Privacy policy for B2B customer
This privacy policy is based on the requirements of the EU General Data Protection Regulation. Last updated: 29th of October 2019.
Data controller
Name: Kivra Oy
Business ID: 2918721-9
Visiting address: Miestentie 9 C, 02150 Espoo, Finland
Contact person for the register
Kivra Oy, tietosuoja@kivra.fi
Name of the register and data subjects
Kivra Oy’s marketing and customer register
This register is used for processing Kivra’s corporate customers’, potential customers’ and their representatives’ data and the personal data of the users of the Service.
What is personal data?
Personal data includes all data that can be connected to a live natural person directly or indirectly.
Examples of personal data include company names, names, titles, mailing information, telephone numbers, email addresses, personal identity codes and IP addresses.
- Marketing permissions/prohibitions issued by the customer for digital direct marketing
- Profiling information provided by the customer, information concerning customer relationships and the use of services (e.g. feedback), information related to the acquisition of services or company strategies
- Identification information related to an individual or a company, in addition to contact information, can be transferred to the marketing register to be used for direct marketing even after the customer relationship has ended.
Identification information related to an individual or a company, in addition to contact information, can be transferred to the marketing register to be used for direct marketing even after the customer relationship has ended.
The register consists of personal data.
Legal basis and purpose of personal data processing
Personal data content of the register is name, title, email address, mobile phone number, exchange number, age, gender, native language, identification information related to the data subject, postal address, IP address.
The data source can be the individual themselves or the organisation they represent in an agreement between Kivra and the organisation or as part of interaction related to a possible agreement. The individual themselves can contact Kivra by email or phone or have meet Kivra’s representative and provided their contact information (e.g. business card). The data source can also be external sources, such as online searches conducted by Kivra: “contact person or function at company X” or be based on the individual’s own activity and behaviour in online environments after they have accepted cookies. For example: website visits, online content downloads, registration for services, social media services, and contacting the customer service department by email or phone or via a chat channel.
The purpose of the processing is to communicate in accordance with the agreement or interaction before a possible agreement, creating or maintaining a business relationship or to contact you to create a business relationship with you or the company that you represent. In other words, contact information is used for interaction and communication, for example when sending press releases, newsletters and invitations. (Users can opt out of receiving newsletters through a link in a newsletter that removes them from the mailing list.) Names and titles are also used to create registration and attendance lists for events, for example, that the data subjects register for and participate in at their own discretion. The purpose can also be the development and measurement of websites, applications and services; compiling statistics; targeting advertisements. Acquisition of new customers and communication with customers, such as newsletters, direct marketing campaigns and the implementation and analysis of events. Data can be used also to various surveys (and the related statistics and analyses) that the user participates in at their own discretion.
Legal base is the Agreement (cooperation/partnership agreement) or legitimate interest
(marketing, since Kivra has a strong interest in keeping the data subject up to date on Kivra’s services, in creating or maintaining a good business relationship and in inviting the data subject to events).
Personal data protection
Kivra’s employees have been provided with basic information about data protection, and Kivra seeks to ensure, through its operations, that personal data is processed appropriately. The databases in which personal data is stored are protected by means of firewalls, passwords and other technical measures. Backup copies of the databases are made on a regular basis. The databases and their backup copies are stored in locked and guarded facilities. The databases can be accessed only by employees whose duties require access to personal data. The employees processing personal data are bound by a non-disclosure obligation.
How long will personal data be stored?
Kivra has clear guidelines and practices for deleting personal data. This means that personal data will be stored only for as long as there is a basis for its storage – that is, for as long as its purpose of use so requires.
Agreement:
Personal data for which the legal basis is an agreement is processed at Kivra for as long as the contractual relationship is valid, and for up to two (2) years after the contractual relationship has ended. However, Kivra will delete (or anonymise) the personal data earlier if the data subject is replaced with another representative in the organisation or if they otherwise announce that they no longer want Kivra to process their personal data.
When the agreement expires or when Kivra otherwise decides that the personal data will no longer be stored for the purposes mentioned above, the personal data will be deleted (or anonymised), excluding data that must be stored for longer based on the law (e.g. the Accounting Act) or other obligations. This means that even if the data subject’s personal data is deleted as described above, their name and contact information may still be included in archived agreements and the related documents.
Legitimate interest:
The personal data mentioned above, for which the legal basis is a legitimate interest, will be stored at Kivra for only as long as there is a basis for its storage. However, Kivra will delete (or anonymise) the personal data earlier if the data subject is replaced with another representative in the organisation or if the individual otherwise announces that they no longer want Kivra to process their personal data. Personal data collected in connection with events and campaigns will be stored only for as long as its processing is justifiable and necessary.
Who has access to personal data?
We process personal data with utmost accuracy and care. We respect everyone’s right to personal data protection. Kivra never sells personal data to third parties or otherwise exposes it to personal data breaches. Furthermore, Kivra does not disclose or otherwise use personal data for purposes other than those mentioned above.
