1 CONTROLLER
The controller is Isännöintitoimisto Isto, which comprises ISTO Group Oy (2157160-3), ISTO Etelä-Suomi Oy (2830044-3), ISTO Espoo Oy (3107682-5), ISTO Itä-Suomi Oy (0864416-9), ISTO Kaakkois-Suomi Oy (0826511-8) and ISTO Pohjois-Savo Oy (3097433-2).
2 CONTACT PERSON IN MATTERS CONCERNING THE REGISTER
Jarno Matikainen
+358 (0)10 231 0621
jarno.matikainenisto.fi
3 DATA PROTECTION OFFICER
The controller’s Data Protection Officer is Jarno Matikainen.
4 NAME OF REGISTER
The register’s name is the customer and marketing register.
5 THE PURPOSE AND LEGAL BASIS FOR PROCESSING PERSONAL DATA
The personal data are collected for a specific, legislative purpose to fulfill the contractual obligations of a customer relationship. The controller has the right to practise marketing based on legitimate interests.
Personal data are collected in accordance with this privacy policy, and they are never used, changed or transferred in any other manner outside of what is stated in this privacy policy.
6 DATA CONTENT OF THE REGISTER
The register includes personal data regarding the controller’s customers. These data include the customer’s name, social security number, address, phone number, email address and payment information, as well as other information that customers have provided to the controller themselves.
7 COOKIES
The controller’s website uses a third-party analytics and marketing system (Google Analytics). The system uses cookies to collect data on visitors. However, these data are not used to identify individual users, but to improve the website’s services. Google Analytics transfers data to, and stores data in, its own server.
8 REGULAR DATA SOURCES
Data collected into the register comes from data subjects as well as from customer and stakeholder sources. In addition, data is collected from public sources, such as organisation contact information on websites or address registers.
9 REGULAR DISCLOSURES OF DATA
Necessary customer data can be disclosed to authorities for legal purposes. The controller does not disclose data to third parties or automatically disclose data to other partners. In individual cases, the controller discloses customer data to appointed parties if the party concerned requests the controller to act in the aforementioned manner or if a competent authority requires the controller on legal grounds to disclose specified data that is in the controller’s possession in the database.
10 DATA TRANSFER TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS
Data is not transferred to third countries or to international organisations.
11 RIGHT OF ACCESS
Data subjects have the right to inspect what data concerning them have been recorded in the register. Furthermore, after submitting a sufficiently detailed and accurate request, the data subjects have the right to access the register content that concerns them. The inspection request must be submitted in written form and signed to the controller’s contact person, and the request must include an attachment with a copy of photo identification.
12 RIGHT TO RECTIFICATION AND ERASURE
The controller must, at the demand of the party concerned, rectify inaccurate data in the personal data register. The controller also has an obligation to inspect all data on its own accord to ensure that the data in the register are appropriate and up to date. The data subject may also demand the controller erase data concerning them from the register. The Data Protection Officer is responsible for processing the request and taking the appropriate actions.
13 OTHER RIGHTS RELATED TO THE PROCESSING OF PERSONAL DATA
The data subject has the right to request a restriction of processing data on them. The data subject also has the right to receive the personal data which they have provided to a controller and which concerns them in a structured, commonly used and machine-readable format, and the data subject has the right to transmit those data to another controller. In addition, the data subject has the right to object to automated decision-making and profiling and to the processing of personal data.
14 ERASURE OF DATA AND STORAGE TIME
The controller removes data on a customer from the register when there are no longer operational grounds for processing the data or if a data subject exercises their legal right to request that the controller erase the data on the data subject.
Personal data are erased once there are no longer grounds for processing or storing the data. However, data are not erased if legislation states otherwise, if a competent authority has begun a process that requires the controller to retain data or if a third party has requested a Finnish court of law to make a decision on safeguarding the data.
15 APPROVAL OF THE PRIVACY POLICY
The privacy policy has been inspected and its continuation has been approved on 8 December 2020.
