Privacy description of Suomen Palautuspakkaus Oy’s Customer, Supplier and Bulletins data file
1 September 2018
Suomen Palautuspakkaus Oy, PO Box 119, FI-00241 Helsinki
2. Person in charge of the data file
Minna Arala, tel.: +358 (0)9 8689 8663, firstname.lastname@example.org
3. Name of the data file
Suomen Palautuspakkaus Oy’s Customer, Supplier and Bulletins data file
4. Purpose and basis of the data file
Personal data are processed in the data file for the purpose of sending bulletins of Suomen Palautuspakkaus Oy and its subsidiaries (hereinafter referred to as “Palpa”), maintaining customer and supplier relationships, communications pertaining to the aforementioned relationships as well as the planning and development of Palpa’s business operations with due consideration for the customer and supplier points of view. The processing of personal data is based on Palpa’s justified benefit, such as a customer and cooperation agreement or the ordering of the bulletin.
5. Data contained in the data file and data subject groups
The data file contains the following personal data regarding the contact persons of customers and suppliers as well as the people who have ordered the bulletins (incl. contact requests and people who have given feedback or taken part in events):
- Name, title, company
- Contact information; telephone number, e-mail address, postal address
- Customer and supplier history; information linked to securities, sales, returns, invoicing and collections
- Stakeholder information; a return system member, recycling station, driver, processing plant, machine manufacturer, expense supplier, reprocessor, etc.
- Extranet user role information, user identifier and password, the user identifier’s period of validity
- Direct marketing permissions and bans
- Potential other information provided by the customer or supplier
6. Data file data sources
Data are regularly collected for the data file from the data subjects themselves via electronic forms, the telephone, in meetings or in other similar ways. The data file is compiled in connection with making a customer or cooperation agreement with Palpa and during the contractual relationship of data provided by the customer and other data obtained during the relationship. Personal data may also be collected and updated from public and private registers.
7. Disclosure and transfer of data and the transfer of data outside the EU or EEC
Palpa does not regularly disclose data. Palpa uses subcontractors for updating the website, sending the bulletins, maintaining and developing the ERP system as well as providing customer service. In this case, personal data are transferred to the subcontractors insofar as it is deemed necessary for providing the service. With regard to the ERP system, personal data are transferred outside the EU/EEA to India. In this case, an appropriate level of data security is secured by using the sample clauses of the European Commission. Data are disclosed to the authorities in order to execute statutory tasks. Occasionally, data may also be disclosed for other purposes pursuant to the Finnish law.
8. Data file protection principles and storage time
The controller’s information system and files are protected with technical means of protection used by businesses. In order to receive the right to access the data file, a person must have a personal username and password, which are only granted to members of the controller’s personnel who need the access right because of their position and duties. The controller’s premises are secured with an access control system. Palpa ensures the implementation of data protection by data processing agreements made with the subcontractors who process personal data. Personal data are stored until the data subject prohibits the controller from processing the data subject’s personal data for the purpose of direct marketing or unsubscribes to the bulletins. As long as the customer or supplier relationship is in force, the data are stored for at least the duration of the contractual relationship.
9. Data subject’s rights
Right of inspection and right to request rectification
The data subject has the right to inspect the personal data contained in the personal data file that concern them and to request the rectification or removal of erroneous data. Such requests shall be issued in writing to the contact person specified in item 2.
The data subject has the right to prohibit the controller from processing personal data for the purposes of direct marketing and to unsubscribe to the bulletins at any time by notifying the contact person specified in item 2. The data subject has the right to prohibit the controller from processing personal data for the purposes of direct marketing or opinion polls. Such a ban can be issued at any time to the contact person specified in item 2. Subject to the GDPR, the data subject has the right to oppose the processing of their data or request the restriction and transfer of the processing of their data as well as file a complaint regarding the processing of their personal data to the Data Protection Commissioner.