long as necessary for the purposes stated above. The data storage period (or the criteria used to determine that period) may also be derived from mandatory (statutory) storage periods and codes of conduct valid in the controller’s industry.

The data contained by the filing system and collected with cookies are planned to erase six months after accessing or storing some data content specified in section 5 is no longer necessary for Kasve Ltd’s operations.

  1. The rights of the data subject


Right of access and right to rectification

In accordance with section 26 of the Personal Data Act, data subjects are entitled to obtain from the controller confirmation as to which of their data have been stored in the controller’s filing system. Any contacts concerning the right of access and possible requests to obtain rectification must be submitted in writing. If necessary, the controller may ask for data subjects submitting these requests to prove their identity. The controller shall respond to the client within a period laid down in the General Data Protection Regulation (as a rule within one month since receiving the request).

Right to object

The data subject shall have the right to object to processing of personal data concerning him or her for direct marketing purposes, remote sales and other forms of direct marketing as well as market research and opinion polls. The ban on processing must be submitted in writing.

Right to lodge a complaint with a supervisory authority

Every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement of the General Data Protection Regulation.

The data subject shall also have other rights in accordance with the General Data Protection Regulation, including the restriction of processing of personal data under certain conditions. Any requests must be submitted to the controller in writing. If necessary, Kasve Ltd may, as the controller, ask for data subjects submitting requests to prove their identity. As the controller, Kasve shall respond to the client within a period laid down in the General Data Protection Regulation (as a rule within one month since receiving the request).

Impact assessment

In the view of Kasve Ltd, no high risk is involved in the processing of the personal data contained by its filing system. No sensitive data shall be collected in the company’s registers.

  1. Amendments to this Privacy Policy and Data Protection Statement

Kasve Ltd reserves the right to unilaterally change this Privacy Policy. However, any such changes may affect the rights of the data subject without express approval.