Privacy statement of Kivra Oy’s customer service

Data controller

Name: Kivra Oy
Business ID: 2918721-9
Visiting address: Miestentie 9 C, 02150 Espoo, Finland

Contact person at Kivra for matters related to the register, tietosuoja@kivra.fi

Name of the register and data subjects

Privacy statement of Kivra Oy’s customer service.

This privacy policy is based on the requirements of the EU General Data Protection Regulation. Last updated: 23 October 2019.

This privacy policy covers customer information that is collected and stored in Kivra’s customer service situations in order to provide high-quality customer service.

On this page, we explain the guidelines that we follow, the methods of processing and storing data and your rights related to this matter. These guidelines will never limit your rights provided by the EU General Data Protection Regulation or another legally valid decision.

What is personal data?

Personal data includes all data that can be connected to a live natural person directly or indirectly. Examples of personal data include name, email address, telephone number, postal address, personal identity code and IP address. The register consists of personal data.

In order to identify the user and provide the service, the register shall contain the following information:

  • Personal identity code
  • Name
  • Address
  • Telephone number
  • Email address

Source

We receive the data stored in the register from our customers when they contact us. Channels of contact from where data is stored:

  • Email
  • Telephone
  • Via the Chatbot service

Personal data protection

The name of our register is the Customer Service customer contacts storage and management system.

Your personal data is protected from being viewed, altered or destroyed by unauthorised persons. The protection is based on identity and access management, technical protection of databases and servers, physical protection of premises, access control, protection of data communications and backup of data. Right to access and process data is granted on the basis of work duties. Access to the system is based on personal user identifiers. All employees processing personal data are bound by an appropriate non-disclosure obligation.

How long will personal data be stored?

Kivra has clear guidelines and practices for deleting personal data. This means that personal data will be stored only for as long as there is a basis for its storage – that is, for as long as its purpose of use so requires.

For some of the personal data that will be processed, the storage periods are affected by statutory regulations and security considerations.

Customer Service:

We will store your personal data only for as long as it is necessary for the purpose of carrying out the processing of personal data defined in this privacy policy.

We will record incoming and outgoing calls from our Customer Service. We will keep recorded telephone conversations for 6 months. In the case of quality development projects and complaint processes, we can store individual recordings for a longer period, but not more than 12 months.

Who has access to personal data?

We process personal data with utmost accuracy and care. We respect everyone’s right to personal data protection. Kivra never sells personal data to third parties or otherwise exposes it to personal data breaches. Furthermore, Kivra does not disclose or otherwise use personal data for purposes other than those mentioned above.

Personal data is processed only by employees whose duties require them to process personal data.

Kivra implements all necessary legal, technical and organisational measures to ensure that personal data is processed securely, with an appropriate level of protection. This concerns Kivra internally, in addition to third parties with whom Kivra cooperates. Personal data can be accessed only by employees who need to process personal data to fulfil the purposes mentioned above. All employees processing personal data are bound by an appropriate non-disclosure obligation.

Where is the personal data processed?

Kivra usually processes personal data in Finland. In certain circumstances, however, the technical implementation of the Service may require personal data to be processed in another EU or EEA country and exceptionally even in a non-EU or non-EEA country. If Kivra needs to use a subcontractor in a non-EU or non-EEA country,

Kivra ensures that the personal data is processed lawfully, by means of contract arrangements in accordance with the European Commission’s standard contractual clauses, for example.

Automatic decision-making

Kivra will not engage in automatic decision-making or profiling based on your personal data.

Kivra’s subcontractors and companies belonging to the same group of companies as Kivra

In providing the Service, Kivra may use subcontractors and other companies belonging to the same group of companies. Subcontractors provide Kivra with information technology services, for example. Subcontractors and companies belonging to the same group of companies as Kivra may process personal data on behalf of Kivra. In such an event, Kivra is obligated to ensure that the party in question processes personal data in accordance with the data protection legislation and only for the purpose that Kivra communicates to the data subject in accordance with the table above. The transfer of personal data requires that the organisations receiving and processing the personal data have entered into an agreement with Kivra regarding the lawful processing of personal data.