Personal data is processed only by employees whose duties require them to process personal data.
Kivra implements all necessary legal, technical and organisational measures to ensure that personal data is processed securely, with an appropriate level of protection. This concerns Kivra internally, in addition to third parties with whom Kivra cooperates and possibly shares personal data in order to provide the Service. Personal data can be accessed only by employees who need to process personal data to fulfil the purposes mentioned above. All employees processing personal data are bound by an appropriate non-disclosure obligation.
Kivra’s subcontractors and companies belonging to the same group of companies as Kivra
In providing the Service, Kivra may use subcontractors and other companies belonging to the same group of companies. Subcontractors provide Kivra with information technology services, for example. Subcontractors and companies belonging to the same group of companies as Kivra may process personal data on behalf of Kivra. In such an event, Kivra is obligated to ensure that the party in question processes personal data in accordance with the data protection legislation and only for the purpose that Kivra communicates to the data subject in accordance with the table above. The disclosure and transfer of personal data requires that the organisations receiving and processing the personal data have entered into an agreement with Kivra regarding the lawful processing of personal data.
The authorities
Kivra may disclose personal data to the authorities, such as the police, if required by law to do so.
Where is the personal data processed?
Kivra usually processes personal data in Finland. However, there may be circumstances in which some of the data may be physically located on external subcontractors’ servers or equipment, where it is processed through a technical connection. Personal data will not be transferred outside EU or EEA countries, unless it is necessary to do so for technological reasons. If Kivra needs to use a subcontractor in a non-EU or non-EEA country, Kivra ensures that the personal data is processed lawfully, by means of contract arrangements in accordance with the European Commission’s standard contractual clauses, for example.
Automatic decision-making
Kivra will not engage in automatic decision-making or profiling based on your personal data.
What are the data subject’s rights?
If you so wish, you may contact Kivra for more information about personal data processing or to exercise your rights related to personal data processing. To do so, please contact Kivra at tietosuoja@kivra.fi.
Your rights concerning personal data processing:
You have the right to obtain information about the collection and processing of your personal data. Personal data processing must be transparent.
You have the right to access your personal data, meaning that you are entitled to obtain confirmation from Kivra as to whether or not Kivra is processing personal data concerning you. You are also entitled to obtain a copy of the personal data Kivra has collected about you. In your request, please specify clearly what data you wish to obtain. The data is free of charge and will be sent to you as a letter to Kivra, or by some other electronic means, without undue delay, within one (1) month. If you have several requests or your request is complicated, the time limit may be expanded by two months. The extension of the time limit must be justified to you. If Kivra is unable to provide you with the requested data, Kivra has the obligation to explain the justifications.
You have the right to request that your personal data be rectified. It is important that the personal data processed by Kivra concerning you be accurate. If your telephone number, email address or other contact details change, or if you notice that we have inaccurate, erroneous or insufficient information about you, you have the right to request that we rectify the data.
In certain circumstances, you have the right to request that your personal data be erased and the “right to be forgotten” without undue delay. For example, if the data is no longer necessary for the purpose for which it was collected, you have the right to be forgotten. However, this right cannot be exercised if Kivra is required by law to store some of your personal data. If you request that your personal data be erased, Kivra will erase all personal data concerning you that can be erased. However, Kivra will erase your personal data without request once there no longer are legal or other obligations for its storage.
In certain circumstances, you have the right to request that Kivra restrict the processing of your personal data. For example, personal data processing may be restricted if you have requested that we rectify your data and it is taking us a long time to fulfil your request. In such an event, we will restrict the processing of your personal data until we have fulfilled your request.
In certain circumstances, you have the right to transfer your personal data from one system to another. This means that you have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format and to transfer the data to another controller. You have the right to have your personal data transferred directly to another controller only if this is technically possible.
In certain circumstances, you have the right to object to the processing of your personal data, meaning that you have the right to request that your personal data not be processed at all. You are entitled to this right if the personal data processing is based on a legitimate interest (see above for more information about such cases). In your request, please specify what you object to in terms of processing.
Kivra will respond to your request within one (1) month of receiving it, unless Kivra has specific reasons to extend the response time. If necessary, Kivra may ask the sender of the request to verify their identity and to specify the request further. The measures related to the request will be implemented without delay after the response, unless otherwise stipulated. Kivra may refuse your request based on the applicable law.
Where can I file a complaint?
If you believe that Kivra is processing your personal data in violation of the applicable data protection legislation, we want you to inform us about this. You can contact Kivra at tietosuoja@kivra.fi. You also have the right to file a complaint with the Office of the Data Protection Ombudsman. For more information, visit the website of the Office of the Data Protection Ombudsman at www.tietosuoja.fi.
Updating this privacy policy
Kivra reserves the right to make changes to this privacy policy at any time, since Kivra is developing the Service continuously. Updates may also be made in connection with amendments to laws. The changes will come into effect once the updated policy has been published. For this reason, we ask you to study this privacy policy at regular intervals. The newest version of the privacy policy can always be found on Kivra’s website.