Customer and marketing communication register
(Last updated on 18 November 2019)
Controller and contact person of the register
Vastuu Group Oy (Business ID 2327327-1)
Tarvonsalmenkatu 17 B
02600 Espoo, Finland
Data Protection Officer’s contact details:
Vastuu Group Oy
Data Protection Officer
Tarvonsalmenkatu 17 B
02600 Espoo, Finland
Data subjects are contact persons of Vastuu Group Oy’s (the ”Supplier”) customers and potential customers, users of Supplier’s services, and users of Supplier’s website. Customers are companies, entrepreneurs, or consumers.
Basis for and purpose of personal data processing
The legal basis for personal data processing is the legitimate interest of the controller or fulfilling a contract made with the controller.
We use personal data in the marketing and sale of our services and for customer relationship management, invoicing, provision of customer support services, user rights monitoring, and service development. Personal data processing also includes processing and analysing the data concerned for targeted marketing and service production. For example, we can show customers targeted messages or content on our website, or channels based on their previous interests.
We will principally collect personal data directly from you when you contact us and use our services. We also collect data on our customers and their contact persons from public sources and registers.
We use web analytics services to collect visitor data on our website in order to analyse and develop our web resources, as well as target relevant marketing and customer communications to the visitors.
Which personal data is collected and from what sources?
We collect and process in the customer and marketing communication register mainly our customers and potential customer’s representatives and contact persons’ personal data. The register contains the following types of data on the contact persons for our customers and potential customers:
- name, email address, telephone number, job title
- name and contact details of the company/organisation
- mailing list subscription data
- consents and bans on direct marketing and customer communications
- pages opened and brochures requested by the user on the website
- information on the logins in our online services
- information on any customer and direct marketing communication sent by email and whether the message has been read
- user profile
- information on any communication with the data subject, such as content, date, and time of message
- messages sent to Customer Service and processing data on the related customer support ticket
- website chats with Customer Service
- recording of calls made to the telephone number of Customer Service
- feedback you provide on the use of Customer Service
- other information related to the purpose of the register that can be linked to the data subject, such as data collected on the use of the website during the use of the service (e.g. the user’s IP address, time of the visit, pages visited, browser type used, website that directed the user to the website, and the server that the user used to access the website).
We typically receive the following information directly from the contact persons of our customers:
- name of the customer company, first and last name of the contact person, work email address, telephone number
- permissions and/or bans on the contact person in electronic direct marketing and customer communications
- classification data provided by the contact person (e.g. interests)
- information provided on contact forms
- customer feedback data, contact messages, and consents
We will process, for example, the following personal data of the user in connection with the use of services and websites:
- IP address or other ID
- Subscription, invoicing, and delivery data
- Data collected through cookies
- Data collected on the use of our online services
- Data collected on the use of our customer support channels
The following data on the user in particular is received from other sources:
- Data related to the use of social media, such as LinkedIn, Facebook and Twitter, e.g. ‘liking’ our website
Regular disclosure and transfer of personal data
We can use subcontractors for personal data processing.
We can disclose personal data to our partners for direct marketing purposes within the limits of the applicable legislation at force.
We can disclose your personal data to the authorities based on the mandatory requirement of a competent authority, or when we consider the inquiry of the authority to be justified for the purpose of investigating suspected misuse of our services.
Transfers outside the EU and EEA
Personal data is not principally transferred outside the European Union (EU) or the European Economic Area (EEA), unless necessary for the technical implementation of data processing, e.g. when the data subject sends or receives messages by email or other online-based transmission service.
We can be used in customer and marketing communications and in Customer Service ticket management third-party data systems and cloud services, the personal data processing of which can be partly implemented outside the EEA. To the extent that our subcontractors implement data processing outside the EEA, we will ensure that the transfer of personal data outside the EEA is completed in compliance with the applicable legislation.
Storage period of personal data
Personal data contained in the customer and marketing communication register is stored for as long as we will need it for the above purposes.
Storage periods have been defined for the following data
- recordings of chats with Customer Service: three months
- recordings of telephone conversations with Customer Service: seven months
- details on the customer’s contact person related to customer relationship management: for as long as the data subject is the contact person of the customer concerned or for as long as we store the history data of the service used by the customer
Rights of data subjects
As a data subject, you have the right to inspect the personal data concerning yourself and demand that any incorrect data be corrected or deleted. However, we can, within the limits of law, restrict your right to access data that contains the personal data of others, is a business secret of ours or our customer, or is related to the security features of the service.
You have the right to request that your personal data be deleted in situations specified in the general data protection regulation, if:
- you cancel your previous consent and there is no other legal basis for processing the data concerned besides your consent
- you object to the processing of your personal data, and there is no legal basis for continuing the processing
- processing your personal data is illegal
- you are under 18 and your personal data was collected in connection with providing information society services.
In situations specified in the general data protection regulation, you have the right to object to the processing of your data or to request that the processing of your data is restricted. If you consider the processing of your personal data to be illegal, you can submit a complaint on the processing to a competent authority.
The right to use the customer and marketing communication register is restricted to appointed persons only, who need the information concerned in their work tasks. Each user has his/her own user name and password. Personal data is principally stored in databases and data systems located within the European Economic Area that have the appropriate technical and organisational measures in place, to protect the personal data against misuse and disclosure.
If you have questions regarding this privacy statement or you wish to exercise your rights, please contact controller’s data protection officer by using the above email or postal address.
We can make changes to this privacy statement from time to time without a separate notice. Any changes made are listed in the “last update” section at the beginning of this privacy notice.