Table of Contents
1 Data Controller
2 What do we mean by different terms?
3 For what purposes do we process your Personal Data?
4 What types of data can we process?
5 How do we collect Personal Data?
6 Do we engage in targeted marketing?
7 Who can we share your data with?
8 Do we transfer Personal Data outside the European Union?
9 How long do we process your Personal Data for?
10 Is sharing your data with us necessary?
11 How can you use your rights relating to your data?
12 What legislation is applied to the processing of Personal Data?
13 How can we update this privacy notice?
Ellun Kanat Oy (business ID: 2201275-8) [”Data Controller”]
Address: Käenkuja 3a, 00500 Helsinki
Telephone: +358 45 878 6557.
Contact person for queries relating to data protection:
Olli Karppinen, email@example.com
”Data Subject” refers to the natural person whose Personal Data the Data Controller processes in the manner set out in this privacy notice.
”Personal Data” refers to any information relating to an identified or identifiable Data Subject, such as name, address, email address, phone number and records of the Data Subject’s interactions with the Data Controller or its agents and representatives.
“Client” refers to organisations or natural persons with whom the Data Controller has a client relationship.
”Potential clients” refers to the contact persons and customers of organisations with which the Data Controller is intending to create a business relationship.
“processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
”Stakeholders” refers to the contact persons and customers of organisations with which the Data Controller has a cooperative business relationship (such as organisations that provide services for the Data Controller) or other connection (such as members of the media as parties to communication activities, or decision-makers in connection with public relations activities).
We process the Personal Data for the following purposes (one or several may apply):
• Delivery of products and services
We may use your Personal Data to deliver products and services if you are the agent or representative of an organization that has purchased a product or service from us, used our digital services, subscribed to our newsletter or participated in our events. Personal Data is used to fulfil the rights and obligations resulting from a contract or other agreement between the Data Controller and the Data Subject, or the organization which the Data Subject is an agent or representative of.
• Client communications
We may use your Personal Data in our client communications, such as sending information relating to our products and services, notifying you about changes relating to our services, and asking for feedback on our products and services.
We may contact you to inform you about new products, services or offers. We may use your Personal Data to customize our offering and offer content relevant to you. This may mean that we make recommendations, display customized content or customized advertising on our own or third-party services, such as targeted online advertising towards Data Subjects who have visited our web page.
We may contact you in order to conduct opinion, marketing and other research relating to our business activity.
• Management, analysis and development of client and stakeholder relationships
We may use your Personal Data to manage, analyze and develop the client or stakeholder relationship with you and/or the organization you represent.
• Developing products and services
We may use Personal Data to develop our products and services, such as making our product and service offering more interesting to our clients.
The grounds for processing pursuant to Article 6 of the General Data Protection Regulation (“GDPR”) are:
We process your data in order to perform contractual obligations (such as providing communication services or conducting market research) relating to agreements with you or the organization you represent.
We have certain rights relating to the legitimate interests of our business, such as the right to advance the sales of our products and services through marketing and sales activity. On the basis of these legitimate interests, we may engage in direct marketing and sales activity using your contact information, including the processing of Personal Data in order to form target groups. Other legitimate interests that form a basis for the processing of Personal Data include but are not limited to advisory and other customer service activities for non-clients, business development and the investigation of suspected wrongdoings.
Where the processing is not based on the performance of a contract or legitimate interests, we may ask for your consent to other kinds of processing.
Additionally, we may process your Personal Data in order to fulfil regulatory obligations, such as those relating to the retention of information under applicable accounting law, and legislation used to prevent money laundering.
The Personal Data we process may contain the following types of information and modifications made to them:
• first and last names
• contact information (address, email address, phone numbers)
• communications directed to the Data Subject and activity relating to such communications
• marketing preferences
• information relating to the use of the Data Controller’s digital services
• information about cookies and other similar tools, in addition to data collected using these tools if the Data Subject is personally identifiable from such information
• possible recordings of customer service phone calls and communications via other mediums, such as email and online conversations on social media channels.
