privacy policy for customer and prospect register
This privacy policy has been modified latest on: 11.9.2018
-
data controller
Make Helsinki Oy (Business ID 2369795-5) (“Make Helsinki”) Address: Köydenpunojankatu 13, 00180 Helsinki Telephone:
+358 50 3278276
-
person responsible for personal data matters
name: Joonas Turunen email: joonas@makehelsinki.com
-
NAME AND PURPOSE OF REGISTER
- Name of the Register is Make Helsinki Oy’s Customer and Prospect Register. This policy applies to persons
who are representatives or employees of Make Helsinki’s customers or customer prospects. Each such person
is defined in this policy as a “person”.
- Provision of the Personal Data for the purposes of provision of Make Helsinki’s products and services and
performance of a contract is obligatory. If Make Helsinki does not have the data it requests, it may not
be able to provide the customer with Make Helsinki’s products and services.
- In order for Make Helsinki to comply with legislation, Make Helsinki and its customer might have entered
into a data processing agreement regarding Make Helsinki’s processing of customer’s Personal Data (“DPA”)
when Make Helsinki is the processor of such Personal Data. In such case, the terms of the DPA prevail over
the provisions in this policy and the person shall contact his/her employer or other organization regarding
the matters related to his/her Personal Data.
-
Purposes for Processing and Legal Basis for Processing
-
The purposes for processing of Personal Data are as follows:
- Provision of Make Helsinki’s products and services and performance of a contract, or in order to
take steps prior to entering into a contract. Use of Make Helsinki’s contractual rights. “The
legitimate interests pursued by Make Helsinki” is the legal basis for processing of the Personal
Data for these purposes.
- Development of Make Helsinki’s products and services and Make Helsinki’s business. “The legitimate
interests pursued by Make Helsinki” is the legal basis for processing of the Personal Data for
this purpose.
- Taking care of data security. “Legal obligations” is the legal basis for processing of
the Personal Data for this purpose.
- Preventing fraud. “The legitimate interests pursued by Make Helsinki” is the legal basis
for processing of the Personal Data for this purpose.
- Marketing of Make Helsinki’s products and services, within the boundaries set by law. When consent
is required according to legislation for marketing, “consent” is the legal basis for processing
of the Personal Data for this purpose. When legislation does not require consent for marketing, “the
legitimate interests pursued by Make Helsinki” is the legal basis for processing of the Personal
Data for this purpose.
-
The legal basis for the processing of Personal Data:
- “Consent”. Consent to the processing is the legal basis for the processing of Personal
Data to the extent mentioned above in Section 4.1. If a person withdraws a consent given to the processing
of Personal Data when the legal basis of processing is “consent”, the withdrawal of consent
does not affect the lawfulness of the processing based on consent before its withdrawal.
- “Legal obligations” is the basis for processing of the Personal Data to the extent mentioned
above in Section 4.1.
- “The legitimate interests pursued by Make Helsinki” is the basis for processing of the
Personal Data to the extent mentioned above in Section 4.1. Make Helsinki has considered that Make
Helsinki’s legitimate interests are not overridden by the interests or fundamental rights and freedoms
of the persons.
Such legitimate interests exist as there is a relevant and appropriate relationship
with the person and/or its organization, such as a customer relationship with Make Helsinki. The
interests and fundamental rights and freedoms of the persons are respected, as no special categories
of Personal Data are processed and the persons can expect Make Helsinki’s processing activities.
Provision of Make Helsinki’s products and services and performance of a contract would not be possible
without using the Personal Data. Make Helsinki’s security methods described in Section 10 are maintained
by Make Helsinki in order to protect the data from unauthorized access.
-
CONTENT OF REGISTER and categories of Personal Data
- “Personal Data” means any information relating to an identified or identifiable natural
person. An identifiable natural person is one who can be identified, directly or indirectly, in particular
by reference to an identifier such as a name, an identification number, location data, an online identifier
or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or
social identity of that natural person.
- The register includes the following data. Whether or not the data actually constitutes Personal Data depends
on whether the data can be considered Personal Data according to the definition above. For example, if the
data identifies only an organization such as a company, the data is not Personal Data.