Purpose

The purpose of the collection of personal data is to identify the user in a customer service situation.

Email address
The email address will be stored in Kivra’s customer service system when the customer sends an email or contacts the Chatbot in Kivra’s Customer Service. The email address functions as the customer’s user identifier in the service and is requested by Customer Service as one way of identifying the customer.

Telephone number
The telephone number is stored in Kivra’s customer service system when the customer contacts Kivra’s Customer Service by telephone.

Name
The name is stored in the Kivra’s customer service system when the customer contacts Kivra’s Customer Service. The customer’s name is also requested in order to identify the customer.

Address
The customer’s postal address may be requested if the customer service situation so requires, such as to identify the customer or check the delivery address.

Personal identity code
The customer’s personal identity code can be asked as one way of identifying the customer in a customer service situation.

What are the data subject’s rights?

If you so wish, you may contact Kivra for more information about personal data processing or to exercise your rights related to personal data processing. To do so, please contact Kivra at tietosuoja@kivra.fi.

Your rights concerning personal data processing:

You have the right to obtain information about the collection and processing of your personal data. Personal data processing must be transparent.

You have the right to access your personal data, meaning that you are entitled to obtain confirmation from Kivra as to whether or not Kivra is processing personal data concerning you. You are also entitled to obtain a copy of the personal data Kivra has collected about you. In your request, please specify clearly what data you wish to obtain. The data is free of charge and will be sent to you as a letter to Kivra, or by some other electronic means, without undue delay, within one (1) month. If you have several requests or your request is complicated, the time limit may be expanded by two months. The extension of the time limit must be justified to you. If Kivra is unable to provide you with the requested data, Kivra has the obligation to explain the justifications.

You have the right to request that your personal data be rectified. It is important that the personal data processed by Kivra concerning you be accurate. If your telephone number, email address or other contact details change, or if you notice that we have inaccurate, erroneous or insufficient information about you, you have the right to request that we rectify the data.

In certain circumstances, you have the right to request that your personal data be erased and the “right to be forgotten” without undue delay. For example, if the data is no longer necessary for the purpose for which it was collected, you have the right to be forgotten. However, this right cannot be exercised if Kivra is required by law to store some of your personal data. If you request that your personal data be erased, Kivra will erase all personal data concerning you that can be erased. However, Kivra will erase your personal data without request once there no longer are legal or other obligations for its storage.

In certain circumstances, you have the right to request that Kivra restrict the processing of your personal data. For example, personal data processing may be restricted if you have requested that we rectify your data and it is taking us a long time to fulfil your request. In such an event, we will restrict the processing of your personal data until we have fulfilled your request.

In certain circumstances, you have the right to transfer your personal data from one system to another. This means that you have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format and to transfer the data to another controller. You have the right to have your personal data transferred directly to another controller only if this is technically possible.

In certain circumstances, you have the right to object to the processing of your personal data, meaning that you have the right to request that your personal data not be processed at all. You are entitled to this right if the personal data processing is based on a legitimate interest (see above for more information about such cases). In your request, please specify what you object to in terms of processing.

Kivra will respond to your request within one (1) month of receiving it, unless Kivra has specific reasons to extend the response time. If necessary, Kivra may ask the sender of the request to verify their identity and to specify the request further. The measures related to the request will be implemented without delay after the response, unless otherwise stipulated. Kivra may refuse your request based on the applicable law.

Where can I file a complaint?

If you believe that Kivra is processing your personal data in violation of the applicable data protection legislation, we want you to inform us about this. You can contact Kivra at tietosuoja@kivra.fi. You also have the right to file a complaint with the Office of the Data Protection Ombudsman. For more information, visit the website of the Office of the Data Protection Ombudsman at www.tietosuoja.fi.

Updating this privacy policy

Kivra reserves the right to make changes to this privacy policy at any time, since Kivra is developing the Service continuously. Updates may also be made in connection with amendments to laws. The changes will come into effect once the updated policy has been published. For this reason, we ask you to study this privacy policy at regular intervals. The newest version of the privacy policy can always be found on Kivra’s website.