Martelius Exhaust Oy DATA REGISTER and PRIVACY AGREEMENT
1 Customer data register controller
Customer data register controller is Martelius Exhaust Oy (company ID FI2678850-2)
Contact person for data register:
+3582 856 616
sales (at) martelius.com
Martelius Exhaust Oy
23800 Laitila, Finland
sales (at) martelius.com
2 Name of customer data register
a) Martelius Exhaust Oy Asiakasrekisteri (register for customer data)
b) Martelius Exhaust Oy Markkinointi- ja viestintärekisteri (register for marketing and communications)
3 Purpose for processing personal data
Personal data is processed for purposes related to the management, administration and development of the customer relationship, the provision and delivery of services, and the development and invoicing of services. Personal data is also processed for the purposes required to clarify possible complaints and other claims.
In addition, personal data is processed in communications to customers, such as for information and news purposes and in marketing, as part of which personal data are also processed for purposes related to direct marketing and electronic direct marketing.
The customer has the right to prohibit direct marketing directed at him.
The data controller processes the data itself and utilizes subcontractors acting on behalf and for the account of the data controller in the processing of personal data.
4 Käsittelyn oikeusperusteet
The legal bases for the processing of personal data are the following in accordance with the EU General Data Protection Regulation (hereinafter also referred to as the “GDPR”):
- the data subject has consented to the processing of his or her personal data for one or more specific purposes (Article 6 1.a of the GDPR);
- processing is necessary for the execution of a contract to which the data subject is a party or for taking pre-contractual measures at the request of the data subject (Article 6 (1b) GDPR);
- treatment is necessary to achieve the legitimate controller or a third party's interests (6 GDPR art. 1.f).
The above-mentioned legitimate interest of the controller is based on a relevant and appropriate relationship between the data subject and the controller as a result of the data subject's processing and the processing for purposes which the data subject could reasonably have expected at the time of collection and in the appropriate relationship.
5 Content of the register
The following information can be stored on the controller (customers):
- Name and contact details
- Martelius Exhaust Oy Asiakasrekisteri: first name, last name, address, phone number and email address
- Martelius Exhaust Oy Markkinointi- ja viestintärekisteri: first name, last name, email address
- Organization and the position in the organization
- Customer’s services and invoicing data
6 Regular sources of data
Personal data is collected directly from registered customers.
Personal data shall also be collected and updated, within the limits of the applicable law, from publicly available sources related to the implementation of the customer relationship between the controller and the data subject and through which the controller fulfills its customer relationship responsibilities. The marketing and communications register also collects information about external services or applications, such as Facebook, Instagram, other social media channels, Mailchimp, Campaign Monitor, possible trade fairs and events, customer meetings, partners.
7 Henkilötietojen säilytysaika
The data collected in the register shall be kept only for as long and to the extent necessary in relation to the original or compatible purposes for which the personal data were collected.
The need to retain personal data shall be assessed every three years and in any case the data of the data subject shall be deleted from the register five years after the end of that data subject's customer relationship with the controller and the end of the customer relationship obligations and measures. For example, accounting documents are kept for six years from the end of the financial year.
The controller shall regularly assess the need for data retention in accordance with its internal code of conduct. In addition, the controller shall take all reasonable steps to ensure that personal data which are inaccurate, incorrect or out of date for the purposes of processing are deleted or rectified without delay.
8 Disclosure of data and practices relating to the disclosure of data
Personal data is not disclosed to other parties.
9 Data transfers outside EU and ETA
Personal data is not transferred outside EU or ETA.
10 Principles of protection of the data
Materials containing personal data shall be kept in locked premises to which only designated and authorized persons have access.
The database containing personal data is on a server, which is stored in a locked state, which can only be accessed by designated and authorized persons. Data contained in the data register is protected by technical means: using firewalls and passwords, and using other technical means.
Access to databases and systems is only possible with separately issued personal usernames and passwords. The controller has limited the access rights and authorizations to the information systems and other storage media so that the data can be viewed and processed only by persons who are necessary for their lawful processing. In addition, database and system access transactions are recorded in the log data of the registrar's IT system.
The controller's employees and other persons have undertaken to observe professional secrecy and to keep confidential the information they receive in connection with the processing of personal data.
11 Data subjects' rights
In accordance with the EU General Data Protection Regulation, data subjects have the following rights:
the right to obtain confirmation from the controller that personal data concerning him or her are being processed or not to be processed and, if such personal data are being processed, the right to access the personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or groups of recipients to whom the personal data have been or are to be disclosed; (iv) where applicable, the intended period of retention of the personal data or, if that is not possible, the criteria for determining that period; (v) the right of the data subject to request the controller to rectify or erase personal data concerning him or her or to restrict or object to the processing of personal data; (vi) the right to lodge a complaint with the supervisory authority; (vii) if personal data are not collected from the data subject, all available information on the origin of the data (Article 15 GDPR). This described basic information (i) to (vii) is provided to the registrant on a form;
the right to withdraw consent at any time without prejudice to the lawfulness of the processing carried out prior to the withdrawal (Article 7 GDPR);
the right to have inaccurate and erroneous personal data concerning the data subject rectified by the controller without undue delay and the right to have incomplete personal data supplemented, inter alia by providing additional clarification taking into account the purposes for which the data were processed (Article 16 GDPR);
the right to have the controller delete personal data concerning the data subject without undue delay, provided that (i) the personal data are no longer needed for the purposes for which they were collected or for which they were otherwise processed; (ii) the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing; (iii) the data subject objects to the processing on the basis of his or her specific personal situation and there is no valid reason for the processing or the data subject objects to the processing for direct marketing purposes; (iv) personal data have been processed unlawfully; or (v) personal data must be deleted in order to comply with a legal obligation to which the controller is subject under Union law or national law (Article 17 of the GDPR);
The right to have the controller restrict the processing if (i) the data subject contests the accuracy of the personal data, in which case the processing shall be limited to the period during which the controller can verify their accuracy; (ii) the processing is unlawful and the data subject opposes the deletion of personal data and instead requests that their use be restricted; (iii) the controller no longer needs such personal data for the purposes of processing, but the data subject needs them in order to establish, present or defend a legal claim; or (iv) the data subject has objected to the processing of personal data on the basis of his or her specific personal situation pending verification that the data subject's legitimate grounds override the data subject's grounds (Article 18 GDPR);
6. the right to have personal data concerning him or her provided to the controller by the data controller in a structured, commonly used and machine-readable form and to transfer such data to another controller without prejudice to the controller to whom the personal data have been transmitted, subject to consent under the Regulation and processing automatically (GDPR 20 art.);
7. the right to lodge a complaint with the supervisory authority if the data subject considers that the processing of personal data concerning him or her infringes the general EU data protection regulation (Article 77 GDPR).
Requests for the exercise of the data subject's rights shall be addressed to the controller's contact person mentioned in paragraph 1.