Privacy Notice on the filing systems containing personal data for services produced by Kasve Ltd
Privacy notice in accordance with the Data Protection Act (1050/2018) and the EU’s General Data Protection Regulation (GDPR, 2016/679). This Privacy Notice shall apply to all Kasve’s services insofar as no separate privacy notice has been prepared for individual services or activities.
Name: Kasve Oy
Business ID: 2457832-5
Postal address: Puijonkatu 23, 70110 Kuopio, Finland
- Contact person in matters concerning the filing system
Name: Elias Haapakorva
Postal address: Puijonkatu 23, 70110 Kuopio, Finland
- Name of filing system
Kasve Ltd’s customer register, partner register, supplier register, marketing register, training registers, event registers and website register.
- Basis for processing personal data and purpose of data processing
The basis for the processing of personal data
- a legitimate interest of the data controller
- a customer and/or supplier relationship between the controller and the data subject
- the consent of the controller’s client, partner, supplier, website users, event participant or service user and/or
- the performance of a contract between the controller and the data subject to which the data subject is party
The legitimate interest is based on the management of a contractual customer relationship or the implementation of a service provided to the customer or partner.
‘Data subject’ means any identifiable natural person who is the controller’s current or potential customer, partner, supplier, event participant, website user and/or service user.
The customer’s personal data may be processed for the following purposes:
- the management of customer relationship
- the development of customer relationship
- the provision of a service
- the verification of customer transactions
- customer service and business development
- marketing and the targeting of marketing
- analysing and compiling statistics
- market surveys
- user management
- website development and improvement of user experience
- the planning and development of the controller’s business, and
- any similar purpose
The personal data of a supplier may be processed for purposes similar to those specified above, but in this case, the processing is based on a supplier relationship and related tasks.
The data contained in the filing system may be processed by the invoicing and marketing services used by Kasve Ltd. The contact information contained by the filing system may never be disclosed to third parties with the exception of purposes such as a marketing campaign for which the customer or supplier has given explicit consent.
- The data content of the filing system
The collection of personal data will produce the following, separate filing systems for the controller.
- Customer register
- Partner register
- Supplier register
- Marketing register
- Training register
- Event register
- Website register
The customer- and supplier-specific data content of the filing system may vary based on what kind of customer and supplier data are collected and what kinds of data the customer or supplier has disclosed to the controller.
The data content is based on the customer and supplier data, and possible customer contact person data. The customer’s or supplier’s name and email address are always stored in the data filing system as general data. Additionally, the user’s telephone number, domicile and position in the organisation may also be collected.
The filing system may contain the following personal data:
- Contact information, including name, telephone number(s), email address(es)
- Registration details, such as user ID, username, password and other personalised identifiers if relevant
- Age, gender
- Information related to the customer relationship, such as order, purchase and cancellation details of products and services subject or not subject to a charge, Business ID and customer number, delivery information, feedback, complaints and data concerning customer service transactions, such as telephone calls, emails, chat records and SMSs
- Information related to the supplier relationship, such as details of payments made to the supplier, Business ID, supplier number, feedback, reclamations, stored supplier transactions, emails, chat records and SMSs
- Data related to communications and service use, such as browsing and searching for information
- Profiling and interest data provided by the customer, including information whether the customer is a corporate or consumer client, logo, competence, online address, presentation, background information
- Permissions and consent, if applicable
- Prevention of provision details, if applicable
- Other data collected based on the customer’s and supplier consent, if applicable
The data content of the filing system concerning website users may vary based on how the user uses the website and which data the site visitor discloses to the controller and what is the content of the consent given by the user for each specific kind of disclosure of personal data.
Personal data disclosed by the customer based on the consent given by the customer for a specific disclosure are stored in a consent register.
Kasve and its affiliates may transfer data concerning client companies and their contact persons between the enterprises for the purpose of managing the customer relationship.
- Regular sources of data
Data concerning the data subject are primarily obtained directly from the client, partner, supplier, event participant, website visitor or service user in connection with, for instance, registration to a service maintained by Kasve Ltd or alternatively by email, from business cards or by telephone.
