Name: Empirica Finland Oy
Address: Lemminkäisenkatu 48, 20520 Turku, Finland
The purpose of collecting personal data is managing and developing the customer relationship. In addition, personal data is processed in communications aimed at customers, such as for information and news purposes, as well as in marketing, as part of which personal data is also processed for purposes related to direct marketing and electronic direct marketing. The registered person has the right to prohibit direct marketing aimed at him. Personal data will not be disclosed to external parties. No automated individual decisions are made.
The legal bases for the processing of personal data are the following bases according to the EU General Data Protection Regulation (hereinafter also "GDPR"):
1. the registered person has given his consent to the processing of his personal data for one or more specific purposes (GDPR 6 art. 1.a);
2. the processing is necessary for the implementation of an agreement to which the data subject is a party, or for the implementation of measures prior to the conclusion of the agreement at the request of the data subject (GDPR 6 art. 1.b);
3. processing is necessary to fulfill the legitimate interests of the controller or a third party (GDPR 6 art. 1.f).
The aforementioned legitimate interest of the data controller is based on a meaningful and appropriate relationship between the registered person and the data controller, which is a consequence of the fact that the data subject is a customer of the data controller, and when the processing takes place for purposes that the data subject could reasonably have expected at the time of the collection of personal data and in connection with the relevant relationship.
The register may contain the following personal data:
1. basic information and contact information: first name, last name, address, telephone number, e-mail address
2. information related to the company or other organization and the position or job title of the registered person in a company or organization
3. direct marketing permits and prohibitions of the registered person
Personal data is stored as long as it is needed to implement the contract with the customer or to develop customer service. The controller evaluates the necessity of storing data regularly in accordance with its internal code of conduct. In addition, the controller takes all possible reasonable measures to ensure that personal data that is inaccurate, incorrect or outdated in relation to the purposes of the processing is deleted or corrected without delay.
The register collects information from the person himself and, within the limits allowed by law, from registers kept by the authorities (e.g. ytj.fi).
Personal data included in the register will not be transferred outside the EU or EEA.
The data is transferred over an SSL-protected connection. Electronic information is protected by a firewall, usernames and passwords. Only those persons employed by the data controller who need the data in their duties have access to the data.
The registrant has the following rights according to the EU General Data Protection Regulation:
1. the right to receive confirmation from the data controller that the personal data concerning him or her is being processed or that it is not being processed, and if this personal data is being processed, the right to have access to the personal data and the following information: (i) the purposes of the processing; (ii) the groups of personal data in question; (iii) recipients or groups of recipients to whom personal data has been disclosed or is intended to be disclosed; (iv) if possible, the planned retention period of personal data or, if it is not possible, the criteria for determining this period; (v) the right of the data subject to request from the controller the correction or deletion of personal data concerning him or her or to limit the processing of personal data or to object to such processing; (vi) the right to file a complaint with a supervisory authority; (vii) if personal data is not collected from the data subject, all available information about the origin of the data (GDPR art. 15). This basic information (i)–(vii) is given to the registered person with this form;
2. the right to withdraw consent at any time without affecting the legality of the processing carried out on the basis of consent before its withdrawal (GDPR art. 7);
3. the right to demand that the controller correct inaccurate and incorrect personal data concerning the registered person without undue delay, and the right to have incomplete personal data supplemented, for example by submitting an additional explanation taking into account the purposes for which the data were processed (GDPR art. 16);
4. the right to have the data controller delete the personal data concerning the data subject without undue delay, provided that (i) the personal data is no longer needed for the purposes for which it was collected or for which it was otherwise processed; (ii) the data subject withdraws the consent on which the processing was based, and there is no other legal basis for the processing; (iii) the data subject objects to the processing on grounds related to his personal special situation and there is no justified reason for the processing, or the data subject objects to the processing for direct marketing purposes; (iv) personal data has been processed unlawfully; or (v) personal data must be deleted in order to comply with a statutory obligation applicable to the data controller based on Union law or national legislation (GDPR art. 17);
5. the right for the data controller to limit the processing if (i) the data subject disputes the accuracy of the personal data, in which case processing is limited to the time during which the data controller can ensure their accuracy; (ii) the processing is illegal and the data subject opposes the deletion of personal data and instead demands the restriction of their use; (iii) the controller no longer needs the personal data in question for the purposes of processing, but the data subject needs them to prepare, present or defend a legal claim; or (iv) the data subject has objected to the processing of personal data on grounds related to his personal special situation pending verification of whether the legitimate grounds of the data controller supersede the grounds of the data subject (GDPR art. 18);
6. the right to receive the personal data concerning himself, which the data subject has provided to the data controller, in a structured, commonly used and machine-readable format, and the right to transfer the data in question to another data controller without hindrance from the data controller to whom the personal data has been delivered, if the processing is based on the consent intended by the regulation and the processing is carried out automatically (GDPR art. 20);
7. the right to file a complaint with the supervisory authority if the data subject considers that the processing of personal data concerning him violates the EU's general data protection regulation (GDPR art. 77).
Requests regarding the exercise of the data subject's rights are addressed to the data controller mentioned in point 1.