Privacy Notice

A combined privacy notice and information document pursuant to the Finnish Data Protection Act and the EU General Data Protection Regulation (GDPR) (2016/679/EU).

Data Controller

Company: Structural Geology Company Oy
Business ID: 3377630-7
Address: Kaniikintie 3, 20300 Turku

Contact person for data protection matters:
Jussi Mattila, jussi@sgeo.fi

Legal Basis for Processing Personal Data

3.1 General information on the processing of personal data

To the extent that the Customer Register contains personal data, the processing complies with the Finnish Data Protection Act and other applicable laws, decrees, regulations, and authority guidelines relating to the processing of personal data. Personal data means information that can be linked to a specific individual. This privacy notice describes in more detail the practices related to the collection, processing, and disclosure of personal data, as well as the rights of the customer (the data subject).

3.2 Purpose of collecting personal data

Customer relationship or a comparable relationship

The purpose of the Customer Register is to enable customer service-related communication and to maintain the customer relationship.

3.3 Purposes of use of the data

Data in the Customer Register may be used primarily for:

• managing and developing the customer relationship

• producing, offering, developing, improving, and securing services

• invoicing, debt collection, and verifying customer transactions

• targeting advertising

• analysis and statistics related to services

• customer communications

• fulfilling the controller’s statutory obligations

• other similar purposes.

Contents of the Customer Register / What Data We Collect

In the assignment log and its attachments, the following categories of data are processed, or may be processed:

• Customer basic information, such as name/company, address, email address, phone number

• Information related to invoicing and debt collection.

Data Retention Period

Personal data is generally processed for as long as the customer agreement for which we need the data remains in force. Data is recorded as received from the data subject and updated according to information provided by the data subject to the controller.

Other personal data is deleted once it is no longer necessary to retain it. If the collection and retention of personal data has been based solely on the customer’s consent, the data will be deleted at the customer’s request.

Regular Sources of Data / Where Data Is Obtained From

Potential customers’ data is obtained, with consent, from the data subject during a website visit or through other personal or digital interaction.

Disclosure of Data / To Whom Data May Be Disclosed

Data is not disclosed for marketing purposes.

Data is not routinely transferred outside the European Union or the European Economic Area. Data may, however, be transferred or disclosed outside the EU/EEA as permitted by law, if transferred to a country deemed by the European Commission to provide an adequate level of data protection, or if contractual arrangements ensure an adequate level of protection. Transfers outside the EU may also occur temporarily in connection with the use of various cloud services, such as OneDrive, Google Analytics, iCloud, or Dropbox.

Data is disclosed to authorities in cases required by law.

Principles of Register Protection / How We Protect Your Personal Data

Access to the register requires a user account granted by the Customer Register’s main administrator. The main administrator also determines the level of access rights granted to other users. Only those employees of the controller and employees of subcontractors who require access for their work-related tasks may access the data.

Customer Rights / How Can I Ensure Lawful Processing?

9.1 Right of access, right to receive data, and right to data portability

The customer has the right to inspect what data concerning them has been stored in the Customer Register. The request must be submitted to the controller in writing, either as a document signed by hand or otherwise reliably verified, or by email.

The controller will provide the requested information within 30 days of receiving the request.

The customer has the right to have their customer data (which they have provided) transferred to a third party in a structured, commonly used, machine-readable format. The controller will nonetheless retain the transferred data in accordance with this privacy notice.

9.2 Rectification of inaccurate data

The customer has the right to rectify personal data concerning them in the register to the extent that it is inaccurate.

9.3 Right to object or restrict processing and right to erasure

The customer has the right to object to the processing of data concerning them for direct advertising, distance selling, and other direct marketing, as well as for market and opinion research and the controller’s business development, and to restrict the processing of their data. The customer also has the right to have personal data already recorded for the above purposes erased, even if there would otherwise be a legal basis for processing.

9.4 Withdrawal of consent

If data in the register is based on the customer’s consent, consent may be withdrawn at any time by contacting the controller’s representative using the contact details provided in this notice. Based on the request, all data that is not required to be retained—or that cannot be retained—under law or another basis mentioned in this privacy notice will be deleted.

9.5 Exercising rights

Requests for access, rectification, or other requests can be submitted by contacting customer service using the contact details provided in this notice.

9.6 Disputes

The customer has the right to refer the matter to the Office of the Data Protection Ombudsman if the controller does not comply with the customer’s rectification request or other request.