Privacy Notice for Labquality Oy’s Customer, Supplier and Marketing Register
(hereafter “we” or “Labquality”)
Contact person for register matters
Name of register
CUSTOMER, SUPPLIER AND MARKETING REGISTER
What is the legal basis for and purpose of the processing of personal data?
The basis of processing personal data is the performance of a contract between us and our legitimate interest to develop our business and conduct direct marketing.
The purposes of processing personal data are:
- The delivery and development of our products and services (performance of a contract and legitimate interest),
- Sourcing and acquiring products and services necessary for our business from suppliers (performance of a contract and legitimate interest),
- Fulfilling our contractual and other rights, promises and obligations (performance of a contract),
- Taking care of the customer and supplier relationship (performance of a contract and legitimate interest),
- Organizing events (legitimate interest),
- Analyzing and profiling the behaviour of a customer or other data subject such as a potential customer (legitimate interest),
- Electronic and direct marketing (legitimate interest),
- Targeting advertising in our and others’ online services (legitimate interest).
We use automated decision-making (incl. profiling) to identify the data subjects’ profiles and online behaviour. We use this information to target marketing and develop our services.
What data do we process?
We process the following personal data of our customers, suppliers or other data subjects (like prospects) in connection with the customer, supplier and marketing register:
- Basic information of the data subject such as name*, date of birth, social security number, customer number, the language of use;
- Contact information of the data subject such as e-mail address*, phone number, and address;
- Information of company and company’s contact persons such as Business ID* of the company and names*, contact details*, role/title and professional interests of the contact persons;
- Information about the customer relationship and agreement such as information related to previous and existing agreements and orders*, other customer information;
- Information about the supplier relationship and agreement such as information related to previous and existing agreements and orders*, other supplier information;
- Information related to event participation and training such as the name, date and location of the event, dietary or allergy information (only collected and processed with the consent of the data subject);
- Information related to the subscription of customer magazines such as postal address and invoicing information;
- Information related to personal certificates such as work history, information related to the certification exam;
- Information about potential direct marketing opt-outs;
- Technical information about the user of a website such as IP address and cookie information;
- Information related to the behaviour of the data subject on the website, which is used for profiling purposes such as the sites visited and the duration of visits/use;
- Photographs or videos taken at our events;
- Other possible information collected from the data subject him-/herself.
Providing the information marked with an asterisk (*) is a prerequisite for our contractual relationship and/or supplier relationship. We cannot enter into a relationship without the necessary information.
From where do we receive data?
We receive personal data primarily from the data subject him-/herself as well as from newspapers and other news sources, professional social media networks, contact information providers and company websites.
To whom do we disclose data and do we transfer data outside of the EU or EEA?
We disclose personal data to the National Institute for Health and Welfare as a part of their official duties.
We use subcontractors that process personal data on behalf of and for us (data transfer). We have outsourced the IT management to an external service provider, on whose server the data is stored. The server is protected and managed by an external service provider.
We transfer and disclose personal data related to customers outside the EU/EEA. We have implemented suitable safeguards for the transfers and disclosures. We use EU Commission standard contractual clauses or the Privacy Shield system.
How do we protect the data and how long do we store them?
Only those of our employees who, by virtue of their work, are entitled to process customer, supplier and marketing data are entitled to use a system containing personal data. Each user has a personal username and password to the system. The information is collected into databases that are protected by firewalls, passwords and other technical measures. The databases and their backup copies are in locked premises and can be accessed only by certain pre-designated persons.
We store personal data for as long as necessary considering the purpose of the processing. Personal data about customers and suppliers is processed and retained during the customer or supplier relationship or as long as services are delivered, and for ten (10) years after the relationship or service provision has ended. Personal data used for marketing purposes is retained and processed until it is updated or the data subject opts out of the marketing.
We regularly assess the need for data retention in light of the applicable legislation. In addition, we take reasonable measures to ensure that the personal data in the register is not incompatible, obsolete or inaccurate considering the purpose of the processing. We rectify or delete such information without delay.
What are your rights as a data subject?
As a data subject, you have the right to inspect the personal data concerning yourself, which is stored in the register, and a right to require rectification or erasure of the data. You also have a right to withdraw or change your consent, in cases where the processing of the data is based on your consent.
As a data subject, you have a right, according to the EU’s General Data Protection Regulation (applied from 25.5.2018), to object to the processing or request restricting the processing of your personal data. Additionally, you have a right to request your data to be delivered to you in a standard format, in cases where the processing of data is based on your consent or a contract between us.
You also have a right to lodge a complaint with a data protection authority in your jurisdiction or with the power to investigate processing concerning your personal data.
For specific personal reasons, you also have a right to object to profiling and other processing concerning you, when the processing of the personal data is based on our legitimate interest. In connection with your claim, you should identify the specific grounds on which you object to the processing. We can refuse to act on such a request on the basis of privacy legislation.
As a data subject, you have the right to object to processing, including profiling, at any time free of charge in so far as it relates to direct marketing.
Who can you contact?
Should we make amendments to this privacy notice, we will place the amended statement on our website, with an indication of the amendment date. If the amendments are significant, we may also inform you about this by other means, for example by sending an email or placing a bulletin on our homepage. We recommend that you review this privacy notice from time to time to ensure you are aware of any amendments made.