Personal Data Act (Sections 10 and 24) and General Data Protection Regulation (GDPR) Compliant Registry and Privacy Statement

Created on 23.6.2020
Updated on 23.6.2020

1. Data Controller

Capitano Oy (3140312-8)

2. Contact Person for the Registry

Hanna Heikkilä
0503216360
tampella@ole.fit

3. Name of the Registry

Capitano Oy customer and marketing registry, surveillance camera registry statement

4. Legal Basis and Purpose of Processing Personal Data

The legal basis for the processing of personal data under the EU General Data Protection Regulation is the individual's voluntary, documented consent, a contract in which the data subject is a party, or the legitimate interest of the data controller (customer relationship, employment relationship, membership).

The purpose of processing personal data is to communicate with customers, maintain customer relationships, and marketing. The purpose of surveillance cameras is to protect property, prevent misuse and crimes, assist in investigating committed crimes, and ensure and enhance the safety of staff, customers, and visitors.

5. Contents of the Registry

The registry may contain: the person's name, personal identification number, position, company/organization, contact details (phone number, email address, postal address), company's website addresses, details of ordered services, billing information, and other customer relationship and ordered service-related information. The data is stored in the registry for the duration of the customer relationship and for one year after the end of the customer relationship.

The registry also contains surveillance camera footage.

6. Regular Sources of Data

The data stored in the registry are obtained from the customer via web forms, emails, phone calls, social media services, contracts, customer meetings, and other situations where the customer discloses their information.

7. Regular Disclosures of Data and Transfer of Data Outside the EU or EEA

• We share your personal data with the following parties:
• In cases of criminal suspicion, information can be disclosed to authorities.
• For marketing assignments, with partners who analyze, print, or distribute marketing materials.
• Data may also be transferred outside the EU or EEA by the data controller.
• If we share your data with our partners, they act in the role of data processors under a cooperation agreement. Through the agreement, we obligate our partners to comply with the Personal Data Act (Sections 10 and 24) and the EU General Data Protection Regulation (GDPR). Partners do not have permission to use the registry data for anything other than the assignment agreed upon with Fit Tampella.

8. Principles of Registry Protection

The registry is processed with care, and data processed with information systems are adequately protected. Data is stored in locked facilities, and electronic registry data is password-protected, accessible only to designated persons. When registry data are stored on Internet servers, their physical and digital security is adequately maintained. Fit Tampella ensures that stored data and server access rights and other critical data for personal data security are handled confidentially and only by those employees whose job description includes it. Employees who handle customer registry data are under confidentiality.

9. Right of Inspection and Right to Request Correction of Data

Every person in the registry has the right to inspect their data stored in the registry and to request the correction of any incorrect data or the completion of incomplete data. If a person wishes to inspect their data or request a correction, the request should be sent in writing to the data controller. The data controller may ask the requester to prove their identity. The data controller responds to the customer within the timeframe specified in the EU data protection regulation (usually within one month).

10. Other Rights Related to the Processing of Personal Data

A person in the registry has the right to request the deletion of their personal data from the registry. The data subject also has other rights according to the EU General Data Protection Regulation, such as restricting the processing of personal data in certain situations. Requests should be sent in writing to the data controller. The data controller may ask the requester to prove their identity. The data controller responds to the customer within the timeframe specified in the EU data protection regulation (usually within one month).