Customer Register Description per 22 May 2018
Personal Data Act (523/1999), sections 10 and 24
Sunda Systems Oy (Business ID: 1907385-9)
Address: Bulevardi 48 A 24 (P.O. Box 107), 00121 Helsinki, Finland
2. Contact person for matters regarding the register
Tel. +358 50 366 6364
3. Name of the register
Sunda Systems Oy's customer register
4. The purpose of personal data processing
Personal data in the register is used for invoicing, collecting payments, marketing, generating statistics, managing and developing customer relationships, and developing products and services. The data can be used for direct marketing unless this use has been prohibited. Personal data processing can be partially outsourced to an external service provider for purposes such as invoicing and collecting payments.
5. Legal bases for processing personal data
The legal bases for processing personal data are the following criteria in the EU General Data Protection Regulation (GDPR):
- the data subject has given consent to the processing of their personal data for one or more specific purposes (GDPR 6 art. 1.a);
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (GDPR 6 art. 1.b);
- processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party (GDPR 6 art. 1.f).
6. Data contained in the register
We record the following information about our customers and, if the customer is not a natural person, about the contact persons and any other persons relevant for handling the customer relationship (hereinafter referred to as “Data subjects”):
- first and last name, address, telephone number, email address and business language;
- company/organization name and business id;
- any other data relating to the management of the customership, such as data on marketing permits and prohibitions and on the ordering of services;
- technical data such as customer's IP address, device type and browser type.
7. Regular sources of information
Data related to the customer is primarily collected from the customer when registering and logging in, ordering products, activating product licenses, requesting quotes, requesting trial subscriptions and participating in competitions and customer surveys.
With the consent of the Data subject and based on the law, we may also acquire or receive data relating to the Data subject from third parties such as authorities, for example, to improve the quality of communications and ensure the up-to-dateness of the data.
8. Retention of personal data
The data is stored for the duration that is deemed necessary for maintaining the customer relationship.
Sunda Systems Oy will keep the personal data for no longer than three (3) years after the customer relationship has ended. Sunda Systems Oy may keep the data for a longer time if it is necessary in order to comply with legal requirements.
9. Regular disclosures of data
No regular data disclosures are made from the Sunda Systems Oy's customer register.
Sunda Systems Oy may hand over personal data within the limits allowed and obligated by the existing legislation to third parties, for example, authorities.
10. Transfers of data outside the EU or the European Economic Area
Customer data is not transferred to countries outside the European Union or the European Economic Area.
11. Register protection principles
The register is protected using appropriate technical measures. All servers and databases are located in certified data centres. The register can only be accessed with a username and a password, which are only granted to people who are employed by the controller and whose position and duties involve accessing the data. The controller uses access control measures at its office.
12. Rights of the data subject
The Data subject has the following rights under the EU General Data Protection Regulation:
- the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipient to whom the personal data have been or will be disclosed; (iv) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (v) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (vi) the right to lodge a complaint with a supervisory authority; (vii) where the personal data are not collected from the data subject, any available information as to their source; and (viii) the existence of automated decision-making and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject (GDPR, Art. 15);
- the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (GDPR, Art. 7);
- the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her and, taking into account the purposes of the processing, the right to have incomplete personal data completed, including by means of providing a supplementary statement (GDPR, Art. 16);
- the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies: (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing; (iii) the data subject objects to the processing based on a special personal situation and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for direct marketing purposes; (iv) the personal data have been unlawfully processed; or (v) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject (GDPR, Art. 17);
- the right to obtain from the controller restriction of processing where one of the following applies: (i) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; (ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (iii) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or (iv) the data subject has objected to processing based on a special personal situation pending the verification whether the legitimate grounds of the controller override those of the data subject (GDPR, Art. 18);
- the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent referred to in the regulation and the processing is carried out by automated means (GDPR, Art. 20);
- the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes the EU General Data Protection Regulation (GDPR, Art. 77).
Requests concerning the exercising of the rights of the Data subject shall be submitted in writing to the contact person of the controller in a personally signed or similarly certified document or personally presented to the controller.