Data may also be obtained from public sources, such as websites, the trade register and other public and private registers for which users have given their permission to process their data or to which the controller otherwise has an appropriate right of access.
In providing its online and digital services, Kasve Ltd may use third-party tools such as Google Analytics, to track and use non-personal data. Google Analytics collects and stores certain kinds of data, including time of visit and time spent on the website and each webpage, the user’s IP address, pages viewed, user’s operating system and device used.
Data may also be obtained from:
- Cookies or other similar tracking technology.
- The trade register, the Posti address system, contact information registers of telephone companies and similar private and public registers (e.g. Fonecta).
- A marketing register compiled by Kasve Ltd, which contains general and publicly available information concerning a person’s position and/or task in a public organisation or business life. This information includes company name, address, town/city, email addresses, name of contact person, online address and other potentially necessary information.
- Regular disclosure of data and the transfer of data outside the EU or EEA
Kasve may use third-party service providers for obtaining technical solutions and services for the processing of personal data stored on the data subjects on behalf of the data controller and use a specific technical user interface for accessing the stored data. Personal data may be shared with such service providers and third parties to the extent necessary for maintaining, developing and providing the services produced by Kasve Ltd.
In the above situation, the processing of the data subject’s personal data is based on an agreement between the contracting parties and an agreement on the processing of personal data that provides for the processing of personal data of data subjects in accordance with the valid data protection legislation.
Kasve Ltd may also use services provided by third parties, such as email service providers, credit card companies, data analysis services and business information provision services. In accordance with applicable data protection legislation, Kasve Ltd is entitled to transfer data for the aforementioned parties involved in the processing of personal data to the extent necessary for the provision of said services for Kasve. Kasve Ltd is responsible for the actions of these processors to the extent that Kasve Ltd serves as the data controller and the third party serves as the processor of personal data on behalf of Kasve Ltd. The liability of Kasve Ltd does not extend to any other actions or neglect by these third-party operators.
Kasve Ltd shall not disclose personal data to third parties other than those identified above without the permission of the data subjects. However, under special and exceptional circumstances, personal data may be disclosed to third parties if so required by a valid act or decree or the exercise of public authority.
Kasve Ltd may transfer data (incl. personal data) in connection with the preparations for and subsequent implementation of a corporate acquisition, asset deal or company reorganisation process for third parties (such as potential buyers and/or their advisors), if the recipient of the data is committed to appropriate secrecy obligation.
The personal data shall not be regularly transferred outside the European Union or the European Economic Area.
If the personal data of the data subjects are processed outside the EU and EEA states, we will make sure that a sufficient level of data protection will be ensured throughout this process before the processing of personal data in the third countries.
We shall ensure the protection of the personal data of the data subject by applying the protective measures required under the valid data protection legislation at the EU and national levels (e.g. standard contractual clauses drawn up by the European Commission). We shall also comply with any other obligations set by data protection legislation if the personal data are processed outside the European Union or the European Economic Area.
- The principles of securing the filing system
The filing system is protected appropriately using technical and organisational protection systems. The database may only be accessed by persons expressly authorised by Kasve Ltd. Kasve Ltd shall provide information on its website of any threats to information security that may endanger the security of personal data. If required by the data protection legislation, the data subject will also be directly informed about any threats to information security and data breaches.
Any documents containing personal data processed manually shall be appropriately destroyed after the processing within the time limit specified in section 9.
Electronically stored data
If the data contained by the filing system are stored on servers, appropriate measures shall be taken to ensure the physical and digital information security as appropriate. The controller shall ensure that the processing of any stored data and user rights and other data critical to personal data security is confidential and only performed by the employees who have been designated to perform the task. The data connection to various data filing systems is protected with encryption as necessary.
- Data storage periods or the criteria for determining these
Personal data shall be stored for the period of validity of the grounds for processing the data described in this Privacy Notice and for as long as the processing of personal data is necessary for the purpose of data processing. The data storage period (or the criteria used to determine that period) may also be derived from mandatory (statutory) storage periods and codes of conduct valid in the controller’s industry.
