ROBIT PLC PRIVACY NOTICE
REPRESENTATIVES AND CONTACT PERSONS OF CUSTOMERS AND PROSPECTS
Last updated 14 September 2018
This document describes how Robit Plc (hereinafter ”Robit”) and its staff process the personal data of Robit’s customers’ or potential customers’ representatives and contact persons. Robit acts as a controller to such personal data.
As a controller, we are responsible for such personal data, and for the processing of such personal data. Protecting your privacy and your personal data is of utmost importance to Robit. We are committed to complying with the requirements of data protection regulation applicable to us in the processing of your personal data. The means and purposes of processing the personal data Robit’s customers’ and potential customers’ representatives and contact persons are described in more detail in this Privacy Notice.
What is stated in this Privacy Notice, applies, where appropriate, to the processing of personal data conducted by Robit group companies.
2. Data controller and contact person
(Business ID: 0825627-0)
Tel.: +358 3 3140 3400
c/o Robit Plc
Tel.: +358 40 724 9143
3. Legal bases for processing and processing purposes
Processing of personal data must always be based on a legal basis set forth in the EU’s General Data Protection Regulation (the “GDPR”). Processing of personal data of Robit’s customers’ or prospects’ representatives and contact persons is based on the following legal bases:
- Data subject’s consent under applicable legislation;
- Compliance with a legal obligation to which Robit is subject;
- The performance of a contract between the data subject or an organization represented by the data subject and Robit, or the customer relation or other relevant connection between them, in which case the legal basis for processing is legitimate interest of Robit or a third party (such as current or future business partners, suppliers or customers). A legitimate interest may be, in particular:
- Ensuring and improving data security or the security of premises and data network; Protection of Robit’s property; To prevent and investigate suspected fraud or misuse;
- Managing and developing the customer relationship;
- Marketing and customer acquisition;
- Other legitimate business purposes, such as service and product development.
Personal data is processed in particular for the following purposes:
- The provision of services and/or products ordered by the data subject or an organization represented by the data subject, and the execution of and the obligations related to the provision of them;
- Invoicing and keeping track of the accuracy of the invoicing;
- Taking care of, managing and developing customer relations and other relevant connections comparable to such relations, such as the provision of customer service and the execution of customer communications;
- Services production, business and customer service development by using customer satisfaction surveys, for instance;
- Management of sales contact information;
- Analysing and compiling statistics for business purposes;
- Advertising and marketing, including targeted marketing and electronic direct marketing, but only to the extent permitted by the applicable law or where the data subject has explicitly consented to such practices;
- The execution of administrative payments and costs;
- The prevention and investigation of malpractices, which can be conducted for example through camera and other technical monitoring.
After the termination of a customer agreement or a relevant connection, Robit may transfer data subject’s personal data to direct marketing register of Robit to the extent permitted by the law.
The provision of personal data in the manner described in this Privacy Notice is partially based on a contract between the data subject and Robit or an entity represented by the data subject and Robit. When the data subject places a service or product order by himself/herself or on behalf of the organization represented by the data subject, as well as in the context of the delivery of the services, the data subject is obliged to provide Robit with certain personal data for the processing purposes described in this Privacy Notice. The foregoing does not apply in situations where the provision of the data or certain processing of the data is based on the data subject’s consent. The non-delivery of personal data can prevent Robit from performing its contractual or other obligations or commitments, which can lead to the fact that the data subject or the organization represented by the data subject cannot place a service or product order or that the already ordered services or products cannot be provided.
4. Categories of personal data processed by Robit
Robit may process the following personal data directly necessary for the maintenance of the relevant connection between the data subject and Robit or that relate to taking care of the rights and obligations of the parties. These personal data can be categorised as follows:
Basic information, such as
- Contact information (such as address, telephone number and email)
- Preferred language where appropriate
- When representing an entity, information concerning the data subject’s employer and position or assigned tasks within the entity
Information related to the customer relation or other relevant connection between the data subject and Robit, such as
- Information related to the relevant contract and the data subject’s association to the contract, information on orders on products and/or services;
- Invoicing and payment details
- Information on communications, including possible marketing communications between the data subject and Robit, and information on visits
- Possible permissions and prohibitions concerning direct marketing
Data collected through technical monitoring, such as
- log data of Robit’s data systems where appropriate
- data relating to access control and access control recordings where appropriate
- data relating to camera surveillance and other electronic surveillance recordings recorded when the data subject is visiting Robit’ premises
Furthermore, Robit may process change data of the above mentioned data categories.
5. Regular sources of personal data
Personal data are collected from the data subject himself/herself or from an organization represented by a data subject, for instance in the context of entering into a contract, filling in and signing order forms, or in connection to invoicing. When the contractual relation continues and in the context of delivering the ordered products and/or services, personal data is collected from the data subject himself/herself also by other means, for instance in various customer service occasions via telephone or email or during the visits on Robit’s sites.
Personal data may also be collected and updated from registers of companies belonging to the same group of companies and economic interest group with Robit as well as from authorities and companies providing services related to personal data, such as Suomen Asiakastieto. In addition, Robit conducts active canvassing, and may collect basic data relating to data subjects from public websites or from other publicly available sources.
