The controller of the register is Mechalto Oy (business ID 3326863-6)
The contact person for register matters is Vesa Mäkinen
Address: Tuurinkorventie 18, 47400 KAUSALA
Phone: 040 555 1432
2. Name of the register
The name of the register is Mechalto Oy's customer register.
3. Purpose of processing personal data
Personal data is processed for purposes related to the management, management and development of customer relationships, the provision and delivery of services and the development and invoicing of services. Personal data is also processed for the purposes necessary for the investigation of possible complaints and other requirements. In addition, personal data is processed in customer communications, such as information and news purposes and marketing, as part of which personal data is also processed for direct marketing and electronic direct marketing purposes. The Customer has the right to prohibit direct marketing directed at him or her. The controller processes the data itself and utilises subcontractors acting on behalf and on behalf of the controller in the processing of personal data.
4. Grounds for the proceedings
The legal basis for the processing of personal data is the following criteria in accordance with the EU's General Data Protection Regulation (hereinafter also referred to as the GDPR:
- The data subject has given his or her consent to the processing of his/her personal data for one or more specific purposes (GDPR 6. 1.a);
- Processing is necessary for the implementation of a contract in which the data subject is a party or for the implementation of pre-contract measures at the request of the data subject (GDPR Art. 6. 1.b);
- Processing is necessary for the real purpose of implementing the legitimate interests of the controller or a third party (GDPR 6. 1.f.
The above-mentioned legitimate interest of the controller is based on a meaningful and appropriate relationship between the data subject and the controller as a result of the fact that the data subject is the controller's customer and when the processing takes place for purposes that the data subject could reasonably have expected at the time of the collection of personal data and in the context of an appropriate relationship.
5 Data content of the register (categories of personal data to be processed)
The register contains the following personal data on all registered persons in principle:
- Basic information and contact details of the person: [first name, surname, address, telephone number, e-mail address];
- Information relating to a person's company or other organisation and their status or job title. the undertaking or organisation;
- Direct marketing permits and prohibitions for a person.
6. Regular data sources
Personal data is collected from the data subject himself or herself. Personal data is also collected and updated within the limits of applicable law from publicly available sources related to the implementation of the customer relationship between the controller and the data subject, through which the controller fulfils its obligations related to maintaining customer relationships.
7. Retention period for personal data
Data collected in the register shall be stored only for as long and to the extent necessary in relation to the original or compatible purposes for which the personal data were collected. The need to store personal data is assessed every five years and in any case the data concerning the data subject is removed from the register five years after the end of the data subject's customer relationship with the controller, and the obligations and measures related to the customer relationship have been completed. For example, accounting documents are kept for five years from the end of the financial year. The controller regularly assesses the need to store data in accordance with its internal code of conduct. In addition, the controller shall take all reasonable steps to ensure that personal data inaccurate, inaccurate or outdated in relation to the purposes of processing are deleted or rectification without delay.
8. Recipients of personal data (categories of recipients) and regular disclosures
Personal data will not be disclosed to third parties.
9. Transfer of data outside the EU or EEA
The personal data contained in the register will not be transferred outside the EU or EEA.
10. Principles of registry security
Materials containing personal data are stored in locked spaces accessible only to designated persons and authorised to access their duties. The database containing personal data is located on a server that is stored in a locked state accessible only to designated persons authorised to access their duties. The server is protected by an appropriate firewall and technical security. Databases and systems are accessible only by separately issued personal user IDs and passwords. The controller has limited access rights and powers to information systems and other storage platforms so that the data can only be viewed and processed by persons necessary for their lawful processing. In addition, database and system usage transactions are registered in the controller's IT system logs. The controller's employees and other persons are committed to secrecy and to keeping confidential the data received in connection with the processing of personal data.
11 Rights of the data subject
The data subject has the following rights under the EU's General Data Protection Regulation:
- The right to receive confirmation from the controller that personal data concerning him or her are being processed or not processed and, if such personal data are being processed, the right to access personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipients to whom personal data have been or are to be disclosed; (iv) where possible, the envisaged retention period of personal data or, where that is not possible, the criteria for determining that period; (v) the data subject's right to request from the controller the rectification or erasure of personal data concerning him or her or the restriction of the processing of personal data or to object to such processing; (vi) the right to lodge a complaint with the supervisory authority; (vii) if personal data is not collected from the data subject, all available data on the origin of the data (GDPR Art. 15). This basic information described (i)–(vii) shall be provided to the data subject on this form;
- The right to withdraw consent at any time without prejudice to the lawfulness of the processing carried out on the basis of consent prior to its withdrawal (GDPR Art. 7);
- The right to require the controller to rectify, without undue delay, inaccurate and inaccurate personal data concerning the data subject and the right to have incomplete personal data supplemented, including by providing further information, taking into account the purposes for which the data were processed (GDPR Art. 16);
- The right to have the controller delete personal data concerning the data subject without undue delay, provided that (i) personal data are no longer needed for the purposes for which they were collected or otherwise processed; (ii) the data subject withdraws the consent on which the processing was based and there is no other legal basis for the processing; (iii) the data subject objects to the processing on grounds relating to his or her particular situation and there are no reasonable grounds for the processing or the data subject's opposition to the processing for direct marketing purposes; (iv) personal data have been processed unlawfully; or (v) personal data shall be erased in order to comply with a legal obligation applicable to the controller under Union or national law (GDPR Art. 17);
- The right for the controller to restrict processing if (i) the data subject disputes the accuracy of the personal data, in which case the processing is restricted for a period during which the controller can verify its accuracy; (ii) the processing is unlawful and the data subject objects to the erasure of personal data and instead requests that their use be restricted; (iii) the controller no longer needs such personal data for the purposes of processing, but the data subject needs it to establish, exercise or defend a legal claim; or (iv) the data subject has objected to the processing of personal data on grounds relating to his or her particular situation pending verification of whether the data controller's legitimate grounds supersede the data subject's grounds (GDPR Art. 18).
- The right to obtain personal data relating to him or her provided by the data subject to the controller in a structured, commonly used and machine-readable format and the right to transfer that data to another controller, without the restriction of the controller to whom the personal data have been provided, if the processing is based on the consent referred to in the Regulation and the processing is carried out automatically (GDPR Art. 20);
- Right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data concerning him or her violates the EU's General Data Protection Regulation (GDPR 77). Requests for the exercise of the data subject's rights shall be addressed to the controller's contact person mentioned in section 1.
12. Online analytics
The services below collect anonymised information about visits to the website without any personal information.
Google cookies are used for site development and user analytics. Google cookies may also be used for remarketing purposes.