Any personal data contained by the customer, partner and supplier register is intended to be stored for the period of validity of the customer, partnership and supplier agreement and after this period until any contractual obligations and demands have been satisfied in full.
Any personal data contained by the training and event registers are intended to be stored for the duration of the training and events and after this period until any obligations and demands by the parties have been satisfied in full.
The personal data contained by the marketing register are intended to be stored until further notice for the period of validity of the consent given by the data subject.
Any personal data collected with cookies are to be erased six (6) months after accessing or storing some data content specified in section 5 is no longer necessary for Kasve’s operations unless otherwise stated in the cookie notice providing information about website tracking. Up-to-date information about the storage periods of cookies is available in the currently valid cookie notice on the website.
Data subjects may also personally delete cookies set by websites using their browser settings.
We will also delete the personal data of data subjects when we no longer have a reason for the processing of personal data under the valid legislation, a contractual relationship, reporting and the consent given by the data subject.
If the data subject has requested the erasure of his or her personal data as a result of the withdrawal of consent, we will erase the personal data without undue delay unless we have some other grounds for processing the personal data of the data subject under this Privacy Notice.
- The rights of the data subject
Right of access and right to rectification
Under the data protection legislation, the data subject shall have the right to access the personal data stored on his or her person in a filing system and to obtain from the controller confirmation as to whether or not personal data concerning him or her are contained by the filing system. The data subject shall have the right to obtain from the controller the rectification of inaccurate personal data concerning him or her.
Any contacts concerning the right of access and the right to rectification and possible requests to obtain rectification must be submitted in writing.
If necessary, the controller may ask for data subjects to submit these requests to prove their identity. The controller shall respond to the client within a period laid down in the General Data Protection Regulation (as a rule within one month after receiving the request).
Right to erasure
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her where there is no legal ground for the processing.
Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing where one of the grounds specified under valid data protection legislation applies.
Right to object
The data subject shall have the right to object to the processing of personal data concerning him or her for direct marketing purposes, remote sales and other forms of direct marketing as well as market research and opinion polls. The ban on processing must be submitted in writing.
Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a machine-readable format and have the right to transmit those data to another controller.
Right to withdraw consent
If the processing of personal data is based on the consent given by the data subject, the data subject shall have the right to withdraw his or her consent at any time. Nevertheless, the withdrawal of consent does not render the processing of the personal data of the data subject prior to the withdrawal unlawful.
The right to lodge a complaint with a supervisory authority
Every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement of the General Data Protection Regulation. The Office of the Data Protection Ombudsman serves as the national supervisory authority www.tietosuoja.fi.
Any requests for exercising the rights specified above must be submitted to the controller in writing. If necessary, Kasve may, as the controller, ask for data subjects submitting these requests to prove their identity. As the controller, Kasve shall respond to the customer within a period laid down in the General Data Protection Regulation (as a rule within one month after receiving the request).
The controller does not perform automated decision-making based on profiling.
If we require data subjects to provide us with their personal data and a data subject refuses to comply with this request, we shall not be liable for the direct or indirect consequences that may be caused to the data subject due to the failure to provide the necessary personal data. Some services provided by Kasve cannot be accessed without the provision of personal data by the data subject.
In the view of Kasve Ltd, as a rule, no high risk is involved in the processing of the personal data contained by its filing system. No sensitive data or personal data or special categories of personal data shall be collected in the company’s registers.
If the intention is to transfer the data outside the EU and EEA states, Kasve shall perform an impact assessment concerning the relevant personal data in accordance with the valid data protection legislation prior to the processing in a third country.
Our website or services may contain links to websites and content owned or maintained by third parties. When data subjects proceed to such websites or services, they must familiarise themselves with and accept any privacy policies used by these service providers. Such websites or services are not managed by the data controller, and the controller is not responsible for their content or privacy policies.
This Privacy Notice was last updated and adopted on 20 April 2022.