6. Transfers and disclosures of personal data
Robit may transfer personal data to third parties in the following manner in order to fulfil the processing purposes described in this Privacy Notice. When personal data are transferred to an entity which processes personal data on behalf of Robit (i.e. data processor), Robit has through contractual arrangements ensured that personal data is processed only in accordance with Robit’s written instructions and only for the purposes described in this document and that access to personal data is restricted to persons who need access to data based on their tasks.
- Data processors: Robit may transfer personal data to processors in order for the processors to perform services and tasks assigned to them. Data processors’ tasks relate, for instance, to provision and maintaining of devices, data systems and software, as well as provision of other data processing services, or to marketing or other equivalent tasks closely related to sales and marketing.
Some of the data processors used by Robit are located outside the EU or EEA area. Robit has contractually ensured that these entities undertake to apply an appropriate level of data protection in their processing practices, and thus the data transfers are subject to appropriate safeguards. More information on cross border transfers of the personal data and on the appropriate safeguards applied thereto from time to time is available from the contact person mentioned under Section 2 of this Privacy Notice.
Robit shares the personal data of customers’ representatives and contact persons to the companies belonging to the same group of companies with Robit to the extent necessary in order to e.g. facilitate the provision of services to its customers and to facilitate communications and cooperation between the Robit group companies in relation to provision of the services.
Robit may disclose personal data within the limits permitted or required by applicable legislation from time to time, for example to competent authorities when required to do so under applicable laws, to prepare for legal proceedings or to defend a claim. In addition, Robit may disclose personal data to a debt collection agency for purposes of debt collection, or to other service providers, but only to the extent that the fulfilment of their tasks require the disclosure of personal data.
In case of the sale of Robit’s business, or a part of it, or in case Robit conducts other organizational changes to its business, Robit may disclose personal data to the buyers and their advisors in accordance with the then current legislation.
7. Data retention period
The retention period of personal data depends on the data concerned and its purpose of use. Robit retains personal data at least as long as they are needed for the execution of the informed purposes of processing, such as in the performance of Robit’s contractual obligations or in managing the contractual relation with the customer.
The retention periods are determined in accordance with the following criteria:
- Related personal data will be retained for as long as the legitimate interest of Robit can reasonably be considered valid. The validity of the legitimate interest is determined by, for example, the communications between Robit and the data subject.
- Related personal data will be deleted when the data subject withdraws his/her consent or objects to the processing of your personal data for direct marketing purposes. In this case, however, Robit may keep the information regarding the data subject’s objection to receiving direct marketing.
- In case of customers’ contact persons and representatives, the retention period of personal data is ultimately tied to the term of a contract with the data subject or an organization represented by the data subject.
- Statutory retention periods may also apply. For instance, the accounting regulation requires that the information included in the accounting materials are retained for six years.
When personal data are no longer needed, the data is destroyed in a secure way or irrevocably anonymized.
8. Rights of the data subject
The GDPR provides the data subject with several rights based on which the data subject can in many situation himself/herself decide on the processing of his/her personal data. The data subject may use the following rights with regard to Robit to the extent Robit acts as the controller to the personal data of the data subject in question. The extent of your rights is subject to the legal basis for processing and exercising your rights requires identification.
- Right of access: The data subject has the right to obtain a confirmation from the controller on whether the controller processes personal data concerning the data subject and the right to access such data. The data controller may ask the data subject to specify his/her access request, amongst others, with regard to the details of the data to be delivered.
- Right to rectification: The data subject has the right to obtain from the controller the rectification of inaccurate personal data concerning him/her processed by the controller, or to have incomplete personal data processed by the controller to be completed.
- Right to be forgotten: The data subject has the right to obtain from controller the erasure of personal data related to him/her and the controller has the obligation to erase such data in case there is no longer a legal ground for the processing of such data or, where the legal or contractual obligation binding the controller related to the storing of the personal data has ended or, where the data subject has withdrawn his/her consent to the processing of his/her personal data.
- Restriction of processing: In certain cases, where so prescribed by law, the data subject may have the right to obtain from the controller restriction of processing of his/her personal data.
- Right to data portability: The data subject may, subject to certain conditions prescribed by law, have the right to receive the personal data concerning him/her processed by the controller in a commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance from the original controller.
- Right to object to processing of his/her personal data: In certain cases, the data subject may have the right to object to processing of personal data concerning him or her. The right to object is applicable in such situations in particular where the processing of personal data is based on the controller’s legitimate interest. In such situations the controller has to follow the data subject’s request, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
- To the extent the processing of personal data has been based on the data subject’s unambiguous consent, the data subject has, at any time, the right to withdraw his/her consent regarding the processing.
The requests shall be directed to the contact person mentioned in section 2 of this Privacy Notice.
In addition, the data subject has the right to lodge a complaint with the supervisory authority on the processing of the personal data by the controller. The complaint shall be made to the competent supervisory authority, in Finland to the Data Protection Ombudsman, in accordance with its instructions. The web-site of the Data Protection Ombudsman can be found here.
9. Changes to this Privacy Notice