Cardirad Oy (2246563-4)
08150 Lohja Finand
Cardirad OY Pajakatu 5 08100 Lohja Finland GDPR@cardirad.com
Legal bases of processing data is legitimate interest. The purpose of use for the filing system is to promote business operations, create new customer relationships and to communicate with potential customers. Collected data are used to create and maintain new customer relationships as well as carry out other business-related tasks.
Establishing and negotiating customer relationship and other activities related to the data controller’s business. The data controller’s legitimate interest for processing collected and used personal data is based on the company’s direct marketing needs and the freedom to engage in commercial activity. Direct marketing is considered a legitimate interest in accordance with the EU General Data Protection Regulation.
The data controller’s personnel and outsourcing partners when applicable.
Personal data filing system contains the following information: - First and last name of person - Community represented - Email address - Postal address - Phone number - Information on previous orders - Information on discussions during customer negotiations
Data are collected from email messages and business cards received from customers as well as during phone conversations and face-to-face meetings with customers. Data can also be received from interest groups, such as mass communication, marketing or contact forms on the company website. Data will not be disclosed to external parties or to the company’s partners except for purposes related to credit applications, debt collection or invoicing as well as in situations required by law. Personal data will not be transferred outside the European Union unless necessary for ensuring the technical implementation of the company’s or its partners’ activities. A data subject’s personal data will be removed upon the data subject’s request unless such removal is prohibited by legislation, matters related to the management of the customer relationship, outstanding invoices, or debt collection.
Personal data are stored for only the duration that is necessary for the above-mentioned purposes of processing in accordance with current legislation.
The data stored in the register are used solely by the company and its employees, except when an external service provider is used either to provide added value services or to support credit-related decision-making. Data will not be disclosed to external parties or to the company’s partners except for purposes related to credit applications, debt collection or invoicing as well as in situations required by law. A data subject’s personal data will be removed upon the data subject’s request unless such removal is prohibited by legislation, matters related to the management of the customer relationship, outstanding invoices, or debt collection.
Personal data will not be transferred outside the European Union unless necessary for ensuring the technical implementation of the company’s or its partners’ activities.
Manually processed documents containing customer data (e.g. printed emails or their attachments, printed online forms or other similar documents) are, after initial processing, stored in a locked and fireproof space. Only specific employees who have signed confidentiality agreements have the right to process manually stored customer data.
Only specific employees working for or on behalf of the company have the right to use for example workstations whose software can be used to maintain data on potential customers. Each specific user has his or her personal username and password. Each user has signed a confidentiality agreement. The system is protected by a firewall to prevent external attacks on the system, and workstations are protected by relevant security software.
The data subject has the right to check what data has been stored about them in the filing system. The request for access must be made in writing or from a verifiable email address. The data subject has the right to prohibit the processing and disclosure of their data for the purposes of direct marketing, distance marketing or opinion polls by contacting the data controller’s customer service.
The data subject has the right to transfer his or her own data from one system to another. The transfer request can be addressed to the registry contact person.
Taking into account the purposes of processing, any data stored in the filing system that is inaccurate, unnecessary, incomplete, or outdated must be erased or rectified. A written request for rectification, signed by hand, should be sent to the company’s customer service or the personal data filing system’s administrator. The request should specify what information should be rectified and on what grounds. Rectification shall be carried out without delay. Notification of rectification will be sent to the party who provided the inaccurate data or to whom the data were disclosed. If a request for rectification is denied, the responsible person of the filing system will provide a written document stating the grounds for the denial of the request for rectification. The data subject concerned may then pass the matter along to the Data Protection Ombudsman.
If you consider that an infringement of the General Data Protection Regulation has occurred in the processing of your personal data, you have the right to lodge a complaint with a supervisory authority. The complaint can also be lodged in a member state where you are a permanent resident or where you are employed. Contact information for the Finnish national supervisory authority: Office of the Data Protection Ombudsman PL 800, Lintulahdenkuja 4, 00530 Helsinki tel. +358 29 566 6700 firstname.lastname@example.org www.tietosuoja.fi/en/
Right to restrict processing The data subject has the right to request that the processing of their personal data is restricted for example if data stored in the filing system is erroneous. Requests should be sent to the responsible person of the filing system. Right to object The data subject has the right to request for personal data pertaining to them, and the data subject has the right to request for the rectification or erasure of said data. Request can be sent to the contact person of the filing system. If you are acting as the contact person of a company or organisation, your data cannot be erased during this time. The data subject has the right to prohibit the disclosure of processing of personal data for the purposes of direct marketing or other marketing, the right to demand the anonymization of data where applicable, as well as the right to be completely forgotten.