Name: Kivra Oy
Business ID: 2918721-9
Visiting address: Miestentie 9 C, 02150 Espoo, Finland
Contact person for the register
Kivra Oy, email@example.com
Name of the register and data subjects
Kivra Oy’s user register.
Kivra’s user register is used in connection with Kivra’s services (electronic mailbox and any Additional Services).
For the sake of clarity: Kivra serves as the controller for data concerning the Users of the Service. The sender organisation serves as the controller with regard to the creation of electronic documents and their transmission to the User. Kivra serves during the time of document delivery as the personal data processor on behalf of the sender and processes personal data in accordance with the instructions provided by the sender organisation. After receiving the document from the sender organisation Kivra becomes the data controller of the document.
What is personal data?
Personal data includes all data that can be connected to a living natural person directly or indirectly. Examples of personal data include name, email address, telephone number, postal address, personal identity code, IP address and the user’s documents. The register consists of personal data and users’ documents.
Legal basis and purpose of personal data processing
Personal data content of the register:
- Personal identity code
- Email address
- Mobile phone number
- Postal address
- IP address
- Device ID
- IBAN account number if User pays invoices with Kivra
- Letters, invoices and other content, once it has arrived in the service
- Other information that comes with the content, such as the sender and invoice payment information
- Own documents that the user uploads to the service
- Information collected about the use of services (such as sign-in information, viewing content, paying invoices, sharing of inbox)
- Telia Identification – Strong electronic authentication
- Digital and Population Data Services Agency (DPDSA) and its Population Information System (PIS)
- Kivra (when the Service is used and an email is sent to Kivra)
- Kivra (each time when logging in)
Kivra may continuously update the User’s personal identity code, name and postal address by checking it against the Population Information System to ensure that the personal data is up to date and accurate.
The purpose of processing personal data is to identify the User unequivocally as the User of the Service. Unambiguous identification of the user is important to ensure that electronic documents are delivered to the right person, which is essential for privacy protection. This means that Kivra and the Sender use personal data to identify the recipients of electronic documents. Identification takes place by Kivra comparing Users’ personal data to the personal data of the recipients of documents transmitted by the Sender. The Sender can also perform this identification by comparing the personal data of the document’s recipient with a list of some personal data element of Kivra’s Users.
Personal identity code is used to request your name and address information from the Population Register Centre.
Personal data may also be used to verify that the data subject is who they claim to be, to implement security questions and other security measures, for example.
Your email address serves as your user ID and is used to identify you when you sign in to the Service. Your mobile phone number is used to send you a one-time password each time you sign in to the Service. This is called two-factor authentication, and its purpose is to ensure the security of your user account.
Kivra may use email address and mobile phone number when informing the User about important matters related to the Service, such as new electronic documents and terms and conditions. In terms of security, it is necessary for Kivra to have connection to both email address and mobile phone number so that Kivra can inform the data subjects when they have new documents to process in the Service (however, the data subjects can opt out of email notifications about unread documents and unprocessed payments through the Service). Please note that some of the communication related to the Service, such as amendments to the terms and conditions, cannot be refused.
Names are used in communication to make Kivra’s services more personal. This means, for example, addressing the recipient at the beginning of the message: “Hello, X”.
IP addresses are stored in log files in Kivra’s system for 45 days to ensure that Kivra can perform the necessary troubleshooting, defend against attacks and dangerous situations and further develop the Service (mainly in terms of security).
We need your device ID to send push notifications to your mobile device. The device ID is used for fingerprint login. The device ID may be used for product development related to the Service (mainly in terms of security).
To be able to pay, User adds their bank details. IBAN account number is stored in the service.
Content that has arrived and is uploaded to the service is stored on behalf of the user to enable the use of the service. Other information that comes with the content, such as invoice payment information, is used to enable the use of the service.
The information generated from the payment of the invoices is updated along with the invoices, so that the information about the payment reaches the user.
Other information collected about the use of services (such as sign-in information) is processed to maintain and further develop the Service.
The legal basis is the agreement between the User and Kivra (in the context of registration and the acceptance of Kivra’s general terms and conditions) and legitimate interest (motivated by Kivra’s strong need to defend against attacks and dangerous situations and to continuously improve the Service and its security and Kivra’s strong need to notify the User that they will receive electronic documents sent to the Service by a new Sender). The processing of the personal identity code is based on the User’s consent to processing comparable to the activities referred to in section 29 (2) of the Data Protection Act.
Personal data protection
Kivra’s employees have been provided with basic information about data protection, and Kivra seeks to ensure, through its operations, that personal data is processed appropriately. The databases in which personal data is stored are protected by means of firewalls, passwords and other technical measures. Backup copies of the databases are made on a regular basis. The databases and their backup copies are stored in locked and guarded facilities. The databases can be accessed only by employees whose duties require access to personal data. The employees processing personal data are bound by a non-disclosure obligation.
How long will personal data be stored?
Kivra has clear guidelines and practices for deleting personal data. This means that personal data will be stored only for as long as there is a basis for its storage – that is, for as long as its purpose of use so requires.
For some of the personal data that will be processed, the storage periods are affected by statutory regulations and security considerations.
Personal data for which the legal basis is an agreement will be processed for as long as you use the Service.
If the use of the Service is interrupted or discontinued, all personal data that Kivra has collected concerning you will be removed from the Service forty-five (45) days after you have closed the Service (see the general terms and conditions for the Service). This time period has been selected to enable the User to transfer and store their documents elsewhere and to give them time to have their documents sent to another channel.
