Nordic Label Oy (Business ID 2768845-8) Sirrikuja 2, 00940 Helsinki
2 Person responsible for data-related matters
Erik Björkenheim, e-mail: firstname.lastname@example.org
3 Register name
Customer, supplier and stakeholder group register of Nordic Label Oy
4 Purpose and justification for processing personal data
The personal data of the data subject is processed for maintaining, managing and developing client, supplier and other stakeholder group relations, analysis and statistics as well as general development of operations for customer and supplier relations and other appropriate connections, such as partnership.
Personal data will be processed on the basis of legal obligations, contractual relationship or pre-contractual measures, data subject’s consent and legitimate interests of the controller or a third party. Examples of the processing of personal data by Nordic Label on different legal bases are described below.
- Processing of personal data while fulfilling the obligations of customer and supply agreements is based on contractual relationship or actions preceding the conclusion of a contract.
- Personal data processing for the management and development of customer relationships and for the purpose of advertising and marketing Nordic Label’s services and products is based on Nordic Label’s legitimate interest and the data subject’s consent.
- Camera surveillance at Nordic Label’s premises is based on Nordic Label’s legitimate interest in ensuring the safety of the premises.
5 Data content of the register
The following data of the data subject may be processed:
- Basic information of the data subject, including name and contact information, job title, employing company name, contact information, business ID, and other necessary contact information.
- Data related to service and product procurement and payments, notes and other information provided by the data subject.
- Data processing related data, including entry date and data source, as well as other data related to customer and supplier relations and other appropriate connections, as well as data related to contractual relationships.
6 Personal data retention period
Collected personal, customer, supplier and interest group data will be kept in the register only as long as the legislation (e.g. accounting or tax legislation) requires, or it is needed for the purposes listed above. The controller evaluates the specified retention periods regularly.
7 Sources of data
Contact and customer data is provided during contact requests, order placement, quote requests and customer registration. Data submitted by the partners of Nordic Label Oy may also be entered into the data file.
8 Data disclosure and transfer outside the EU or the EEA
The data controller may disclose personal data stored in the data file as permitted or required by relevant legislation for example to a collection agency. The data controller may transfer personal data, for example, when outsourcing personal data processing to an accounting company or marketing and invoicing companies, who in such case will process the personal data on behalf of the data controller without the right to process such data independently. Due to technical reasons, some of the data may be physically located on the servers and equipment of an external service provider, in which case the data is processed remotely. The personal data will not be transferred outside the EU or EEA, unless it is necessary for the technical implementation of the service. The transfers of personal data are based on the model contract clauses approved by the European Commission or other transfer mechanism in accordance with data protection legislation. In such case, the data controller will ensure sufficient data protection as required by relevant data protection legislation.
9 Protection of personal data register
Personal data is stored in databases protected with firewalls, passwords and data security software. Databases and their backups are located in secure facilities and only designated persons have access to the data with a user name and password. Access rights and credentials to the register are granted and managed by a person responsible for data-related matters. The controller’s network and the equipment where the register is stored are protected with firewalls and the data security software of Windows 10 and F-secure.
10 Data subject’s rights
The data subjects have the right
- to obtain information on the processing of their personal data and the purpose for which the data is used,
- of access to their data,
- to rectification of their data,
- to the erasure of their data and to be forgotten if there is no lawful purpose to process the data,
- to data portability,
- to restrict the processing of their personal data to certain purposes, and
- to object the processing of their personal data for direct marketing or other purposes based on a legitimate interest.
When objecting to the processing of personal data, the data subject must indicate the justification for refusing the processing of their personal data. The data controller may deny such requests as permitted under law.
In addition, where the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw such consent at any time. The data subject may wield any of the aforementioned rights by submitting a written and signed request to the data controller with the contact information indicated in Section 1.
If the data subject considers that their personal data is not being processed lawfully, the data subject has the right to file a complaint with the supervisory authority (email@example.com, or by mail PL 800, 00531 HELSINKI).