N2 Helsinki Oy customer register privacy policy

1 Data Controller

Data controller of the register: N2 Helsinki Oy (2276351-9)

Contact person for register matters:
Lauri Kuorikoski, COO, N2 Helsinki Oy
Address: Pursimiehenkatu 29-31 A, 4th floor
Email: lauri.kuorikoski@n2.fi

2 Name of the Register

The name of the register is N2 Helsinki Oy customer register.

3 Purpose of Personal Data Processing

Personal data is processed for purposes related to managing, administering and developing customer relationships, providing and delivering services, as well as developing services and billing. Personal data is also processed for purposes required to resolve complaints and other claims.

In addition, personal data is processed in communications directed at customers, such as for information and news purposes, as well as in marketing, as part of which personal data is also processed for direct marketing and electronic direct marketing purposes.

The customer has the right to prohibit direct marketing directed at them.

The data controller processes data itself and utilizes subcontractors who process personal data on behalf of and for the data controller.

4 Legal Bases for Processing

The legal bases for processing personal data are the following bases under the EU General Data Protection Regulation (hereinafter also ”GDPR”):

  1. the data subject has given consent to the processing of their personal data for one or more specific purposes (GDPR Art. 6.1.a);
  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (GDPR Art. 6.1.b);
  3. processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party (GDPR Art. 6.1.f).

The aforementioned legitimate interest of the data controller is based on a relevant and appropriate relationship between the data subject and the data controller, which results from the data subject being a customer of the data controller, and when processing takes place for purposes that the data subject could reasonably expect at the time of data collection and in connection with the appropriate relationship.

5 Data Content of the Register (Processed Personal Data Categories)

The register contains the following personal data as a rule for all registered persons:

  1. person’s basic information and contact details: first name, last name, address, phone number, email address;
  2. information related to the person’s company or other organization and the person’s position or job title in said company or organization;
  3. the person’s direct marketing permissions and prohibitions;
  4. marketing classification information (e.g., newsletter subscriber, campaign participant, industry, etc.)

6 Regular Data Sources

Personal data is collected from the data subject themselves.

Personal data is also collected and updated within the limits of applicable legislation from publicly available sources that relate to the implementation of the customer relationship between the data controller and the data subject and through which the data controller fulfills its obligations related to maintaining customer relationships.

7 Retention Period for Personal Data

Data collected in the register is retained only for as long and to the extent necessary in relation to the original or compatible purposes for which the personal data was collected.

The need for retaining personal data is assessed annually, and in any case, data concerning a registered person is deleted from the register 5 years after the customer relationship of said data subject with the data controller has ended and the obligations and actions related to the customer relationship have been completed. For example, accounting records are retained for five years from the end of the financial year.

The data controller regularly assesses the necessity of data retention in accordance with its internal codes of conduct. In addition, the data controller implements reasonable measures to ensure that personal data that is inaccurate, incorrect, or outdated in relation to the purposes of processing is deleted or corrected without delay.

8 Recipients of Personal Data (Recipient Groups) and Regular Data Disclosures

Personal data is not disclosed to external parties.

9 Transfer of Data Outside the EU or EEA

Personal data contained in the register is not transferred outside the EU or EEA.

10 Principles of Register Protection

Materials containing personal data are stored in locked premises, which are accessible only to designated persons authorized to access them due to their duties.

The database containing personal data is on a server that is stored in a locked space, which is accessible only to designated persons authorized to access it due to their duties. The server is protected with an appropriate firewall and technical protection.

Access to databases and systems is granted only through separately issued personal usernames and passwords. The data controller has limited access rights and authorizations to information systems and other storage platforms so that only persons necessary for their lawful processing can view and process the data. In addition, usage events of databases and systems are recorded in the log data of the data controller’s IT system.

The data controller’s employees and other persons are committed to observing confidentiality obligations and keeping confidential the information they receive in connection with processing personal data.

11 Rights of the Data Subject

The data subject has the following rights under the EU General Data Protection Regulation:

  1. the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipient to whom the personal data have been or will be disclosed; (iv) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (v) the right to request from the data controller rectification or erasure of personal data or restriction of processing concerning the data subject or to object to such processing; (vi) the right to lodge a complaint with a supervisory authority; (vii) where the personal data are not collected from the data subject, any available information as to their source (GDPR Art. 15). This basic information described (i)–(vii) is provided to the data subject on this form;
  2. the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (GDPR Art. 7);
  3. the right to obtain from the data controller without undue delay the rectification of inaccurate and incorrect personal data concerning the data subject and the right to have incomplete personal data completed, including by means of providing a supplementary statement, taking into account the purposes for which the data was processed (GDPR Art. 16);
  4. the right to obtain from the data controller the erasure of personal data concerning the data subject without undue delay, provided that (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing; (iii) the data subject objects to the processing on grounds relating to their particular situation and there are no overriding legitimate grounds for the processing, or the data subject objects to processing for direct marketing purposes; (iv) the personal data have been unlawfully processed; or (v) the personal data have to be erased for compliance with a legal obligation in Union or national law to which the data controller is subject (GDPR Art. 17);
  5. the right to obtain from the data controller restriction of processing where (i) the data subject contests the accuracy of the personal data, for a period enabling the data controller to verify the accuracy of the personal data; (ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (iii) the data controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or (iv) the data subject has objected to processing on grounds relating to their particular situation pending the verification whether the legitimate grounds of the data controller override those of the data subject (GDPR Art. 18);
  6. the right to receive the personal data concerning them, which they have provided to a data controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another data controller without hindrance from the data controller to which the personal data have been provided, where the processing is based on consent referred to in the regulation and the processing is carried out by automated means (GDPR Art. 20);
  7. the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to them infringes the EU General Data Protection Regulation (GDPR Art. 77).

Requests concerning the implementation of data subject rights shall be addressed to the data controller’s contact person mentioned in section 1.

12 Cookies and Other Tracking Technologies

We use cookies to customize the content and advertisements we provide, to support social media features, and to analyze our visitor numbers. In addition, we share information about how you use our website with our social media, advertising, and analytics partners. Our partners may combine this information with other information that you have provided to them or that has been collected when you have used their services.

The following services collect IP addresses and/or cookie data:

  • Webserver analytics
  • Adobe TypeKit webfont service

13 Targeted Marketing

Based on your visit to the site, we may conduct targeted advertising in the following services:

  • none

You can prohibit the collection and storage of your data by third-party data analytics platforms. Instructions for this can be found on the websites of these third-party data analytics platforms. If you wish to opt out of web-based behavioral advertising, you can visit, for example: https://preferences-mgr.truste.com/ or https://optout.aboutads.info/.

The services may contain advertisements provided by third parties that deliver cookies to your device so that the content you use and advertising directed at you can be tracked. A list of third-party marketing platforms can be provided upon request.

Through the following links: https://www.networkadvertising.org or https://www.youronlinechoices.com/fi/ (or corresponding currently valid URLs), you can obtain more information on how to opt out of the use of cookies for delivering more appropriate advertising.