-
Customer and Prospect History
- The number of deals associated with the person;
- Became a customer date – the date that a contact’s lifecycle stage changed to customer;
- Became a lead date – the date that a contact’s lifecycle stage changed to lead;
- Organization name – the name of the person’s organization;
- Create date – the date that the contact was created; and
- Days to close – the days that elapsed from when a contact was created until they closed as a customer.
-
Contact Information
- Email address;
- First and last name(s);
- Job title;
- Phone number;
- Website URL – the person’s organization website; and
- IP address.
-
Analytics History
- Dates and times of visiting Make Helsinki’s website page(s);
- Website page(s) visited, referring site(s) (the known source through which the person found Make
Helsinki’s website);
- The campaign responsible for the first or last touch creation of the contact;
- Number of page views;
- Number of visits; and
- Time first seen – the time and date when the person first interacted with Make Helsinki (website
visit, form submission, manual contact creation or import.
-
SOURCES OF PERSONAL DATA
Sources of the Personal Data are:
- Person or the person’s organization;
- Marketing data sources;
- Personal Data collected when visiting Make Helsinki’s webpages; and
- Usage of Make Helsinki’s products and services.
-
Recipients or Categories of Recipients of Personal Data
Personal Data may be transferred to the following different parties:
- Make Helsinki’s subcontractors e.g. in ICT, customer and prospect management, payment and financial services
field, who process the Personal Data on Make Helsinki’s behalf for the purpose of providing services to Make
Helsinki and with whom Make Helsinki has entered into data processing agreements.
- One of the subcontractors is HubSpot Ireland Limited who provides Make Helsinki with e.g. CRM and related
services.
- The subcontractors may use also their affiliates and/or subcontractors in the processing of the Personal
Data.
- HubSpot Ireland Limited’s current subcontractors are listed at: https://legal.hubspot.com/sub-processors-page
-
Transfers of Personal Data to Third Country
- Make Helsinki and its subcontractors might transfer the Personal Data to countries outside the European Economic
Area (EEA) and European Union (EU) (“Third Country”) for the purposes set out in this policy.
- The legal basis for the transfer of Personal Data to Third Countries is Make Helsinki’s or the subcontractors’
Binding Corporate Rules, European Commission’s Standard Contractual Clauses for the transfer of Personal
Data to processors established in third countries (“Standard Contractual Clauses”), the EU-U.S. Privacy Shield
Framework, alternative data export mechanisms for the lawful transfer of Personal Data (as recognized under
EU data protection laws) or other legal basis.
-
Period for Which Personal Data will be Stored
- Information regarding the contractual relationship is processed for the time until claims related to the
contractual relationship expire. Main rule according to Finnish law for claims related to the contractual
relationship to expire is three years.
- Information regarding the contractual relationship can be processed for longer than the above-mentioned time
period, if the Personal Data in question is necessary for the establishment, exercise or defence of legal
claims.
-
METHODS HOW REGISTER IS SECURED
The Personal Data processed by Make Helsinki is secured by using the following methods and principles:
- locks at Make Helsinki’s premises;
- electrical surveillance systems of Make Helsinki’s premises and equipment;
- firewall, anti-malware and spam filtering systems;
- personal user rights;
- limited number of superusers;
- professional knowledge of Make Helsinki’s personnel; and
- Make Helsinki’s policies and guidelines relating to Personal Data matters.
-
Right of access
- The person has the right to get information on which Personal Data on the person is being processed by Make
Helsinki or information that no such Personal Data is being processed.
- Where such Personal Data is being processed by Make Helsinki, Make Helsinki shall provide the person with
a copy of the Personal Data and the following information:
- the purposes of the processing;
- the categories of Personal Data concerned;
- the recipients or categories of recipients to whom the Personal Data will be or has been disclosed;
- where possible, the period for which the Personal Data will be stored;
- the existence of the right to request from Make Helsinki rectification or erasure of Personal Data
concerning the person or to object or restrict the processing of the Personal Data;
- the right to lodge a complaint with a supervisory authority;
- where the Personal Data is not collected from the person, any available information as to the source
of the Personal Data;
- the existence of automated decision-making, including profiling, and meaningful information about
the logic involved, as well as the significance and the envisaged consequences of such processing
for the person; and
- where the Personal Data is transferred to a Third Country as defined in Section 8 or to an international
organization, information of the appropriate safeguards relating to the transfer.