• title and/or job description in current and previous duties connected to the activities of the Data Controller
• date and manner of commencement and termination of the client or other equivalent relationship
• campaigns and offers directed to the Data Subject and the use of such campaigns or offers
• topics and areas of interest in addition to other information communicated by the Data Subject
• the contents of feedback and claims, associated correspondence and actions taken
• information about dietary requirements (special category of data that the Data Subject has given voluntarily)
• date of birth for events where required, for example, by a passenger ship operator
• names and dates of birth of accompanying passengers where required, for example by a passenger ship operator
• Data Subject’s login information
• activity on the web service after logging in
We receive most of your Personal Data at the start of and during the customer or stakeholder relationship from the devices and software you use to access our products and services.
We also receive Personal Data and updates to them from public authorities and organisations that provide services relating to the procurement and updating of personal data and credit information. Additionally, we receive data from public directories and other publicly available sources, such as company web pages and media sources. We collect Personal Data for marketing purposes in connection with prize draws, competitions, surveys or events (by the Data Controller or its associates).
We also receive Personal Data from the colleagues of representatives or agents of an organization. The main contact person for an organization may share Personal Data relating to other personnel relevant to the use of the Data Controller’s products and services.
We may analyze the data we have and combine them with data received from third parties. The processing may be used, for example, to create target groups that are interested in similar content, and target content to different groups in order to create the optimal client experience and spark the interest of potential clients.
We do not hand over, sell, or in any other way disclose your Personal Data to third parties, unless otherwise specified below.
We share your Personal Data with our third-party service providers. These services may include customer service, software services, research activities, marketing, event production or organization, and invoicing. We may share your Personal Data in order to collect invoices for goods and services, and we may transfer or sell unpaid invoices to third parties that provide debt collection services.
Protecting your Personal Data is important to us, and we therefore do not permit the aforementioned third parties to use your data for any purpose other than providing the agreed services. We require such third parties to protect your Personal Data in compliance with this privacy notice and all applicable legislation.
We may share your Personal Data with our partners, such as those with whom we manage and carry out common projects, such as events.
We may share your Personal Data with carefully considered third parties for their independent direct marketing purposes. Personal Data may be shared for the aforementioned purposes only where the third party’s intended use does not conflict with the purposes for processing defined in this privacy notice. We hand over only the minimum amount of Personal Data necessary for the performance of the undertaking agreed with the third party.
We may share the Personal Data of Data Subjects who participate in our events with other event participants, or with the public, insofar as doing so is appropriate taking into consideration the nature and character of the event. For example, we may share the participant list of a stakeholder event with all event participants, and publish images and videos captured at the event on social media.
We may share your Personal Data in connection with a merger, acquisition, or other form of restructuring, or when a service is transferred to another service provider. We may disclose your Personal Data where compelled to do so by a court of competent jurisdiction or other legal authority.
In providing our services, we may use resources and servers located in different parts of the world. In doing so, we may transfer your Personal Data outside the country in which the services are used, including to countries outside the European Union where different data protection legislation applies.
In such cases, we will ensure the lawfulness of the transfer and protect your data using, where necessary, data processing agreements and/or model contracts approved by relevant public authorities, along with requiring the recipient of personal data to comply with the relevant technical and other information security requirements.
We process your Personal Data for as long as the grounds for processing set out in section 3 of this privacy notice remain applicable, and for a reasonable duration thereafter.
The duration of processing of Personal Data of different groups of Data Subjects is defined as follows:
• representatives or agents of organizational clients
We may process your Personal Data for the duration that you act as a representative or agent of the Data Controller’s organizational client, and until the end of the third year following the termination of your relationship with such an organization. Following this, we may transfer the necessary Personal Data to our marketing database and treat you as a representative or agent of a potential organizational client.
