Privacy policy – For clients

OK Perintä Oy is committed to upholding the rights of data subjects and the protection of personal data. This privacy statement describes how OK Perintä Oy collects, processes, stores and protects your personal data.

1. Data controller

OK Perintä Oy
Business ID: 0873725-0
Tiilitehtaankatu 7 A
FI-65100 Vaasa, Finland

2. Contact person for privacy matters

Data Protection Officer Jenni Vainionpää
OK Perintä Oy
Tiilitehtaankatu 7 A
FI-65100 Vaasa, Finland

3. Name of filing system

OK Perintä Oy client and marketing database

4. Legal basis and purpose of processing data

The processing of personal data is based on the execution of the legitimate interests of the controller (Article 6.1(f) and Recital 47), the performance of a contract within a client relationship (Article 6.1(b)), or the consent of the data subject (Article 6(1)(a)).

The purpose of processing personal data is to enable communication with the client and customers and for marketing activities.

5. Category of data subjects

The category of data subjects consists of the contact persons of clients, contact persons for potential clients, and contact details for the contact persons of the controller’s stakeholders.

6. Data content of the filing system

Position within company
Telephone number
Email address
Company’s industrial classification
Other classification information on the company’s activities

7. Regular sources of data

Personal data is collected from the form available on the company’s website, in connection with commission agreements, and directly from the data subject through other means. In addition, personal data may be collected from public registries.

8. Regular categories of recipients

The controller may make use of an external subcontractor or software service provider to process personal data on behalf of the controller. In such cases, the controller is responsible for ensuring the lawfulness of processing.

9. Transfer of data outside the EU or EEA

The company will not transfer the personal data of data subjects outside the EU or EEA countries. Under certain conditions, certain processors of personal data acting on behalf of the company may transfer personal and other data of data subjects outside the EU or EEA. In such cases, however, the data will be transferred in compliance with the provisions of the EU General Data Protection Regulation on the protection of personal data. As the data controller, the company is fully responsible for the actions of processors acting on its behalf.

10. Period of storing personal data

Personal data will be stored for the period of time necessary for the management or establishment of the client relationship.

11. Profiling

The company does not carry out profiling of personal data in the filing system.

12. Description of technical and organisational protective measures

The processing of personal data is carried out with due diligence. Members of personnel who process personal data receive initial training and regular yearly training. Data in the filing system may only be processed by individuals entitled to do so by reason of their duties. Processors of personal data are subject to a non-disclosure obligation.

The company processes the personal data of the data subject in both printed and electronic form.

Printed material

Printed material is scanned into an electronic form and stored as part of the filing system. After this, the material is destroyed by disposing of it in a locked security bin.

Electronic material

The company has implemented the technical and organisational measures it has deemed necessary to protect the filing system from unauthorised access and use.

13. Right of access and right to rectification

The data subject shall have the right to access their personal data stored in the filing system. The request for access must be made in writing, and ensure that the company is able to verify the identity of the data subject. If necessary, the controller may ask the individual requesting access to prove their identity. Requests for access shall be presented to the Data Protection Officer (section 2). Rectification may be requested once each year without additional fee, after which the company shall charge an administrative fee of EUR 20 for each further request as compensation for the work caused. The company shall respond to the individual presenting the request within the period of time specified in the GDPR (usually one month from the request).

If a data subject finds their data to be inaccurate, they have the right to request that their data be rectified or erased. The controller must notify third parties with whom they have shared the data or from whom they have received the inaccurate data of the rectification, unless this would require disproportionate effort. Requests for rectification shall be presented to the Data Protection Officer (section 2).

14. Other rights of data subjects

Data subjects have the right to request the restriction of processing until, for example, the controller has verified the accuracy of the data. Data subjects have the right to object to direct marketing at any time. If the personal data of the data subject is processed on the basis of consent, this consent may be revoked at any time.

Data subjects have the right to file a complaint to the regulatory authorities on matters related to the processing of their personal data.

15. Changes to the privacy statement

This privacy statement may be updated at a later date, for example, due to changes in the company’s procedures on the processing of personal data or changes in official regulations or legislation. This privacy statement was last updated on 24 May 2018.