OK Perintä Oy is committed to upholding the rights of data subjects and the protection of personal data. This privacy statement describes how OK Perintä Oy collects, processes, stores and protects your personal data.
This privacy statement contains the information to be provided under Article 14 of the General Data Protection Regulation (EU 2016/679) in cases where personal data have not been obtained from the data subject.
1. Data controller
OK Perintä Oy
Business ID: 0873725-0
Tiilitehtaankatu 7 A
FI-65100 Vaasa, Finland
2. Contact person for privacy matters
Data Protection Officer Jenni Keskinen
OK Perintä Oy
Tiilitehtaankatu 7 A
FI-65100 Vaasa, Finland
3. Name of filing system
OK Perintä Oy customer database
4. Legal basis and purpose of processing data
The legal basis for processing data under the EU General Data Protection Regulation is the performance of a contract (Article 6.1(b)) and the pursuit of the legitimate interests of the controller (Article 6.1(f)). As the company is engaged in licensed and regulated professional debt collection activities, the processing of personal data can be deemed appropriate under the aforementioned grounds.
The purpose of processing personal data is the collection of receivables resulting from a debt relationship.
5. Category of data subjects
The category of data subjects comprises the customers in the debt collection database.
Other personal data necessary for the purposes of carrying out debt collection commissions may also be stored in the filing system. These may include the personal data of the client, the authorities and representatives of the customer.
6. Data content of the filing system
Personal identity number
Other information necessary for the performance of the commission provided by the client
Personal credit information and other information necessary for the performance of the commission obtained from public registries
Information on the debt and its payment
Information on debt collection measures
Other information necessary for the performance of the commission
7. Regular sources of data
The initial inclusion of personal data in the filing system is made primarily on the basis of information received from the client placing the commission.
Personal data may also be collected from the data subject or from courts, enforcement authorities, Legal Register Centre, credit registers, Tax Administration, local register offices, Population Register Centre, telephone directory service providers, and police authorities. The company notes that the aforementioned list is not intended to be exhaustive.
8. Regular categories of recipients
Personal data in the filing system may be disclosed within the limits of and to fulfil the obligations of commission contracts and legislation valid at a given time to, for example, the client, the data subject, courts, enforcement authorities, credit register companies, Population Register Centre, local register offices, telephone directory service providers, police authorities, and the Legal Register Centre. The company notes that the aforementioned list is not intended to be exhaustive.
In addition, the controller may make use of an external subcontractor or software service provider to process personal data on behalf of the controller. In such cases, the controller is responsible for ensuring the lawfulness of processing.
9. Transfer of data outside the EU or EEA
The company will not disclose or transfer personal data outside the EU or EEA. Under certain conditions, certain processors of personal data acting on behalf of the company may transfer the personal data of data subjects outside the EU or EEA. However, such data is transferred in compliance with the provisions of the EU General Data Protection Regulation on the protection of personal data. As the data controller, the company is fully responsible for the actions of processors acting on its behalf.
10. Period of storing personal data
Personal data will be stored for the period required for the performance of the debt collection commission. In such cases, the company will update the personal data of the subject regularly, in order to ensure that the data are up to date. In addition, documents and information concerning debt collection are stored for the period required by legislation valid at a given time. The storage period may be based on the requirements of good practice in debt collection or the Accounting Act.
The company will store call recordings of telephone conversations with data subjects for a period of three years. If the debt claim is contested, call recordings may be stored until the resolution of the matter is legally valid.
As part of its processing activities, the company may use personal data for purposes of profiling. Profiling is made primarily on the basis of personal data provided in the commission and other available public information (e.g., credit information). The purpose of profiling is to assess the payment behaviour of data subjects in order to allow the controller to appropriately proportion its debt collection measures. The profile of the data subject may be compared with the profiles created from other data subjects. However, the company does not exercise any form of automatic decision-making that is based on profiling and that would have legal or other significant repercussions on the data subject.
12. Description of technical and organisational protective measures
The processing of personal data is carried out with due diligence. Members of personnel who process personal data receive initial training and regular yearly training. Data in the filing system may only be processed by individuals entitled to do so by reason of their duties. Processors of personal data are subject to a non-disclosure obligation.
The company processes the personal data of the data subject in both printed and electronic form.
Printed material is scanned into an electronic form and stored as part of the filing system. After this, the material is destroyed by disposing of it in a locked security bin. Printed materials that the company cannot destroy (due to requirements on original documents) are stored in a locked deposit. The company premises may be accessed only by personnel in an employment relationship with the company.
The company has implemented the technical and organisational measures it has deemed necessary to protect the filing system from unauthorised access and use. Such measures include the use of various username and password combinations and secure data connections.
13. Right of access and right to rectification
The data subject shall have the right to access their personal data stored in the filing system. The request for access must be made in writing and ensure that the company is able to verify the identity of the data subject. If necessary, the controller may ask the individual requesting access to prove their identity. Requests for access shall be presented to the Data Protection Officer (section 2). Rectification may be requested once each year without additional fee, after which the company shall charge an administrative fee of EUR 20 for each further request as compensation for the work caused. The company shall respond to the individual presenting the request within the period of time specified in the GDPR (usually one month from the request).
If a data subject finds their data to be inaccurate, they have the right to request that their data be rectified or erased, unless such data is necessary for the performance of debt collection. The controller must notify third parties with whom they have shared the data or from whom they have received the inaccurate data of the rectification unless this would require disproportionate effort. Requests for rectification shall be presented to the Data Protection Officer (section 2).
14. Other rights of data subjects
Data subjects have the right to file a complaint to the regulatory authorities on matters related to the processing of their personal data.
15. Changes to the privacy statement
This privacy statement may be updated at a later date, for example, due to changes in the company’s procedures on the processing of personal data or changes in official regulations or legislation. This privacy statement was last updated on 11 November 2020. The updated version will be published on the company website within three days from the update. Earlier versions are available from the company.