Date of drafting: 24 May 2018
1 Data Controller
Finnish Standards Association SFS
Business ID: 0202290-8
Visiting address: Malminkatu 34, 00100 Helsinki, Finland
Postal address: PO Box 130, 00101 Helsinki, Finland
Telephone: +358 9 149 9331
Contact person: Pirjetta Laine
2 Name of the Register
Finnish Standards Association SFS’ customer register
3 Grounds for and Purpose of Processing of Personal Data
The processing of personal data is primarily based on the performance of an agreement between the customer and the Finnish Standards Association SFS. To the extent that personal data are processed more extensively than what the performance of the agreement requires, the ground for the processing is the legitimate interest of the Finnish Standards Association SFS to maintain and develop customer relationships and its services and to provide advice to customers and future customers preparing an agreement. Marketing and communication activities carried out on the basis of the data in the customer register are also considered processing based on the legitimate interest.
The Finnish Standards Association SFS processes the personal data of customers in accordance with applicable data protection regulation for the following purposes:
- management and development of customer relationships
- offering and delivery of products and services
- sending newsletters
- payments, tracking and collection of payments
- marketing and distance selling of the data controller’s products and services
- development of the data controller’s business operations and the customer service related thereto
- defence against legal claims
- accounting and other obligations based on legislative requirements
4 Data Content of the Register and Required Data
In general, the data that are collected for the customer register are the name and the address and contact information of a customer’s contact person or a private customer. In addition, data related to the management of the customer relationship, such as notes related to customer meetings, are entered into the customer register.
In addition, the register contains information on the customer’s consent for the receipt of newsletters and on possible participation in the events arranged by SFS.
If the customer refuses to disclose the basic data required for the performance of the agreement to the Finnish Standards Association SFS, the products or services requested by the customer cannot necessarily be offered to the customer.
5 Regular Sources of Data
As a general rule, personal data are obtained from customers themselves (e.g. in conjunction with orders, agreements and other contacts).
Personal data can also be collected and updated from business information services as well as from other reliable parties, such as authorities and companies providing marketing-related services.
6 Regular Transfers and Disclosures of Data
The Finnish Standards Association SFS does not generally disclose customer register data to third parties. However, the payment intermediary (bank, credit card company) used by the customer will receive information on the customer’s purchase transaction when the purchase is made.
In addition, SFS uses in the online store (sales.sfs.fi) and in the SFS Online service (online.sfs.fi) external analytics services, such as Google Analytics, which can also place cookies on the website user’s device. Further information is provided by Google Analytics at https://www.google.com/policies/privacy/partners/.
7 Storage of Personal Data
The Finnish Standards Association SFS will store the personal data for the duration of the customer relationship. After the end of the customer relationship, customer data can be stored in the register passively for accounting purposes, for defending possible claims or for any other reason attributable to a legislative requirement.
8 Transfer of Data outside the EU or EEA
The data will not be transferred outside the EU or EEA. Depending on the payment service used by the customer, it is, however, possible that the data concerning the payment transaction will also be processed abroad. The customer must verify this with his or her own payment intermediary service.
However, some of SFS’ technical service providers mentioned in section 6 above can also process personal data outside EU/EEA. SFS has ensured the secure processing of these data also outside EU/EEA with various protection mechanisms, generally by incorporating the ‘model contract clauses’ approved by the EU Commission into an agreement that will be concluded with a service provider. Some of the service providers can also be subject to the scope of the ‘Privacy Shield programme’: Under the EU Commission’s decision, the US service providers committed to the Privacy Shield programme are considered to provide an adequate level of data protection for the personal data, even though US law does not, as such, correspond to the level of the European data protection legislation. At the request of the data subject, SFS delivers the data subject copies of the additional mechanisms used by it for ensuring data protection.
9 Security Principles for the Register
The data in the customer register will be collected into databases which are protected with firewalls and passwords. The rights of use will be determined by the person responsible for register matters.
The server devices are placed in locked premises which may only be accessed by SFS’ or business partners’ personnel. Only the persons employed by the Finnish Standards Association SFS or its authorised operators that need the data in their work have the right to use the data.
The Finnish Standards Association SFS requires its personnel and business partners to undertake to maintain confidentiality. Access to the information systems is possible only with a username and password. Data sets in physical form are stored in the business premises that are used by the Finnish Standards Association SFS and that are monitored to prevent access by external persons. The customer data may only be processed by the employees of the Finnish Standards Association SFS or of the service provider who need them to fulfil the purposes described in section 4 in conjunction with their duties.
10 Rights of the Data Subject
The data subject has the right to access his or her personal data included in the register and obtain a copy of the personal data being processed.
The data subject has also the right to demand the correction or erasure of the personal data, if the data are incorrect, unnecessary, inadequate or outdated.
In relation to his or her particular situation, the data subject is entitled to object to processing activities that the Finnish Standards Association SFS carries out on the data subject’s personal data to the extent that the processing is based on the data controller’s legitimate interest.
The data subject has the right to demand that the Finnish Standards Association SFS restrict the processing of the personal data, for example, in a situation where the data subject is waiting for the Finnish Standards Association SFS’ response to the request concerning the rectification or erasure of the data.
To the extent that the data subject has provided data to the register or data have been generated in the register directly as a result of the data subject’s activities and the data are processed in order to perform an agreement between the customer and the Finnish Standards Association SFS or based on a consent given by the data subject, the data subject has the right to receive such data in a structured, commonly used and machine-readable format and has the right to transmit these data to another data controller, if this is technically feasible.
The requests related to the data subject’s rights above are generally free of charge and they must be sent to the data controller by using the contact information referred to in section 1 of the policy.
We respond to data subjects’ requests without undue delay. If we do not fulfil the request, we will notify the data subject of the reasons for this (e.g. reasons based on legislation).
The data subject has the right to lodge a complaint with the competent supervisory authority, if the data subject deems that the Finnish Standards Association SFS has not complied with applicable data protection regulation in its operations.