Updated on 24 May 2018
Varamiespalvelu-Group Oy (hereinafter referred to as “VMP”)
Business ID: 2514701-7
Maariankatu 6, 20101 TURKU, FINLAND
Telephone: +358 (0)40 307 5000
2 Contact details of the person responsible for data protection
Attorney Otto Michelsen
c/o Varamiespalvelu-Group Oy
Telephone: 09 4242 1559
3 Privacy statement description
This privacy statement in accordance with Articles 13 and 14 of the General Data Protection Regulation (679/2016/EU) describes how the controller processes the personal data related to the management of corporate customers’ customer relationships.
The group of data subjects consists of the corporate customers’ contact persons. Corporate customers refer to people or companies who use the services provided by the controller.
4 Personal data to be processed
The following categories of personal data are collected and processed about the data subjects:
- Data subjects’ identification and contact details, such as name, date of birth, workplace contact details (postal address, telephone number, e-mail), job title of the data subject and other data about the data subject’s position, title, role and language
- Data related to bans on marketing and promoting activities, such as bans and consents on direct marketing, marketing activities (for instance, data on marketing raffles and their participation data)
- Data related to the corporate customer relationship or an appropriate connection, such as customer number, start and end date and method of customer relationship, and data related to communications (for instance, order and cancellation data, feedback and recordings of customer service events), invoicing and debt collection data
- Data related to handling electronic services, such as newsletter subscriptions and cookies when they contain personal data and data related to a service for verified users, such as the data about the service’s characteristics.
- Login credentials
- Changes to the data of the data subject’s above-mentioned individualised personal data categories.
5 Regular sources of personal data
Personal data is collected from the data subject, different services used by the data subject and in connection with different marketing activities.
In addition, personal data may be collected and updated from the register of other enterprises of the same group of undertakings, the registers of the controller’s partners, trade registers and from businesses and public authorities providing services related to personal data.
6 Purpose and legal basis for the processing of personal data
Personal data is processed in connection with processing and analysing corporate customer relationships, producing and personalising the controller’s services, developing and planning business operations as well as marketing, distance sales and surveys and market research and customer communications and profiling. In addition, personal data is processed for customer communications that are realised also electronically and using targeting.
The personal data may be processed in ways allowed by the applicable legislation for the marketing purposes of enterprises in the same group of undertakings and partners carefully selected by the controller (e.g. direct marketing, distance sales and surveys and market research). The data is disclosed to partners for only such purposes that support the purpose of the corporate customer register and do not conflict with the purpose of use of this register.
The legal basis for the processing of personal data is the legitimate interest created by handling the corporate customer relationship and the fulfillment of any related contractual obligations.
7 Disclosure and transfer of personal data
Primarily, personal data may only be disclosed for purposes that support the idea of the corporate customer register and in which the purpose of use of the data does not conflict with the purpose of use of this register.
At the controller’s discretion, personal data may be disclosed to, for instance, companies in the same group of undertakings with the controller or the data subject’s partners unless the data subject has specifically forbidden this, as allowed and obligated by the valid legislation at the time.
Data may also be disclosed as required by competent public authorities or other parties in accordance with the valid legislation, and for historical or scientific research when personal data has been anonymised.
If the controller sells or otherwise reorganises its business operations, data may be disclosed to the buyers in connection with corporate transactions.
In addition, personal data may be disclosed to such partners of the data subject that process personal data on behalf of the controller and instructed by the data controller. In these cases, the data controller’s partner does not have the right to process the personal data on behalf of itself.
Primarily, data is not transferred to locations outside the member states of the European Union or the European Economic Area unless necessary for the technical implementation of the data processing or the purposes of the processing of personal data. In these cases, the requirements of the data protection legislation will be complied with in the transfer of data.
8 Protection of personal data
The controller implements the appropriate technical and administrative data privacy measures for the protection of personal data. Personal data is stored in both electronic databases and manually maintained materials. Electronically processed databases are protected using firewalls, passwords and other technical measures generally accepted in the field of data privacy. Manually maintained and processed materials are located on premises with no unauthorised access.
Personal data may only be accessed by the specifically defined and identified people whose work performance requires the processing of personal data stored in the register. These people may access the system using their personal login credentials to the controller’s internal network. Each user has signed a special login credential and confidentiality agreement.
9 Retention period of personal data
The data subject’s personal data is stored only for as long as is required for the implementation of the purposes specified in this privacy statement.
10 Rights of the data subject
The data subject has the following rights guaranteed by the data protection legislation:
- The data subject has the right to ask the data controller for access to their personal data and the right to ask for the said data to be rectified. The request for rectifying personal data must be individualised so that the error in the personal data may be observed and rectified easily.
- The data subject has the right to request the erasure of personal data pursuant to and within the limits of the data protection legislation.
- The data subject has the right to request the restriction of the processing of personal data and to object to the processing of personal data pursuant to and within the limits of the data protection legislation.
- The data subject has the right to data portability or the right to receive their personal data in a structured and generally used format and transfer them to another controller pursuant to and within the limits of the data protection legislation.
- The data subject has the right to file a complaint with the local data protection authority (in Finland, the Data Protection Ombudsman) or another data protection authority in the European Union or the European Economic Area if the data subject sees that the statutory rights related to the processing of their personal data have been breached.
The data subject may address the requests of exercising their above-mentioned rights to the contact person in charge of data protection.
11 Changes to the privacy statement
The controller continuously develops its business operations and, therefore, reserves the right to change this privacy statement by giving notice of the change in its services and on its website at https://www.vmp.fi/tietosuoja-ja-kayttoehdot/. Changes may also be based on changes in the legislation. The controller recommends that customers check the content of the privacy statement regularly.