Oy Duell Bike-Center Ab (2464132-0)
Kauppatie 19
65610 Mustasaari
Sami Ilvonen sami.ilvonen (at) duell.eu
Legitimate interest
Legal bases of processing data: the legitimate interest of the data controller. Data is processed as required to investigate possible security anomalies at the premises of the data controller and, in the case of criminal cases, by the necessary authorities. The purpose of processing has to do with general safety, such as the investigation and prevention of criminal activity, vandalism, and other types of misconduct on premises owned or monitored by the data controller. The individuals defined by the controller are legitimate on the basis of their duties or position on the processing of personal data on camera surveillance (eg recordings for viewing and listening to records), as well as administrative services personell, and possibly individual persons related to solving current matter. In addition, the employer also has the right to use the registry for the protection of privacy in accordance with Article 17 § 2 of Section 1-3 of the Law on Privacy (759/2004) to conclude the establishment of an employment relationship to the establishment of an employment relationship, disruption or harassment of harassment or harassment in the Act on Equality between Women and Men (609/1986) in order to identify and demonstrate the harassment and inappropriate behavior referred to in the Occupational Safety Authority (738/2002), as well as to identify the risk or threat of occupational safety or other occupational safety.
The legal basis for the processing of personal data is the legitimate interest of the controller (EU General Data Protection Regulation " GDPR" art. 6.1 (f)). The controller must process personal data in order to carry out its business tasks. The processing of personal data in this context cannot necessarily be justified by a legal obligation or a contract with an individual. In the balancing test, the controller has identified legitimate interest as the most appropriate ground for processing in view of the nature and scope of the processing and the exercise of the rights and freedoms of data subjects. The controller has assessed that the legitimate interest will not cause serious harm to the rights and freedoms of the individuals concerned (data subjects).
The register contains the following image-based personal data of all persons moving within the scope of the CCTV surveillance of the controller's property: 1) The appearance and characteristics of the person 2) The time and exact location of movement within the property The register records information whenever a person moves within the camera surveillance area, as the camera surveillance is based on motion detection. The cameras are placed at the entrances, public areas, access routes and courtyards of the property owned/managed by the controller, as well as at certain locations that are particularly vulnerable for operational reasons due to a specific need for surveillance.
The controller's own personnel. Information is not regularly disclosed anywhere without a legitimate criterion (the law on the protection of privacy in working life 759/2004). Information is transferred to the police only in special situations through the criminal reporting procedure in cases where there has been or suspected of an offense or in case of damage if necessary for the insurance company. Information may also be disclosed to identify and recover the accident at work, harassment or other inappropriate behavior to the supervisor's leadership of the controller's organization.
The register contains the following personal data of the following image material from any of the persons moving in the domain of the data controllers property in the domain of the data controllers property: 1) The appearance of a person and the characteristics of the person 2) Exact time and location of movement on property or in the area of surveillance. The register saves information always when a person is moving in the camera monitoring area as camera control works with motion detection. The recording camera control is indicated by labeling. The cameras are placed in the entrances, general premises, paths and yard areas owned / managed by the controller owned / managed by the controller, and for particular control need for certain functional reasons due to particularly vulnerable objects.
As a regular source of information, there are surveillance cameras whose registers describe the registry information, which are the image material transmitted by the cameras of the recording control system.
Data collected in the register will be kept only for as long and to the extent necessary in relation to the original or compatible purposes for which the personal data were collected. The personal data will be stored on the server of the CCTV controller or contractor. The data of the data subjects will be stored for a maximum period of 30 days, depending on the systems. After this the data will be removed. If the retention period becomes a notification of damage or any other offense, the recording is kept in this respect for the period required to determine the crime. The data controller removes the stored personal information when there is no longer any legal basis for their handling. The data controller will regularly evaluate the need for retention of data regularly in accordance with its internal code of conduct
Data in the filing system will not be disclosed to third parties unless disclosure is required for upholding security. If criminal activity is suspected, data may be disclosed to the police.
As a rule, the data in the register is not transferred outside the EU or the EEA. However, it is possible that service providers outside the EU/EEA are used for processing or that the clouds of service providers are located outside the EU/EEA, in which case SCC standard clauses are used as the basis for data transfer and additional safeguards are implemented for data transfers, such as internal guidelines (on pseudonymisation of personal data and the like) and possibly TIA analysis where appropriate.
Manual data is not stored anywhere.
Electronically processed data contained within the filing system are protected with firewalls, passwords and other necessary data security measures in accordance with current methods in the field. Only identifiable individuals employed by the data controller or companies acting on behalf of or under commission by the data controller who have signed confidentiality agreements have access to data stored in the filing system by means of unique access permissions.
The data subject has the right to check what information about him or her is in the register. The request for inspection must be made in writing to a verifiably identifiable e-mail address.
Where a legitimate interest is used as a ground for processing, the data subject does not have the right to transfer his or her data from one system to another.
Taking into account the purposes of processing, any data stored in the filing system that is inaccurate, unnecessary, incomplete, or outdated must be erased or rectified. The written and signed request for rectification should be sent to the company’s customer service or the personal data filing system’s administrator. The request should specify what information should be rectified and on what grounds. Rectification shall be carried out without delay. Notification of rectification will be sent to the party who provided the inaccurate data or to whom the data were disclosed. If a request for rectification is denied, the responsible person of the filing system will provide a written document stating the grounds for the denial of the request for rectification. The data subject concerned may then pass the matter alongto the Data Protection Ombudsman.
The data subject has the right to request restriction of processing, for example if the personal data in the register are inaccurate. Contact the person responsible for the register.
The data subject has the right to request personal data concerning him or her and the right to request the rectification or erasure of personal data. Such requests may be addressed to the contact person of the register.
If you consider that an infringement of the General Data Protection Regulation has occurred in the processing of your personal data, you have the right to lodge a complaint with a supervisory authority. The complaint can also be lodged in a member state where you are a permanent resident or where you are employed. Contact information for the Finnish national supervisory authority: Office of the Data Protection Ombudsman PL 800, Lintulahdenkuja 4, 00530 Helsinki tel. +358 29 566 6700 tietosuoja@om.fi www.tietosuoja.fi/en/
Data subjects have the right to object to the disclosure and processing of their data for direct marketing and other marketing purposes, to request that their data be made anonymous where applicable, and to be completely forgotten.