Privacy Statement according to the Personal Data Act (Sections 10 and 24) and the EU General Data Protection Regulation (GDPR)

Created 22.05.2018
Updated 22.5.2018

1. Data Controller

Karfit Oy (2793386-3)

2. Contact Person in charge of the Register

Maija Niskanen
0452163106
karhula@ole.fit

3. Name of the Register

Karfit Oy customer and marketing register

4. Legal Basis and Purpose of Processing Personal Data

The legal basis for the processing of personal data under the EU General Data Protection Regulation is

• the individual's voluntary, documented consent
• a contract in which the registrant is a party, or
• the legitimate interest of the data controller (customer relationship, employment, membership).

The purpose of processing personal data is to communicate with customers, maintain customer relationships, and marketing.

5. Content of the Register

Information stored in the register includes: person's name, personal identification number, position, company/organization, contact details (phone number, email address, postal address), company's website addresses, information on services ordered, billing information, other information related to the customer relationship and ordered services.

The data is stored in the register for the duration of the customer relationship and for one year after the end of the customer relationship.

6. Regular Sources of Information

The information stored in the register is obtained from the customer through web forms, emails, phone calls, social media services, contracts, customer meetings, and other situations where the customer provides their information.

7. Regular Disclosures of Information and Transfer of Data Outside the EU or EEA

• We share your personal data with the following parties:
• With the police in criminal investigations.

In marketing-related assignments, with partners who analyze, print, or distribute marketing material.

Data may also be transferred by the data controller outside the EU or EEA.

If we transfer your data to our partners, they act as data processors under the cooperation agreement. The agreement obliges our partners to comply with the Personal Data Act (Sections 10 and 24) and the EU General Data Protection Regulation (GDPR). Partners are not permitted to use the data in the register for purposes other than those agreed upon with Karfit Oy.

8. Principles of Register Protection

In processing the register, care is taken and data handled by information systems is appropriately protected. When register data is stored on Internet servers, their physical and digital data security is adequately maintained.

Karfit Oy ensures that stored data, server access rights, and other data critical to the security of personal data are treated confidentially and only by those employees whose job description includes it. Employees handling customer register data are bound by confidentiality.

9. Right to Inspection and the Right to Demand Correction of Information

Each person in the register has the right to check their data stored in the register and to demand the correction of any incorrect information or completion of incomplete information. If a person wants to check their stored data or demand a correction, the request must be sent in writing to the data controller. The data controller may, if necessary, ask the person making the request to prove their identity.

The data controller responds to the customer within the time frame specified in the EU data protection regulation. (usually within one month).

10. Other Rights Related to the Processing of Personal Data

The person in the register has the right to request the deletion of their personal data from the register. The registrant also has other rights under the EU General Data Protection Regulation, such as the right to restrict the processing of personal data in certain situations. Requests should be sent in writing to the data controller. The data controller may, if necessary, ask the person making the request to prove their identity.

The data controller responds to the customer within the time frame specified in the EU data protection regulation. (usually within one month).