EU General Data Protection Regulation (679/2016), Article 12
Date of completion: 18 May 2018
This privacy notice describes how we process personal data. You have the right to the protection of personal data. We process personal data only on the basis of legal grounds and in a transparent manner. We comply with the provisions and principles of the European Union’s General Data Protection Regulation (GDPR) and national data protection legislation.
EastCham Finland kauppakamariyhdistys ry
Eteläranta 10, FI-00130 Helsinki
2. Person in charge of register-related matters
Eteläranta 10, FI-00130 Helsinki
+358 50 555 2047
3. Used personal data registers
- Registers pertaining to personal data and terms of employment of personnel
- Member/customer registers and various types of customer registers based on them, such as the marketing register for potential customers in the CRM system
- Personal data register of the members of the association’s Board of Directors
- Temporary personal register for participants in Team Finland trips
4. Purpose of the processing of personal data and legal basis for the processing of personal data
Management of the activities, memberships and customer relationships of the association, marketing of the services of the Chamber of Commerce and the implementation of the employer obligations of the association.
The legal bases for the processing of personal data are consent, agreements related to customer relationships and their preparation/implementation, legitimate interest and statutory obligations.
Data subjects are always asked for a separate specific consent for the use of personal data collected in connection with filling in the forms (membership application, registration forms) for the processing purposes stated in the association’s privacy statement.
5. Data content of the personal data registers
Personally identifiable information:
- First name, last name, contact information of the employer company, work email, work telephone number (for personnel, members of the Board and honorary members, also home email and home telephone number, and for personnel and members of the Board, also personal identity code)
- Information related to the task, such as the role and position in the organisation, event information, such as participation in events or contacting sales or customer service
- Photographs taken at customer events containing identifiable persons and photographs of the personnel. At events, photographs may be taken for editorial use for our communications. The association reserves for each participant the opportunity not to be shown in the photographs
- Possible permissions and consents as well as any other data collected with the consent of the person
Information on the marketing content used by the person (usage data):
- Sending, opening and clicking data of marketing messages, usage information pertaining to the company’s website, such as time, date, pages and duration, order and download information of guides and other material as well as cookies.
Data derived from usage data through the use of analytics (derived data):
- Points of interest and lead points, which describe content use activity.
6. Regular data sources
The information has been obtained from the data subjects themselves, from their employer or on the basis of the association’s own activities.
7. Regular disclosure of information
The member register is sold for the purposes permitted by the data protection regulation (e.g. direct advertising and marketing, market research) only to the member companies of the Chamber of Commerce.
Personal data may be disclosed to various partners of the association/participants of events in accordance with the EU General Data Protection Regulation.
8. Transfer of personal data outside the EU/EEA
The data may be transferred to offices located in the target countries of the association for the purposes described in section 4, except for personal identity codes, when the legal grounds for processing provided for in the EU General Data Protection Regulation apply.
The processing of personal data may take place in offices located in the target countries of the association, but the storage of personal data always takes place on a server located in Finland.
9. Principles of protection of the association’s personal data registers
Customer and member data is stored in Finland in the CRM customer management system. With regard to the personnel’s personal data and registers pertaining to terms of employment, the personal data register of the members of the association’s Board of Directors and the temporary personal data registers for participants in Team Finland trips, the association has implemented appropriate technical and organisational measures to protect personal data against accidental or unlawful loss, disclosure, misuse, alteration, destruction or unauthorized access.
The association stores personal data in paper and digital format. Paper materials are stored in locked premises that can only be accessed by designated persons authorized to access them as part of their duties. The digital materials are stored on a server that is maintained in a locked facility accessible only to designated persons and persons authorized to access it as part of their duties. Access to personal data stored in the system is only granted to designated persons who need it to perform their duties. The environments are protected by the appropriate firewalls and technical protection methods.
Employees of the Chamber of Commerce have unrestricted access to the member/customer register database. Employees have access to other personal registers only to the extent that their duties require it.
For Team Finland trips, a trip-specific, temporary personal data register is created, which is then destroyed after the trip has taken place.
10. Retention period of personal data
The data collected in the register is stored only for the period of time and extent necessary for the original or compatible purposes for which the personal data was collected. The legal basis for the data in the register and the need for processing are reviewed at least every five (5) years. The personal data in accordance with the privacy statement are retained for as long as the controller uses the data for customer relationship management and marketing purposes. However, personal data is always stored in the association’s databases for the required legal period. Personal data is always stored at least for the duration of the agreement/legitimate interest pertaining to the data subject.
The usage data for targeted direct marketing-related email messages and the usage data for the contents of the company’s website are automatically erased 18 months after use.
The association assesses the need for data retention in accordance with its internal Code of Conduct. In addition, EastCham Finland takes all reasonable measures to ensure that personal data that are inaccurate, erroneous or outdated with regard to the purposes of the processing are erased or rectified without delay.
11. Rights of the data subjects
To the extent permitted by law, the data subject has the right to inspect their personal data stored in the association’s personal data register. The request must be submitted in writing (including by email) to the contact person mentioned in section 2. Under this privacy notice, you will also find a form where the data subject can enter their email address and request access to the data collected in the Vine database at the level required by law. An email will be sent to the recipient with links to access the personal data collected about them.
The association’s information systems do not include automated decision-making/profiling.
To the extent permitted by law, the data subject has the right to demand the rectification or erasure of incorrect, unnecessary, incomplete or outdated personal data.
A person has the right to the erasure of his/her data (“right to be forgotten”). The request must be submitted in writing (including by email) to the contact person mentioned in section 2.
The data subject has the right to request the association to erase the personal data concerning the data subject without undue delay, provided that
- the personal data is no longer needed for the purposes for which it was collected or otherwise processed;
- the data subject withdraws the consent on which the processing was based, and there is no other legal ground for the processing;
- the personal data have been processed unlawfully; or
- the personal data must be erased in order to comply with a statutory obligation based on EU or national law applicable to the association.
12. Amendments to the privacy statement
We are constantly developing our operations and, therefore, reserve the right to amend the privacy statement by giving notice of the amendment in our services. The amendments may be based on changes in legislation. We recommend that you regularly review the content of the privacy statement.