- For any further copies requested by the person, Make Helsinki may charge a reasonable fee based on
administrative costs.
- For any further copies requested by the person, Make Helsinki may charge a reasonable fee based on administrative costs.
-
Right to Data Portability
At the person’s request, if Make Helsinki processes the Personal Data based on the person’s consent or based on
a contract with the person and if the processing is carried out by automated means:
- Make Helsinki will provide the person with his/her the Personal Data which he or she has provided to Make
Helsinki, in a structured, commonly used and machine-readable format; or
- On the person’s request and if technically feasible, Make Helsinki will transmit such Personal Data in the
same format directly to another controller.
-
Rectification AND right to lodge complaint with supervisory authority
- Make Helsinki shall, at the person’s request, without undue delay rectify inaccurate Personal Data contained
in Make Helsinki’s Personal Data register. Taking into account the purposes of the processing, the person
may have incomplete Personal Data completed, including by means of providing a supplementary statement.
- If Make Helsinki does not take a legally required action regarding the person’s Personal Data on the person’s
request, Make Helsinki shall inform the person without delay and at the latest within one month of receipt
of the request of the reasons for not taking action and on the possibility of lodging a complaint with a
supervisory authority and seeking a judicial remedy. Please note that the person may bring the matter to
be handled by the Data Protection Ombudsman.
- The person has the right to lodge a complaint to the supervisory authority. The contact details of the Finnish
supervisory authority are:Office of the Data Protection Ombudsman
Visiting address:
Ratapihantie 9, 6th floor, 00520 Helsinki
Postal address: P.O. Box 800, 00521 Helsinki, Finland
E-mail:
tietosuoja@om.fi
-
Right to object processing
The person has the right to object, on grounds relating to his/her particular situation, to the processing of
Personal Data which is based on either of the following legal basis for processing when the processing has been
found necessary for the purposes of the legitimate interests of Make Helsinki. The person however does not have
the right to object if Make Helsinki demonstrates compelling legitimate grounds for the processing which override
the interests, rights and freedoms of the person or for the establishment, exercise or defence of legal claims.
-
Right to Restriction of Processing
- ‘Restriction of processing’ means the marking of stored Personal Data with the aim of limiting its use in
the future.
- If the person requests, Make Helsinki must restrict processing in the following situations:
- the accuracy of the Personal Data is contested by the person, for a period enabling Make Helsinki
to verify the accuracy of the Personal Data;
- the processing is unlawful and the person opposes the erasure of the Personal Data and requests the
restriction of its use instead;
- Make Helsinki no longer needs the Personal Data for the purposes of the processing, but the Personal
Data is required by the person for the establishment, exercise or defence of legal claims; or
- the person has objected to processing, but verification whether the legitimate grounds of Make Helsinki
override those of the person is still ongoing.
- In the situations listed above, Make Helsinki can only process the Personal Data:
-
- with the person’s consent or for the establishment, exercise or defence of legal claims;
- for the protection of the rights of another natural or legal person;
- for reasons of important public interest of European Union or of a European Union member State; and
- to store the Personal Data.
-
Right to be forgotten
- The person has the right to have his/her Personal Data erased at his/her request if one of the following grounds applies:
- the Personal Data is no longer necessary for the purposes for which it was collected or otherwise
processed; the person
- withdraws consent on which the processing is based and where there is no other legal ground for the
processing; the person
- objects to the processing in accordance with Section 14; the Personal Data has been processed unlawfully;
the Personal Data
- has to be erased for compliance with a legal obligation in Union or Member State law to which Make
Helsinki is subject; or
- the Personal Data has been collected in relation to the offer of information society services.
- However, Make Helsinki does not have to erase the Personal Data to the extent Make Helsinki still needs to process the Personal Data:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by law to which Make Helsinki is
subject or for the performance of a task carried out in the public interest or in the exercise of
official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with legal requirements;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical
purposes in accordance with legal requirements; or
- for the establishment, exercise or defence of legal claims.
-
Automated decision-making and profiling
- The person shall have the right not to be subject to a decision based solely on automated processing, including
profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
- Such automated decision-making is not used by Make Helsinki at the moment.