This is a statement on the processing of your personal data pursuant to the EU’s General Data Protection Regulation (679/2016).
CTRL Reality Oy
Business ID: 2593336-8
Address: Eerikinkatu 6B, 20100 Turku, Finland
Communication regarding privacy matters
Contact responsible for privacy matters
We request that the data subjects contact the email listed above for all questions related to the processing of personal data and situations related to the exercising of your rights.
Basis and purpose of processing personal data
The legal basis for processing of personal data is:
- the consent to the processing of personal data provided by the data subject
- the contractual relationship between the data subject and controller
- the controller’s legitimate interest based on the customer relationship between the data subject and the controller
The purposes of processing personal data include marketing, customer service, providing information, maintaining customer relationships and partnerships and organizing events.
Regular data sources
The personal data to be processed is regularly received from the data subjects themselves.
Personal data being processed
The controller only collects personal data concerning the data subjects that is essential and relevant for the purposes explained in this privacy statement
The following data concerning the data subjects may be processed:
- phone number
- email address
- name and address of business or organization
Disclosure of personal data
Personal data will not be disclosed to third parties, unless the law imposes an obligation to do so. Data may, therefore, be disclosed in exceptional cases, such as to the authorities when so required by law.
Transfer of personal data to third countries
Personal data will not be transferred outside the EU and the European Economic Area.
Protection of personal data
The controller processes personal data in a manner that aims to ensure the appropriate security of the personal data, including their protection against unauthorized processing and accidental loss, destruction or damage.
The controller uses appropriate technical and organizational safeguards in order to achieve this goal; these include the use of firewall, encrypting techniques and safe equipment rooms, appropriate access control, careful management of data system user ID’s and providing instructions to the personnel participating in the processing of personal data.
All employees processing personal data have a non-disclosure obligation for the mater related to the processing of personal data of the data subjects based on the Employment Contracts Act (55/2001) and non-disclosure agreements that supplement it.
Retention period for personal data
The controller will process the personal data for the duration of the customer relationship. At the end of this period, the controller will delete or anonymize the data within reasonable period in accordance with the deletion process it follows.
The controller may have an obligation to process some personal data belonging to the filing system for longer than stated above in order to comply with the legislation or authority requirements.
Rights of the data subject
Right to request access to personal data
The data subject has the right to receive confirmation regarding whether personal data concerning them is being processed and, if it is, the right to receive a copy of their personal data.
Right to rectification
The data subject has the right to request that inaccurate and erroneous personal data concerning them be rectified. The data subject also has the right to supplement incomplete personal data by submitting the required additional information.
Right to erasure
The data subject has the right to request erasure of personal data concerning them if
- the personal data is no longer required for the purposes for which they were collected;
- the data subject withdraws their consent which the processing of personal data was based on, and no other legal basis exists for the processing; or
- the personal data has been unlawfully processed.
Right to restriction of Processing
The data subject has the right to restrict the processing of the personal data concerning them if
- the data subject contests the accuracy of their personal data;
- the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of its use instead; or
- the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise of defense of legal claims.
Right to object
The data subject has the right to object, on grounds relating to their particular situation, at any time, to processing of personal data concerning them.
The controller shall no longer process the data subject’s personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
Where personal data is processed for direct marketing purposes, the subject has the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Right to withdraw consent
The data subject has the right to withdraw the consent they have provided for the processing, without affecting the lawfulness of processing based on consent before its withdrawal.
Right to data portability
The data subject has the right to receive the personal data concerning them, which they have provide to a controller, in a structured, commonly used and machinereadable format and have the right to transmit this data to another controller.
Right to lodge a complaint with a supervisory authority
The office of the Data Protection Ombudsman, operating under the Ministry of Justice, is the national supervisory authority for personal data matters. You have the right to bring your case to the supervisory authority if you consider that the processing of personal data concerning you is in violation of applicable law.
The controller is continuously developing its activities and may therefore be required to amend and update its privacy policies when necessary. The amendments may also be based on changes in the legislation concerning data protection.
If the amendments include new purposes for the processing of personal data or otherwise introduce substantial changes, the controller will provide an advance notification of them and, if necessary, request consent.