Official Section:
The data controller of the register is GLVS Jefuhanskat (Business ID: 3093124-4).
The contact person for register matters is: Antti Vuorenlehto.
Postal address:
JEFUHANSKAT.FI
Tykistökapteenintie 5 C
00340 Helsinki
Email: info@jefuhanskat.fi
2. Name of the Register
The name of the register is the GLVS Customer Register.
3. Purpose of Personal Data Processing
Personal data is processed for purposes related to customer relationship management, administration, development, service provision, and invoicing. Personal data is also processed for the resolution of potential complaints and other claims. Additionally, personal data is processed for communications aimed at customers, including informational and news-related purposes, as well as marketing, including direct marketing and electronic direct marketing. The customer has the right to object to direct marketing. The data controller processes the data itself and may use subcontractors to process personal data on behalf of the data controller.
4. Legal Basis for Processing
The legal bases for processing personal data under the EU General Data Protection Regulation (GDPR) are:
The data subject has given consent to the processing of their personal data for one or more specific purposes (GDPR Article 6(1)(a));
Processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract (GDPR Article 6(1)(b));
Processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party (GDPR Article 6(1)(f)).
The legitimate interest of the data controller is based on the relevant and appropriate relationship between the data subject and the data controller, which arises because the data subject is a customer of the data controller, and processing takes place for purposes that the data subject could reasonably have expected when the personal data was collected and in the context of the legitimate relationship.
5. Content of the Register (Personal Data Groups Processed)
The register includes the following personal data, primarily for all registered individuals:
Basic information and contact details (first name, last name, address, phone number, email address);
Information related to the person's company or organization and their position or title in the company or organization;
Direct marketing consents and objections.
6. Regular Sources of Data
Personal data is collected from the data subject themselves. Personal data may also be collected and updated from publicly available sources, within the limits of applicable laws, which are relevant to the implementation of the customer relationship between the data controller and the data subject and which help the data controller fulfill their obligations in maintaining the customer relationship.
7. Retention Period of Personal Data
Personal data collected in the register is only stored as long as necessary and to the extent necessary for the original or compatible purposes for which the data was collected. The need for storing personal data is evaluated every five years, and in any case, the data related to the data subject will be removed from the register 10 years after the end of the customer relationship, once all obligations and actions related to the customer relationship have been completed. For example, accounting documents are kept for five years after the end of the fiscal year. The data controller regularly evaluates the necessity of retaining the data in accordance with internal policies. Additionally, the data controller takes all reasonable measures to ensure that inaccurate, incorrect, or outdated personal data is deleted or corrected promptly.
8. Recipients of Personal Data (Recipient Groups) and Regular Disclosures
Personal data is not disclosed to external parties.
9. Transfer of Data Outside the EU or EEA
Personal data in the register is not transferred outside the EU or EEA.
10. Principles of Register Protection
Personal data is stored in locked premises, accessible only to designated individuals authorized to access them due to their duties. The personal data database is stored on a server, which is kept in a locked area, accessible only to designated individuals authorized to access them due to their duties. The server is protected by an appropriate firewall and technical security. Access to databases and systems is restricted to personal user IDs and passwords. The data controller has restricted access rights to the information systems and other storage platforms so that only individuals who need to process the data for lawful purposes can view or process it. Additionally, the use of databases and systems is logged in the data controller's IT system logs. Employees and others working for the data controller are committed to confidentiality and keeping the information obtained during personal data processing confidential.
11. Rights of the Data Subject
The data subject has the following rights under the EU General Data Protection Regulation:
The right to obtain confirmation from the data controller whether their personal data is being processed, and if so, the right to access the personal data and the following information: (i) purposes of processing; (ii) categories of personal data concerned; (iii) recipients or categories of recipients to whom the personal data has been or will be disclosed; (iv) where possible, the intended retention period or the criteria used to determine the period; (v) the right to request the rectification or deletion of personal data, or the restriction of processing, or to object to such processing; (vi) the right to lodge a complaint with a supervisory authority; (vii) if personal data has not been obtained from the data subject, any available information regarding the source (GDPR Article 15). These basic details (i)–(vii) will be provided to the data subject on this form.
The right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal (GDPR Article 7);
The right to request the data controller to rectify inaccurate or incomplete personal data without undue delay (GDPR Article 16);
The right to request the data controller to delete personal data without undue delay, provided that: (i) personal data is no longer necessary for the purposes for which it was collected or processed; (ii) the data subject withdraws consent, and there is no other legal basis for processing; (iii) the data subject objects to processing based on personal grounds and there are no legitimate grounds for processing, or objects to processing for direct marketing purposes; (iv) personal data has been processed unlawfully; or (v) personal data must be deleted in compliance with a legal obligation (GDPR Article 17);
The right to request restriction of processing if: (i) the data subject disputes the accuracy of the personal data, and processing is restricted while the data controller verifies the accuracy; (ii) the processing is unlawful, and the data subject objects to deletion and requests restriction instead; (iii) the data controller no longer needs the personal data for processing, but the data subject needs it for legal claims; or (iv) the data subject has objected to processing based on personal grounds, while awaiting confirmation of whether the legitimate interests of the data controller override the data subject's interests (GDPR Article 18);
The right to receive personal data provided by the data subject in a structured, commonly used, and machine-readable format, and the right to transfer this data to another data controller (GDPR Article 20);
The right to lodge a complaint with a supervisory authority if the data subject believes their personal data processing violates the GDPR (GDPR Article 77).
Requests to exercise the rights of the data subject should be addressed to the contact person for the data controller mentioned in section 1.
12. Cookies
We use cookies on our website. By using our website, you accept the use of cookies.