• consumer clients
We may process your Personal Data for the duration of your client relationship and until the end of the third year following the termination of the client relationship. After this we may transfer the necessary Personal Data to our marketing database and treat you as a potential client.
• potential consumer clients and representatives or agents of potential organizational clients
We can process your Personal Data indefinitely until you or the organization you represent becomes our client, or you request that we remove your Personal Data from our marketing database.
• members of stakeholder groups
We can process your Personal Data so long as you remain a member of a stakeholder group, such as a partner organization or the media, and until the end of the calendar year during which you cease being a member of the relevant stakeholder group.
In order to fulfil contractual obligations towards our clients, we need to collect and process your Personal Data. Without the necessary Personal Data, we cannot offer you our products and services.
As a Data Subject, you have a number of rights to influence the processing of your data. We aim to fulfil your request within 1 month of receiving it. To use your rights, you can get in touch using the contact information specified in section 1 of this notice.
Your rights are listed below. Please note that the extent to which these rights are applicable to you depends on the grounds for processing your data, meaning that not all of the rights listed below are applicable in all situations.
a) Right to information and access to Personal Data. This means that following a suitable request, we will deliver to you a report about Personal Data concerning you that is held by us.
b) Right to rectification. If you notice that the Personal Data concerning you held in our databases is inaccurate, you can request to rectify it.
c) Right to erasure. We are obligated to erase from our databases the categories of Personal Data concerning you that you request, if one of the following grounds applies and applicable legislation or other orders of competent authorities do not create an obligation to retain such data:
1. Your Personal Data is no longer needed for the purposes for which it was processed;
2. You withdraw the consent you have given, and there are no other legal grounds for processing;
3. You object to the processing for reasons relating to your particular personal situation, and there are no other grounds for processing, or you object to the use of your Personal Data for direct marketing purposes;
4. Your Personal Data has been processed unlawfully;
5. Your Personal Data must be erased in order to comply with a legal obligation that applies to the Data Controller under European Union or Finnish national legislation;
6. Your Personal Data has been collected in connection with providing information society services, such as digital information services provided by the Data Controller;
d) Right to restriction of processing. You may request that we restrict the processing of your Personal Data, if:
1. You contest the accuracy of the Personal Data we have;
2. The processing is unlawful, and you oppose the erasure of the Personal Data and request the restriction of their use instead;
3. We no longer need the Personal Data in question for the purposes of the processing, but you require them for the establishment, exercise or defense of legal claims;
4. You have objected to processing, pending verification of whether our legitimate grounds override yours;
e) Right to object to processing of your Personal Data. If we process your data on the basis of a legitimate interest, you have a right to object to the processing of your Personal Data on grounds relating to your particular situation. All Data Subjects whose Personal Data is contained in databases covered by this privacy notice have a right to object to the processing of their data for direct marketing purposes.
f) Right to data portability. If the automatic processing of your Personal Data is done on the grounds of your consent or a contract, you have a right to receive the Personal Data concerning you in a structured, commonly used and machine readable format, and a right to transmit those data to another data controller.
g) Right to withdraw consent. If a section or all of your Personal Data is processed within the databases covered by this privacy notice on the grounds of your consent, you have a right to withdraw your consent.
h) Right to lodge a complaint with a supervisory authority. If a potential dispute between you and the Data Controller relating to the processing of your Personal Data is not resolved amicably, you have a right to lodge a complaint with a supervisory authority for the resolution of the dispute.
We are a Finnish company. The Personal Data to which this privacy notice applies is governed by the national legislation of Finland and applicable EU legislation, such as the General Data Protection Regulation.
We are constantly developing our business which may lead to changes relating to our processing of Personal Data. We will update this privacy notice to reflect any such changes made. Changes may also be based on changes in applicable legislation. We recommend that you review this privacy notice regularly.
Should we process your Personal Data for purposes other than those for which your Personal Data was collected, we will issue a notice about such processing and the changes made to this privacy notice. For other changes to this notice, we will issue a notification on our website.