Personal data that Kivra processes concerning the data subject in connection with customer service will be stored for up to 180 days. This data storage is necessary for Kivra to be able to help the data subject and to monitor matters related to customer service.
Population Information System log data:
Personal identity codes that Kivra processes in connection with services will be stored in the Population Information System log data for five (5) years. This data storage is necessary for Kivra to be able to detect, monitor, manage and rectify security measures related to personal data.
Personal data processed in connection with services will be stored in application logs for forty-five (45) days after the Service has been closed. Application logs are used only internally at Kivra.
Who has access to personal data?
We process personal data with utmost accuracy and care. We respect everyone’s right to personal data protection. Kivra never sells personal data to third parties or otherwise exposes it to personal data breaches. Furthermore, Kivra does not disclose or otherwise use personal data for purposes other than those mentioned above.
Personal data is processed only by employees whose duties require them to process personal data
Kivra implements all necessary legal, technical and organisational measures to ensure that personal data is processed securely, with an appropriate level of protection. This concerns Kivra internally, in addition to third parties with whom Kivra cooperates. Personal data can be accessed only by employees who need to process personal data to fulfil the purposes mentioned above. All employees processing personal data are bound by an appropriate non-disclosure obligation.
Kivra’s subcontractors and companies belonging to the same group of companies as Kivra
In providing the Service, Kivra may use subcontractors and other companies belonging to the same group of companies. Subcontractors provide Kivra with information technology services, for example. Subcontractors and companies belonging to the same group of companies as Kivra may process personal data on behalf of Kivra. In such an event, Kivra is obligated to ensure that the party in question processes personal data in accordance with the data protection legislation and only for the purpose that Kivra communicates to the data subject in accordance with the table above. The transfer of personal data requires that the organisations receiving and processing the personal data have entered into an agreement with Kivra regarding the lawful processing of personal data.
Population Registration Centre
Kivra may check your personal data against the state personal data register (Population Information System) to ensure that the personal data Kivra stores about the data subject is up to date and accurate.
Kivra may disclose personal data to the authorities, such as the police, if required by law to do so.
Where is the personal data processed?
Kivra usually processes personal data in Finland. In certain circumstances, however, the technical implementation of the Service may require personal data to be processed in another EU or EEA country and exceptionally even in a non-EU or non-EEA country. If Kivra needs to use a subcontractor in a non-EU or non-EEA country, Kivra ensures that the personal data is processed lawfully, by means of contract arrangements in accordance with the European Commission’s standard contractual clauses, for example.
Kivra will not engage in automatic decision-making or profiling based on your personal data.
What are the data subject’s rights?
If you so wish, you may contact Kivra for more information about personal data processing or to exercise your rights related to personal data processing. To do so, please contact Kivra at firstname.lastname@example.org.
Your rights concerning personal data processing:
You have the right to obtain information about the collection and processing of your personal data. Personal data processing must be transparent.
You have the right to access your personal data, meaning that you are entitled to obtain confirmation from Kivra as to whether or not Kivra is processing personal data concerning you. You are also entitled to obtain a copy of the personal data Kivra has collected about you. In your request, please specify clearly what data you wish to obtain. The data is free of charge and will be sent to you as a letter to Kivra, or by some other electronic means, without undue delay, within one (1) month. If you have several requests or your request is complicated, the time limit may be extended by two months. The extension of the time limit must be justified to you. If Kivra is unable to provide you with the requested data, Kivra has the obligation to explain the justifications.
You have the right to request that your personal data be rectified. It is important that the personal data processed by Kivra concerning you be accurate. If your telephone number, email address or other contact details change, or if you notice that we have inaccurate, erroneous or insufficient information about you, you have the right to request that we rectify the data.
In certain circumstances, you have the right to request that your personal data be erased and the “right to be forgotten” without undue delay. For example, if the data is no longer necessary for the purpose for which it was collected, you have the right to be forgotten. However, this right cannot be exercised if Kivra is required by law to store some of your personal data. If you request that your personal data be erased, Kivra will erase all personal data concerning you that can be erased. However, Kivra will erase your personal data without request once there no longer are legal or other obligations for its storage.
In certain circumstances, you have the right to request that Kivra restrict the processing of your personal data. For example, personal data processing may be restricted if you have requested that we rectify your data and it is taking us a long time to fulfil your request. In such an event, we will restrict the processing of your personal data until we have fulfilled your request.
In certain circumstances, you have the right to transfer your personal data from one system to another. This means that you have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format and to transfer the data to another controller. You have the right to have your personal data transferred directly to another controller only if this is technically possible.
In certain circumstances, you have the right to object to the processing of your personal data, meaning that you have the right to request that your personal data not be processed at all. You are entitled to this right if the personal data processing is based on a legitimate interest (see above for more information about such cases). In your request, please specify what you object to in terms of processing.
Kivra will respond to your request within one (1) month of receiving it, unless Kivra has specific reasons to extend the response time. If necessary, Kivra may ask the sender of the request to verify their identity and to specify the request further. The measures related to the request will be implemented without delay after the response, unless otherwise stipulated. Kivra may refuse your request based on the applicable law.
Where can I file a complaint?
If you believe that Kivra is processing your personal data in violation of the applicable data protection legislation, we want you to inform us about this. You can contact Kivra at email@example.com. You also have the right to file a complaint with the Office of the Data Protection Ombudsman. For more information, visit the website of the Office of the Data Protection Ombudsman at www.tietosuoja.fi.